Find WordPress HTTP Links

WordPress logo Have you converted your WordPress sites to display a Secure notice for visitors?

I converted my sites to https after Google announced an upcoming change to the Chrome browser:

Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.

WordPress Requirements

WordPress has two https requirements:

  1. An SSL certificate for your Web server.
    • Get a free certificate from Let’s Encrypt for generic servers.
    • Got cPanel? cPanel partnered with Comodo, a certificate vendor, to offer free SSL certificates.
  2. Edit wp-config.php.
    • Add define( 'FORCE_SSL_ADMIN', true );
    • Secure your Dashboard.
    • Login and edit “WordPress Address” and “Site Address” on General Settings
    • Can’t edit options? Options in wp-config.php override General Settings.
    • Edit WP_SITEURL and WP_HOME in wp-config.php.

Mixed Content

After updating your site’s address, you must update your old http links.

Browsers display a mixed content warning if a Web page uses ‘http’ resources on an ‘https’ page.

All content must have https links. The problem is often images. See How to Deploy HTTPS Correctly by Electronic Frontier Foundation, for additional information.

The Chrome browser complains about images with http links:

Attackers might be able to see the images you’re looking at on this site and trick you by modifying them.

How can you find and fix these errors on a WordPress site?

If you have access to your server’s command line, skip ahead to WP-CLI instructions. Otherwise, use my new plugin.

Find WordPress HTTP Links Plugin

I wrote a WordPress plugin to find http links in posts, page, postmeta, options, widgets.

My plugin checks text widgets, RSS widgets and the media widgets added to WordPress 4.8.

Download the plugin from the Github Release. Install it on an SSL site.

Users must be able to edit_published_posts to use the plugin.

Select “Find Http Links” on the tools menu to search your site.

Reports

Find WordPress http links

Displays reports for published pages and posts, custom post fields, options and widgets.

Documents are displayed with an edit link, and marked if the mixed content is in a custom post field.

Edit links open in a new tab, to preserve the report.

Plugin does not check user data. For example, there might be an old ‘http’ link to the site in a user bio. I might add that in a future version.

Missing Data?

postmeta data found on page

Many WordPress plugins add info to the database, but fail to remove it when they are uninstalled.

The original release of my Quick Mail plugin left info in database. It seemed like a good idea at the time, in case the plugin was reinstalled. Recent versions of Quick Mail remove settings when the plugin is uninstalled.

If you see data like _schema_article shown, but cannot find it, it could belong to a plugin that was uninstalled.

You might also have a plugin to manage widgets, that stores data differently than WordPress.

You must edit your database to remove obsolete info.

Fake Mode

Fake Mode screenshot

Fake Mode lets you work on a test site, as though it was the “real site.”

Example: Babies Monthly was updated from http to https. I can install the site at home, by modifying wp-config.php:

if (empty($_SERVER['SERVER_ADDR']) || $_SERVER['SERVER_ADDR'] == '127.0.0.1') {
define('WP_SITEURL', "http://dev.babiesmonthly.com");
define('WP_HOME', "http://dev.babiesmonthly.com"); }

However, the database value for wp_options.home is https://babiesmonthly.com

Plugin detects the difference when it loads, and runs in “Fake Mode.” It pretends that it is running on http://babiesmonthly.com and converts http links to https://babiesmonthly.com.

You can use the plugin to find errors, or replace the production database after replacing links.

Very helpful!

More Features For Developers

Programmers can add a filter for two settings.

PurposeDefault
Minimum Permissionedit_published_posts
Links per page20

Test Additional Content

  • Check themes for hardcoded http scripts and stylesheets.
    • For example, Google fonts are not displayed on an https site, if you load them with an http link.
  • Check plugins, widgets and shortcodes for http image links.

Do Not Forget to Test External Links

Use w3C Link Checker to verify your new links. If you see:

http://example.com/test redirected to https://example.com/test

Find the link on your site, or image from another site, and fix it. Many http links have been updated to https.

Google / Bing / Social

Update your sitemap after fixing links. If you use Google or Bing Webmaster Tools, you can create a new profile for your https site.

Update your Twitter, Facebook, Instagram, Google+ profiles.

Verify Results

Use Jitbit’s SSL Checker to test your site.

Jitbit’s free service checks up to 200 documents.

This site has over 200 posts, besides links for tags, categories, pages, etc.

Jitbit’s page limit inspired me to write this WordPress plugin, to check the entire site.

WP-CLI

WP-CLI lets you manipulate WordPress from a command line. It “just works” on *nix / MacOs. I found directions to install WP-CLI on Microsoft Windows, but I have not tested them.

It is easy to fix mixed content errors with WP-CLI’s search / replace command. Try:

wp search-replace 'http://example.com' 'https://example.com' --all-tables --skip-columns=guid --skip-columns=pinged --precise --dry-run

Remove --all-tables to limit replace. See Documentation.
Remove --dry-run to replace links.

The search replace command will update your content links, or every link, depending on settings.

Follow my instructions to check additional content, etc.

Get Find WordPress HTTP Links

Clone or fork Find WP Http links on Github or download the latest release as a .zip.

I am not sure if I will add the plugin to the WordPress Plugin Repository.

Comments

Dwayne

Interesting idea. Nice display and reports.

Leave a comment

name*

email* (not published)

website

Comment moderation is enabled. Your comment may take some time to appear.