SSL installed on Genesis site, WP HTTPS plugin too, but security not complete
Tagged: Genesis security, SSL, WhyNoPadlock, WP HTTPS
- This topic has 4 replies, 2 voices, and was last updated 8 years, 6 months ago by yjw.
November 21, 2014 at 4:48 pm #132450
I need clarity and guidance regarding completing the security protection of my site, where some of the pages come up fully as HTTPS and some still default to HTTP. I’d be infinitely grateful if someone can point out or help with a solution to this problem.
Link to Site: https://yoramweis.com
Link to Store page: https://yoramweis.com/liveonlineworkshops/
My site is a Genesis Executive Pro child theme, hosted by Synthesis. I use WordPress eStore with the WP Payment Gateway Bundle addon for my commerce, integrating with PayPal Advanced.
Upon returning from PayPal’s HTTPS platform to my site, both Safari and Firefox flag a warning of non-secure communication and potential information compromise, either immediately after the purchase or upon canceling it – obviously a severe turn off for customers and for any long-term trust building.
As per Synthesis' advice we installed SSL on the site, but while the home page and a couple of pages showed the full protection with the Padlock, most of the pages didn't.
As a next step I installed the WP HTTPS plugin (at default settings), which enabled full protection for the WP Admin, but did not resolve the problem for the rest of the site. Running the security test by WhyNoPadlock still called out an array of non-secure items, mostly uploaded images.
As a next step I combed my site for all the HTTP URLs and changed them all to HTTPS. Running the WhyNoPadlock on each page comes up with all the items called securely, including calls to other sites, fonts, links, etc.
BUT the problem does persist!! And most of the pages still do not show the secure Padlock. Something causes these pages to redirect to HTTP and show as non fully encrypted.
From what I can observe: the pages that have no sidebar come up fully secure with the padlock and on HTTPS. All the pages containing sidebars, with diverse widgets in them, seem to default to HTTP. I combed through the text widgets and again changed all the HTTP to HTTPS, but the problem persists.
- What might be causing this nagging problem and what can fix it?
- Is it an SSL issue? (certificate by GoDaddy, installation by Synthesis team)
- Is there a structural conflict with Genesis framework or WordPress plugin, specifically perhaps with the sidebars?
- Is there any content in the sidebars widgets that triggers this conflict?
- Is there anything else I need to/could change manually besides the HTTP in the site that may resolve this problem? If yes, how?
Thank you in advance for the Wiz that may shed light on it, as with my novice level I am at a total loss with it all.
https://yoramweis.com
November 21, 2014 at 6:44 pm #132451
blogjunkie
Participant
Hi, when you set a site to https, the browser expects *everything* to be secure including stuff from 3rd-parties. Your page here (https://yoramweis.com/liveonlineworkshops/) has some problems because the Aweber form is being submitted over http, not https. For the page to be completely secure and have an unbroken padlock, the form must also be secure. You should consult Aweber on how to use a secure version of the form.
You can use the Google Chrome browser inspector to see the problems affecting each page. Right click and select Inspect Element, and then go to the Console tab. You'll see something like this - http://imgur.com/DJknmQQ
Also, the WordPress HTTPS plugin is buggy and has not kept up to date with the latest versions of WordPress. I would suggest simply making the whole site https by changing your site address in Settings → General to https://yoramweis.com. Next ask Synthesis to redirect all http traffic to https.
That's my advice as a fellow customer of Synthesis with https 🙂
WordPress evangelist, Nike runner, Apple fanboy.
Work: ClickWP WordPress Support, Play: adventures of a blogjunkie. Talk to me on Twitter @blogjunkie
November 21, 2014 at 9:47 pm #132464
Thank you so much blogjunkie! You made my day, no – my month!
You were completely right about the Aweber Sign Up form causing the problem, and since I couldn’t get through to them in time, I ended up simply going into their Raw HTML version of the Sign up Form, and simply changed the 3 http there to https, and voila – it works!
Did the same also on my other Sign Up form for another page and that was it, the page became secured too.
With that, the whole site became completely secured throughout !!
Had to change a couple of URLs also in the eStore settings for the Return, Thank you and Cancel links from PayPal, so this, along with the now fully secured site, eliminated the original annoying security warnings that started me on this whole journey.
So here we are, everything works now like an ET mothership 🙂
I have to hand it to you my friend, with great respect and gratitude. It may be simple in the end, but I have been on this saga, back and forth with support, for over a week, with this monster holding on to life… Good to have people like you – kind, clear, to the point, and accurate like poetry 🙂
Thank you again.
Yoram.
November 22, 2014 at 1:38 am #132480
blogjunkie
Participant
Good to hear, but make sure the Aweber form accepts the secure https version of the URL too, otherwise your visitors would not be able to sign up to your list. Cheers
WordPress evangelist, Nike runner, Apple fanboy.
Work: ClickWP WordPress Support, Play: adventures of a blogjunkie. Talk to me on Twitter @blogjunkie
November 22, 2014 at 9:13 am #132513
Thank you again. I will certainly follow up with Aweber on this.
Best wishes to you.
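
The check described in the replies above (every resource and form target on an HTTPS page must itself be HTTPS), as an added example that is not part of the original thread: a small Python scanner that lists the `http://` references a page would load or post to. The sample markup, the `example.invalid` hosts and the names `InsecureRefFinder` and `find_insecure` are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs a browser fetches or submits as part of the page.
# Plain <a href> links are navigations and do not affect the padlock.
CHECKED = {
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("form", "action"): "form",
}

class InsecureRefFinder(HTMLParser):
    """Collect http:// references that an HTTPS page would load or post to."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> is only fetched for some rel values; check stylesheets here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in CHECKED.items():
            url = (attrs.get(attr) or "").strip()
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))

def find_insecure(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a sidebar widget like the sign-up form in the thread.
SAMPLE = """\
<div class="sidebar widget">
  <form method="post" action="http://forms.example.invalid/subscribe">
    <input type="email" name="email">
    <img src="http://forms.example.invalid/pixel.gif" alt="">
  </form>
  <script src="//cdn.example.invalid/widget.js"></script>
  <a href="http://example.invalid/about">About</a>
  <img src="/wp-content/uploads/photo.jpg" alt="">
</div>
"""

if __name__ == "__main__":
    for line, kind, tag, url in find_insecure(SAMPLE):
        print(f"line {line}: {kind:8} <{tag}> {url}")
```

Protocol-relative (`//host/...`) and relative URLs are not reported because they inherit the page's scheme; only the form target and the image inside it are flagged in the sample.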