How to Fix Common SSL Issues on WordPress

Despite some high profile security issues, SSL (and TLS) remain the standards for ensuring secure communications and commerce on the web, and has seen dramatic growth in recent years. When SSL was conceived and introduced, a relatively small number of businesses had websites, and even fewer were managing commerce or critical aspects of business operations online. Today, most businesses of reasonable size have an active website to drive consumer engagement and at a minimum, properly secure communications (if not transactions) through its website.

According to the Mozilla Foundation, more than 70% of websites now use SSL encryption. As more and more sites add SSL or TLS capabilities, user adoption in turn also increases.

What SSL is ?

Originally designed by Netscape to secure transactions between web servers and browsers, the Secure Sockets Layer (best known as SSL) protocol served well its purpose for a long time. This was the case until critical vulnerabilities (such as Heartbleed and Poodle) were found in some of its most-used implementations. This eventually led to the recommendation of avoiding SSL and using the Transport Layer Security, or TLS for short. Version 1.2 of the TLS protocol is well documented in RFC 5246.

When you request a page over HTTPS (https://www.yeahhub.com/ for example), the server responds with a valid certificate that has been signed by a common trusted party, along with its public key. The client then returns an encrypted key (signed with the server’s public key), which is then decrypted using the server’s private key.

From this point on, a secure session is initiated between server and client, and both use the session key to encrypt and decrypt exchanged data. In more technical terms, asymmetric cryptography (public / private key pair) is used while the session key is being exchanged, and then symmetric encryption (shared key) is utilized while the client and the server communicate with each other.

In case if you wish to go with SSL certificate, you need to understand the requirement of your business. For example, if it is for subdomain then, wildcard SSL certificate is an ideal option while if it is for a single domain then, domain validation or single domain SSL certificate is perfect choice.

With SSL issues, when you identify the error exactly, half the battle is already won. But identifying the error can be ironically harder in some situations. We’ve listed below the most common error conditions.

Most Common SSL Issues –

Mixed Content Errors (Fix With Plugin/Fix Manually)
Untrusted SSL Certificate/Intermediate Certificate
Improper HTTPS Redirection
Too many redirects errors
Net:: ERR_CERT_INVALID Issue
Outdated SSL Certificate

If you are not currently using SSL with WordPress then these are just a few things that are insecure.

Your password when logging into the WordPress admin area (critical).
Other users passwords when they log into any part of your website.
Form submissions from website visitors (contact forms etc)
Payment screens should always use HTTPS/SSL.
Any data transferred to and from your site by you and your users could be read by malicious parties.

1. Mixed Content Errors (Fix With Plugin/Fix Manually)

If for some reason you need to move a page (or any kind of file, for that matter) to a different server, you will want your users to still be able to access that resource by browsing to the usual URL. This option may come in handy if you need to move a site between servers, or to leverage the available bandwidth of the second system.

Mixed content occurs if the sources such as images, scripts, or stylesheets of your website are still loading with the insecure HTTP protocol in the URL. In that situation, you won’t be able to see that green lock icon in your website URL.

Below is the screenshot where you can see that the green lock is not properly visible because of mixed content issues.

Basically, there are 2 ways to fix this issue i.e. either manually or with plugin.

To fix this issue manually, you need to open the website in any browser and press F12 which opens the developer console window where you need to lookout all the errors related to insecure elements/requests in console tab as shown below.

Sometimes, its very hard to find out the particular page/request which initiates from HTTP. Alternatively, you can also use Better Search Replace Plugin for fixing the insecure elements by replacing the old HTTP urls to new HTTPS urls.

Again if you find any mixed content errors, then you have to manually troubleshoot the website.

The second way to fix this issue is with plugin i.e. Really Simple SSL which automatically converts all HTTP elements/requests to HTTPS.

Simply download the plugin from WordPress repository, once it is activated, move to Settings > SSL page to just review the plugin settings, you don’t have to modify any settings. This plugin really does wonders to your website and it automatically takes care of your website and fixes the mixed content errors.

After hitting the save button, you’ll be able to see the proper green lock as shown below:

2. Untrusted SSL Certificate/Intermediate Certificate

When the client initiates the SSL Connection (for example https://www.yeahhub.com) , the server sends the Certificate chain to the client and the client verifies the CA (Certificate authority) certificate against its own SSL Trusted CAs (this is mostly a keystore).

If a match is not found, the connection is rejected. For a Web Application accessed through browser, you see a warning in your browser as shown below:

You will always get an error or warning from the web browser if you use self-signed SSL certificate. The untrusted SSL certificate issue arises when the SSL certificate is not signed by a trusted certificate authority. To accept a certificate by the browser, it must be linked to a trusted root certificate.

3. Improper HTTPS Redirection

Next, you may also fix the issue redirecting HTTP to HTTPS. WordPress will automatically redirect any HTTP requests to HTTPS. If you have installed the Really Simple SSL plugin, then this plugin will take care of all the redirects.

Suppose, you’ve a directory named as /abc/ where you’re running a normal HTML based website, then the above solution will not work, so you need to enter the following code in your root .htaccess file as shown below:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https:// %{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

4. Too many redirects errors

Suppose your website is on Nginx server and you suddenly changed your protocol from HTTP to HTTPS, then you’ll receive the errors like too many redirects, redirected you too many times etc.

This is because the wordpress still thinks that it is being accessed using “http” scheme (because your reverse proxy server is not sending the correct scheme in the header. It may be also possible that you need to make a change in wordpress config file so that it correctly detects the HTTPS.

Make sure that you define the WP_SITEURL and WP_HOME at wp-config.php

define(‘WP_HOME’,’https://example.com’);
define(‘WP_SITEURL’,’https://example.com’);

If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop.

To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header in your htaccess file as shown below;

SetEnvIf X-Forwarded-Proto https HTTPS

5. Net:: ERR_CERT_INVALID Issue

There are several reasons for this issue such as:

The SSL certificate might be given to a different domain or a subdomain.
The SSL certificate might be expired.
Your browser may not be able to identify the certificate issuing authority.

You can even scan your website with SSL Checker or SSL Diagnostics Tool to find out the particular issue.

Another best option is to contact the hosting provider and ask them to re-install the SSL certificate.

6. Outdated SSL Certificate

SSL certificates are issued for certain time frame (1,2 or 3 years typically). Generally a SSL certificate is valid only for 1 year but you can even get more validity if you pay more. But in case of Let’s encrypt, their certificates are valid for only 90 days i.e. 3 months only.

In order to fix the outdated SSL certificate, you have to renew your custom SSL certificate with your certificate authority from where you purchased the SSL for your site.

In case, if you’re getting a 404 Error then make sure that your $_SERVER value should be turned ON.

Add the following code in your wp-config.php to figure out if you have your server configured properly or not:

$_SERVER[‘HTTPS’]=’on’;

You may also like: