Hyperlinks to external urls getting replaced to https

There are two situations where a normal hyperlink to an external URL could get replaced to https

The website domain is part of the external domain

If for example, the external URL is http://domain.com.au, while the website URL is http://domain.com, this can happen.

Really Simple SSL replaces all instances of the own website domain in the HTML to https. In this edge case, the external URL gets replaced as well: replace http://domain.com in http://domain.com.au to https, and the external link is https as well. This can be fixed by excluding this URL from the mixed content fixer: https://really-simple-ssl.com/knowledge-base/exclude-url-mixed-content-fixer/.

Links to non-https sites on the same multisite network

WordPress uses the home_url() function to return the URL’s in a website. This function returns an https URL when the current website is on https. This means that if you link to another site on your network, which is not https, but the current site is https,  WordPress will return a https link anyway. I’ve created a fix for this WordPress behavior (this is incorporated in Really Simple SSL as of 2.5.0):

add_filter("set_url_scheme", "rsssl_check_protocol_multisite", 20, 3 );

function rsssl_check_protocol_multisite($url, $scheme, $orig_scheme){
    if (is_multisite()) {
    //get blog id by url.
    //make sure the domain is with http, e.g. http://domain.com
    $domain = str_replace("https://","http://",$url);
    //remove http:// from the domain. e.g. domain.com
    $domain = str_replace("http://","",$domain);
    $blog_id = get_blog_id_from_url($domain);
    // exit if no blog id was found.
    if ($blog_id==0) return $url; //no blog id found
    
    //request the blog url and return it. If it is http, the returned url will now also be http.
    $url = get_blog_option($blog_id, "siteurl");
  }
  return $url;
}

If these options do not apply to your site, Really Simple SSL won’t be the cause as it does not replace external URLs. In that case, I would advise checking if another plugin might be causing this.

Simple and Performant Security.
Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.