
Really Simple SSL 2.5.24 – minor multisite fix

Today Really Simple SSL 2.5.24 was released. Apart from the renaming of a CSS class, there was only one important change, and it affects only sites which:

  • are multisite
  • with the network back-end already on SSL
  • and Really Simple SSL not activated yet

To see why this can be a problem, I need to explain how WordPress handles SSL. If a site is loaded over https, the server usually passes something like $_SERVER['HTTPS'] = 'on'. On some servers it doesn’t, and WordPress may end up in a redirect loop. Really Simple SSL fixes that, but that’s not what I’m getting at.

WordPress uses this to decide if is_ssl() is true or not. If is_ssl() is true, core functions like home_url(), admin_url(), etc. will start returning https URLs. On multisite this applies to domains from other blogs in the network as well. This is fine… unless you are visiting blog A on https, and looking at a link to blog B which is on http. WordPress now thinks: is_ssl() is true, so the URL for site B will be returned as an https link! If you don’t have an SSL certificate on site B, this can be a serious issue.

To fix this, we have created two filters (as of 2.3.10), which check if a blog is on http or https, and return the site url or admin url with the corresponding protocol.

But… in some edge cases when:

  • You have a blog or the main blog, or at least the back-end, redirected to https
  • The site_url of the current site is http, not https
  • Really Simple SSL is not enabled yet (otherwise site_url would be https)

Then the following happens: WordPress is redirected to https, but Really Simple SSL sees the URL is not on https, so it forces the URL back to http. Broken CSS styling is the result. Enabling SSL on that site fixes it, but it might cause some stress.

To fix this, we have adjusted the admin filter so it won’t force the URL back to http if the URL that is requested is for the current blog id. Now Really Simple SSL won’t redirect back to http when the admin is loaded over https.
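
The per-blog scheme decision described above, including the current-blog exception from 2.5.24, as an added example; it is not Really Simple SSL's own code. The function name `example_scheme_for_admin_url` and the `example.test` URLs are assumptions made for illustration.

```php
<?php
// Added example, not Really Simple SSL's own code. Names are hypothetical.

/**
 * Pick the scheme for an admin URL that core built from is_ssl().
 *
 * @param string $url             URL as generated by WordPress core.
 * @param string $stored_siteurl  siteurl option saved for the target blog.
 * @param bool   $is_current_blog True when the URL belongs to the blog being served.
 */
function example_scheme_for_admin_url(string $url, string $stored_siteurl, bool $is_current_blog): string
{
    // Current-blog exception: if the admin is already loaded over https,
    // forcing its own URLs back to http is what broke the styling.
    if ($is_current_blog) {
        return $url;
    }
    // Other blogs: follow the scheme stored for that blog, so a visit to
    // blog A over https does not produce https links to an http-only blog B.
    $scheme = (stripos($stored_siteurl, 'https://') === 0) ? 'https' : 'http';
    return preg_replace('#^https?://#i', $scheme . '://', $url) ?? $url;
}

if (function_exists('add_filter') && is_multisite()) {
    // Inside WordPress multisite: hook the core admin_url filter.
    add_filter('admin_url', function ($url, $path, $blog_id) {
        $current = get_current_blog_id();
        $target  = $blog_id ? (int) $blog_id : $current; // null means the current site
        $siteurl = (string) get_blog_option($target, 'siteurl');
        return example_scheme_for_admin_url($url, $siteurl, $target === $current);
    }, 20, 3);
} else {
    // Outside WordPress: constructed cases, all requested while is_ssl() is true.
    $cases = [
        // current blog, siteurl still http (the edge case from this release)
        ['https://example.test/wp-admin/', 'http://example.test', true],
        // other blog without a certificate
        ['https://example.test/blogb/wp-admin/', 'http://example.test/blogb', false],
        // other blog already on https
        ['https://example.test/blogc/wp-admin/', 'https://example.test/blogc', false],
    ];
    foreach ($cases as [$url, $siteurl, $is_current]) {
        echo example_scheme_for_admin_url($url, $siteurl, $is_current), PHP_EOL;
    }
}
```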
