Mixed content break my SSL

Hope this issue can be fixed in Wordfence! Waiting for your reply, thanks!

You can reproduce the issue on Firefox, by navigate on https://www.MarcoBorla.IT and click on Accesso LogIn button in the right side of the page. WordPress Widget

The issue is not visible in Chrome or in Edge

wordfence_logHuman is the issue this load http URL and not https url if website have no SSL enabled. URL should start with // so if there are http will be http and if is https will be https.

Where I can report a BUG issue like this one? Is here the right place?

Hi,

Sorry for the delayed response. This issue is caused by the option to only require HTTPS on some pages in WooCommerce. Our script is loaded by the same protocol as the page (https, if the page is https), but it gets redirected back visit back to plain http, since it’s not one of the pages where HTTPS is forced.

You can prevent the issue for now, by turning off “Enable Live Traffic View” near the top of the Wordfence options page — this stops the script from being loaded. (Some of the Live Traffic features will still work while this is enabled.) This script is affected while other .js files aren’t, because this one is processed through WordPress as part of the live traffic feature, instead of just being a plain .js file that the web server could read directly.

Alternately, if the site were set up to use HTTPS throughout the whole site, it should prevent the issue as well, since the script request won’t be redirected to plain http.

This will be changed to avoid the problem in an upcoming version (reference number FB965), but I don’t have a date for when that will be yet.

-Matt R

Hi, thanks for the reply.
I do not want disable live traffic function, I hope this bug can be fixed maybe not next year.
I don’t use WooCommerce.

The behaviour is only present in the login page.

Ok. I haven’t heard of it happening only on the login page before, and without using WooCommerce. Do you use another plugin, define()s in wp-config.php, or custom .htaccess code, that forces HTTPS only on the login page?

-Matt R

Yes Matt, on https://www.marcoborla.it I need no HTTPS and I need HTTPS only in login page … and only Firefox alert me of mixed content.

If I use development tools of Firefox I AM able to see the not https string is a wordfence string.

I post a screenshot so you can see. Please if you need details of the plug in used let me where share this info in private. Thanks.

https://postimg.org/image/lw1o0ybzn/

Thank you, I’ve added the details of this to the internal case referenced above. I don’t have an estimate for when this will be changed, but this input helps since the solution will have to be different to correct the issue in both plugins.

-Matt R

Thank you for the feedback. I will keep monitoring this as I have issue: https://github.com/PeopleInside/ServerStatusMB/issues/3

Not nice have no secure padlock ?? hope the update will not take too long, is not urgent but not nice cannot have secure login. Login is secure but not well showed by the browser as Firefox alert of mixed content ??

Hope this issue can be resolved.
PadLock warning on the log in page

https://www.marcoborla.it/wp-web/wp-login.php?redirect_to=https%3A%2F%2Fwww.marcoborla.it%2Fwp-web%2Fwp-admin%2Findex.php&reauth=1

In Firefox

This issue is still present.
Please can you provide a manual FIX?

Hi,
this problem still present and I cannot have a secure padlock. Please fix IT.

I can also vouch for having the same exact issue… also, how about adding a note for the link which describes why one would want to disable this? At least until you can figure out a better workaround.