swmkii

@fierevere
Thank you so much for that confirmation. So running on older databases in these cases are more just a liability issue when it comes to security?

@jarnovos
Yes that’s correct. But I’ve seen the mixed content also affect the Elementor editor and it’s only being triggered by images (last seen yesterday).

The wp-config file does unfortunately not contain any hard coded https:// either. You can probably see why this confused me by the minute.

I’ve also had Mixed content fixer - back-end applied since way back. But today I tried to apply the Mixed content fixed init-hook as well just to humor myself, even though it’s supposed to be for front-end use.

This seems to have redeemed the issues for some reason, for now at least. I haven’t seen the mixed content warning on the wp-admin login page on any of my browsers. Hopefully this will somehow also extend to any other pages back/front-end.

So I guess the most annoying part is solved!

Regarding this error log
AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
Is the “traffic-advice” not supposed to be in there?
This also appeared today
[redacted].cc [Thu Jul 27 01:45:50.522440 2023] [core:info] [pid 31418:tid 139893082564352] [client 138.199.60.183:46034] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/pki-validation/cloud.php


Thanks!

• This reply was modified 1 year, 3 months ago by swmkii.
• This reply was modified 1 year, 3 months ago by swmkii.

Hello @jarnovos,
Thank you kindly for assisting me with these questions.

Settings > General
WordPress URL
https://[redacted].cc
Site URL
https://[redacted].cc

1. Favicon uploaded with correct dimensions & filetype & new filename.
2. Cache cleared with WP-Rocket & browser cache flushed to the bone.
3. Really Simple SSL installed (settings listed up top)
4. I don’t have access to directly write to the root of my site – since I’m not yet comfortable using SSH I guess this is a problem. So I haven’t been able to put a favicon directly in the root to then manually load through a code snippet as shown in the site you linked.


Regarding .htaccess rules, there are two:

#1
Located right after “#BEGIN WP Rocket v3.14.2.1” at the top:
#Begin Really Simple SSL Redirect
<IfModule mod_rewrite.c>
RewriteEngine on RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/ RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
<IfModule>
#End Really Simple SSL Redirect

#2
Located closer to the bottom:
#BEGIN Really Simple SSL LETS ENCRYPT
RewriteRule ^.well-known/(.*)$ - [L]
#ENDReally Simple SSL LETS ENCRYPT

• This reply was modified 1 year, 4 months ago by swmkii.

I’ve read around some and understood that there is a possibility that this ‘unsecure’ might only happen locally for me for some reason while not for others? I’ve really tried to get it working but I just can’t seem to figure out why the favicon is set to go over “http” rather than “https” in the site headers.

Something else that I’ve seen in the log that should be connected to RSSSL, is this how it’s supposed to be? If not, how can it be fixed? I’ve seen the folder and the .htaccess has a line for it.

[redacted].cc [Sun Jul 23 09:17:53.647219 2023] [core:info] [pid 27993:tid 139893132920576] [client 74.125.208.102:52890] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
[redacted].cc [Sun Jul 23 14:50:04.256397 2023] [core:info] [pid 11210:tid 139893141313280] [client 74.125.208.104:38800] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
[redacted].cc [Sun Jul 23 17:06:00.070582 2023] [core:info] [pid 47394:tid 139893200062208] [client 74.125.208.102:11680] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice

Apologies for all these beginner questions.

• This reply was modified 1 year, 4 months ago by swmkii.

I “undid” the process. As in removed the top most line beneath <?php from wp-config.php and added back the three lines into .htaccess.

The mixed content (page is not secure) seems to be a constant on the login page though.

Microsoft Edge (this time)
Mixed Content: The page at 'https://[redacted]/wp-login.php?redirect_to=https%3A%2F%2F[redacted]%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure favicon 'https://[redacted]/wp-content/uploads/2020/02/cropped-output-onlinepngtools-1-2-32x32.png'. This content should also be served over HTTPS.

• This reply was modified 1 year, 4 months ago by swmkii.

@rogierlankhorst

Thanks a lot!

I’ve enabled .htaccess redirect however I took the “read instructions first” and did the changes that were only supposed to be done if the redirect results in a loop. (edited .htaccess & wp-config.php) I read it several times "you need to know how to remove it just in case" and still went through with it. I must be tired.

I can simply remove / add back the lines again, but is it harmful leaving it as it is – or are these changes undoing the whole process?

The /wp-admin login page is still showing up as “not secure”, at least in Firefox. (parts of this webiste is not secure such as images)

Best Regards,

• This reply was modified 1 year, 4 months ago by swmkii.

@wfpeter
That’s great information. Thank you!
With your help I have now completely removed Wordfence, database – login security and all; and can soon begin to reinstall it with the company account.

Are there any other plugins or functionality within them if activated that could in any way clash with Wordfence for future reference?
– Really Simple SSL
– Jetpack (deactivated)
– Redirection
– WP Rocket

Recommendation
Is there a scenario where it’s better to install and update plugins before installing Wordfence and activating the self learning protocol or does it not matter?

Asking because I’m currently using WP Staging to make duplicates of our site to test plugin updates and such. We don’t have the premium version so it’s using our current database.

Best Regards,

First of all; thanks a lot @wfpeter for giving me some depth and insight to the situation!

I guess the developer at the other host could have told us about this but chose not to, so now I have to clean up their mess as well. They were the ones who installed Wordfence for upkeep. I’ve looked around for the wordfence_waf.php which normally should be in the root but it’s nowhere to be found, also searched wide for it but it’s not on the file server.
There’s nothing in the .htaccess pointing to the file neither, no mention of Wordfence (not sure if it should be specifically in writing?).

The host dev did mention that they were still (before deactivation at least) getting reports to the e-mail which was used to install Wordfence and as such recommended the “easiest method:” remove / uninstall it and re-install it if I want to keep using it.

Even if I reactivate Wordfence and run the wizard, would it make me able to reassign the installation to another e-mail?
My gut tells me “no” since the initial installation is done by first registering at wordfence.com and input the URL which it’s supposed to be installed so the user can monitor / edit some settings via wordfence/central as well. But I’d rather like to be mistaken.

• This reply was modified 1 year, 4 months ago by swmkii.
• This reply was modified 1 year, 4 months ago by swmkii.
• This reply was modified 1 year, 4 months ago by swmkii.

@beautyofcode

Hello and thank you for replying.
I’ve sent an extensive support message to you as this issue seems to have started to affect more things in the back-end than just being a deprecated message. It seems as if it’s started to affect product creation as well.
It’s sent from the same e-mail & username as I have here.

Please note that the account I’m asking for help from isn’t the same which our WooCommerce installation is on – as I do not have access to the e-mail which was used with the setup of the site. I’d really appreciate if you could somehow also see what e-mail that site has been registered to so that I can request the person to sign over the account to me.

I’m a member of the WooCommerce Slack community and I was told to send a message through the proper channels even though I don’t have the right account. I hope you take this seriously!

Please take a look.

Best Regards,

• This reply was modified 1 year, 4 months ago by swmkii.
• This reply was modified 1 year, 4 months ago by swmkii.

@timwhitlock
Well, that was easy! Thanks a LOT!!
Being thrown into the sole admin role as well as photographer and graphic designer is no simple feat. So much to take care of and not enough time to do it in.

Huge thanks to you @rogierlankhorst

@rogierlankhorst
Thank you so much!

You are right, the file doesn’t exist in the site root directory.
It’s always scary when you encounter an unknown error. Hopefully this won’t happen again soon. I updated WooCommerce as well today and that error didn’t display at that point.

• This reply was modified 1 year, 5 months ago by swmkii.