Add ssl-insecure plugin. #47

blog/watch-tips/wp-content/plugins/ssl-insecure-content-fixer/is_ssl-test.php

@@ -0,0 +1,65 @@
+<?php
+// attempt to diagnose why SSL cannot be detected by WordPress
+
+/**
+* a copy if the is_ssl() function from WordPress, wp-includes/functions.php
+*/
+function is_ssl() {
+	if ( isset($_SERVER['HTTPS']) ) {
+		if ( 'on' == strtolower($_SERVER['HTTPS']) )
+			return true;
+		if ( '1' == $_SERVER['HTTPS'] )
+			return true;
+	} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
+		return true;
+	}
+	return false;
+}
+?>
+<!DOCTYPE html>
+<html lang="en-au">
+<head>
+<meta charset="utf-8" />
+<title>SSL Insecure Content Fixer - is_ssl() test</title>
+</head>
+
+<body>
+	<h1>SSL Insecure Content Fixer - is_ssl() test</h1>
+
+	<p>This page checks to see whether WordPress can even test for SSL. If it can't, something else needs fixing.</p>
+
+	<p>is_ssl() says: <strong><?php echo is_ssl() ? 'yes, SSL detected' : 'no, SSL not detected' ?></strong></p>
+
+	<?php if (!is_ssl()): ?>
+		<?php if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'): ?>
+		<p><strong>Your server is behind a load balancer or reverse proxy.</strong></p>
+		<p>Please add the following code to your wp-config.php file, above the require_once:</p>
+		<pre>
+if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
+    $_SERVER['HTTPS']='on';
+		</pre>
+		<?php else: ?>
+		<p><strong>Your server may be behind a load balancer or reverse proxy.</strong></p>
+		<p>Please ask your web hosting provider why your website can't detect SSL, and show them this article:</p>
+		<p><a href="http://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/">WordPress is_ssl() doesn’t work behind some load balancers</a></p>
+		<?php endif; ?>
+	<?php endif; ?>
+
+<?php
+$msg = "This page wasn't loaded via SSL (HTTPS).
+Attempt to reload with SSL?
+(if this message shows again, something is forcing your browser to load the page via HTTP)";
+?>
+<script>
+if (document.location.protocol != "https:") {
+	var msg = <?php echo json_encode($msg); ?>;
+	if (confirm(msg)) {
+	    document.location = document.URL.replace(/^http:/i, "https:");
+	}
+}
+</script>
+
+</body>
+
+</html>
+

blog/watch-tips/wp-content/plugins/ssl-insecure-content-fixer/readme.txt

@@ -0,0 +1,116 @@
+=== SSL Insecure Content Fixer ===
+Contributors: webaware
+Plugin Name: SSL Insecure Content Fixer
+Plugin URI: http://snippets.webaware.com.au/wordpress-plugins/ssl-insecure-content-fixer/
+Author URI: http://www.webaware.com.au/
+Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FNFKTWZPRJDQE
+Tags: ssl, https, insecure content, partially encrypted, mixed content
+Requires at least: 3.2.1
+Tested up to: 4.2
+Stable tag: 1.8.0
+License: GPLv2 or later
+License URI: http://www.gnu.org/licenses/gpl-2.0.html
+
+Fix some common problems with insecure content on pages using SSL
+
+== Description ==
+
+Fix some common problems with insecure content on pages using SSL. Mostly, the fixes are CSS and JavaScript links that don't use SSL. The plugin originally used the method described in [this blog post](http://snippets.webaware.com.au/snippets/cleaning-up-wordpress-plugin-script-and-stylesheet-loads-over-ssl/), but now uses WordPress filters where possible.
+
+It is very lightweight, so it doesn't impact on performance, but that also means it doesn't catch everything. Some fixes need a bigger hammer, like the [WordPress HTTPS](http://wordpress.org/plugins/wordpress-https/) plugin. If your problem is small, a small solution like this one might fit better.
+
+**Current fixes:**
+
+* scripts that are registered using `wp_register_script()` or `wp_enqueue_script()`
+* stylesheets that are registered using `wp_register_style()` or `wp_enqueue_style()`
+* images and other media loaded by calling `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc.
+* data returned from `wp_upload_dir()` (e.g. for some CAPTCHA images)
+* the stylesheet loaded by the [list-category-posts-with-pagination](http://wordpress.org/plugins/list-category-posts-with-pagination) plugin
+* images loaded by the [image-widget](http://wordpress.org/plugins/image-widget/) plugin
+
+I'll be adding other fixes as I find simple solutions for them. The better solution is to get errant plugins fixed by their authors, but until they do, let me know about them and I'll attempt to add fixes.
+
+== Installation ==
+
+1. Either install automatically through the WordPress admin, or download the .zip file, unzip to a folder, and upload the folder to your /wp-content/plugins/ directory. Read [Installing Plugins](http://codex.wordpress.org/Managing_Plugins#Installing_Plugins) in the WordPress Codex for details.
+2. Activate the plugin through the 'Plugins' menu in WordPress.
+
+If your browser still reports insecure/mixed content, have a read of the [FAQ](http://wordpress.org/plugins/ssl-insecure-content-fixer/faq/). If that doesn't help, tell me the URL of the problem page in [the support forum](http://wordpress.org/support/plugin/ssl-insecure-content-fixer).
+
+== Frequently Asked Questions ==
+
+= How do I tell what is causing the insecure content / mixed content warnings? =
+
+Look in your web browser's error console.
+
+* Google Chrome has a [JavaScript Console](https://developers.google.com/chrome-developer-tools/docs/console) in its developer tools
+* FireFox has the [Web Console](https://developer.mozilla.org/en-US/docs/Tools/Web_Console) or [Firebug](http://getfirebug.com/)
+* Internet Explorer has the [F12 Tools Console](http://msdn.microsoft.com/en-us/library/ie/gg589500%28v=vs.85%29.aspx)
+* Safari has the [Error Console](https://developer.apple.com/library/safari/documentation/AppleApplications/Conceptual/Safari_Developer_Guide/Introduction/Introduction.html)
+
+NB: after you open your browser's console, refresh your page so that it tries to load the insecure content again and logs warnings to the error console.
+
+= I get "insecure content" warnings from some of my content =
+
+You are probably loading content (such as images) with a URL that starts with "http:". Take that bit away, but leave the slashes, e.g. `//www.example.com/image.png`; your browser will load the content, using SSL when your page uses it.
+
+= My website is behind a load balancer or reverse proxy =
+
+If your website is behind a load balancer or other reverse proxy, and WordPress doesn't know when SSL is being used, this plugin won't help. See my blog post, [WordPress is_ssl() doesn’t work behind some load balancers](http://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/), for some details. This plugin has a link to test whether is_ssl() is working, which you can find in the Tools menu in your WordPress admin. You might be able to fix it by adding this to your wp-config.php file:
+
+`// Amazon AWS Elastic Load Balancer, CloudFlare, and some others
+if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
+    $_SERVER['HTTPS']='on';`
+
+For websites hosted by Network Solutions, try downloading [this gist](https://gist.github.com/webaware/4688802) and saving it into your plugins folder, then enable the plugin "Force SSL URL Scheme".
+
+= I get warnings about basic WordPress scripts like jquery.js =
+
+You are probably behind a reverse proxy -- see the FAQ above about load balancers / reverse proxies, and run the is_ssl() test from the WordPress admin Tools menu.
+
+= I still get "insecure content" warnings on my secure page =
+
+Post about it to [the support forum](http://wordpress.org/support/plugin/ssl-insecure-content-fixer), and be sure to include a link to the page. Posts without working links will be ignored.
+
+= You listed my plugin, but I've fixed it =
+
+Great! Tell me which plugin is yours and how to check for your new version, and I'll drop the "fix" from my next release.
+
+== Changelog ==
+
+= 1.8.0 [2014-02-02] =
+* changed: use script/style source filters instead of iterating over script/style dependency objects
+* changed: only handle links for `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc. on front end (i.e. not in admin)
+* changed: refactor for code simplification
+* added: fix data returned from `wp_upload_dir()` (fixes Contact Form 7 CAPTCHA images)
+* added: Tools menu link to `is_ssl()` test
+
+= 1.7.1 [2013-03-13] =
+* fixed: is_ssl() test checks to ensure test page was actually loaded via SSL
+
+= 1.7.0 [2013-03-13] =
+* added: simple test to see whether [is_ssl()](http://codex.wordpress.org/Function_Reference/is_ssl) is working, and try to diagnose when it isn't
+
+= 1.6.0 [2013-01-05] =
+* added: handle images and other media loaded by calling `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc.
+
+= 1.5.0 [2012-11-09] =
+* added: handle properly enqueued admin stylesheets for admin over SSL
+
+= 1.4.1 [2012-09-21] =
+* fixed: handle uppercase links properly (i.e. HTTP://)
+
+= 1.4.0 [2012-09-13] =
+* added: fix for images loaded by [image-widget](http://wordpress.org/plugins/image-widget/)
+
+= 1.3.0 [2012-07-22] =
+* removed: fix for links-shortcode (fixed in v1.3)
+
+= 1.2.0 [2012-07-21] =
+* removed: fix for youtube-feeder (fixed in v2.0.0); NB: v2.0.0 of that plugin still loads Youtube videos over http, so you will still get insecure content errors on pages with embedded videos until plugin author applies a fix.
+
+= 1.1.0 [2012-05-17] =
+* added: fix for youtube-feeder stylesheet
+
+= 1.0.0 [2012-04-19] =
+* initial release

blog/watch-tips/wp-content/plugins/ssl-insecure-content-fixer/ssl-insecure-content-fixer.php

@@ -0,0 +1,135 @@
+<?php
+/*
+Plugin Name: SSL Insecure Content Fixer
+Plugin URI: http://snippets.webaware.com.au/wordpress-plugins/ssl-insecure-content-fixer/
+Description: Fix some common problems with insecure content on pages using SSL
+Version: 1.8.0
+Author: WebAware
+Author URI: http://www.webaware.com.au/
+*/
+
+/*
+copyright (c) 2012-2014 WebAware Pty Ltd (email : [email protected])
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+*/
+
+if (!defined('SSLFIX_PLUGIN_ROOT')) {
+	define('SSLFIX_PLUGIN_ROOT', dirname(__FILE__) . '/');
+	define('SSLFIX_PLUGIN_NAME', basename(dirname(__FILE__)) . '/' . basename(__FILE__));
+}
+
+class SSLInsecureContentFixer {
+
+	/**
+	* hook WordPress to handle script and style fixes
+	*/
+	public static function run() {
+		add_filter('plugin_row_meta', array(__CLASS__, 'pluginDetailsLinks'), 10, 2);
+		add_action('admin_menu', array(__CLASS__, 'adminMenu'));
+
+		if (is_ssl()) {
+			// filter script and stylesheet links
+			add_filter('script_loader_src', array(__CLASS__, 'fixURL'));
+			add_filter('style_loader_src', array(__CLASS__, 'fixURL'));
+
+			// filter uploads dir so that plugins using it to determine upload URL also work
+			add_filter('upload_dir', array(__CLASS__, 'uploadDir'));
+
+			// filter image links on front end e.g. in calls to wp_get_attachment_image(), wp_get_attachment_image_src(), etc.
+			if (!is_admin()) {
+				add_filter('wp_get_attachment_url', array(__CLASS__, 'fixURL'), 100);
+			}
+
+			// filter plugin Image Widget old-style image links
+			add_filter('image_widget_image_url', array(__CLASS__, 'fixURL'));
+
+			// handle some specific plugins
+			add_action('wp_print_styles', array(__CLASS__, 'stylesFix'), 100);
+		}
+	}
+
+	/**
+	* add plugin details links on plugins page
+	*/
+	public static function pluginDetailsLinks($links, $file) {
+		if ($file == SSLFIX_PLUGIN_NAME) {
+			$testURL = self::fixURL(plugins_url('is_ssl-test.php', __FILE__));
+			$links[] = sprintf('<a href="%s" target="_blank">%s</a>', $testURL, __('Test is_ssl()', 'ssl-insecure-content-fixer'));
+			$links[] = '<a href="http://wordpress.org/support/plugin/ssl-insecure-content-fixer">' . __('Get help', 'ssl-insecure-content-fixer') . '</a>';
+			$links[] = '<a href="http://wordpress.org/plugins/ssl-insecure-content-fixer/">' . __('Rating', 'ssl-insecure-content-fixer') . '</a>';
+			$links[] = '<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=FNFKTWZPRJDQE">' . __('Donate', 'ssl-insecure-content-fixer') . '</a>';
+		}
+
+		return $links;
+	}
+
+	/**
+	* add our admin menu items
+	*/
+	public static function adminMenu() {
+		// add external link to Tools area
+		global $submenu;
+		if (current_user_can('manage_options')) {
+			$testURL = self::fixURL(plugins_url('is_ssl-test.php', __FILE__));
+			$submenu['tools.php'][] = array(
+				__('Test is_ssl()', 'ssl-insecure-content-fixer'),		// label
+				'manage_options',										// permissions
+				$testURL,												// URL
+			);
+		}
+	}
+
+	/**
+	* force specific plugins to load styles with SSL
+	*/
+	public static function stylesFix() {
+		// force list-category-posts-with-pagination plugin to load its CSS with SSL (it doesn't use wp_enqueue_style)
+		if (function_exists('admin_register_head') && is_dir(WP_PLUGIN_DIR . '/list-category-posts-with-pagination')) {
+			remove_action('wp_head', 'admin_register_head');
+			$url = plugins_url('pagination.css', 'list-category-posts-with-pagination/x');
+			wp_enqueue_style('lcpwp', $url);
+		}
+	}
+
+	/**
+	* replace http: URL with https: URL
+	* @param string $url
+	* @return string
+	*/
+	public static function fixURL($url) {
+		// only fix if source URL starts with http://
+		if (stripos($url, 'http://') === 0) {
+			$url = 'https' . substr($url, 4);
+		}
+
+		return $url;
+	}
+
+	/**
+	* filter uploads dir so that plugins using it to determine upload URL also work
+	* @param array $uploads
+	* @return array
+	*/
+	public static function uploadDir($uploads) {
+		$uploads['url'] = self::fixURL($uploads['url']);
+		$uploads['baseurl'] = self::fixURL($uploads['baseurl']);
+
+		return $uploads;
+	}
+
+}
+
+SSLInsecureContentFixer::run();