Category: Tech

Fixing Insecure Content

For the past few weeks, I’ve been suffering from what is called “insecure” or “mixed content” issues on my WordPress multisite network, which I’m hosting over at WP Engine. The goal has been to use the new free Flexible SSL from CloudFlare on a number of sites in my multisite, but leaving three of those sites as Full a as designated in CloudFlare, because I purchased a 3-domain certificate from Commodo, through my domain name registrar, NameCheap.

Somehow, someway, something did a search and replace across my entire multisite and changed the domain from the origin domain to “netmix-co.netmix.co.” The network’s primary site is netmix.co, but I don’t use it for anything. After contacting WP Engine, they pointed out the issue with the URLs rewriting. I’m not sure if it was one of the insecure content plugins that are freely downloadable or JetPack’s Photon service, because not only was I in JavaScript console rewritten primary URLs for post content and images, I was also seeing URls from wp.com, which after turning off JetPack, those URLs disappeared – despite being served over https anyway.

It was a very strange situation, but after doing a search and replace on post and post meta in my databases, I was able to fix all my URLs and content. There was one more thing I didn’t know. An old plugin called Bad Behavior I used to use has an “http headers” table. There I found some of my domains in the multisite with a ton of incorrect URLs rewritten in the http headers table. I decided to fix those with a search and replace across all sites with the issue of rewritten URLs and that ended up clearing more JavaScript console errors.

While I’ve done all of this…I’m still not seeing my free, Flexible SSL locks on the site in the network that are SSL enabled at CloudFlare. I’m not sure if it’s going to take 24-hours to possibly resolve all those mixed content errors, which will finally unshackle me from a plain grey file looking icon up there in the URL bar of some sites in my network (not this one, as this one has a paid cert from Commodo).