Mixed content and expired session issues with SSL and wp-admin

I am developing a site that has an SSL certificate. I've activated wp-admin being conducted over https (using define('FORCE_SSL_ADMIN', true); in wp-config.php).

It's created a lot of issues using wp-admin.

1) Whilst doing things in wp-admin I'll regularly get a message saying the session has expired. As far as I can tell, this mostly happens when jumping from one admin page (url) to another page (url).

2) In Chrome I'll often see a little silver shield in the address bar indicating there are "unsafe scripts" the page is trying to load. I have to then manually tell it to load those scripts (I gather these are scripts wp-admin is trying to load over http, rather than https).

3) Some pages load fine with full HTTPS support (no mixed content) and the EV greenbar, etc. But other pages (in admin) will generate mixed content errors. It seems to be that when switching from a URL with mixed content errors over to one with no such errors (or vice versa) this is when the session expiration issues occur (not 100% sure about that, but certainly looks that way).

On the front end I used whynopadlock.com to show me which resources were loading over HTTP when using HTTPS, and fixed them (it was simply images in posts, etc.). But since wp-admin requires one to log in, I don't have that option available.

I have two questions:

Q1) Is there a recommended way to get wp-admin to work correctly over SSL?

Q2) What's a recommended way to troubleshoot why wp-admin over SSL is so unstable? (meaning it works on some admin pages, breaks on others, and causes session expiration on others).

Thank you,

Jonathan


WordPress's system uses shared scripts and resources between Backend and FrontEnd. You should not use SSL only for WP-ADMIN. It will create many kinds of unforeseen complications. You can also find the HTTP links by viewing the page source and searching for the string http://

The best practice is to move the entire site into HTTPS.

  • Make sure WP-Admin/Settings screen is set to https:// for both site links (WordPress Address and Site Address field)

Optional:

If you really want a fast performing HTTPS site, make use of Autoptimize, WP Fastest Cache and CloudFlare together. Then, use WP-Optimize to tackle all the database overhead.


Another way to fix this is to enable wp_debug, as it will get you into the WP Admin area, and then you can install the Really Simple SSL Plugin and activate it. This will help with any mixed-content or session expired warning you're getting on your WordPress website.


You must check all the files you load within the admin pages (including files loaded from plugins); they should be loaded over HTTPS. WordPress takes care of the files it loads itself, but it doesn't control whether you or your plugins load resources over HTTP; you must fix it.

To find the resources loaded over HTTP you can use the Console log of Chrome or Firefox developer tools.

Also, there are some instances of wp-admin that load resources from the front end. For example, the customizer is in the admin side but the preview is an iframe of the front end. If you have SSL only on admin, you can end up with troubles.

The best thing you can do is to use HTTPS in the entire site. It will be more stable, your users will love it and search engines will love it.
