Wordpress Install - Page is trying to load unsafe script
-
I followed the install how-to on Mangolassi using wp-cli on Fedora 27 and managed to get Wordpress installed as a subdirectory on my main site. The main site is behind Nginx with proper SSL certs and that's been working beautifully. Problem is that when I go to the blog subfolder, I get this "Page is trying to load unsafe script" error which is breaking SSL. If I allow the unsafe script, Wordpress looks normal but site shows with broken SSL.
This is what I have if I don't allow the unsafe scripts to run:
This is the Nginx conf file:
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name domain.com www.domain.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
    add_header X-Frame-Options "SAMEORIGIN";
    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    proxy_cookie_path / "/; secure; HttpOnly";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.85;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
This is the Apache conf file:
<VirtualHost *:80>
    ServerAdmin [email protected]
    <Directory /var/www/html/domain.com>
        Require all granted
        AllowOverride All
        Options -Indexes
    </Directory>
    DocumentRoot /var/www/html/domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    ErrorLog /var/log/httpd/domain.com.error.log
    CustomLog /var/log/access.log combined
</VirtualHost>
Any ideas why the unsafe script error only happens with the Wordpress install? When I access the regular site, no broken SSL, everything looks good, but Wordpress breaks SSL. I'm at a loss.
-
Open the site up in FF, right click on the page, click View Page Info... then in the Media tab, look for any media not using https.
-
WP is a bitch about this when running behind a proxy.
-
Thanks @Tim_G that shows this...
http://domain.com/blog/wp-content/themes/twentyseventeen/assets/images/header.jpg
Wonder why that image would be served via http even though the site redirects all http to https.
-
When I "inspect element" with Chrome, I see these issues:
Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure script 'http://domain.com/blog/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure script 'http://domain.com/blog/wp-content/plugins/better-wp-security/core/modules/strong-passwords/js/script.js?ver=4087'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure stylesheet 'http://domain.com/blog/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://domain.com/blog/wp-login.php'. This endpoint should be made available over a secure connection.
Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure stylesheet 'http://domain.com/blog/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
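The console messages above separate requests the browser blocked (scripts, stylesheets) from ones it only warned about (the form target). An added example, not part of the original post, that scans a page's HTML for the same kind of http:// references; the scanner names and the sample markup are constructed for illustration from URLs quoted in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCKED, WARNED = "blocked", "warned"  # refused by the browser vs. loaded with a warning

class MixedContentScanner(HTMLParser):
    """Collect http:// references made by a page that was served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe"):
            self._check(BLOCKED, tag, a.get("src"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check(BLOCKED, tag, a.get("href"))
        elif tag in ("img", "audio", "video", "source"):
            self._check(WARNED, tag, a.get("src"))
        elif tag == "form":
            self._check(WARNED, tag, a.get("action"))

    def _check(self, severity, tag, ref):
        # Resolve relative references against the page URL before judging the scheme
        url = urljoin(self.page_url, ref or "")
        if ref and urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an https page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample (not a real capture), modelled on the login page errors above.
SAMPLE = """<link rel="stylesheet" href="http://domain.com/blog/wp-admin/load-styles.php?c=1">
<link rel="canonical" href="http://domain.com/blog/">
<script src="http://domain.com/blog/wp-admin/load-scripts.php?c=1"></script>
<script src="/blog/wp-includes/js/jquery/jquery.js"></script>
<img src="http://domain.com/blog/wp-content/themes/twentyseventeen/assets/images/header.jpg">
<form action="http://domain.com/blog/wp-login.php" method="post"></form>"""

if __name__ == "__main__":
    for finding in scan("https://domain.com/blog/wp-login.php", SAMPLE):
        print(*finding)
```

The canonical link and the root-relative script are not reported: the first is not fetched as a subresource, the second inherits https from the page.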
-
Also, in your WP settings page, verify these are "https":
-
Try adding this to the bottom of wp-config.php:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
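The wp-config.php check above reads the X-Forwarded-Proto request header, so it only takes effect when the proxy in front sends it; the Nginx location posted at the top of the thread sets X-Real-IP, X-Forwarded-For and Host but not that header. An added check (not from the thread; the function name and sample config are illustrative) that flags TLS server blocks proxying to an http:// backend without it:

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def tls_proxies_missing_proto(conf):
    """Targets proxied over http:// from TLS server blocks without X-Forwarded-Proto."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' in quotes)
    root = {"kind": "", "ssl": False, "hdrs": None, "passes": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            stack.append({"kind": words[0] if words else "", "ssl": False,
                          "hdrs": None, "passes": []})
            words = []
        elif tok == ";":
            blk = stack[-1]
            if words[:1] == ["listen"] and "ssl" in words[1:]:
                blk["ssl"] = True
            elif words[:1] == ["proxy_set_header"] and len(words) > 1:
                blk["hdrs"] = (blk["hdrs"] or set()) | {words[1].lower()}
            elif words[:1] == ["proxy_pass"] and len(words) > 1:
                blk["passes"].append({"target": words[1], "hdrs": None, "ssl": False})
            words = []
        elif tok == "}" and len(stack) > 1:
            blk = stack.pop()
            for p in blk["passes"]:
                # nginx inherits proxy_set_header only when the inner level sets none
                if p["hdrs"] is None:
                    p["hdrs"] = blk["hdrs"]
                if blk["kind"] == "server":
                    p["ssl"] = blk["ssl"]
            stack[-1]["passes"] += blk["passes"]
        else:
            words.append(tok.strip("\"'"))
    return [p["target"] for p in root["passes"] if p["ssl"] and p["target"].startswith("http://")
            and "x-forwarded-proto" not in (p["hdrs"] or set())]

# Constructed sample modelled on the proxy location in the Nginx config above.
BEFORE = """server {
  listen 443 ssl http2;
  location / {
    proxy_set_header Host $http_host;
    proxy_pass http://192.168.100.85;
  }
}"""
AFTER = BEFORE.replace("proxy_pass", "proxy_set_header X-Forwarded-Proto $scheme;\n    proxy_pass")

if __name__ == "__main__":
    print(tls_proxies_missing_proto(BEFORE), tls_proxies_missing_proto(AFTER))
```

Because a location that sets any proxy_set_header stops inheriting the server-level ones, the header has to sit at the same level as the other proxy_set_header lines.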
-
@tim_g said in Wordpress Install - Page is trying to load unsafe script:
Also, in your WP settings page, verify these are "https":
If I do this, unfortunately, I can't get to the blog or admin pages. I get an error stating too many redirects.
-
I just looked again, and saw this as being blocked (but shows a green lock because FF is automatically blocking it):
-
@tim_g said in Wordpress Install - Page is trying to load unsafe script:
Try adding this to the bottom of wp-config.php:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
Added this but no change. Still getting the error. Looks like there is JavaScript being served via http instead of https.
-
@tim_g said in Wordpress Install - Page is trying to load unsafe script:
I just looked again, and saw this as being blocked (but shows a green lock because FF is automatically blocking it):
Yeah I changed the theme to sixteen to see if that changed anything but still getting mixed content warnings.
-
I think because my URLs on the Settings tab are still showing HTTP instead of HTTPS, the scripts are being served up via HTTP. But if I change the URLs to HTTPS, browser errors out with too many redirects.
-
@nashbrydges said in Wordpress Install - Page is trying to load unsafe script:
@tim_g said in Wordpress Install - Page is trying to load unsafe script:
Try adding this to the bottom of wp-config.php:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
Added this but no change. Still getting the error. Looks like there is JavaScript being served via http instead of https.
Did you use this without the URLs set to https on the main settings page?
-
@tim_g I added the code lines to the bottom of wp-config.php as well as set both fields in Settings to https.
Doesn't work. Get a too many redirects error.
-
@nashbrydges said in Wordpress Install - Page is trying to load unsafe script:
@tim_g I added the code lines to the bottom of wp-config.php as well as set both fields in Settings to https.
Doesn't work. Get a too many redirects error.
Try the code without the urls changed
-
I used a plugin to fix ssl last time I had to do this.
No idea what the plugin was anymore.
-
@jaredbusch said in Wordpress Install - Page is trying to load unsafe script:
I used a plugin to fix ssl last time I had to do this.
No idea what the plugin was anymore.
This one?
https://wordpress.org/plugins/ssl-insecure-content-fixer/
-
Force SSL Plugin
https://wordpress.org/plugins/wp-force-ssl/
Administrator over SSL
https://codex.wordpress.org/Administration_Over_SSL
-
@tim_g said in Wordpress Install - Page is trying to load unsafe script:
@jaredbusch said in Wordpress Install - Page is trying to load unsafe script:
I used a plugin to fix ssl last time I had to do this.
No idea what the plugin was anymore.
This one?
https://wordpress.org/plugins/ssl-insecure-content-fixer/
Either this one or
-
@black3dynamite said in Wordpress Install - Page is trying to load unsafe script:
Force SSL Plugin
https://wordpress.org/plugins/wp-force-ssl/
This one