Posts tagged “ssl”

WordPress is_ssl() doesn’t work behind some load balancers

WordPress has a function is_ssl() that it uses to check whether a page is loaded with the HTTPS protocol, so that it can use the same protocol to load scripts, stylesheets, and other assets. It relies on the web server giving it a couple of clues, but when your website is hosted behind a load balancer, those clues aren't always available. In particular, websites hosted by Network Solutions get no clues at all when pages are loaded over HTTPS.

Stop turning off CURLOPT_SSL_VERIFYPEER and fix your PHP config

As Pádraic Brady points out in a recent article about PHP security, there's a whole lot of misinformation about how to deal with the error "SSL certificate problem, verify that the CA cert is OK" from curl. Nearly everyone advises that you turn CURLOPT_SSL_VERIFYPEER off (in fact, countless comments on the PHP manual page for curl_setopt tell you this). This is bad, because it allows your nice, encrypted stream of confidential data to be silently highjacked by a bad guy. Don't do that! Instead, just fix your PHP installation so that it doesn't get that error.

Cleaning up WordPress plugin script and stylesheet loads over SSL

It's quite common to use WordPress as the host for an online shop, and that often means having an order page that needs to be encrypted via SSL. You don't want your customers providing credit card details or other sensitive information over an unencrypted connection! But many WordPress plugins don't take SSL into account, and merrily load scripts and stylesheets without encryption. Here's a couple of ways to fix this problem.