Samuel Elh Blog

WordPress, bbPress, BuddyPress, JavaScript tutorials and snippets

Allow/disallow user registration for email TLD

In this quick tutorial we will learn about allowing or disallowing WordPress user registration from custom TLDs and domain extensions for the user provided email.

You can either choose a set of TLDs and domain extensions to only limit and restrict registration to, or add a list of TLDs to prevent while processing user registration filtering the errors.

There is already Restrict User Registration free WordPress plugin which “Allows you to restrict registration for custom usernames, email addresses and custom email service providers”. This can be handy for denying registrations from specific email addresses or even email domains, so it is useful for this purpose.

Allowing registrations from custom TLDs:

In the following code, make sure to specify the extensions you want user registration to be restricted to, and place them into the array:

$allowed_tlds = array( "be", "nl" ); // allowing Belgium and Netherlands emails

Now as long as my email address is from a BE or NL email service provider site, then I am able to register.

Disallowing registrations from custom TLDs:

This process instead will deny registering users with specific TLDs while leaving the rest allowed. To use this, just add few extensions into the following array in follows-code.

$forbidden_tlds = array();

The code:

After you make your necessary edits, place this code into your child theme’s functions file, or with a custom plugin:

/**
* Plugin Name: Restrict mail TLD registration
* Plugin URI:  http://samelh.com
* Description: Allow/disallow user registration for email TLD
* Author:      Samuel Elh
* Author URI:  http://samelh.com
* Version:     0.1
*/

function se__verify_tld( $email ) {

	/* enter the TLDs to allow into following array, e.g array( "be", "nl", "cr" ) in lowercase */
	$allowed_tlds = array( "be", "nl" ); // allowing Belgium and Netherlands emails

	/* OR, enter few TLDs to prevent (forbidden) in lowercase */
	$forbidden_tlds = array();

	if ( empty( $email ) ) return false;
	$tld = strtolower( substr( $email, strpos( $email, '.' )+1 ) );
	if ( empty( $tld ) ) return true; // no tld caught, trigger error
	else $tld = strtolower( $tld );
	
	if ( !empty( $forbidden_tlds ) ) {
		if ( in_array($tld, $forbidden_tlds) ) {
			return true;
		}
	}

	else if ( !in_array($tld, $allowed_tlds) ) {
		return true;
	}

	return false;

}

add_filter( 'registration_errors', function( $errors, $user_login, $user_email ) {

	if ( se__verify_tld( $user_email ) ) {
		$errors->add( "tld_exception", "Sorry, you can not sign up with emails from this TLD" );
	}

    return $errors;

}, 10, 3 );

preview - Allowdisallow user registration for email TLD

Link to Github gist (downloadable plugin)

bbPress favorites total count by user ID

In this quick tip, we will try to get the total bbPress favorites made for all topics by a specific user, counting total favorites received on every topic this user has posted on the forums.

As if you don’t know, there’s this function bbp_get_topic_favoriters( int $post_ID ) that you can call to get an array of users who have favorite’d this topic we are specifying its POST ID in the first param. That is what we will use to count total bbPress favorites on all topics as we query topics by user ID who is the author of these topics.

We will use WordPress API get_posts to list all topics of the user we’re after.

function se_bbp_total_favorites_by_user( $user_id ) {
	$args = array( 'post_type' => array('topic'), 'author' => $user_id, 'posts_per_page' => -1 );
	$posts = get_posts( $args );
	$count = 0;

	if ( !empty( $posts ) ) {
		foreach ( $posts as $post ) {
			$count += count( bbp_get_topic_favoriters( $post->ID ) );
		}
	}

	return (int) $count;
}

Good, now simply call se_bbp_total_favorites_by_user( 1 ) with the user ID instead of 1 and it should be working perfect.

Caching bbPress favorites:

Please note that you should not always make query to the posts while you can do it in the first time and cache data for a later use with custom expiration interval. Caching is always the best tool out there to minimize the load time, and reduce memory and server ressource usage, and because this is simple enough, let’s just use WordPress transients for non-persistent caching, and set the timeout to a week or 2 days (DAY_IN_SECONDS * 2) or just flush every time a topic gets favorited (I don’t know how to hook into this, guess you’ll have to look into the core files for a custom hook)

Getting All Favorited Topics By User:

I have looked around the usermeta table in PMA of a local install, and I found out that all topics favorites by a user are saved in a custom user meta with the name of wp__bbp_favorites, saved in a comma-separated format. This can be used to list all topics that this user has favorited, as we’ll just look for that meta, explode the commas and we’re all set with the topics IDs.

function se_bbp_favorites_by_user( $user_id ) {
	$meta = get_user_meta( $user_id, "wp__bbp_favorites", 1 );
	if ( $meta ) {
		$meta = explode( ",", $meta );
		$meta = array_filter( $meta );
		if ( !empty( $meta ) ) {
			foreach ( $meta as $i => $topic_id ) {
				$meta[$i] = (int) $topic_id;
				/*
				* you might want to check if this post exists
				* or instead of attaching post ID only, make it post data
				* as $meta[$i] = get_post( $topic_id );
				*/
			}
		}
	} else return array();
	return $meta;
}

For this one, no need to worry about the caching (as long as you keep it simple as is) because by default, WordPress caches the user meta and loads it in memory; the cache will automatically be flushed when the user meta is updated (cool stuff right? WordPress!)

Disable XML-RPC (xmlrpc.php) in WordPress

As the titles states, this quick tutorial will help you disable access to XML-RPC in WordPress, mainly the xmlrpc.php core WordPress file.

If you have looked at some online tutorials and you were not successful to achieving the ban, then basically this tutorial will listen on init hook of WordPress fired upon WordPress initialization (before anything), and check if the current page is xmlrpc.php. If so, emulate an 403 Forbidden error and exit.

The code:

This code should be added to your child theme’s functions file, or through a custom plugin:

add_action("init", function() { 
	global $pagenow; // get current page
	if ( !empty($pagenow) && "xmlrpc.php" === $pagenow ) {
		header("HTTP/1.1 403 Forbidden" ); // Produce 403 error
		exit; // exit request
	} return;
});

blocking xmlrpc wordpress before and after

bbPress Messages – Send automatic welcome messages to new users

bbPress Messages – customizing and extending

Send automatic greeting and welcome messages to new users

In this quick tutorial we are going to talk about how to enable custom messages sent automatically to new user upon a successful registration on our WordPress blog or website.

Required plugins

For this process, you’re going to need:

  • bbPress, the parent plugin of bbPress Messages, for powering forums and communities
  • bbPress Messages: PRO ( v. 0.2.4 or greater), or lite ( v. 0.2.3 or greater ).

That’s all, and no, no BuddyPress is needed or involved.

Extending user registration system

We will be hooking into user_register, which provides us with a user ID for the currently registered user, which we will use to email the user a greeting and welcoming custom message of our own.

Make sure to provide a sender ID, and this is totally required, for the sake of simplicity I made it 1, which will be the first user on your blog and the admin. To find our your user ID, go to users, find your account, and click edit. Now in the address bar there will be something like ?user_id=ID_HERE . That’s the ID you should insert in the sender in follows-code.

 

Using BBP_messages_message::sender method

This method will allow us to insert the message. It takes 4 parameters, 3 required and one optional:

  • $user_id: (int) the recipient which we will direct the message to.
  • $message: (string) the custom message we are sending.
  • $sender: (int) the message sender user ID, which the user will be able to reply to (if possible) later upon login.
  • $notify(bool) choose whether to notify this user by email about this message or not. It defaults to true, but you can set it to false to not email.

The coding:

Add the following code, to your child theme’s functions file or with a custom plugin, and make sure to make necessary edits such as customizing the message and inserting the message sender ID.

add_action("user_register", function( $user_id ) { 
	if ( !class_exists('BBP_messages_message') ) return; // bbPress messages is not there

	$sender = 1; // admin. Please provide a valid user ID
	$message = sprintf(
		"Greetings, %s!\n\nThis is an automated message, sent to greet and thank you for signing up for a membership on our website.\n\nSee you online,\n%s — %s.",
		get_userdata( $user_id )->display_name,
		get_userdata( $sender )->display_name,
		get_bloginfo( "name" )
	); // message format

	return BBP_messages_message::sender( $user_id, $message, $sender );
});

That’s it. Hope this tutorial helps you greet and welcome your newly registered bbPress users, and point them to use the messaging functionality or provide instructions and so forth..

If you had any issues, please post in the plugin support forum provided provided by the author.

Link WordPress comment author to BuddyPress profile

In this quick tutorial, we will filter the WordPress comment author link URL and point to BuddyPress profile of this author as long as the comment was made by a verified user of your blog.

We can hook into get_comment_author_link for filtering the comment author link, and to get the BuddyPress profile link of a given user, you can use

bp_core_get_user_domain( $user_id )

for this purpose for which you specify a user ID in the first parameter.

The code:

Add the following code to your child theme’s functions file or with a custom plugin:

add_filter('get_comment_author_link', function( $link ) {

	if ( !function_exists('bp_core_get_user_domain') )
		return $link;

    global $comment;
    
    if ( !empty( $comment->user_id ) && !empty( get_userdata( $comment->user_id )->ID ) ) {

   		$link = sprintf(
   			'<a href="%s" rel="external nofollow" class="url">%s</a>',
   			bp_core_get_user_domain( $comment->user_id ),
   			strip_tags( $link )
   		);

    }

    return $link;
});

To make the avatar clickable as well, see how to add Link to WordPress Comment Avatar

Link WordPress comment author to bbPress profile

In this quick tutorial, we will filter the WordPress comment author link URL and point to bbPress profile of this author as long as the comment was made by a verified user of your blog.

We can hook into get_comment_author_link for filtering the comment author link, and to get the bbPress profile link of a given user, you can use

bbp_user_profile_url( $user_id )

for this purpose for which you specify a user ID in the first parameter.

The code:

Add the following code to your child theme’s functions file or with a custom plugin:

add_filter('get_comment_author_link', function( $link ) {

	if ( !function_exists('bbp_user_profile_url') )
		return $link;

    global $comment;
    
    if ( !empty( $comment->user_id ) && !empty( get_userdata( $comment->user_id )->ID ) ) {

   		$link = sprintf(
   			'<a href="%s" rel="external nofollow" class="url">%s</a>',
   			bbp_get_user_profile_url( $comment->user_id ),
   			strip_tags( $link )
   		);

    }

    return $link;
});

To make the avatar clickable as well, see how to add Link to WordPress Comment Avatar

Add Link to WordPress Comment Avatar

In this quick snippet of coding tutorial, we learn about adding an anchor link to WordPress comment avatar.

Link WordPress Comment Avatar

By default, if a user has left a comment on your WordPress blog through a post comment form, they can specify a link to their website, which will be assigned as anchor to the name they specified and displayed within the comments loop, and WordPress does not make this link added to the avatars.

Filtering get_avatar:

Simple work-around for achieving this is by filtering entire get_avatar output, which we will concentrate to apply this only when the queried avatar (gravatar) is used for comments, and this can be achieved by checking the second parameter provided while hooking into get_avatar, if it is a comment identifier, while it can be a user ID, email address or something else.

The coding:

Add the following code to your child theme’s functions file or with a custom plugin:

/**
  * PHP < 5.3 ? use a custom function instead of the anonymous callback
  */

add_filter('get_avatar', function( $avatar, $indent ) {

	/**
	  * check if the current queried avatar is for comments
	  */

	if ( !empty( $indent->comment_ID ) ) { // now that's a comment avatar

		/**
		  * Check if the comment poster has left a link
		  * You can link somewhere else regardless of link availability
		  * by commenting out the if statement lines and specifying a $url
		  * in the sprintf 2nd param, e.g link to bbPress, BuddyPress, author
		  * archives, etc..
		  */

		if ( "" < ( $url = get_comment_author_url( $indent->comment_ID ) ) ) {
			$avatar = sprintf(
	   			'<a href="%s" rel="external nofollow" class="url">%s</a>',
	   			$url,
	   			$avatar
			);
		}

	}

	return $avatar;

}, 10, 2);

That should make the avatar clickable in the comments section and ONLY if the comment author has left and specified a URL in the website comment form field while submitting.

Filter avatar link:

You can link to something else, such as bbPress profile

bbp_get_user_profile_url( $ident->user_id )

or BuddyPress profile

bp_core_get_user_domain( $ident->user_id )

or even to the author archives of this user ( and to know if the comment author is a verified registered user, just check if $ident->user_id is not empty ):

get_author_posts_url( $ident->user_id )

This should always work as long as you’re pulling the comment avatar by the comment ID in your comments output callback function, that if you are overriding the default WordPress’s comments callback.

An effective way of preventing spam registration with JavaScript – WordPress

As I am writing this blog post about preventing spam registration on wordPress, many weblogs out there are getting tons of new accounts registered which belong to robots and are totally untolerated spam.

Preventing Spam Registration on WordPress

There are so many ways out there, free and paid, which would help you knock off spam registration on your WordPress blog or website. One of them is CleanTalk, I love this one as it has a great database of malware checks (blacklist) and many online ready tools to verify a user before it successfully signs up.

But for me, I always prefer not to add another plugin to the load, so if it was to coding a little snippet of script that would help then that would be super. So hopefully this could help out preventing spam registration somehow.

Preventing Spam Registration – JavaScript

As many of you know, or as if you don’t know, spam bots (robots) actually run microsystems that do not have JavaScript running. This means that no DOM JavaScript is available for bots, so we will use this point to add a required (but hidden) field into the user registration form that will work with WordPress nonces too (cool, right?) which will be verified with wp_verify_nonce() function..

Every time the registration screen is requested, the form field for spam check will be added on window load, and it will be required to process the registration.

Important notice – if you are on an environment where your users prefer not to enable JavaScript, then do not use this process OR, notify your users to enable JavaScript in order to register and then switch back to disabled JS mode.

Once the field was not added, the request will be killed with a simple error message:

WordPress are you spamming go back - preventing spam registration

Are you spamming?

Or possibly if you don’t want to kill the request but show a warning message notice instead, comment out wp_die function and remove the comments for $errors->add method usage in the script code; inside se_nospam_register_validate callback function, and this would appear:

bad guy spotted spam registration wordpress - preventing spam registration

Cool! now where can I get the plugin? (no plugin, just some small snippet of non commented code) ; read on.

Preventing Spam Registration on WordPress: The code

You can use the following code to be added to your child theme’s functions file, or download the plugin from Github gist:

<?php
/**
  * Plugin Name: No Spam Registration with JavaScript
  * Plugin URI:  http://blog.samelh.com
  * Description: Prevents spam registration on your WordPress blog/website by adding a necessary form field with JavaScript on document load
  * Author:      Samuel Elh
  * Author URI:  http://samelh.com
  * Version:     0.1
  */
add_action('register_form', 'se_nospam_register_append_input');
add_action('register_post', 'se_nospam_register_validate', 10, 3);
if ( !function_exists('se_nospam_register_append_input') ) :;
function se_nospam_register_append_input()
{
?>
	<script type="text/javascript" id="se_nospam_inline_js">
		window.onload = function() { // it's all about this JS, once JS is loaded, the spamcheck field will be available..
			var e = document.getElementById('se_nospam_inline_js');
			if ( null !== e ) {
				e.outerHTML = '<input id="process-register" type="hidden" name="process-register" value="<?php echo wp_create_nonce( 'se-nospam-register' ); ?>" />';
			} return;
		}
	</script>
<?php
}
endif;
if ( !function_exists('se_nospam_register_validate') ) :;
function se_nospam_register_validate( $login, $email, $errors )
{
	$die_message = apply_filters( "se_nospam_register_error", "Are you spamming?<br/><br/> <a href=\"javascript: window.history.go(-1);\">&laquo; Go back</a>" );
    if( !isset($_POST['process-register']) ) {
    	wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    }
    else if( empty($_POST['process-register']) )
    {
    	wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    }
    else if(!wp_verify_nonce($_POST['process-register'], 'se-nospam-register'))
    {
    	wp_die( $die_message );
        // or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
    }
    return $errors;
}
endif;

Cool! if preventing spam registration on WordPress with this custom trick has worked for you, then that’s what matters! Yay!! Personally it helped me a lot on my product support forums website where I have bbPress installed for the forums functionality.

Preventing Spam Registration on WordPress: After

Saying that it was helpful to preventing spam registration, there should be more to do after this, right? I mean like, capturing the prevented spam registration attempts and saving some count to the database so you can see a log of how many spam bots were blocked; something like adding this code:

update_option( $name = "se_how_many_spam", ( (int) get_option( $name ) ) + 1 );

That to be added right before each wp_die in the code, And then calling

get_option( "se_how_many_spam" );

to tell how much spam was denied. Also you might want to capture the user IP to block them or something, as long as possible, saying that spam can never be tolerated. (beware, bots will call you agressive then)

Note that this can also be effective on embedded forms like registration forms added with widgets or shortcodes, as the form field for spam check will be added with JavaScript there too.

That is it for this tutorial and I am hoping this helps you as it helped me and if there is any improvements or suggestions and ideas to implement, please feel free to discuss in below comments.

Thank you!

Simple and secure php password hashing and verification system

As I am writing this post, there happens to be dozens of online tutorials that are still basing their password hashing process on weaker technologies and tools. The widely known one is md5, a reportedly no-longer secure password hashing system available in almost every programming language.

Plain text passwords (no password hashing done)

Some people are lazy and dumb enough to save their inputted passwords as is, into their database as plain text! This is totally bad and horrible! I mean, let’s assume some hacker has gained access to your database (that only means this person can read the data or delete it), as this person lists the users table, they can access raw and plain text passwords and use them to login easily and quickly so as to access more tools and actions limited to admins (saying that as assuming they can’t do nothing hacking into our database except reading raw data). Or even save again a new password and use it later.

Just thinking about it sucks. But if you were to hash your passwords with a strong password hashing system then, they can not revert these passwords, or even if they replace them with plain text, then your password verification will also be negative and keep the bad guys locked out.

md5 is insecure

Yes, if you were hashing your user input passwords with this tool and store into the database users table, that is dangerous and and a bad practice. For its salting and cryptography that is probably static, it is being reverted and reportedly many people have succeeded to do that.

Even though it is insecure, it can be used for hashing strings for minor uses, example when dealing with a quick project that does not require much security. MD5 is used to hash email addresses to get a Gravatar image URL based on the user email, you can test that out.

Using a PHP built-in password hashing system

As if you haven’t heard yet, PHP password_* functions are introduced as of PHP 5 (>= 5.5.0), and available also on PHP’s latest; 7.

The hashing function introduced uses a strong algorithm therefore it’s making it impossible to revert the hash into the plain text password. This is a great security practice to base your project on, especially when creating a social network with PHP where uses are able to register new accounts, reset passwords and so forth.

For earlier PHP versions ( < 5.5 ):

Thanks to ircmaxell’s hard work, you can use password_* functions while you can’t get to PHP 5.5 at least (I know, sometimes to do an upgrade you need to set tight and fix a lot); simple download this package from Github:

https://github.com/ircmaxell/password_compat

And so load the package:

require_once 'password_compat/lib/password.php';

And now you can use those functions and even access useful documentation in the project’s Github page.

Assuming you have the functions in use, let’s carry on with the simple process.

password_hash() function

It is always easy and flexible coding with PHP, from the documentaion you can use:

password_hash( password_from_input_as_plain_text, PASSWORD_DEFAULT )

And here’s an example:

password_hash( 'samuel', PASSWORD_DEFAULT )

Assuming your password field in the form is tagged with the name password:

$password = password_hash( $_POST['password'], PASSWORD_DEFAULT )

Now it is perfect to save into your database users table (wait, saving? let’s not bring that SQL injection talk, be a nice and use PDO’s prepared statements. )

I am just dumping the return of the hash, but it is changing each time even though the plain text password is the same and that is because of the randomly-generated salt used for cryptography.

$2y$10$.HRdBcQBdCSJ0fW60x.MR.v4s6TePvv35p/YxGLlBo0c67n8KcX0.

So let’s say you now feel a little secure, and that you have one more step ahead which is verifying the user inputted password to detect if it matches the one on the database which is hashed, or if not. That’s what you will be using in your login forms, assuming you are at first place searching for a user by its username, email or ID and then move on to verify the password inputted to process and log in this user and then set the PHP session and so..

We’re now taking advantage of PHP’s password_verify() function, which takes 2 parameters one for the plain text and the other for the hash.

Verifying input password with hashed password from the database:

As mentioned earlier, we’re after the boolean returned by password_verify() function. And for it we need to pass the plain text password (as inputted in the form by the user) with the hashed password from the database:

$log_in_verify = password_verify( 'samuel', '$2y$10$.HRdBcQBdCSJ0fW60x.MR.v4s6TePvv35p/YxGLlBo0c67n8KcX0.' )

And $log_in_verify will either return true or false (boolean).

if ( $log_in_verify ) { 
  // Welcome, user!
  // do things in terms of cookie setting and session etc to login this user
} else {
  // You're not welcome, anonymous!
  // alert them that somehow they're not the right guy!
}

Once true, then, don’t worry much and proceed with logging in your user, if it was false then warn the user that they submitted a wrong password, or give them extra more shots and lock them away if they are still insisting to consume your server ressources and bandwidth in order to try silly attempts. Oops, to much aggressive? sometimes you should, especially when you are on a shared hosting and your hosting provided yells at you all the time.

Making a social site that needs more traffic and server ressources? try deploying a VPS on the cloud with Digital Ocean, it’s the most recommended, and I am comfortable with it hosting my applications websites. (Note: referral link for extra bonus)

That’s it!

Yep, feeling like it is. Go out there and make the web a secure place by securing your projects, and sharing secure ways as if you were to help someone with their own project.

How to force SSL on WordPress

So you want to force SSL on WordPress for your  blog or website and you had trouble with some (if not all) requests still being served in HTTP? that’s a common issue, which can be fixed with no such trouble. Or something else?

How to force SSL on WordPress

How to force SSL on WordPress: Some free SSL certificates providers

There are so many free SSL certificates providers which you can use for your WordPress, on top of them finally Let’s Encrypt was introduced, and there’s also CloudFlare if you are already using it for DNS or want to further try it, then it offers free SSL on all plans, but it reportedly does not work on outdated operating systems like Windows XP, earlier Android versions..

How to force SSL on WordPress: the process

Anyways, the first thing to do is to change that HTTP to HTTPS in our URL settings (Dashboard>Settings>General):

force SSL on WordPress - change http to https WordPress

Doing so would probably be followed with a login redirect which after you should be able to browse the site on HTTPS.

Right after, we will always make requests from http:// redirect to https://, and there are 2 ways of doing this, I recommend using both:

Through htaccess:

Adding these 2 lines to your .htaccess file located in the root directory of your WordPress installation (You’ll need to login to ftp or using CPanel file manager):

RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=302,L]

Through functions.php file:

This will catch the http traffic and points right to a secure path of the current request URI. Simply we detect if

$_SERVER['REQUEST_SCHEME']

property is not ‘https’ string, and then we redirect:

add_action("init", function() { 
	if ( "https" !== $_SERVER['REQUEST_SCHEME'] ) {
		wp_redirect( "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] );
		exit;
	}
}, 0);

Great! that should be handy. Now let’s browse our site, try on http and it should redirect back to https. Now, let’s check how green the https lock in the address bar is.

force SSL on WordPress - https green sign

How to force SSL on WordPress: The green lock

Green? cool. Not so green, then you’re in trouble, no, just some minor fixes required.

When it is not green, that means that still, your current page is serving assets and scripts (1 at least) from http. And if you just open a static file in https (e.g an uploaded photo), the sign should be green because there’s nothing loaded in http.

Broken scripts, stylesheets, assets, and so? no worries, a lots of work to do is ahead.

There are some plugins and themes that are hard-coding the scripts enqueing process, so they always load their assets on http:// and you need to change that to https. Contact them for a fix.

Right after that, you are also required to look into your page source code, and see which scripts are loaded from http (by pressing ctrl+f in the developer tools, and search for http://yoursite..)

Media attachements:

While adding the media attachements to your posts while in http (earlier), those stick to http and they are a reason the site says something as “this page is not secure”. You’ll need to edit these posts or pages and update these included attachements, simple as clicking to edit each attachement in the TINYMCE editor, and then update and the new included file URL should be now secure. Now update your posts and visit, and the result should be in your favor.

I also suspect that you can edit these media from the media screen in the admin, and there should be a tweak (hook) also to update these URLs without this whole process as you force SSL on WordPress..

Until you finally succeed to make everything be called on HTTPS, that green lock would be there with you as you browse. While not, you should always look through the developer console and search for which file was loaded on http protocol and switch back to the secure protocol. Links on http do not matter, but assets do (e.g img src, script src, stylesheet href)..

Thanks for reading! and good luck securing every inch of that site!

Reference:

« Older posts

© 2016 Samuel Elh - Powered by WordPress, DigitalOcean & NameCheap

Theme by Anders NorenUp ↑

Subscribe to our mailing list

Sign up to receive updates about WordPress, free and premium plugins and themes in general and tips and tricks

* indicates required