HTTPS detection

WordPress is normally pretty good at detecting when your pages are loaded over HTTPS. It needs to know so that it can load other resources like scripts and stylesheets over HTTPS too.

Sometimes WordPress can’t tell. Most often this is because of your website configuration. To improve performance or security, some websites operate behind a reverse proxy, which handles the HTTPS traffic for your website and passes requests back to WordPress via HTTP. Here’s some common configurations that do this:

  • Amazon AWS load balancing
  • Azure ARR
  • NginX + Apache
  • NginX + php-fpm
  • transparent CDN like Cloudflare or CloudFront

The settings page in SSL Insecure Content Fixer allows you to select the appropriate method of detecting HTTPS to suit your website configuration. Because you might not know which one to pick, the settings page takes a peek at your website and recommends the best setting. Here’s what it looks like:

settings for HTTPS detection
settings for HTTPS detection

Sometimes your website just doesn’t give enough information, and that’s what “unable to detect HTTPS” means. If you get that as your recommended setting, run the SSL Tests page from the Tools menu. It will show some information about your server environment that might help find a way to detect HTTPS. If there really is no way, that’s OK — you can make your whole website run on HTTPS and SSL Insecure Content Fixer will detect that instead, and run its fixes.

NB: WordPress Multisite installations only offer the SSL Tests page to super admins.