WordPress HTTPS (SSL) - Version 2.0

Version Description

  • Full support for using a custom SSL port has been added. A special thanks to Chris "doingweb" Antes for his feedback and testing of this feature.
  • Forcing pages to/from HTTPS is now pluggable using the 'force_ssl' filter.
  • When using Force Shared SSL Admin, links to the admin panel will always be rewritten with the Shared SSL Host.
  • When using Shared SSL, all links to posts and pages from within the admin panel will use the Shared SSL Host to retain administration functionality on those pages.
  • Redirects to the admin panel now hook into wp_redirect rather than using the auth_redirect pluggable function.
  • Canonical redirects will now still occur on sites using a different SSL Host, but not on secure pages.
  • Cookies are now set with hooks rather than pluggable functions.
  • Plugin will now delete all options and custom metadata when uninstalled.
  • Added an HTTP_X_FORWARDED_PROTO check to the is_ssl function.
  • Internal HTTPS Elements option has been removed. Disabling this option was never a good idea, so it was removed and the plugin will always act as it did when this option was enabled.
  • External HTTPS Elements option has been removed. The handling of external elements has improved in such a way that this option is no longer required.
  • Disable Automatic HTTPS option has been removed. This option should have generally been enabled anyway.
  • Bug Fix - After logging in, the logged_in cookie was not being set properly. This caused the admin bar to not show up in both HTTP and HTTPS.
  • Bug Fix - When using Shared SSL, the login page would not honor the redirect_to variable after a successful login.

Release Info

Developer Mvied
Plugin WordPress HTTPS (SSL)
Version 2.0

Code changes from version 1.9.2 to 2.0

css/admin.css CHANGED
@@ -1,20 +1,3 @@
1
- div#message-wrap {
2
- position: fixed;
3
- bottom: 50%;
4
- left: 50%;
5
- margin-left: -25%;
6
- width: 50%;
7
- z-index: 10;
8
- text-align: center;
9
- }
10
-
11
- div#message {
12
- margin: 15px 0 0 0;
13
- }
14
- div#message p {
15
- line-height: 100%;
16
- }
17
-
18
  div#wphttps-main div#post-body {
19
  overflow: hidden;
20
  }
@@ -26,11 +9,19 @@ form#wordpress-https {
26
  form#wordpress-https h3 {
27
  margin-bottom: .5em;
28
  }
29
- form#wordpress-https fieldset {
30
- margin-bottom: 20px;
 
 
 
31
  }
32
- form#wordpress-https fieldset p {
33
- margin: 2px 0 5px 0;
 
 
 
 
 
34
  }
35
 
36
  div#wphttps-sidebar {
@@ -43,6 +34,11 @@ div#wphttps-sidebar div.wphttps-widget {
43
  margin: 0 auto 20px auto;
44
  width: 285px;
45
  }
 
 
 
 
 
46
  div.wphttps-widget-content {
47
  background: #F1F1F1;
48
  padding: 5px 20px;
@@ -68,7 +64,23 @@ div.wphttps-widget h3 {
68
  -moz-border-radius-topleft:8px;
69
  -moz-border-radius-topright:8px;
70
  color: #FFF;
71
- text-shadow:0 -1px 0 #3F3F3F;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
72
  }
73
 
74
  div.wphttps-widget#wphttps-updates img#updates-loading {
@@ -76,24 +88,70 @@ div.wphttps-widget#wphttps-updates img#updates-loading {
76
  margin: 1em auto;
77
  }
78
 
79
- div.wphttps-widget#wphttps-donate form {
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
80
  text-align: center;
81
  }
82
 
83
- img.waiting {
 
 
 
 
 
 
 
84
  display: none;
85
  }
86
- img#submit-waiting {
 
 
 
 
87
  vertical-align: middle;
88
  margin-left: 5px;
89
  }
90
 
91
- p.description {
92
- color: #666;
93
- font-size: 12px;
94
- font-style: italic;
 
 
 
 
 
 
 
95
  }
96
 
97
- input#wordpress-https_sharedssl_host {
98
- width: 350px;
 
 
 
 
99
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
  div#wphttps-main div#post-body {
2
  overflow: hidden;
3
  }
9
  form#wordpress-https h3 {
10
  margin-bottom: .5em;
11
  }
12
+ form#wordpress-https input[type="text"] {
13
+ margin: -5px 0 0 0;
14
+ }
15
+ form#wordpress-https input[type="checkbox"] {
16
+ margin: 0;
17
  }
18
+ form#wordpress-https table tr td,
19
+ form#wordpress-https table tr th {
20
+ line-height: 1em;
21
+ padding: 10px;
22
+ }
23
+ form#wordpress-https table tr td {
24
+ padding: 10px 0 0 0;
25
  }
26
 
27
  div#wphttps-sidebar {
34
  margin: 0 auto 20px auto;
35
  width: 285px;
36
  }
37
+
38
+ div.wphttps-widget h3 {
39
+ cursor: auto !important;
40
+ }
41
+
42
  div.wphttps-widget-content {
43
  background: #F1F1F1;
44
  padding: 5px 20px;
64
  -moz-border-radius-topleft:8px;
65
  -moz-border-radius-topright:8px;
66
  color: #FFF;
67
+ text-shadow: 0 -1px 0 #3F3F3F;
68
+ }
69
+
70
+ div.wphttps-widget#wphttps-warnings h3 {
71
+ background: url(images/widget-title-red.png) repeat-x;
72
+ border-color: #7B4A4A;
73
+ text-shadow: 0 -1px 0 #4E2F2F;
74
+ }
75
+ div.wphttps-widget#wphttps-warnings div.wphttps-widget-content {
76
+ border-color: #E5D4D4;
77
+ background-color: #F4EDED;
78
+ color: #3F2626;
79
+ word-wrap: break-word;
80
+ }
81
+
82
+ div.wphttps-widget#wphttps-warnings .warning-help {
83
+ background: url(images/help.png) no-repeat 50% 50%;
84
  }
85
 
86
  div.wphttps-widget#wphttps-updates img#updates-loading {
88
  margin: 1em auto;
89
  }
90
 
91
+ div.wphttps-widget#wphttps-donate a#wphttps-donate-link {
92
+ display: block;
93
+ margin: 0 auto 10px auto;
94
+ width: 74px;
95
+ height: 21px;
96
+ }
97
+
98
+ .wphttps-icon {
99
+ display: inline-block;
100
+ height: 16px;
101
+ width: 16px;
102
+ overflow: hidden;
103
+ text-indent: -1000em;
104
+ vertical-align: top;
105
+ padding: 0 3px;
106
+ cursor: pointer;
107
+ }
108
+
109
+ div.wphttps-message-wrap {
110
+ position: fixed;
111
+ bottom: 50%;
112
+ left: 50%;
113
+ margin-left: -25%;
114
+ width: 50%;
115
+ z-index: 10;
116
  text-align: center;
117
  }
118
 
119
+ div#message {
120
+ margin: 15px 0 0 0;
121
+ }
122
+ div#message p {
123
+ line-height: 100%;
124
+ }
125
+
126
+ .wphttps-warning {
127
  display: none;
128
  }
129
+
130
+ div#wphttps-main img.waiting {
131
+ display: none;
132
+ }
133
+ div#wphttps-main img#submit-waiting {
134
  vertical-align: middle;
135
  margin-left: 5px;
136
  }
137
 
138
+ #wphttps-tooltip {
139
+ position: absolute;
140
+ z-index: 3000;
141
+ border: 1px solid #DDD;
142
+ background-color: #FFF;
143
+ padding: 5px;
144
+ font-size: 13px;
145
+ max-width: 350px;
146
+ }
147
+ .wphttps-tooltip-body {
148
+ display: none;
149
  }
150
 
151
+ /* Post Edit Page */
152
+ .branch-3-2 .misc-pub-section-last {
153
+ border-bottom-width: 1px;
154
+ }
155
+ .misc-pub-section-wphttps {
156
+ border-bottom-width: 0;
157
  }
css/images/help.png ADDED
Binary file
css/images/widget-title-red.png ADDED
Binary file
js/admin.php CHANGED
@@ -25,17 +25,23 @@ jQuery(document).ready(function($) {
25
  var options = {
26
  data: { ajax: '1'},
27
  success: function(responseText, textStatus, XMLHttpRequest) {
 
28
  $('#message-body').html(responseText);
29
- // .animate is used to delay the fadeOut by 5 seconds
30
  $('#message-body').fadeIn().animate({opacity: 1.0}, 5000).fadeOut();
31
- $('#submit-waiting').hide();
32
  }
33
  };
34
 
35
  $('#wordpress-https').ajaxForm(options);
36
 
37
  $('#wphttps-updates .wphttps-widget-content').load('<?php echo parse_url($wordpress_https->plugin_url, PHP_URL_PATH); ?>/js/updates.php');
38
-
 
 
 
 
 
 
 
39
  function resize() {
40
  $('#wphttps-main').width( $('#wphttps-main').parent().width() - ($('#wphttps-sidebar').width() + 15));
41
  }
@@ -44,4 +50,14 @@ jQuery(document).ready(function($) {
44
  resize();
45
  });
46
  resize();
 
 
 
 
 
 
 
 
 
 
47
  });
25
  var options = {
26
  data: { ajax: '1'},
27
  success: function(responseText, textStatus, XMLHttpRequest) {
28
+ $('#submit-waiting').hide();
29
  $('#message-body').html(responseText);
 
30
  $('#message-body').fadeIn().animate({opacity: 1.0}, 5000).fadeOut();
 
31
  }
32
  };
33
 
34
  $('#wordpress-https').ajaxForm(options);
35
 
36
  $('#wphttps-updates .wphttps-widget-content').load('<?php echo parse_url($wordpress_https->plugin_url, PHP_URL_PATH); ?>/js/updates.php');
37
+
38
+ $.ajax({
39
+ url: '<?php echo parse_url($wordpress_https->plugin_url, PHP_URL_PATH); ?>/js/sidebar.php',
40
+ success: function(response) {
41
+ $('#wphttps-sidebar').append(response);
42
+ }
43
+ });
44
+
45
  function resize() {
46
  $('#wphttps-main').width( $('#wphttps-main').parent().width() - ($('#wphttps-sidebar').width() + 15));
47
  }
50
  resize();
51
  });
52
  resize();
53
+
54
+ $('#wphttps-warnings .warning-help').tooltip({
55
+ id: 'wphttps-tooltip',
56
+ delay: 0,
57
+ showURL: false,
58
+ positionLeft: true,
59
+ bodyHandler: function() {
60
+ return $($(this).attr("href")).html();
61
+ }
62
+ });
63
  });
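Review bot: The new `$.ajax` success handler (new lines 38-43) passes the response from js/sidebar.php straight to `$('#wphttps-sidebar').append(response)`, so whatever markup that endpoint returns, including any script elements, is parsed and run inside the logged-in admin page. Since sidebar.php in this same change relays content fetched from a remote host, I would either render the sidebar from a fixed template and insert only text with `.text()`, or filter the response against an allow-list of tags and attributes before appending it. In the second hunk, the tooltip `bodyHandler` uses the link's `href` as a jQuery selector (`$($(this).attr("href")).html()`); that is fine while the warnings markup is static, but it should be restricted to a `#id` fragment if those links can ever carry user-influenced values.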
js/jquery.tooltip.js ADDED
@@ -0,0 +1,19 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ /*
2
+ * jQuery Tooltip plugin 1.3
3
+ *
4
+ * http://bassistance.de/jquery-plugins/jquery-plugin-tooltip/
5
+ * http://docs.jquery.com/Plugins/Tooltip
6
+ *
7
+ * Copyright (c) 2006 - 2008 J�rn Zaefferer
8
+ *
9
+ * $Id: jquery.tooltip.js 5741 2008-06-21 15:22:16Z joern.zaefferer $
10
+ *
11
+ * Dual licensed under the MIT and GPL licenses:
12
+ * http://www.opensource.org/licenses/mit-license.php
13
+ * http://www.gnu.org/licenses/gpl.html
14
+ */;(function($){var helper={},current,title,tID,IE=$.browser.msie&&/MSIE\s(5\.5|6\.)/.test(navigator.userAgent),track=false;$.tooltip={blocked:false,defaults:{delay:200,fade:false,showURL:true,extraClass:"",top:15,left:15,id:"tooltip"},block:function(){$.tooltip.blocked=!$.tooltip.blocked;}};$.fn.extend({tooltip:function(settings){settings=$.extend({},$.tooltip.defaults,settings);createHelper(settings);return this.each(function(){$.data(this,"tooltip",settings);this.tOpacity=helper.parent.css("opacity");this.tooltipText=this.title;$(this).removeAttr("title");this.alt="";}).mouseover(save).mouseout(hide).click(hide);},fixPNG:IE?function(){return this.each(function(){var image=$(this).css('backgroundImage');if(image.match(/^url\(["']?(.*\.png)["']?\)$/i)){image=RegExp.$1;$(this).css({'backgroundImage':'none','filter':"progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true, sizingMethod=crop, src='"+image+"')"}).each(function(){var position=$(this).css('position');if(position!='absolute'&&position!='relative')$(this).css('position','relative');});}});}:function(){return this;},unfixPNG:IE?function(){return this.each(function(){$(this).css({'filter':'',backgroundImage:''});});}:function(){return this;},hideWhenEmpty:function(){return this.each(function(){$(this)[$(this).html()?"show":"hide"]();});},url:function(){return this.attr('href')||this.attr('src');}});function createHelper(settings){if(helper.parent)return;helper.parent=$('<div id="'+settings.id+'"><h3></h3><div class="body"></div><div class="url"></div></div>').appendTo(document.body).hide();if($.fn.bgiframe)helper.parent.bgiframe();helper.title=$('h3',helper.parent);helper.body=$('div.body',helper.parent);helper.url=$('div.url',helper.parent);}function settings(element){return $.data(element,"tooltip");}function handle(event){if(settings(this).delay)tID=setTimeout(show,settings(this).delay);else
15
+ show();track=!!settings(this).track;$(document.body).bind('mousemove',update);update(event);}function save(){if($.tooltip.blocked||this==current||(!this.tooltipText&&!settings(this).bodyHandler))return;current=this;title=this.tooltipText;if(settings(this).bodyHandler){helper.title.hide();var bodyContent=settings(this).bodyHandler.call(this);if(bodyContent.nodeType||bodyContent.jquery){helper.body.empty().append(bodyContent)}else{helper.body.html(bodyContent);}helper.body.show();}else if(settings(this).showBody){var parts=title.split(settings(this).showBody);helper.title.html(parts.shift()).show();helper.body.empty();for(var i=0,part;(part=parts[i]);i++){if(i>0)helper.body.append("<br/>");helper.body.append(part);}helper.body.hideWhenEmpty();}else{helper.title.html(title).show();helper.body.hide();}if(settings(this).showURL&&$(this).url())helper.url.html($(this).url().replace('http://','')).show();else
16
+ helper.url.hide();helper.parent.addClass(settings(this).extraClass);if(settings(this).fixPNG)helper.parent.fixPNG();handle.apply(this,arguments);}function show(){tID=null;if((!IE||!$.fn.bgiframe)&&settings(current).fade){if(helper.parent.is(":animated"))helper.parent.stop().show().fadeTo(settings(current).fade,current.tOpacity);else
17
+ helper.parent.is(':visible')?helper.parent.fadeTo(settings(current).fade,current.tOpacity):helper.parent.fadeIn(settings(current).fade);}else{helper.parent.show();}update();}function update(event){if($.tooltip.blocked)return;if(event&&event.target.tagName=="OPTION"){return;}if(!track&&helper.parent.is(":visible")){$(document.body).unbind('mousemove',update)}if(current==null){$(document.body).unbind('mousemove',update);return;}helper.parent.removeClass("viewport-right").removeClass("viewport-bottom");var left=helper.parent[0].offsetLeft;var top=helper.parent[0].offsetTop;if(event){left=event.pageX+settings(current).left;top=event.pageY+settings(current).top;var right='auto';if(settings(current).positionLeft){right=$(window).width()-left;left='auto';}helper.parent.css({left:left,right:right,top:top});}var v=viewport(),h=helper.parent[0];if(v.x+v.cx<h.offsetLeft+h.offsetWidth){left-=h.offsetWidth+20+settings(current).left;helper.parent.css({left:left+'px'}).addClass("viewport-right");}if(v.y+v.cy<h.offsetTop+h.offsetHeight){top-=h.offsetHeight+20+settings(current).top;helper.parent.css({top:top+'px'}).addClass("viewport-bottom");}}function viewport(){return{x:$(window).scrollLeft(),y:$(window).scrollTop(),cx:$(window).width(),cy:$(window).height()};}function hide(event){if($.tooltip.blocked)return;if(tID)clearTimeout(tID);current=null;var tsettings=settings(this);function complete(){helper.parent.removeClass(tsettings.extraClass).hide().css("opacity","");}if((!IE||!$.fn.bgiframe)&&tsettings.fade){if(helper.parent.is(':animated'))helper.parent.stop().fadeTo(tsettings.fade,0,complete);else
18
+ helper.parent.stop().fadeOut(tsettings.fade,complete);}else
19
+ complete();if(settings(this).fixPNG)helper.parent.unfixPNG();}})(jQuery);
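Review bot: This third-party file is committed only in minified form (everything after the license header sits on new lines 14-19), which makes it impractical to audit or to diff against upstream jQuery Tooltip 1.3. Please commit the unminified upstream source alongside it, or record exactly where this copy was downloaded from, so it can be verified. Two things to keep in mind for callers: the code reads `$.browser.msie`, which jQuery releases from 1.9 onward no longer provide, and it inserts the `bodyHandler` return value with `helper.body.html(bodyContent)`, so only trusted markup should ever be handed to it.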
js/sidebar.php ADDED
@@ -0,0 +1,24 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ require_once('../wordpress-https.php');
4
+
5
+ // Disable errors
6
+ error_reporting(0);
7
+
8
+ // Set headers
9
+ header("Status: 200");
10
+ header("HTTP/1.1 200 OK");
11
+ header('Content-Type: text/html');
12
+ header('Cache-Control: no-store, no-cache, must-revalidate');
13
+ header('Cache-Control: post-check=0, pre-check=0', FALSE);
14
+ header('Pragma: no-cache');
15
+ header("Vary: Accept-Encoding");
16
+
17
+ $url = 'http://mvied.com/wphttps-sidebar.html';
18
+
19
+ $content = WordPressHTTPS::get_file_contents($url);
20
+
21
+ if ($content) {
22
+ echo $content;
23
+ }
24
+ ?>
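Review bot: `$url = 'http://mvied.com/wphttps-sidebar.html'` (new line 17) is fetched over plain HTTP and the result is written out unmodified by `echo $content`, so anyone able to tamper with that request between the web server and mvied.com controls HTML that js/admin.php then appends to the WordPress admin page. For a plugin whose job is enforcing HTTPS, this fetch should use an `https://` URL with certificate verification, and the markup should be filtered against an allow-list before it is echoed, or the sidebar content should ship with the plugin. Also, no login or capability check is visible in this file even though it is requested directly by URL, and `error_reporting(0)` hides any failure in `WordPressHTTPS::get_file_contents`.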
js/updates.php CHANGED
@@ -1,4 +1,10 @@
1
  <?php
 
 
 
 
 
 
2
  // Set headers
3
  header("Status: 200");
4
  header("HTTP/1.1 200 OK");
@@ -8,27 +14,9 @@ header('Cache-Control: post-check=0, pre-check=0', FALSE);
8
  header('Pragma: no-cache');
9
  header("Vary: Accept-Encoding");
10
 
11
- function get_content($url) {
12
- $ch = curl_init();
13
-
14
- curl_setopt($ch, CURLOPT_URL, $url);
15
- curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
16
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
17
- curl_setopt($ch, CURLOPT_HEADER, 0);
18
- curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
19
-
20
- $result = curl_exec($ch);
21
- curl_close($ch);
22
- return $result;
23
- }
24
-
25
  $url = 'http://mvied.com/wphttps-updates.html';
26
 
27
- $content = file_get_contents($url);
28
-
29
- if (!$content) {
30
- $content = get_content($url);
31
- }
32
 
33
  if ($content) {
34
  echo $content;
1
  <?php
2
+
3
+ require_once('../wordpress-https.php');
4
+
5
+ // Disable errors
6
+ error_reporting(0);
7
+
8
  // Set headers
9
  header("Status: 200");
10
  header("HTTP/1.1 200 OK");
14
  header('Pragma: no-cache');
15
  header("Vary: Accept-Encoding");
16
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
17
  $url = 'http://mvied.com/wphttps-updates.html';
18
 
19
+ $content = WordPressHTTPS::get_file_contents($url);
 
 
 
 
20
 
21
  if ($content) {
22
  echo $content;
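Review bot: `require_once('../wordpress-https.php')` (new line 3) is resolved against the current working directory rather than this file's location, so it only works when the script is the entry point; anchoring it with `dirname(__FILE__) . '/../wordpress-https.php'` removes that dependency. The `error_reporting(0)` added at new line 6 then suppresses every later error, so a failing `WordPressHTTPS::get_file_contents($url)` yields an empty widget with nothing logged; logging the failure would be easier to support. The unchanged `$url` still points at an `http://` address, so the update notice has the same plaintext-fetch exposure as js/sidebar.php.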
readme.txt CHANGED
@@ -1,23 +1,22 @@
1
  === WordPress HTTPS (SSL) ===
2
  Contributors: Mvied
3
- Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6ZL95VTJ388HG
4
- Tags: security, encryption, ssl, shared ssl, private ssl, http, https
5
  Requires at least: 2.7.0
6
  Tested up to: 3.2.1
7
- Stable tag: 1.9.2
8
 
9
  WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites.
10
 
11
  == Description ==
12
  <ul>
13
  <li>Supports Shared and Private SSL.</li>
14
- <li>Change internal and external scripts, stylesheets and images to HTTPS if the page is being viewed via HTTPS to prevent partially encrypted errors.</li>
15
- <li>Force HTTPS on only the pages you need to be HTTPS.</li>
16
- <li>Force pages to HTTP that have not been forced to HTTPS.</li>
17
- <li>Prevent WordPress from changing all of your page, category and post links to HTTPS on HTTPS pages.</li>
18
  </ul>
19
 
20
- If you're having partially encrypted errors or other problems, please read the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/">FAQ</a>. If you're still having trouble, please <a href="http://wordpress.org/tags/wordpress-https#postform">start a support topic</a> and I will do my best to assist you.
21
 
22
  == Installation ==
23
 
@@ -26,21 +25,19 @@ If you're having partially encrypted errors or other problems, please read the <
26
 
27
  == Frequently Asked Questions ==
28
 
29
- = How do I make my whole website HTTPS? =
30
 
31
- To make your entire website HTTPS, you simply need to change your home url and site url to HTTPS instead of HTTP. Please read <a href="http://codex.wordpress.org/Changing_The_Site_URL" target="_blank">how to change the site url</a>.
32
 
33
- = How do I make only my administration panel HTTPS? =
34
 
35
- WordPress already has this process well documented. Please read <a href="http://codex.wordpress.org/Administration_Over_SSL" target="_blank">how to set up administration over SSL</a>.
36
 
37
- If you are using Shared SSL, there is an option in WordPress HTTPS to Force Shared SSL Admin.
38
 
39
- = How do I make only certain pages HTTPS? =
40
 
41
- As of version 1.5, this plugin grants that ability. Within the Publish box on the add/edit post screen, a checkbox for 'Force SSL' has been added to make this process easy. See Screenshots if you're having a hard time finding it.
42
-
43
- = How do I fix partially encrypted errors? =
44
 
45
  To identify what is causing your page(s) to be insecure, please follow the instructions below.
46
  <ol>
@@ -61,12 +58,41 @@ Any other insecure content warnings can generally be resolved by changing absolu
61
  <li>Google Maps - Loading Google maps over HTTPS requires a Google Maps API Premiere account. (<a href="http://code.google.com/apis/maps/faq.html#ssl" target="_blank">source</a>)</li>
62
  </ul>
63
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
64
  == Screenshots ==
65
  1. WordPress HTTPS Settings screen
66
  2. Force SSL checkbox added to add/edit posts screen
67
 
68
  == Changelog ==
69
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
70
  = 1.9.2 =
71
  * Added External URL caching to the plugin so that external elements will only be checked for once, increasing the speed of sites not using the Bypass External Check option.
72
  * Any forms whose action points to page that has the Forced SSL option on will be updated to HTTPS even on HTTP pages.
@@ -164,4 +190,4 @@ Fixes `PHP Warning: Invalid argument supplied for foreach()` error.
164
  = 0.3 =
165
  Version 0.3 gives you the option to change external elements to HTTPS if the external server allows the elements to be accessed via HTTPS.
166
  = 0.2 =
167
- Version 0.1 did not correctly detect HTTPS on IIS and possibly other servers. Please update to version 0.2 to fix this issue.
1
  === WordPress HTTPS (SSL) ===
2
  Contributors: Mvied
3
+ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=N9NFVADLVUR7A
4
+ Tags: security, encryption, ssl, shared ssl, private ssl, public ssl, private ssl, http, https
5
  Requires at least: 2.7.0
6
  Tested up to: 3.2.1
7
+ Stable tag: 2.0
8
 
9
  WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites.
10
 
11
  == Description ==
12
  <ul>
13
  <li>Supports Shared and Private SSL.</li>
14
+ <li>Helps reduce or completely fix partially encrypted / mixed content errors.</li>
15
+ <li>Force SSL on a per-page basis.</li>
16
+ <li>Force SSL in admin panel.</li>
 
17
  </ul>
18
 
19
+ If you're having partially encrypted/mixed content errors or other problems, please read the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/">FAQ</a>. If you're still having trouble, please <a href="http://wordpress.org/tags/wordpress-https#postform">start a support topic</a> and I will do my best to assist you.
20
 
21
  == Installation ==
22
 
25
 
26
  == Frequently Asked Questions ==
27
 
28
+ = How do I make my whole website secure? =
29
 
30
+ To make your entire website secure, you simply need to change your home url and site url to use HTTPS instead of HTTP. Please read <a href="http://codex.wordpress.org/Changing_The_Site_URL" target="_blank">how to change the site url</a>.
31
 
32
+ = How do I make only certain pages secure? =
33
 
34
+ In the Publish box on the add/edit post screen, a checkbox for 'Force SSL' has been added to make this process easy. See Screenshots if you're having a hard time finding it.
35
 
36
+ = I'm getting 404 errors on all of my pages. Why? =
37
 
38
+ If you're using a public/shared SSL, try disabling your custom permalink structure. Some public/shared SSL's have issues with WordPress' permalinks because of the way they are configured.
39
 
40
+ = How do I fix partially encrypted/mixed content errors? =
 
 
41
 
42
  To identify what is causing your page(s) to be insecure, please follow the instructions below.
43
  <ol>
58
  <li>Google Maps - Loading Google maps over HTTPS requires a Google Maps API Premiere account. (<a href="http://code.google.com/apis/maps/faq.html#ssl" target="_blank">source</a>)</li>
59
  </ul>
60
 
61
+ = Is there a hook or filter to force pages to be secure? =
62
+
63
+ Yes! Here is an example of how to use the 'force_ssl' hook to force a page to be secure.
64
+ <code>
65
+ function custom_force_ssl( $force_ssl, $post_id ) {
66
+ if ( $post_id == 5 ) {
67
+ return true
68
+ }
69
+ return $force_ssl;
70
+ }
71
+
72
+ add_filter('force_ssl' , 'custom_force_ssl', 10, 2);
73
+ </code>
74
+
75
  == Screenshots ==
76
  1. WordPress HTTPS Settings screen
77
  2. Force SSL checkbox added to add/edit posts screen
78
 
79
  == Changelog ==
80
 
81
+ = 2.0 =
82
+ * Full support for using a custom SSL port has been added. A special thanks to <a href="http://chrisdoingweb.com/">Chris "doingweb" Antes</a> for his feedback and testing of this feature.
83
+ * Forcing pages to/from HTTPS is now pluggable using the 'force_ssl' filter.
84
+ * When using Force Shared SSL Admin, links to the admin panel will always be rewritten with the Shared SSL Host.
85
+ * When using Shared SSL, all links to post and pages from within the admin panel will use the Shared SSL Host to retain administration functionality on those pages.
86
+ * Redirects to the admin panel now hook into wp_redirect rather than using the auth_redirect pluggable function.
87
+ * Canonical redirects will now still occur on sites usinga different SSL Host, but not on secure pages.
88
+ * Cookies are now set with hooks rather than pluggable functions.
89
+ * Plugin will now delete all options and custom metadata when uninstalled.
90
+ * Added a HTTP_X_FORWARDED_PROTO check to the is_ssl function.
91
+ * Internal HTTPS Elements option has been removed. Disabling this option was never a good idea, so it was removed and the plugin will always act as it did when this option was enabled.
92
+ * External HTTPS Elements option has been removed. The handling of external elements has improved in such a way that this option is no longer required.
93
+ * Disable Automatic HTTPS option has been removed. This option should have generally been enabled anyway.
94
+ * Bug Fix - After logging in, the logged_in cookie was not being set properly. This caused the admin bar to not show up in both HTTP and HTTPS.
95
+ * Bug Fix - When using Shared SSL, the login page would not honor the redirect_to variable after a successful login.
96
  = 1.9.2 =
97
  * Added External URL caching to the plugin so that external elements will only be checked for once, increasing the speed of sites not using the Bypass External Check option.
98
  * Any forms whose action points to page that has the Forced SSL option on will be updated to HTTPS even on HTTP pages.
190
  = 0.3 =
191
  Version 0.3 gives you the option to change external elements to HTTPS if the external server allows the elements to be accessed via HTTPS.
192
  = 0.2 =
193
+ Version 0.1 did not correctly detect HTTPS on IIS and possibly other servers. Please update to version 0.2 to fix this issue.
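Review bot: The 'force_ssl' example added to the FAQ (new lines 65-72) has `return true` without a terminating semicolon, so anyone pasting it into a theme or plugin gets a PHP parse error; it should read `return true;`. While here: the Tags line now lists `private ssl` twice, and the 2.0 changelog entry contains the typo `usinga`.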
screenshot-1.png CHANGED
Binary file
screenshot-2.png CHANGED
Binary file
wordpress-https.php CHANGED
@@ -4,7 +4,7 @@
4
  Plugin URI: http://mvied.com/projects/wordpress-https/
5
  Description: WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites.
6
  Author: Mike Ems
7
- Version: 1.9.2
8
  Author URI: http://mvied.com/
9
  */
10
 
@@ -15,83 +15,112 @@
15
  * @package WordPressHTTPS
16
  * @copyright Copyright 2011
17
  *
18
- * @return object
19
- *
20
  */
21
  if ( !class_exists('WordPressHTTPS') ) {
22
  class WordPressHTTPS {
23
 
24
  /**
25
- * Plugin version
26
  *
27
  * @var int
28
  */
29
- var $plugin_version = '1.9.2';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
30
 
31
  /**
32
  * Plugin URL
33
  *
34
  * @var string
35
  */
36
- var $plugin_url;
37
 
38
  /**
39
  * HTTP URL
40
  *
41
  * @var string
42
  */
43
- var $http_url;
44
 
45
  /**
46
  * HTTPS URL
47
  *
48
  * @var string
49
  */
50
- var $https_url;
51
 
52
  /**
53
- * Shared SSL
 
 
 
 
 
 
 
 
 
54
  *
55
  * @var boolean
56
  */
57
- var $shared_ssl = false;
58
 
59
  /**
60
- * Default options
 
 
 
 
 
 
 
 
 
61
  *
62
  * @var array
63
  */
64
- var $options_default = array(
65
- 'wordpress-https_internalurls' => 1, // Force internal URL's to HTTPS
66
- 'wordpress-https_externalurls' => 0, // Force external URL's to HTTPS
67
- 'wordpress-https_bypass' => 0, // Bypass option to check if external elements can be loaded via HTTPS
68
- 'wordpress-https_disable_autohttps'=> 0, // Prevents WordPress 3.0+ from making all links HTTPS when viewing a secure page.
69
- 'wordpress-https_exclusive_https'=> 0, // Exclusively force SSL on posts and pages with the `Force SSL` option checked.
70
- 'wordpress-https_frontpage'=> 0, // Force SSL on front page
71
- 'wordpress-https_sharedssl'=> 0, // Enable Shared SSL
72
- 'wordpress-https_sharedssl_admin' => 0, // Shared SSL for admin panel
73
- 'wordpress-https_sharedssl_host' => '', // Hostname for Shared SSL
74
- 'wordpress-https_external_urls' => array() // External URL's that are okay to rewrite to HTTPS
75
  );
76
 
77
  /**
78
- * Initialize plugin (PHP4)
79
  *
80
  * @param none
81
  * @return void
82
  */
83
- function WordPressHTTPS() {
84
  $argcv = func_get_args();
85
  call_user_func_array(array(&$this, '__construct'), $argcv);
86
  }
87
 
88
  /**
89
- * Initialize plugin (PHP5+)
90
  *
91
  * @param none
92
  * @return void
93
  */
94
- function __construct() {
95
  // Assign plugin_url
96
  if ( version_compare( get_bloginfo('version'), '2.8', '>=' ) ) {
97
  $this->plugin_url = plugins_url('', __FILE__);
@@ -99,41 +128,73 @@ if ( !class_exists('WordPressHTTPS') ) {
99
  $this->plugin_url = WP_PLUGIN_URL . '/' . plugin_basename(dirname(__FILE__));
100
  }
101
 
102
- // Assign HTTP URL
103
  $this->http_url = 'http://' . parse_url(get_option('home'), PHP_URL_HOST);
104
- // Assign HTTPS URL
105
  $this->https_url = $this->replace_http($this->http_url);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
106
 
107
- // Shared SSL
108
- if ( get_option('wordpress-https_sharedssl') == 1 && get_option('wordpress-https_sharedssl_host') != '' ) {
109
- // Turn on Shared SSL
110
- $this->shared_ssl = true;
111
- // Assign HTTPS URL to Shared SSL Host
112
- $this->https_url = get_option('wordpress-https_sharedssl_host');
113
- // Prevent WordPress from causing a redirect loop
114
- remove_filter('template_redirect', 'redirect_canonical');
115
- // Remove Shared SSL authentication cookies on logout
116
  add_action('clear_auth_cookie', array(&$this, 'clear_auth_cookie'));
117
- }
118
 
119
- // Fix admin_url for Shared SSL login
120
- if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->shared_ssl && $this->is_ssl() ) {
121
- add_filter('admin_url', array(&$this, 'replace_http_url'));
 
 
 
 
 
 
 
 
 
 
 
 
122
  }
123
 
124
- // Filter site_url in admin panel when using Shared SSL
125
- if ( is_admin() && $this->shared_ssl && $this->is_ssl() ) {
126
- add_filter( 'site_url', array(&$this, 'replace_http_url'));
127
  }
128
 
129
- // Redirect login page if using Shared SSL. This is not pluggable due to the redirect methods used in wp-login.php
130
- if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->shared_ssl && !$this->is_ssl() && get_option('wordpress-https_sharedssl_admin') == 1 ) {
131
- $this->redirect('https');
 
 
 
 
 
 
132
  }
133
 
134
  // Start output buffering
135
- add_action('plugins_loaded', array(&$this, 'buffer_start'));
 
 
 
 
136
 
 
137
  if ( is_admin() ) {
138
  // Add admin menus
139
  add_action('admin_menu', array(&$this, 'menu'));
@@ -146,8 +207,9 @@ if ( !class_exists('WordPressHTTPS') ) {
146
  // Load on Settings page
147
  if ( @$_GET['page'] == 'wordpress-https' ) {
148
  wp_enqueue_script('jquery-form', $this->plugin_url . '/js/jquery.form.js', array('jquery'), '2.47', true);
149
- wp_enqueue_script('wordpress-https', $this->plugin_url . '/js/admin.php', array('jquery'), $this->plugin_version, true);
150
- wp_enqueue_style('wordpress-https', $this->plugin_url . '/css/admin.css', $this->plugin_version, true);
 
151
 
152
  if ( function_exists('add_thickbox') ) {
153
  add_thickbox();
@@ -163,358 +225,626 @@ if ( !class_exists('WordPressHTTPS') ) {
163
  add_action('save_post', array(&$this, 'post_save'));
164
  }
165
 
166
- // Check if the page needs to be redirected
167
- add_action('template_redirect', array(&$this, 'check_https'));
168
-
169
  // Filter HTTPS from links in WP 3.0+
170
- if ( get_option('wordpress-https_disable_autohttps') == 1 && !is_admin() && strpos(get_option('home'), 'https://') === false ) {
171
- add_filter('page_link', array(&$this, 'replace_https'));
172
- add_filter('post_link', array(&$this, 'replace_https'));
173
- add_filter('category_link', array(&$this, 'replace_https'));
174
- add_filter('get_archives_link', array(&$this, 'replace_https'));
175
- add_filter('tag_link', array(&$this, 'replace_https'));
176
- add_filter('search_link', array(&$this, 'replace_https'));
177
- add_filter('home_url', array(&$this, 'replace_https'));
178
  add_filter('bloginfo', array(&$this, 'bloginfo'), 10, 2);
179
  add_filter('bloginfo_url', array(&$this, 'bloginfo'), 10, 2);
180
 
181
- // If the whole site is not HTTPS, set links to the front-end to HTTP
182
  } else if ( is_admin() && $this->is_ssl() && strpos(get_option('home'), 'https://') === false ) {
183
- add_filter('page_link', array(&$this, 'replace_https'));
184
- add_filter('post_link', array(&$this, 'replace_https'));
185
- add_filter('category_link', array(&$this, 'replace_https'));
186
- add_filter('get_archives_link', array(&$this, 'replace_https'));
187
- add_filter('tag_link', array(&$this, 'replace_https'));
188
- add_filter('search_link', array(&$this, 'replace_https'));
189
  }
190
 
191
- // End output buffering
192
- //add_action('shutdown', array(&$this, 'buffer_end'));
 
 
 
193
  }
194
 
195
  /**
 
 
196
  * Operations performed when plugin is activated.
197
  *
198
  * @param none
199
  * @return void
200
  */
201
- function install() {
202
  // Set default options
203
  foreach ( $this->options_default as $option => $value ) {
204
  if ( get_option($option) === false ) {
205
  add_option($option, $value);
206
  }
207
  }
 
 
208
  }
209
 
210
  /**
211
- * Sets the authentication cookies based User ID.
212
- * Override for WordPress' pluggable function wp_set_auth_cookie
213
  *
214
- * The $remember parameter increases the time that the cookie will be kept. The
215
- * default the cookie is kept without remembering is two days. When $remember is
216
- * set, the cookies will be kept for 14 days or two weeks.
217
  *
218
- * @param int $user_id User ID
219
- * @param bool $remember Whether to remember the user or not
220
- * @param bool $secure Whether or not cookie is secure
221
  */
222
- function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
223
- if ( $remember ) {
224
- $expiration = $expire = time() + apply_filters('auth_cookie_expiration', 1209600, $user_id, $remember);
225
- } else {
226
- $expiration = time() + apply_filters('auth_cookie_expiration', 172800, $user_id, $remember);
227
- $expire = 0;
228
  }
 
 
 
229
 
230
- if ( $secure === '' ) {
231
- $secure = $this->is_ssl() ? true : false;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
232
  }
 
233
 
234
- if ( $secure ) {
235
- $auth_cookie_name = SECURE_AUTH_COOKIE;
236
- $scheme = 'secure_auth';
237
- } else {
238
- $auth_cookie_name = AUTH_COOKIE;
239
- $scheme = 'auth';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
240
  }
 
241
 
242
- $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
243
- $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
244
 
245
- do_action('set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme);
246
- do_action('set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in');
 
 
 
 
 
 
 
 
 
247
 
248
- // Cookie paths defined to accomodate Shared SSL
249
- $cookie_domain = '.' . parse_url($this->https_url, PHP_URL_HOST);
250
- $cookie_path = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . COOKIEPATH;
251
- $cookie_path_site = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . SITECOOKIEPATH;
252
- $cookie_path_plugins = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . PLUGINS_COOKIE_PATH;
253
- $cookie_path_admin = $cookie_path_site . 'wp-admin';
 
 
 
254
 
255
- if ( $this->shared_ssl && $this->is_ssl() ) {
256
- setcookie($auth_cookie_name, $auth_cookie, $expire, $cookie_path_plugins, $cookie_domain, $secure, true);
257
- setcookie($auth_cookie_name, $auth_cookie, $expire, $cookie_path_admin, $cookie_domain, $secure, true);
258
- setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, $cookie_path, $cookie_domain, false, true);
259
- if ( $cookie_path != $cookie_path_site )
260
- setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, $cookie_path_site, $cookie_domain, false, true);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
261
  } else {
262
- setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
263
- setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
264
- setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
265
- if ( COOKIEPATH != SITECOOKIEPATH )
266
- setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
267
  }
268
  }
269
 
270
  /**
271
- * Removes all of the cookies associated with authentication.
272
  *
273
- * @param none
274
- * @return void
275
  */
276
- function clear_auth_cookie() {
277
- // Cookie paths defined to accomodate Shared SSL
278
- $cookie_domain = '.' . parse_url($this->https_url, PHP_URL_HOST);
279
- $cookie_path = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . COOKIEPATH;
280
- $cookie_path_site = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . SITECOOKIEPATH;
281
- $cookie_path_plugins = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . PLUGINS_COOKIE_PATH;
282
- $cookie_path_admin = $cookie_path_site . 'wp-admin';
283
-
284
- setcookie(AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_admin, $cookie_domain);
285
- setcookie(AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_plugins, $cookie_domain);
286
- setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_admin, $cookie_domain);
287
- setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_plugins, $cookie_domain);
288
- setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, $cookie_path, $cookie_domain);
289
- setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, $cookie_path_site, $cookie_domain);
290
  }
291
 
292
  /**
293
- * Checks if a user is logged in, if not it redirects them to the login page.
294
  *
295
- * @param none
296
- * @return void
297
  */
298
- function auth_redirect() {
299
- if ( $this->is_ssl() || force_ssl_admin() )
300
- $secure = true;
301
- else
302
- $secure = false;
303
 
304
- // If https is required and request is http, redirect
305
- if ( $secure && !$this->is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
306
- $this->redirect('https');
307
  }
 
 
308
 
309
- if ( $user_id = wp_validate_auth_cookie( '', apply_filters( 'auth_redirect_scheme', '' ) ) ) {
310
- do_action('auth_redirect', $user_id);
311
-
312
- // If the user wants ssl but the session is not ssl, redirect.
313
- if ( !$secure && get_user_option('use_ssl', $user_id) && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
314
- $this->redirect('https');
 
 
 
 
 
 
 
 
 
 
315
  }
316
-
317
- return; // The cookie is good so we're done
 
 
 
 
318
  }
319
 
320
- // The cookie is no good so force login
321
- nocache_headers();
322
 
323
- if ( $this->is_ssl() )
324
- $proto = 'https://';
325
- else
326
- $proto = 'http://';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
327
 
328
- $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 
329
 
330
- // Rewrite URL to Shared SSL URL
331
- if ( $this->shared_ssl && strpos($redirect, 'https://') !== false ) {
332
- $redirect = $this->replace_http_url( $redirect );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
333
  }
 
 
334
 
335
- $login_url = wp_login_url($redirect);
336
-
337
- wp_redirect($login_url);
338
- exit();
 
 
 
 
339
  }
340
 
341
  /**
342
- * Process output buffer
 
 
343
  *
344
  * @param string $buffer
345
  * @return string $buffer
346
  */
347
- function process($buffer) {
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
348
  if ( $this->is_ssl() ) {
349
- // Fix the regular stuff
350
  if ( is_admin() ) {
351
- preg_match_all('/\<(script|link|img)[^>]+((http|https):\/\/[\/-\w\.#?=\+&;]+)[^>]+>/im', $buffer, $matches);
352
  } else {
353
- preg_match_all('/\<(script|link|img|input|form|embed|param)[^>]+((http|https):\/\/[\/-\w\.#?=\+&;]+)[^>]+>/im', $buffer, $matches);
354
  }
355
-
356
- $external_urls = get_option('wordpress-https_external_urls');
357
-
358
- for ($i = 0; $i<=sizeof($matches[0]); $i++) {
359
  $html = $matches[0][$i];
360
  $type = $matches[1][$i];
361
  $url = $matches[2][$i];
362
  $scheme = $matches[3][$i];
 
363
 
364
  if ( $type == 'img' || $type == 'script' || $type == 'embed' ||
365
  ( $type == 'link' && ( strpos($html, 'stylesheet') !== false || strpos($html, 'pingback') !== false ) ) ||
366
- ( $type == 'form' && ( strpos($html, 'loginform') !== false || strpos($html, 'wp-pass.php') !== false ) ) ||
 
367
  ( $type == 'input' && strpos($html, 'image') !== false ) ||
368
  ( $type == 'param' && strpos($html, 'movie') !== false )
369
  ) {
 
370
  if ( is_admin() && $type == 'img' ) {
371
- if ( strpos($url, $this->replace_http($this->http_url)) !== false && $this->shared_ssl ) {
372
- $buffer = str_replace($html, str_replace($url, $this->replace_http_url($url), $html), $buffer);
 
 
373
  }
374
  } else {
375
- if ( strpos($url, $this->http_url) !== false && get_option('wordpress-https_internalurls') == 1 ) {
376
- $buffer = str_replace($html, str_replace($url, $this->replace_http_url($url), $html), $buffer);
377
- } else if ( strpos($url, $this->replace_http($this->http_url)) !== false && $this->shared_ssl ) {
378
- $buffer = str_replace($html, str_replace($url, $this->replace_http_url($url), $html), $buffer);
379
- } else if ( $this->shared_ssl && get_option('wordpress-https_internalurls') == 1 && strpos($html, $this->http_url) !== false ) {
380
- $buffer = str_replace($html, str_replace($url, $this->replace_http_url($url), $html), $buffer);
381
- } else if ( strpos($url, $this->https_url) === false && strpos($url, 'https://') === false && get_option('wordpress-https_externalurls') == 1 ) {
382
- if ( get_option('wordpress-https_bypass') == 1 ) {
383
- $buffer = str_replace($html, str_replace($url, $this->replace_http($url), $html), $buffer);
384
- } else if ( in_array($url, $external_urls) || @file_get_contents($this->replace_http($url)) !== false ) {
385
- $buffer = str_replace($html, str_replace($url, $this->replace_http($url), $html), $buffer);
386
- // Cache this URL as available over HTTPS for future reference
387
- if ( !in_array($url, $external_urls) ) {
388
  $external_urls[] = $url;
389
  update_option('wordpress-https_external_urls', $external_urls);
 
 
 
 
390
  }
391
  }
 
 
 
 
 
 
 
 
 
 
 
 
392
  }
393
  }
394
  }
 
 
 
 
395
  }
396
 
397
- // Fix any CSS background images
398
- preg_match_all('/background: url\([\'"]?(http:\/\/[\/-\w\.#?=\+&;]+)[\'"]?\)/im', $buffer, $matches);
399
- for ($i = 0; $i<=sizeof($matches[0]); $i++) {
400
  $css = $matches[0][$i];
401
- $url = $matches[1][$i];
402
-
403
- $buffer = str_replace($css, str_replace($url, $this->replace_http_url($url), $css), $buffer);
 
404
  }
405
 
406
- // Look for any relative paths that should be udpated to the Shared SSL path
407
- if ( $this->shared_ssl ) {
408
- preg_match_all('/\<(script|link|img|input|form|embed|param|a)[^>]+[\'"](\/[\/-\w\.#?=\+&;]*)[^>]+>/im', $buffer, $matches);
409
 
410
- for ($i = 0; $i<=sizeof($matches[0]); $i++) {
411
  $html = $matches[0][$i];
412
  $type = $matches[1][$i];
413
- $url = $matches[2][$i];
414
- if ( $type != 'input' || ( $type == 'input' && strpos($html, 'image') !== false ) ) {
415
- $buffer = str_replace($html, str_replace($url, $this->https_url . $url, $html), $buffer);
 
 
 
416
  }
417
  }
418
  }
419
  }
420
 
421
  // Update anchor and form tags to appropriate URL's
422
- preg_match_all('/\<(a|form)[^>]+[\'"]((http|https):\/\/[\/-\w\.#?=\+&;]+)[^>]+>/im', $buffer, $matches);
423
 
424
- for ($i = 0; $i<=sizeof($matches[0]); $i++) {
425
  $html = $matches[0][$i];
426
  $type = $matches[1][$i];
427
  $url = $matches[2][$i];
428
  $scheme = $matches[3][$i];
 
429
 
430
  unset($force_ssl);
431
 
432
- $url_path = parse_url($url, PHP_URL_PATH);
433
- if ( $this->shared_ssl ) {
434
- $url_path = str_replace(parse_url($this->https_url, PHP_URL_PATH), '', $url_path);
435
- }
436
- $url_path = str_replace(parse_url(get_option('home'), PHP_URL_PATH), '', $url_path);
437
-
438
- if ( preg_match("/page_id=([\d]+)/", parse_url($url, PHP_URL_QUERY), $postID) == 1 ) {
439
- $post = $postID[1];
440
- } else if ( $post = get_page_by_path($url_path) ) {
441
- $post = $post->ID;
442
- } else if ( $url_path == '/' ) {
443
- if ( get_option('show_on_front') == 'posts' ) {
 
 
 
 
 
 
 
444
  $post = true;
445
- $force_ssl = (( get_option('wordpress-https_frontpage') == 1 ) ? true : false);
446
- } else {
447
- $post = get_option('page_on_front');
448
  }
449
- }
450
 
451
- if ( $post ) {
452
- $force_ssl = (( !isset($force_ssl) ) ? get_post_meta($post, 'force_ssl', true) : $force_ssl);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
453
 
454
- if ( $force_ssl ) {
455
- $buffer = str_replace($html, str_replace($url, $this->replace_http_url($url), $html), $buffer);
456
- } else if ( get_option('wordpress-https_exclusive_https') == 1 ) {
457
- $buffer = str_replace($html, str_replace($this->https_url, $this->http_url, $html), $buffer);
458
  }
459
  }
460
  }
461
 
462
- // Fix any anchor or form tags that contain the HTTPS version of the regular domain when using Shared SSL
463
- if ( $this->shared_ssl && get_option('wordpress-https_internalurls') == 1 ) {
464
- $regex_url = preg_quote($this->replace_http($this->http_url));
465
- $regex_url = str_replace('/', '\/', $regex_url);
466
- preg_match_all('/\<(a|form)[^>]+(' . $regex_url . ')[^>]+>/im', $buffer, $matches);
 
 
 
 
 
 
 
 
 
 
 
467
 
468
- for ($i = 0; $i<=sizeof($matches[0]); $i++) {
469
- $html = $matches[0][$i];
470
- $type = $matches[1][$i];
471
- $url = $matches[2][$i];
472
 
473
- $buffer = str_replace($html, str_replace($url, $this->https_url, $html), $buffer);
 
 
 
 
 
 
 
 
 
 
 
 
474
  }
 
 
475
  }
476
 
477
  return $buffer;
478
  }
479
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
480
  /**
481
  * Checks if the current page is SSL
482
  *
483
  * @param none
484
  * @return bool
485
  */
486
- function is_ssl() {
487
  // Some extra checks for proxies and Shared SSL
488
- if ( isset($_SERVER['HTTP_X_URL_SCHEME']) && isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && !is_ssl() && strpos($this->https_url, $_SERVER['HTTP_X_URL_SCHEME'] . '://' . $_SERVER['HTTP_X_FORWARDED_SERVER']) !== false ) {
 
 
 
 
489
  return true;
490
- } else if ( $this->shared_ssl && !is_ssl() && strpos($this->https_url, $_SERVER['HTTP_HOST']) !== false ) {
491
  return true;
492
  }
493
  return is_ssl();
494
  }
495
 
496
  /**
 
 
497
  * Checks if the current page needs to be redirected
498
  *
499
  * @param none
500
  * @return void
501
  */
502
- function check_https() {
503
  global $post;
504
  if ( is_front_page() && get_option('show_on_front') == 'posts' ) {
505
  if ( get_option('wordpress-https_frontpage') == 1 && !$this->is_ssl() ) {
506
- $this->redirect('https');
507
- } else if ( get_option('wordpress-https_frontpage') != 1 && get_option('wordpress-https_exclusive_https') == 1 && $this->is_ssl() ) {
508
- $this->redirect('http');
509
  }
510
  } else if ( ( is_single() || is_page() || is_front_page() || is_home() ) && $post->ID > 0 ) {
511
- $forceSSL = get_post_meta($post->ID, 'force_ssl', true);
512
- if ( !$this->is_ssl() && $forceSSL ) {
513
- $this->redirect('https');
514
- } else if ( get_option('wordpress-https_exclusive_https') == 1 && !$forceSSL ) {
515
- $this->redirect('http');
 
516
  }
517
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
518
  }
519
 
520
  /**
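Review bot: The two conditions in `is_ssl()` on old lines 488 and 490 decide that a request is secure from `HTTP_X_URL_SCHEME`, `HTTP_X_FORWARDED_SERVER` and `HTTP_HOST`, all of which the client can set unless a trusted proxy overwrites them, and they compare with `strpos($this->https_url, ...) !== false`, which accepts any value that is a substring of the configured URL. `wp_set_auth_cookie()` in this same hunk derives `$secure` from `$this->is_ssl()`, so the rewritten conditions should honour forwarded headers only when the request arrives from a known proxy and should compare the host exactly instead of by substring. Two more things to confirm while this code is being rewritten: the non-shared branch on old lines 264 and 266 passes `$secure_logged_in_cookie`, which is never assigned in the function, and each `for ($i = 0; $i<=sizeof($matches[0]); $i++)` loop in `process()` reads one index past the end of the match arrays and should use `<`.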
@@ -523,7 +853,7 @@ if ( !class_exists('WordPressHTTPS') ) {
523
  * @param string $scheme Either http or https
524
  * @return void
525
  */
526
- function redirect($scheme = 'https') {
527
  if ( !$this->is_ssl() && $scheme == 'https' ) {
528
  $url = parse_url($this->https_url);
529
  $url['scheme'] = $scheme;
@@ -534,25 +864,129 @@ if ( !class_exists('WordPressHTTPS') ) {
534
  $url = false;
535
  }
536
  if ( $url ) {
537
- $destination = $url['scheme'] . '://' . $url['host'] . (( $this->shared_ssl ) ? $url['path'] : '') . $_SERVER['REQUEST_URI'];
538
  if ( function_exists('wp_redirect') ) {
539
  wp_redirect($destination, 301);
 
 
540
  } else {
541
  // End all output buffering and redirect
542
  while(@ob_end_clean());
 
 
 
 
 
 
543
  header("Location: " . $destination);
544
  }
545
  exit();
546
  }
547
  }
548
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
549
  /**
550
  * Add 'Force SSL' checkbox to add/edit post pages
551
  *
552
  * @param none
553
  * @return void
554
  */
555
- function post_checkbox() {
556
  global $post;
557
 
558
  wp_nonce_field(plugin_basename(__FILE__), 'wordpress-https');
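Review bot: `wp_redirect($destination, 301)` on old line 539 is kept, so every HTTP/HTTPS switch is issued as a permanent redirect that browsers cache. The target scheme depends on settings an administrator can change at any time (the per-post `force_ssl` meta and the exclusive-HTTPS option), so a cached 301 keeps sending visitors to the old scheme after the setting is flipped and can end in a redirect loop; a 302 is the safer status here. The fallback on old line 543 calls `header("Location: " . $destination)` with no status argument, so the two branches do not send the same status code either.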
@@ -561,7 +995,7 @@ if ( !class_exists('WordPressHTTPS') ) {
561
  if ( $post->ID ) {
562
  $checked = get_post_meta($post->ID, 'force_ssl', true);
563
  }
564
- echo '<div class="misc-pub-section misc-pub-section-last" style="border-top: 1px solid #EEE;"><label>Force SSL: <input type="checkbox" value="1" name="force_ssl" id="force_ssl"'.(($checked) ? ' checked="checked"' : '').' /></label></div>';
565
  }
566
 
567
  /**
@@ -570,7 +1004,7 @@ if ( !class_exists('WordPressHTTPS') ) {
570
  * @param int $post_id
571
  * @return int $post_id
572
  */
573
- function post_save( $post_id ) {
574
  if ( array_key_exists('wordpress-https', $_POST) ) {
575
  if ( !wp_verify_nonce($_POST['wordpress-https'], plugin_basename(__FILE__))) {
576
  return $post_id;
@@ -590,50 +1024,36 @@ if ( !class_exists('WordPressHTTPS') ) {
590
  }
591
  }
592
 
593
- $forceSSL = (( $_POST['force_ssl'] == 1 ) ? true : false);
594
- if ( $forceSSL ) {
595
  update_post_meta($post_id, 'force_ssl', 1);
596
  } else {
597
  delete_post_meta($post_id, 'force_ssl');
598
  }
599
 
600
- return $forceSSL;
601
  }
602
  return $post_id;
603
  }
604
 
605
  /**
606
- * Filters HTTPS urls from bloginfo function
607
- *
608
- * @param string $result
609
- * @param string $show
610
- * @return string $result
611
- */
612
- function bloginfo($result = '', $show = '') {
613
- if ( $show == 'stylesheet_url' || $show == 'template_url' || $show == 'wpurl' || $show == 'home' || $show == 'siteurl' || $show == 'url' ) {
614
- $result = $this->replace_https($result);
615
- }
616
- return $result;
617
- }
618
-
619
- /**
620
- * Add admin panel menu option
621
  *
622
  * @param none
623
  * @return void
624
  */
625
- function menu() {
626
  add_options_page('WordPress HTTPS Settings', 'WordPress HTTPS', 'manage_options', 'wordpress-https', array(&$this, 'settings'));
627
  }
628
 
629
  /**
630
- * Add plugin links to Manage Plugins page in admin panel
631
  *
632
  * @param array $links
633
  * @param string $file
634
  * @return array $links
635
  */
636
- function plugin_links($links, $file) {
637
  if ( strpos($file, basename( __FILE__)) === false ) {
638
  return $links;
639
  }
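Review bot: The `add_filter('bloginfo', array(&$this, 'bloginfo'), 10, 2)` and `bloginfo_url` registrations on old lines 178 and 179 are kept as context, but the `bloginfo()` method is deleted here on old lines 606 to 617; unless the method is re-added elsewhere in the new file, those filters point at a missing callback. Separately, old line 593 reads `$_POST['force_ssl']` directly, which is unset when the checkbox is unticked, so the replacement should test it with `isset()` or `!empty()` before comparing.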
@@ -646,80 +1066,12 @@ if ( !class_exists('WordPressHTTPS') ) {
646
  }
647
 
648
  /**
649
- * Start output buffering
650
  *
651
  * @param none
652
  * @return void
653
  */
654
- function buffer_start() {
655
- if ( get_option('wordpress-https_externalurls') == 1 && get_option('wordpress-https_bypass') != 1 ) {
656
- @ini_set('allow_url_fopen', 1);
657
- }
658
- ob_start(array(&$this, 'process'));
659
- }
660
-
661
- /**
662
- * End output buffering
663
- *
664
- * @param none
665
- * @return void
666
- */
667
- function buffer_end() {
668
- ob_end_flush();
669
- }
670
-
671
- /**
672
- * Replaces HTTP URL to HTTPS URL
673
- *
674
- * @param string $string
675
- * @return string $string
676
- */
677
- function replace_http_url($string) {
678
- preg_match_all('/(http|https):\/\/[\/-\w\.#?=\+&;]+/im', $string, $url);
679
- $url = $url[0][0];
680
-
681
- // If URL matches home_url, but lacks www, add www
682
- if ( strpos(get_option('home'), '://www.') !== false && strpos($url, '://www.') === false && parse_url($url, PHP_URL_HOST) != NULL ) {
683
- $url_host = parse_url($url, PHP_URL_HOST);
684
- $url_host_www = 'www.' . $url_host;
685
- if ( strpos(get_option('home'), $url_host_www) !== false ) {
686
- $string = str_replace($url_host, $url_host_www, $string);
687
- }
688
- }
689
-
690
- // Replace the HTTPS version of the domain with $this->https_url for Shared SSL
691
- $string = str_replace($this->replace_http($this->http_url), $this->https_url, $string);
692
- $string = str_replace($this->http_url, $this->https_url, $string);
693
- return $string;
694
- }
695
-
696
- /**
697
- * Replace HTTPS with HTTP
698
- *
699
- * @param string $string
700
- * @return string $string
701
- */
702
- function replace_https($string) {
703
- return str_replace('https://', 'http://', $string);
704
- }
705
-
706
- /**
707
- * Replace HTTP with HTTPS
708
- *
709
- * @param string $string
710
- * @return string $string
711
- */
712
- function replace_http($string) {
713
- return str_replace('http://', 'https://', $string);
714
- }
715
-
716
- /**
717
- * Settings page in admin panel
718
- *
719
- * @param none
720
- * @return void
721
- */
722
- function settings() {
723
  if ( !current_user_can('manage_options') ) {
724
  wp_die( __('You do not have sufficient permissions to access this page.') );
725
  }
@@ -732,46 +1084,65 @@ if ( !class_exists('WordPressHTTPS') ) {
732
  $_POST[$key] = 0;
733
  update_option($key, $_POST[$key]);
734
  } else {
735
- if ( $key == 'wordpress-https_sharedssl_host' ) {
736
- if ( isset($_POST[$key]) ) {
737
- $url = parse_url($_POST[$key]);
 
738
  }
739
- if ( sizeof($url) > 1 ) {
740
- $_POST[$key] = 'https://' . $url['host'] . @$url['path'];
741
- if ( substr($_POST[$key], -1, 1) == '/' ) {
742
- $_POST[$key] = substr($_POST[$key], 0, strlen($_POST[$key])-1);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
743
  }
744
- } else if ( $_POST['wordpress-https_sharedssl'] == 1 ) {
745
- $errors[] = '<strong>Shared SSL Host</strong> - Invalid host.';
746
- update_option('wordpress-https_sharedssl', 0);
747
  }
748
- } else if ( $key == 'wordpress-https_sharedssl_admin' ) {
749
  if ( force_ssl_admin() || force_ssl_login() ) {
750
- $errors[] = '<strong>Shared SSL Admin</strong> - FORCE_SSL_ADMIN and FORCE_SSL_LOGIN can not be set to true in your wp-config.php.';
751
  $_POST[$key] = 0;
 
 
 
752
  }
753
- } else if ( $key == 'wordpress-https_externalurls' && @ini_get('allow_url_fopen') != 1 ) {
754
- $errors[] = '<strong>External HTTPS Elements</strong> - PHP configuration error: allow_url_fopen must be enabled.';
755
- $_POST[$key] = 0;
756
- } else if ( $key == 'wordpress-https_disable_autohttps' && version_compare(get_bloginfo('version'), '3.0', '<') ) {
757
- $_POST[$key] = 0;
758
  }
759
 
760
  update_option($key, $_POST[$key]);
761
  }
762
  }
763
 
 
 
 
 
764
  if ( array_key_exists('ajax', $_POST) ) {
765
  while(@ob_end_clean());
766
  ob_start();
767
  if ( sizeof( $errors ) > 0 ) {
768
- echo "<div class=\"error below-h2 fade\" id=\"message\">\n\t<ul>\n";
769
  foreach ( $errors as $error ) {
770
  echo "\t\t<li><p>".$error."</p></li>\n";
771
  }
772
  echo "\t</ul>\n</div>\n";
773
  } else {
774
- echo "<div class=\"updated below-h2 fade\" id=\"message\"><p>Settings saved.</p></div>\n";
 
 
 
775
  }
776
  exit();
777
  }
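Review bot: `update_option($key, $_POST[$key])` on old line 760 is unchanged and still stores the raw request value for every key that does not hit one of the special cases above it. Sanitise by option type before saving: cast the checkbox options to int and pass the host value through `esc_url_raw()`. The removed host handling on old lines 737 to 743 also rebuilt the URL from `$url['host']` and `$url['path']` only, which discards any port; with the `$ssl_port` property added in this release, the replacement should account for `$url['port']`, and `sizeof($url) > 1` should not be reached with `$url` undefined when the field is missing from the request.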
@@ -785,47 +1156,65 @@ if ( !class_exists('WordPressHTTPS') ) {
785
  <?php
786
  if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
787
  if ( sizeof( $errors ) > 0 ) {
788
- echo "<div class=\"error below-h2 fade\" id=\"message\">\n\t<ul>\n";
789
  foreach ( $errors as $error ) {
790
  echo "\t\t<li><p>".$error."</p></li>\n";
791
  }
792
  echo "\t</ul>\n</div>\n";
793
  } else {
794
- echo "\t\t<div class=\"updated below-h2 fade\" id=\"message\"><p>Settings saved.</p></div>\n";
795
  }
796
  } else {
797
- echo "\t<div id=\"message-wrap\"><div id=\"message-body\"></div></div>\n";
798
  }
799
  ?>
800
 
801
  <div id="wphttps-sidebar">
802
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
803
  <div class="wphttps-widget" id="wphttps-updates">
804
  <h3 class="wphttps-widget-title">Developer Updates</h3>
805
- <div class="wphttps-widget-content"><img alt="Loading..." src="<?php echo parse_url($this->plugin_url, PHP_URL_PATH); ?>/css/images/wpspin_light.gif" class="loading" id="updates-loading" /></div>
 
 
806
  </div>
807
 
808
  <div class="wphttps-widget" id="wphttps-support">
809
  <h3 class="wphttps-widget-title">Support</h3>
810
- <div class="wphttps-widget-content">
811
- <p>Have you tried everything and your website is still giving you partially encrypted errors?</p>
812
- <p>If you haven't already, check out the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/" target="_blank">Frequently Asked Questions</a>.</p>
813
- <p>Still not fixed? Having other problems? Please <a href="http://wordpress.org/tags/wordpress-https#postform" target="_blank">start a support topic</a> and I'll do my best to assist you.</p>
814
  </div>
815
  </div>
816
 
817
  <div class="wphttps-widget" id="wphttps-donate">
818
  <h3 class="wphttps-widget-title">Donate</h3>
819
- <div class="wphttps-widget-content">
820
- <p>If you found this plugin useful, or I've already helped you with your website, please considering buying me a <a href="http://en.wikipedia.org/wiki/Newcastle_Brown_Ale" target="_blank">beer</a> or two.</p>
821
  <p>Donations help alleviate the time spent developing and supporting this plugin and are greatly appreciated.</p>
822
 
823
- <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
824
- <input type="hidden" name="cmd" value="_s-xclick">
825
- <input type="hidden" name="hosted_button_id" value="N9NFVADLVUR7A">
826
- <input type="image" src="https://www.paypal.com/en_US/i/btn/btn_donate_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
827
- <img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
828
- </form>
829
  </div>
830
  </div>
831
 
@@ -836,57 +1225,58 @@ if ( !class_exists('WordPressHTTPS') ) {
836
  <form name="form" id="wordpress-https" action="options-general.php?page=wordpress-https" method="post">
837
  <?php settings_fields('wordpress-https'); ?>
838
 
839
- <fieldset>
840
- <label for="wordpress-https_internalurls"><input name="wordpress-https_internalurls" type="checkbox" id="wordpress-https_internalurls" value="1"<?php echo ((get_option('wordpress-https_internalurls')) ? ' checked="checked"' : ''); ?> /> <strong>Internal HTTPS Elements</strong></label>
841
- <p>Force internal elements to HTTPS when viewing a secure page.</p>
842
- <p class="description">Fixes most partially encrypted errors.</p>
843
- </fieldset>
844
-
845
- <fieldset>
846
- <label for="wordpress-https_externalurls"><input name="wordpress-https_externalurls" type="checkbox" id="wordpress-https_externalurls" value="1"<?php echo ((get_option('wordpress-https_externalurls')) ? ' checked="checked"' : ''); ?> /> <strong>External HTTPS Elements</strong></label>
847
- <p>Attempt to automatically force external elements to HTTPS when viewing a secure page. External elements are any element not hosted on your domain.</p>
848
- <p class="description">Warning: This option checks that the external element can be loaded via HTTPS while the page is loading. Depending on the amount of external elements, this could affect the load times of your pages.</p>
849
- </fieldset>
850
-
851
- <fieldset>
852
- <label for="wordpress-https_bypass"><input name="wordpress-https_bypass" type="checkbox" id="wordpress-https_bypass" value="1"<?php echo ((get_option('wordpress-https_bypass')) ? ' checked="checked"' : ''); ?> /> <strong>Bypass External Check</strong></label>
853
- <p>Disable the option to check if an external element can be loaded over HTTPS.</p>
854
- <p class="description">Warning: Bypassing the HTTPS check for external elements may cause elements to not load at all. Only enable this option if you know that all external elements can be loaded over HTTPS.</p>
855
- </fieldset>
856
-
857
- <?php if ( version_compare(get_bloginfo('version'), '3.0', '>=') ) { ?>
858
- <fieldset>
859
- <label for="wordpress-https_disable_autohttps"><input name="wordpress-https_disable_autohttps" type="checkbox" id="wordpress-https_disable_autohttps" value="1"<?php echo ((get_option('wordpress-https_disable_autohttps')) ? ' checked="checked"' : ''); ?> /> <strong>Disable Automatic HTTPS</strong></label>
860
- <p>Prevents WordPress 3.0+ from making all links HTTPS when viewing a secure page.</p>
861
- <p class="description">When a page is viewed via HTTPS in WordPress 3.0+, all internal page, category and post links are forced to HTTPS. This option will disable that.</p>
862
- </fieldset>
863
-
864
- <?php } ?>
865
- <fieldset>
866
- <label for="wordpress-https_exclusive_https"><input name="wordpress-https_exclusive_https" type="checkbox" id="wordpress-https_exclusive_https" value="1"<?php echo ((get_option('wordpress-https_exclusive_https')) ? ' checked="checked"' : ''); ?> /> <strong>Force SSL Exclusively</strong></label>
867
- <p>Exclusively force SSL on posts and pages with the `Force SSL` option checked. All others are redirected to HTTP.</p>
868
- <p class="description">WordPress HTTPS adds a 'Force SSL' checkbox to each post and page right above the publish button (<a href="<?php echo $this->plugin_url; ?>/screenshot-2.png" class="thickbox">screenshot</a>). When selected, the post or page will be forced to HTTPS. With this option enabled, all posts and pages without 'Force SSL' checked will be redirected to HTTP.</p>
869
- </fieldset>
870
-
871
- <fieldset>
872
- <label for="wordpress-https_sharedssl"><input name="wordpress-https_sharedssl" type="checkbox" id="wordpress-https_sharedssl" value="1"<?php echo ((get_option('wordpress-https_sharedssl')) ? ' checked="checked"' : ''); ?> /> <strong>Shared SSL</strong></label>
873
- <p>Enable this option if you are using a Shared SSL certificate and your Shared SSL Host is something other than '<?php echo $this->replace_http($this->http_url); ?>/'.</p>
874
- <label><strong>Shared SSL Host</strong> <input name="wordpress-https_sharedssl_host" type="text" id="wordpress-https_sharedssl_host" value="<?php echo get_option('wordpress-https_sharedssl_host'); ?>" /></label>
875
- </fieldset>
876
-
877
- <fieldset>
878
- <label for="wordpress-https_sharedssl_admin"><input name="wordpress-https_sharedssl_admin" type="checkbox" id="wordpress-https_sharedssl_admin" value="1"<?php echo ((get_option('wordpress-https_sharedssl_admin')) ? ' checked="checked"' : ''); ?> /> <strong>Force Shared SSL Admin</strong></label>
879
- <p>Enable this option if you are using a Shared SSL certificate and you only want to access your admin panel over HTTPS.</p>
880
- <p class="description">Notice: FORCE_SSL_ADMIN and FORCE_SSL_LOGIN can not be set to true in your wp-config.php.</p>
881
- </fieldset>
882
 
883
  <?php if ( get_option('show_on_front') == 'posts' ) { ?>
884
- <fieldset>
885
- <label for="wordpress-https_frontpage"><input name="wordpress-https_frontpage" type="checkbox" id="wordpress-https_frontpage" value="1"<?php echo ((get_option('wordpress-https_frontpage')) ? ' checked="checked"' : ''); ?> /> <strong>HTTPS Front Page</strong></label>
886
- <p>It appears you are using your latest posts for your home page. If you would like that page to have SSL enforced, enable this option.</p>
887
- </fieldset>
 
 
 
 
 
 
888
 
889
  <?php } ?>
 
 
890
  <p class="button-controls">
891
  <input type="submit" name="Submit" value="Save Changes" class="button-primary" />
892
  <img alt="Waiting..." src="<?php echo parse_url($this->plugin_url, PHP_URL_PATH); ?>/css/images/wpspin_light.gif" class="waiting" id="submit-waiting" />
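Review bot: Old line 874 echoes `get_option('wordpress-https_sharedssl_host')` straight into a `value="..."` attribute; the field that replaces it should wrap the value in `esc_attr()`. The same goes for `$this->replace_http($this->http_url)` printed into the paragraph on old line 873, which wants `esc_html()`, and for the kept `src` attribute on old line 892 that prints `parse_url($this->plugin_url, PHP_URL_PATH)` unescaped, where `esc_url()` fits.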
@@ -895,28 +1285,16 @@ if ( !class_exists('WordPressHTTPS') ) {
895
  </div>
896
  </div>
897
 
 
 
898
  <?php
899
  }
900
  } // End WordPressHTTPS Class
901
  }
902
 
903
- if ( class_exists('WordPressHTTPS') ) {
 
904
  $wordpress_https = new WordPressHTTPS();
905
- register_activation_hook( __FILE__, array(&$wordpress_https, 'install'));
906
- }
907
-
908
- // Use WordPress HTTPS wp_set_auth_cookie method for WordPress' wp_set_auth_cookie pluggable function if using Shared SSL
909
- if ( $wordpress_https->shared_ssl && !function_exists('wp_set_auth_cookie') ) {
910
- function wp_set_auth_cookie($user_id, $remember, $secure) {
911
- global $wordpress_https;
912
- return $wordpress_https->wp_set_auth_cookie($user_id, $remember, $secure);
913
- }
914
- }
915
-
916
- // Use WordPress HTTPS auth_redirect method for WordPress' auth_redirect pluggable function if using Shared SSL
917
- if ( $wordpress_https->shared_ssl && !function_exists('auth_redirect') ) {
918
- function auth_redirect() {
919
- global $wordpress_https;
920
- return $wordpress_https->auth_redirect();
921
- }
922
  }
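Review bot: The removed register_activation_hook( __FILE__, array(&$wordpress_https, 'install')) call (old line 905) has no replacement in the lines shown for this hunk, and install() is now the only caller of the new update() migration that copies the pre-2.0 wordpress-https_sharedssl_host and wordpress-https_sharedssl_admin options to their new names. If the hook is not re-registered on the new side, or if a site upgrades in place without reactivating, wordpress-https_ssl_admin is never set and the admin panel stops being forced to HTTPS after the upgrade. Keep the activation hook, and also run update() on load when a stored plugin version is older than $version.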
4
  Plugin URI: http://mvied.com/projects/wordpress-https/
5
  Description: WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites.
6
  Author: Mike Ems
7
+ Version: 2.0
8
  Author URI: http://mvied.com/
9
  */
10
 
15
  * @package WordPressHTTPS
16
  * @copyright Copyright 2011
17
  *
 
 
18
  */
19
  if ( !class_exists('WordPressHTTPS') ) {
20
  class WordPressHTTPS {
21
 
22
  /**
23
+ * Plugin Version
24
  *
25
  * @var int
26
  */
27
+ public $version = '2.0';
28
+
29
+ /**
30
+ * Debug Mode
31
+ *
32
+ * Enabled debug output to the browser's console.
33
+ *
34
+ * @var boolean
35
+ */
36
+ public $debug = false;
37
+
38
+ /**
39
+ * Log Entries
40
+ *
41
+ * @var array
42
+ */
43
+ public $log = array();
44
 
45
  /**
46
  * Plugin URL
47
  *
48
  * @var string
49
  */
50
+ public $plugin_url;
51
 
52
  /**
53
  * HTTP URL
54
  *
55
  * @var string
56
  */
57
+ public $http_url;
58
 
59
  /**
60
  * HTTPS URL
61
  *
62
  * @var string
63
  */
64
+ public $https_url;
65
 
66
  /**
67
+ * SSL Port
68
+ *
69
+ * @var int
70
+ */
71
+ public $ssl_port;
72
+
73
+ /**
74
+ * Different SSL Host
75
+ *
76
+ * Set to true if the secure host is set to a a host that is not the default WordPress host.
77
  *
78
  * @var boolean
79
  */
80
+ public $diff_host = false;
81
 
82
  /**
83
+ * Force SSL Admin
84
+ *
85
+ * Set to true if the admin panel is being forced to use the secure host.
86
+ *
87
+ * @var boolean
88
+ */
89
+ public $ssl_admin = false;
90
+
91
+ /**
92
+ * Default Options
93
  *
94
  * @var array
95
  */
96
+ protected $options_default = array(
97
+ 'wordpress-https_external_urls' => array(), // External URL's that are okay to rewrite to HTTPS
98
+ 'wordpress-https_unsecure_external_urls' => array(), // External URL's that are okay to rewrite to HTTPS
99
+ 'wordpress-https_exclusive_https' => 0, // Exclusively force SSL on posts and pages with the `Force SSL` option checked.
100
+ 'wordpress-https_frontpage' => 0, // Force SSL on front page
101
+ 'wordpress-https_ssl_host' => 0, // Hostname for SSL Host
102
+ 'wordpress-https_ssl_port' => 0, // Port number for SSL Host
103
+ 'wordpress-https_ssl_admin' => 0 // Force SSL Over Administration Panel (The same as FORCE_SSL_ADMIN)
 
 
 
104
  );
105
 
106
  /**
107
+ * Initialize (PHP4)
108
  *
109
  * @param none
110
  * @return void
111
  */
112
+ public function WordPressHTTPS() {
113
  $argcv = func_get_args();
114
  call_user_func_array(array(&$this, '__construct'), $argcv);
115
  }
116
 
117
  /**
118
+ * Initialize (PHP5+)
119
  *
120
  * @param none
121
  * @return void
122
  */
123
+ public function __construct() {
124
  // Assign plugin_url
125
  if ( version_compare( get_bloginfo('version'), '2.8', '>=' ) ) {
126
  $this->plugin_url = plugins_url('', __FILE__);
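Review bot: The constructor documented as Initialize (PHP4) at new line 112 is now declared public function WordPressHTTPS(), but visibility keywords are a PHP 5 feature, so the file no longer parses on PHP 4 and the compatibility constructor cannot do its job. Either drop it or leave it without the keyword; the same applies to the public and protected properties added above it. In $options_default, the comment on wordpress-https_unsecure_external_urls at line 98 is a copy of the line above and says the opposite of what the option holds, and the @var int docblock on $version describes a string.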
128
  $this->plugin_url = WP_PLUGIN_URL . '/' . plugin_basename(dirname(__FILE__));
129
  }
130
 
131
+ // HTTP URL
132
  $this->http_url = 'http://' . parse_url(get_option('home'), PHP_URL_HOST);
133
+ // HTTPS URL
134
  $this->https_url = $this->replace_http($this->http_url);
135
+ // SSL Port
136
+ $this->ssl_port = ((get_option('wordpress-https_ssl_port') > 0) ? get_option('wordpress-https_ssl_port') : null);
137
+ // Force SSL Admin
138
+ $this->ssl_admin = ((get_option('wordpress-https_ssl_admin') > 0) ? true : false);
139
+
140
+ // If using a different host for SSL
141
+ if ( get_option('wordpress-https_ssl_host') && get_option('wordpress-https_ssl_host') != $this->https_url ) {
142
+ // Assign HTTPS URL to SSL Host
143
+ $this->diff_host = true;
144
+ $this->https_url = get_option('wordpress-https_ssl_host');
145
+
146
+ // Prevent WordPress' canonical redirect when using a different SSL Host
147
+ if ( $this->is_ssl() ) {
148
+ remove_filter('template_redirect', 'redirect_canonical');
149
+ }
150
+
151
+ // Add SSL Host to allowed redirect hosts
152
+ add_filter('allowed_redirect_hosts' , array(&$this, 'allowed_redirect_hosts'), 10, 1);
153
 
154
+ // Remove SSL Host authentication cookies on logout
 
 
 
 
 
 
 
 
155
  add_action('clear_auth_cookie', array(&$this, 'clear_auth_cookie'));
 
156
 
157
+ // Set authentication cookie
158
+ if ( $this->is_ssl() ) {
159
+ add_action('set_auth_cookie', array(&$this, 'set_cookie'), 10, 5);
160
+ }
161
+
162
+ // Fix admin_url on login page
163
+ if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
164
+ add_filter('admin_url', array(&$this, 'replace_http_url'));
165
+ }
166
+
167
+ // Filter site_url in admin panel
168
+ if ( is_admin() && $this->is_ssl() ) {
169
+ add_filter('site_url', array(&$this, 'replace_http_url'));
170
+ add_action('wp_redirect', array(&$this, 'wp_redirect_admin'), 1, 1);
171
+ }
172
  }
173
 
174
+ // Add SSL Port to HTTPS URL
175
+ if ( $this->ssl_port ) {
176
+ $this->https_url = $this->add_port($this->https_url);
177
  }
178
 
179
+ $this->log('HTTP URL: ' . $this->http_url);
180
+ $this->log('HTTPS URL: ' . $this->https_url);
181
+
182
+ // Redirect admin/login pages. This is not pluggable due to the redirect methods used in wp-login.php
183
+ if ( ( is_admin() || $GLOBALS['pagenow'] == 'wp-login.php' ) && $this->ssl_admin ) {
184
+ add_action('wp_redirect', array(&$this, 'wp_redirect_admin'), 1, 1);
185
+ if ( !$this->is_ssl() ) {
186
+ $this->redirect('https');
187
+ }
188
  }
189
 
190
  // Start output buffering
191
+ add_action('wp', array(&$this, 'buffer_start'));
192
+ add_action('admin_init', array(&$this, 'buffer_start'));
193
+
194
+ // Check if the page needs to be redirected
195
+ add_action('template_redirect', array(&$this, 'redirect_check'));
196
 
197
+ // Admin panel
198
  if ( is_admin() ) {
199
  // Add admin menus
200
  add_action('admin_menu', array(&$this, 'menu'));
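Review bot: $this->ssl_port at new line 136 is accepted after only a > 0 comparison on the raw option value, and it is later concatenated into rewritten URLs by add_port() and compared against $_SERVER['SERVER_PORT'] in is_ssl(). Cast it once here, for example with absint(), and reject values above 65535 so a malformed option cannot end up in the redirect Location or in rewritten links. The wp_redirect callback is also registered with add_action() in two places (lines 170 and 184); wp_redirect is a filter, so a single add_filter() call would state the intent.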
207
  // Load on Settings page
208
  if ( @$_GET['page'] == 'wordpress-https' ) {
209
  wp_enqueue_script('jquery-form', $this->plugin_url . '/js/jquery.form.js', array('jquery'), '2.47', true);
210
+ wp_enqueue_script('jquery-tooltip', $this->plugin_url . '/js/jquery.tooltip.js', array('jquery'), '1.3', true);
211
+ wp_enqueue_script('wordpress-https', $this->plugin_url . '/js/admin.php', array('jquery'), $this->version, true);
212
+ wp_enqueue_style('wordpress-https', $this->plugin_url . '/css/admin.css', $this->version, true);
213
 
214
  if ( function_exists('add_thickbox') ) {
215
  add_thickbox();
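Review bot: The wp_enqueue_style() call at new line 212 passes $this->version as the third argument and true as the fourth, but the parameters are ($handle, $src, $deps, $ver, $media), so the version lands in $deps and the stylesheet is requested with true as its version. The trailing true looks copied from the wp_enqueue_script() calls above it, where the fifth argument is $in_footer. Use array(), $this->version here. The unchanged @$_GET['page'] test at line 208 would also read better as isset($_GET['page']) && $_GET['page'] == 'wordpress-https' than with error suppression.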
225
  add_action('save_post', array(&$this, 'post_save'));
226
  }
227
 
 
 
 
228
  // Filter HTTPS from links in WP 3.0+
229
+ if ( version_compare(get_bloginfo('version'), '3.0', '>') && !is_admin() && strpos(get_option('home'), 'https://') === false ) {
230
+ add_filter('page_link', array(&$this, 'replace_https_url'));
231
+ add_filter('post_link', array(&$this, 'replace_https_url'));
232
+ add_filter('category_link', array(&$this, 'replace_https_url'));
233
+ add_filter('get_archives_link', array(&$this, 'replace_https_url'));
234
+ add_filter('tag_link', array(&$this, 'replace_https_url'));
235
+ add_filter('search_link', array(&$this, 'replace_https_url'));
236
+ add_filter('home_url', array(&$this, 'replace_https_url'));
237
  add_filter('bloginfo', array(&$this, 'bloginfo'), 10, 2);
238
  add_filter('bloginfo_url', array(&$this, 'bloginfo'), 10, 2);
239
 
240
+ // If the whole site is not HTTPS, set links to the front-end to HTTP from within the admin panel
241
  } else if ( is_admin() && $this->is_ssl() && strpos(get_option('home'), 'https://') === false ) {
242
+ add_filter('page_link', array(&$this, 'replace_https_url'));
243
+ add_filter('post_link', array(&$this, 'replace_https_url'));
244
+ add_filter('category_link', array(&$this, 'replace_https_url'));
245
+ add_filter('get_archives_link', array(&$this, 'replace_https_url'));
246
+ add_filter('tag_link', array(&$this, 'replace_https_url'));
247
+ add_filter('search_link', array(&$this, 'replace_https_url'));
248
  }
249
 
250
+ // Change all page and post links to HTTPS in the admin panel when using different SSL Host
251
+ if ( $this->diff_host && is_admin() ) {
252
+ add_filter('page_link', array(&$this, 'replace_http_url'));
253
+ add_filter('post_link', array(&$this, 'replace_http_url'));
254
+ }
255
  }
256
 
257
  /**
258
+ * Install
259
+ *
260
  * Operations performed when plugin is activated.
261
  *
262
  * @param none
263
  * @return void
264
  */
265
+ public function install() {
266
  // Set default options
267
  foreach ( $this->options_default as $option => $value ) {
268
  if ( get_option($option) === false ) {
269
  add_option($option, $value);
270
  }
271
  }
272
+ // Run plugin updates
273
+ $this->update();
274
  }
275
 
276
  /**
277
+ * Uninstall
 
278
  *
279
+ * Operations performed when plugin is deleted.
 
 
280
  *
281
+ * @param none
282
+ * @return void
 
283
  */
284
+ public function uninstall() {
285
+ // Delete options
286
+ foreach ( $this->options_default as $option => $value ) {
287
+ if ( get_option($option) !== false ) {
288
+ delete_option($option);
289
+ }
290
  }
291
+ // Delete force_ssl custom_field from posts and pages
292
+ delete_metadata('post', null, 'force_ssl', null, true);
293
+ }
294
 
295
+ /**
296
+ * Update
297
+ *
298
+ * Updates plugin from one version to another
299
+ *
300
+ * @param none
301
+ * @return void
302
+ */
303
+ protected function update() {
304
+ // Version < 2.0
305
+ if ( get_option('wordpress-https_sharedssl') ) {
306
+ $shared_ssl = ((get_option('wordpress-https_sharedssl') == 1) ? true : false);
307
+
308
+ $options = array(
309
+ 'wordpress-https_sharedssl' => get_option('wordpress-https_sharedssl'),
310
+ 'wordpress-https_sharedssl_host' => get_option('wordpress-https_sharedssl_host'),
311
+ 'wordpress-https_sharedssl_admin' => get_option('wordpress-https_sharedssl_admin')
312
+ );
313
+
314
+ foreach( $options as $option => $value) {
315
+ if ( $shared_ssl && $value ) {
316
+ if ( $option == 'wordpress-https_sharedssl_host' ) {
317
+ if ( $ssl_port = parse_url($value, PHP_URL_PORT) ) {
318
+ update_option('wordpress-https_ssl_port', $ssl_port);
319
+ $value = str_replace(':' . $ssl_port, '', $value);
320
+ }
321
+ update_option('wordpress-https_ssl_host', $value);
322
+ }
323
+ if ( $option == 'wordpress-https_sharedssl_admin' ) {
324
+ update_option('wordpress-https_ssl_admin', $value);
325
+ delete_option($option);
326
+ }
327
+ }
328
+ delete_option($option);
329
+ }
330
  }
331
+ }
332
 
333
+ /**
334
+ * Log
335
+ *
336
+ * Adds a string to an array of log entries
337
+ *
338
+ * @param none
339
+ * @return void
340
+ */
341
+ public function log( $string ) {
342
+ $this->log[] = $string;
343
+ }
344
+
345
+ /**
346
+ * Warnings
347
+ *
348
+ * Returns an array of warnings to notify the user of on the settings page
349
+ *
350
+ * @param none
351
+ * @return void
352
+ */
353
+ public function warnings() {
354
+ $warnings = array();
355
+ $i = 0;
356
+
357
+ // Warnings about unsecure external URL's
358
+ $unsecure_external_urls = (array)get_option('wordpress-https_unsecure_external_urls');
359
+ foreach( $unsecure_external_urls as $admin => $urls ) {
360
+ if ( $urls && sizeof($urls) > 0 ) {
361
+ $warnings[$i]['label'] = 'Unsecure External Content';
362
+ $warnings[$i]['warnings'] = $urls;
363
+ }
364
  }
365
+ $i++;
366
 
367
+ return $warnings;
368
+ }
369
 
370
+ /**
371
+ * Finds the URL in a string
372
+ *
373
+ * @param string $string
374
+ * @return string $url
375
+ */
376
+ static function get_url($string) {
377
+ preg_match_all('/(http|https):\/\/[\/-\w\.,#?=\+&%;:\d]+/i', $string, $url);
378
+ $url = @$url[0][0];
379
+ return $url;
380
+ }
381
 
382
+ /**
383
+ * Replace HTTPS with HTTP
384
+ *
385
+ * @param string $string
386
+ * @return string $string
387
+ */
388
+ static function replace_https($string) {
389
+ return str_replace('https://', 'http://', $string);
390
+ }
391
 
392
+ /**
393
+ * Replace HTTP with HTTPS
394
+ *
395
+ * @param string $string
396
+ * @return string $string
397
+ */
398
+ static function replace_http($string) {
399
+ return str_replace('http://', 'https://', $string);
400
+ }
401
+
402
+ /**
403
+ * Determines if URL is local or external
404
+ *
405
+ * @param string $url
406
+ * @return boolean
407
+ */
408
+ function is_local($url) {
409
+ $url_parts = parse_url($url);
410
+ if ( strpos($this->http_url, $url_parts['host']) !== false || strpos($this->https_url, $url_parts['host']) !== false ) {
411
+ return true;
412
  } else {
413
+ return false;
 
 
 
 
414
  }
415
  }
416
 
417
  /**
418
+ * Adds the SSL Port to URL in a string
419
  *
420
+ * @param string $string
421
+ * @return string $string
422
  */
423
+ function add_port($string) {
424
+ $url = $this->get_url($string);
425
+ if ( $this->ssl_port && strpos($url, ':' . $this->ssl_port) === false ) {
426
+ $url_host = parse_url($url, PHP_URL_HOST);
427
+ $url_host_port = parse_url($url, PHP_URL_HOST) . ':' . $this->ssl_port;
428
+ $string = str_replace($url_host, $url_host_port, $string);
429
+ }
430
+ return $string;
 
 
 
 
 
 
431
  }
432
 
433
  /**
434
+ * Remove the SSL Port from URL in a string
435
  *
436
+ * @param string $string
437
+ * @return string $string
438
  */
439
+ function remove_port($string) {
440
+ $url = $this->get_url($string);
 
 
 
441
 
442
+ if ( $this->is_local($url) && $port = parse_url($url, PHP_URL_PORT) ) {
443
+ $string = str_replace($url, str_replace(':' . $port, '', $url), $string);
 
444
  }
445
+ return $string;
446
+ }
447
 
448
+ /**
449
+ * Replaces HTTP Host with HTTPS Host
450
+ *
451
+ * @param string $string
452
+ * @return string $string
453
+ */
454
+ function replace_http_url($string) {
455
+ $url_original = $this->get_url($string);
456
+ if ( $this->is_local($url_original) ) {
457
+ $url_parts = parse_url($url_original);
458
+ $url = str_replace($url_parts['host'], parse_url($this->https_url, PHP_URL_HOST), $url_original);
459
+ if ( $this->diff_host ) {
460
+ $https_url_path = parse_url($this->https_url, PHP_URL_PATH);
461
+ if ( strpos($url_parts['path'], $https_url_path) === false ) {
462
+ $url = str_replace($url_parts['path'], $https_url_path . $url_parts['path'], $url);
463
+ }
464
  }
465
+ $url = $this->remove_port($url);
466
+ $url = $this->add_port($url);
467
+ $url = $this->replace_http($url);
468
+ $string = str_replace($url_original, $url, $string);
469
+ } else if ( $url_parts == null ) {
470
+ $this->log('[ERROR] Unabled to parse URL: ' . $url_original);
471
  }
472
 
473
+ return $string;
474
+ }
475
 
476
+ /**
477
+ * Replaces HTTPS Host with HTTP Host
478
+ *
479
+ * @param string $string
480
+ * @return string $string
481
+ */
482
+ public function replace_https_url($string) {
483
+ $url_original = $this->get_url($string);
484
+ if ( $this->is_local($url_original) ) {
485
+ $url_parts = parse_url($url_original);
486
+ $url = str_replace($url_parts['host'], parse_url($this->http_url, PHP_URL_HOST), $url_original);
487
+ if ( $this->diff_host ) {
488
+ $https_url_path = parse_url($this->https_url, PHP_URL_PATH);
489
+ if ( strpos($url_parts['path'], $https_url_path) !== false ) {
490
+ $url = str_replace($https_url_path, '', $url);
491
+ }
492
+ }
493
+ $url = $this->remove_port($url);
494
+ $url = $this->replace_https($url);
495
+ $string = str_replace($url_original, $url, $string);
496
+ } else if ( $url_parts == null ) {
497
+ $this->log('[ERROR] Unabled to parse URL: ' . $url_original);
498
+ }
499
 
500
+ return $string;
501
+ }
502
 
503
+ /**
504
+ * Checks to see if an external file exists
505
+ *
506
+ * @param string $url
507
+ * @return boolean
508
+ */
509
+ static function get_file_contents($url) {
510
+ if ( @ini_get('allow_url_fopen') ) {
511
+ $content = @file_get_contents($url);
512
+ return $content;
513
+ } else if ( function_exists('curl_init') ) {
514
+ $ch = curl_init();
515
+
516
+ curl_setopt($ch, CURLOPT_URL, $url);
517
+ curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
518
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
519
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
520
+ curl_setopt($ch, CURLOPT_HEADER, false);
521
+ curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
522
+
523
+ $content = curl_exec($ch);
524
+ curl_close($ch);
525
+ return $content;
526
  }
527
+ return false;
528
+ }
529
 
530
+ /**
531
+ * Start output buffering
532
+ *
533
+ * @param none
534
+ * @return void
535
+ */
536
+ public function buffer_start() {
537
+ ob_start(array(&$this, 'process'));
538
  }
539
 
540
  /**
541
+ * Process
542
+ *
543
+ * Processes the output buffer to fix HTML output
544
  *
545
  * @param string $buffer
546
  * @return string $buffer
547
  */
548
+ public function process($buffer) {
549
+ $processed_urls = array();
550
+ // Post = 2, Admin = 1, Other = 0
551
+ $location = ((is_admin()) ? 1 : ((is_page() || is_home()) ? 2 : 0));
552
+
553
+ $external_urls = get_option('wordpress-https_external_urls');
554
+ if ( !is_array($external_urls) ) {
555
+ $external_urls = array();
556
+ }
557
+
558
+ $unsecure_external_urls = get_option('wordpress-https_unsecure_external_urls');
559
+ if ( !is_array($unsecure_external_urls) ) {
560
+ $unsecure_external_urls = array();
561
+ }
562
+
563
+ // Fix any occurrence of the HTTPS version of the regular domain when using different SSL Host
564
+ if ( $this->diff_host ) {
565
+ $url = $this->replace_http($this->http_url);
566
+ $count = substr_count($buffer, $url);
567
+ if ( $count > 0 ) {
568
+ $this->log('[FIXED] Updated ' . $count . ' Occurences of URL: ' . $url . ' => ' . $this->replace_https_url($url));
569
+ $buffer = str_replace($url, $this->replace_https_url($url), $buffer);
570
+ }
571
+ }
572
+
573
  if ( $this->is_ssl() ) {
 
574
  if ( is_admin() ) {
575
+ preg_match_all('/\<(script|link|img)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>/im', $buffer, $matches);
576
  } else {
577
+ preg_match_all('/\<(script|link|img|form|input|embed|param)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>/im', $buffer, $matches);
578
  }
579
+ for ($i = 0; $i < sizeof($matches[0]); $i++) {
 
 
 
580
  $html = $matches[0][$i];
581
  $type = $matches[1][$i];
582
  $url = $matches[2][$i];
583
  $scheme = $matches[3][$i];
584
+ $updated = false;
585
 
586
  if ( $type == 'img' || $type == 'script' || $type == 'embed' ||
587
  ( $type == 'link' && ( strpos($html, 'stylesheet') !== false || strpos($html, 'pingback') !== false ) ) ||
588
+ ( $type == 'form' && strpos($html, 'wp-pass.php') !== false ) ||
589
+ ( $type == 'form' && strpos($html, 'commentform') !== false ) ||
590
  ( $type == 'input' && strpos($html, 'image') !== false ) ||
591
  ( $type == 'param' && strpos($html, 'movie') !== false )
592
  ) {
593
+ // Fix image tags in the admin panel
594
  if ( is_admin() && $type == 'img' ) {
595
+ if ( strpos($url, $this->http_url) !== false && $this->diff_host ) {
596
+ $updated = true;
597
+ $processed_urls[$url] = $this->replace_http_url($url);
598
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
599
  }
600
  } else {
601
+ // If local
602
+ if ( $this->is_local($url) ) {
603
+ $updated = true;
604
+ $processed_urls[$url] = $this->replace_http_url($url);
605
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
606
+ // If external and not HTTPS
607
+ } else if ( strpos($url, 'https://') === false ) {
608
+ if ( !in_array($url, $external_urls) && !in_array($url, $unsecure_external_urls[$location]) ) {
609
+ if ( $this->get_file_contents($this->replace_http($url)) !== false ) {
610
+ // Cache this URL as available over HTTPS for future reference
 
 
 
611
  $external_urls[] = $url;
612
  update_option('wordpress-https_external_urls', $external_urls);
613
+ } else {
614
+ // If not available over HTTPS, mark as an unsecure external URL
615
+ $unsecure_external_urls[$location][] = $url;
616
+ update_option('wordpress-https_unsecure_external_urls', $unsecure_external_urls);
617
  }
618
  }
619
+
620
+ if ( in_array($url, $external_urls) ) {
621
+ $updated = true;
622
+ $processed_urls[$url] = $this->replace_http($url);
623
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
624
+ } else {
625
+ $processed_urls[$url] = $url;
626
+ }
627
+ }
628
+
629
+ if ( $updated == false && strpos($url, 'https://') === false ) {
630
+ $this->log('[WARNING] Unsecure Element: <' . $type . '> - ' . $url);
631
  }
632
  }
633
  }
634
+
635
+ if ( $updated && $url != $processed_urls[$url] ) {
636
+ $this->log('[FIXED] Element: <' . $type . '> - ' . $url . ' => ' . $processed_urls[$url]);
637
+ }
638
  }
639
 
640
+ // Fix any CSS background images or imports
641
+ preg_match_all('/(import|background)[:]?[^u]*url\([\'"]?(http:\/\/[^)]+)[\'"]?\)/im', $buffer, $matches);
642
+ for ($i = 0; $i < sizeof($matches[0]); $i++) {
643
  $css = $matches[0][$i];
644
+ $url = $matches[2][$i];
645
+ $processed_urls[$url] = $this->replace_http_url($url);
646
+ $buffer = str_replace($css, str_replace($url, $processed_urls[$url], $css), $buffer);
647
+ $this->log('[FIXED] CSS: ' . $url . ' => ' . $processed_urls[$url]);
648
  }
649
 
650
+ // Look for any relative paths that should be udpated to the SSL Host path
651
+ if ( $this->diff_host ) {
652
+ preg_match_all('/\<(script|link|img|input|form|embed|param|a)[^>]+(src|href|action|data|movie)=[\'"](\/[^\'"]*)[\'"][^>]*>/im', $buffer, $matches);
653
 
654
+ for ($i = 0; $i < sizeof($matches[0]); $i++) {
655
  $html = $matches[0][$i];
656
  $type = $matches[1][$i];
657
+ $attr = $matches[2][$i];
658
+ $url = $matches[3][$i];
659
+ if ( $type != 'input' || ( $type == 'input' && $attr == 'image' ) ) {
660
+ $processed_urls[$url] = $this->https_url . $url;
661
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
662
+ $this->log('[FIXED] Element: <' . $type . '> - ' . $url . ' => ' . $processed_urls[$url]);
663
  }
664
  }
665
  }
666
  }
667
 
668
  // Update anchor and form tags to appropriate URL's
669
+ preg_match_all('/\<(a|form)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>/im', $buffer, $matches);
670
 
671
+ for ($i = 0; $i < sizeof($matches[0]); $i++) {
672
  $html = $matches[0][$i];
673
  $type = $matches[1][$i];
674
  $url = $matches[2][$i];
675
  $scheme = $matches[3][$i];
676
+ $updated = false;
677
 
678
  unset($force_ssl);
679
 
680
+ if ( $this->is_local($url) ) {
681
+ $url_parts = parse_url($url);
682
+ if ( $this->diff_host ) {
683
+ $url_parts['path'] = str_replace(parse_url($this->https_url, PHP_URL_PATH), '', $url_parts['path']);
684
+ }
685
+ $url_parts['path'] = str_replace(parse_url(get_option('home'), PHP_URL_PATH), '', $url_parts['path']);
686
+
687
+ if ( preg_match("/page_id=([\d]+)/", parse_url($url, PHP_URL_QUERY), $postID) ) {
688
+ $post = $postID[1];
689
+ } else if ( $post = get_page_by_path($url_parts['path']) ) {
690
+ $post = $post->ID;
691
+ } else if ( $url_parts['path'] == '/' ) {
692
+ if ( get_option('show_on_front') == 'posts' ) {
693
+ $post = true;
694
+ $force_ssl = (( get_option('wordpress-https_frontpage') == 1 ) ? true : false);
695
+ } else {
696
+ $post = get_option('page_on_front');
697
+ }
698
+ } else if ( ( strpos($url_parts['path'], 'wp-admin') !== false || strpos($url_parts['path'], 'wp-login') !== false ) && ( $this->is_ssl() || $this->ssl_admin )) {
699
  $post = true;
700
+ $force_ssl = true;
 
 
701
  }
 
702
 
703
+ if ( $post ) {
704
+ // Always change links to HTTPS when logged in via different SSL Host
705
+ if ( $type == 'a' && $this->diff_host && $this->ssl_admin && is_user_logged_in() ) {
706
+ $force_ssl = true;
707
+ } else if ( is_int($post) ) {
708
+ $force_ssl = (( !isset($force_ssl) ) ? get_post_meta($post, 'force_ssl', true) : $force_ssl);
709
+ }
710
+
711
+ if ( $force_ssl == true ) {
712
+ $updated = true;
713
+ $processed_urls[$url] = $this->replace_http_url($url);
714
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
715
+ } else if ( get_option('wordpress-https_exclusive_https') == 1 ) {
716
+ $updated = true;
717
+ $processed_urls[$url] = $this->replace_https_url($url);
718
+ $buffer = str_replace($html, str_replace($url, $processed_urls[$url], $html), $buffer);
719
+ }
720
+ }
721
 
722
+ if ( $updated && $url != $processed_urls[$url] ) {
723
+ $this->log('[FIXED] Element: <' . $type . '> - ' . $url . ' => ' . $processed_urls[$url]);
 
 
724
  }
725
  }
726
  }
727
 
728
+ // If an unsecure element has been removed from the site, remove it from $unsecure_external_urls to clear warnings
729
+ if ( is_array($unsecure_external_urls[$location]) ) {
730
+ $unsecure_external_urls[$location] = array_values($unsecure_external_urls[$location]);
731
+ for( $i = 0; $i < sizeof($unsecure_external_urls[$location]); $i++ ) {
732
+ $removed = true;
733
+ foreach( $processed_urls as $original_url => $new_url ) {
734
+ // If unsecure_external_url was found in processed_urls, it has not been removed
735
+ if ( $unsecure_external_urls[$location][$i] == $original_url ) {
736
+ $removed = false;
737
+ }
738
+ }
739
+ if ( $removed ) {
740
+ $this->log('[FIXED] Removed Unsecure URL: ' . $unsecure_external_urls[$location][$i]);
741
+ unset($unsecure_external_urls[$location][$i]);
742
+ update_option('wordpress-https_unsecure_external_urls', $unsecure_external_urls);
743
+ }
744
 
745
+ }
746
+ }
 
 
747
 
748
+ // Add debug console logging. It's not pretty, but it works.
749
+ if ( $this->debug && sizeof($this->log) > 0 ) {
750
+ $code = "<script type=\"text/javascript\">\n\tif ( typeof console === 'object' ) {\n";
751
+
752
+ array_unshift($this->log, '[BEGIN WordPress HTTPS Debug Log]');
753
+ array_push($this->log, '[END WordPress HTTPS Debug Log]');
754
+ foreach( $this->log as $log_entry ) {
755
+ if ( is_array($log_entry) ) {
756
+ $log_entry = json_encode($log_entry);
757
+ } else {
758
+ $log_entry = "'" . $log_entry . "'";
759
+ }
760
+ $code .= "\t\tconsole.log(" . $log_entry . ");\n";
761
  }
762
+ $code .= "\t}\n</script>\n";
763
+ $buffer = str_replace("</body>", $code . "\n</body>", $buffer);
764
  }
765
 
766
  return $buffer;
767
  }
768
 
769
+ /**
770
+ * Filters HTTPS urls from bloginfo function
771
+ *
772
+ * @param string $result
773
+ * @param string $show
774
+ * @return string $result
775
+ */
776
+ public function bloginfo($result = '', $show = '') {
777
+ if ( $show == 'stylesheet_url' || $show == 'template_url' || $show == 'wpurl' || $show == 'home' || $show == 'siteurl' || $show == 'url' ) {
778
+ $result = $this->replace_https_url($result);
779
+ }
780
+ return $result;
781
+ }
782
+
783
  /**
784
  * Checks if the current page is SSL
785
  *
786
  * @param none
787
  * @return bool
788
  */
789
+ public function is_ssl() {
790
  // Some extra checks for proxies and Shared SSL
791
+ if ( is_ssl() && strpos($_SERVER['HTTP_HOST'], parse_url($this->https_url, PHP_URL_HOST)) === false ) {
792
+ return false;
793
+ } else if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' ) {
794
+ return true;
795
+ } else if ( $this->diff_host && !is_ssl() && isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && strpos($this->https_url, 'https://' . $_SERVER['HTTP_X_FORWARDED_SERVER']) !== false ) {
796
  return true;
797
+ } else if ( $this->diff_host && !is_ssl() && strpos($_SERVER['HTTP_HOST'], parse_url($this->https_url, PHP_URL_HOST)) !== false && (!$this->ssl_port || $_SERVER['SERVER_PORT'] == $this->ssl_port) ) {
798
  return true;
799
  }
800
  return is_ssl();
801
  }
802
 
803
  /**
804
+ * Redirect Check
805
+ *
806
  * Checks if the current page needs to be redirected
807
  *
808
  * @param none
809
  * @return void
810
  */
811
+ public function redirect_check() {
812
  global $post;
813
  if ( is_front_page() && get_option('show_on_front') == 'posts' ) {
814
  if ( get_option('wordpress-https_frontpage') == 1 && !$this->is_ssl() ) {
815
+ $scheme = 'https';
816
+ } else if ( get_option('wordpress-https_frontpage') != 1 && get_option('wordpress-https_exclusive_https') == 1 && $this->is_ssl() && ( !$this->diff_host || ( $this->diff_host && $this->ssl_admin && !is_user_logged_in() ) ) ) {
817
+ $scheme = 'http';
818
  }
819
  } else if ( ( is_single() || is_page() || is_front_page() || is_home() ) && $post->ID > 0 ) {
820
+ $force_ssl = get_post_meta($post->ID, 'force_ssl', true);
821
+ $force_ssl = apply_filters('force_ssl', $force_ssl, $post->ID );
822
+ if ( !$this->is_ssl() && $force_ssl ) {
823
+ $scheme = 'https';
824
+ } else if ( get_option('wordpress-https_exclusive_https') == 1 && !$force_ssl && ( !$this->diff_host || ( $this->diff_host && $this->ssl_admin && !is_user_logged_in() ) ) ) {
825
+ $scheme = 'http';
826
  }
827
  }
828
+
829
+ if ( $scheme ) {
830
+ $this->redirect($scheme);
831
+ }
832
+ }
833
+
834
+ /**
835
+ * Fix wp_redirect in admin/login when using a different SSL Host
836
+ *
837
+ * @param string $url
838
+ * @return string $url
839
+ */
840
+ public function wp_redirect_admin( $url ) {
841
+ $url = $this->replace_http_url($url);
842
+
843
+ // Fix redirect_to
844
+ preg_match('/redirect_to=([^&]+)/i', $url, $redirect);
845
+ $redirect_url = $redirect[1];
846
+ $url = str_replace($redirect_url, urlencode($this->replace_http_url(urldecode($redirect_url))), $url);
847
+ return $url;
848
  }
849
 
850
  /**
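Review bot: is_ssl() (new lines 789-801) returns true whenever the request carries X-Forwarded-Proto: https, and in the diff_host case whenever X-Forwarded-Server matches the SSL host, without checking that the request came through a proxy. Both values are client-supplied headers, so on a server that is reachable directly a plain-HTTP request that sets them is treated as secure, and the !$this->is_ssl() guards in __construct() and redirect_check() then skip the HTTPS redirect for wp-admin, wp-login.php and force_ssl posts. Honour these headers only when $_SERVER['REMOTE_ADDR'] is a configured proxy address, or put the check behind an option that is off by default. Three further points in the same hunk: get_file_contents() sets CURLOPT_SSL_VERIFYPEER to false at line 518, so a URL is cached in wordpress-https_external_urls as available over HTTPS even when its certificate does not validate, and verification should stay on; the debug block in process() wraps string entries as "'" . $log_entry . "'" at line 758 before writing them into a script element, and since entries contain URLs taken from page output every entry should go through json_encode(), not only arrays; and is_local() at line 410 uses strpos() of the candidate host inside $this->http_url, which is a substring test, so compare parsed hosts for equality instead.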
853
  * @param string $scheme Either http or https
854
  * @return void
855
  */
856
+ public function redirect($scheme = 'https') {
857
  if ( !$this->is_ssl() && $scheme == 'https' ) {
858
  $url = parse_url($this->https_url);
859
  $url['scheme'] = $scheme;
864
  $url = false;
865
  }
866
  if ( $url ) {
867
+ $destination = $url['scheme'] . '://' . $url['host'] . (( $url['port'] ) ? ':' . $url['port'] : '') . (( $this->diff_host ) ? $url['path'] : '') . $_SERVER['REQUEST_URI'];
868
  if ( function_exists('wp_redirect') ) {
869
  wp_redirect($destination, 301);
870
+
871
+ // The only time this is called is when forcing an SSL redirect to the login page from the __construct method
872
  } else {
873
  // End all output buffering and redirect
874
  while(@ob_end_clean());
875
+
876
+ // If redirecting to an admin page
877
+ if ( strpos($destination, 'wp-admin') !== false || strpos($destination, 'wp-login') !== false ) {
878
+ $destination = $this->wp_redirect_admin($destination);
879
+ }
880
+
881
  header("Location: " . $destination);
882
  }
883
  exit();
884
  }
885
  }
886
 
887
+ /**
888
+ * Add SSL Host host to allowed redirect hosts
889
+ *
890
+ * @param array $content
891
+ * @return array $content
892
+ */
893
+ public function allowed_redirect_hosts($content) {
894
+ $content[] = parse_url($this->https_url, PHP_URL_HOST);
895
+ return $content;
896
+ }
897
+
898
+ /**
899
+ * Set Cookie
900
+ *
901
+ * Set authentication cookie when using different SSL Host
902
+ *
903
+ * @param none
904
+ * @return void
905
+ */
906
+ public function set_cookie($cookie, $expire, $expiration, $user_id, $scheme) {
907
+ if( $scheme == 'logged_in' ) {
908
+ $cookie_name = LOGGED_IN_COOKIE;
909
+ } elseif ( $secure ) {
910
+ $cookie_name = SECURE_AUTH_COOKIE;
911
+ $scheme = 'secure_auth';
912
+ } else {
913
+ $cookie_name = AUTH_COOKIE;
914
+ $scheme = 'auth';
915
+ }
916
+
917
+ $cookie_domain = COOKIE_DOMAIN;
918
+ $cookie_path = COOKIEPATH;
919
+ $cookie_path_site = SITECOOKIEPATH;
920
+ $cookie_path_plugins = PLUGINS_COOKIE_PATH;
921
+ $cookie_path_admin = ADMIN_COOKIE_PATH;
922
+
923
+ if ( $this->diff_host && $this->is_ssl() ) {
924
+ // Cookie paths defined to accomodate different SSL Host
925
+ $cookie_domain = parse_url($this->https_url, PHP_URL_HOST);
926
+ $cookie_path = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . $cookie_path;
927
+ $cookie_path_site = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . $cookie_path_site;
928
+ $cookie_path_plugins = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . $cookie_path_plugins;
929
+ $cookie_path_admin = $cookie_path_site . 'wp-admin';
930
+ }
931
+
932
+ // Cookie paths defined to accomodate different SSL Host
933
+ if ( version_compare(phpversion(), '5.2.0', '>=') ) {
934
+ if ( $scheme == 'logged_in' ) {
935
+ setcookie($cookie_name, $cookie, $expire, $cookie_path, null, $secure, true);
936
+ if ( $cookie_path != $cookie_path_site ) {
937
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_site, null, $secure, true);
938
+ }
939
+ } else {
940
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_plugins, null, false, true);
941
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_admin, null, false, true);
942
+ }
943
+ } else {
944
+ if ( !empty($cookie_domain) ) {
945
+ $cookie_domain .= '; HttpOnly';
946
+ }
947
+
948
+ if ( $scheme == 'logged_in' ) {
949
+ setcookie($cookie_name, $cookie, $expire, $cookie_path, null, $secure);
950
+ if ( $cookie_path != $cookie_path_site ) {
951
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_site, null, $secure);
952
+ }
953
+ } else {
954
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_plugins, null);
955
+ setcookie($cookie_name, $cookie, $expire, $cookie_path_admin, null);
956
+ }
957
+ }
958
+ }
959
+
960
+ /**
961
+ * Clear Authentication Cookie
962
+ *
963
+ * Clear authentication cookies when using a different SSL Host
964
+ *
965
+ * @param none
966
+ * @return void
967
+ */
968
+ public function clear_auth_cookie() {
969
+ $cookie_domain = parse_url($this->https_url, PHP_URL_HOST);
970
+ $cookie_path = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . COOKIEPATH;
971
+ $cookie_path_site = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . SITECOOKIEPATH;
972
+ $cookie_path_plugins = rtrim(parse_url($this->https_url, PHP_URL_PATH), '/') . PLUGINS_COOKIE_PATH;
973
+ $cookie_path_admin = $cookie_path_site . 'wp-admin';
974
+
975
+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_admin);
976
+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_plugins);
977
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_admin);
978
+ setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, $cookie_path_plugins);
979
+ setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, $cookie_path);
980
+ setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, $cookie_path_site);
981
+ }
982
+
983
  /**
984
  * Add 'Force SSL' checkbox to add/edit post pages
985
  *
986
  * @param none
987
  * @return void
988
  */
989
+ public function post_checkbox() {
990
  global $post;
991
 
992
  wp_nonce_field(plugin_basename(__FILE__), 'wordpress-https');
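Review bot: In set_cookie(), `$secure` is read at `} elseif ( $secure ) {` and passed to setcookie(), but it is never defined: the signature is ($cookie, $expire, $expiration, $user_id, $scheme) and nothing assigns it. The SECURE_AUTH_COOKIE branch is therefore unreachable, every scheme other than 'logged_in' is rewritten to AUTH_COOKIE / 'auth', and the logged_in cookie is set without the Secure flag even on the SSL host. Derive it explicitly, for example `$secure = ( $scheme == 'secure_auth' );`, and pass it in place of the literal `false` in the two auth-cookie setcookie() calls. Also, $cookie_domain is computed but every setcookie() call passes null for the domain, so in the pre-5.2 branch the '; HttpOnly' suffix appended to $cookie_domain never reaches the cookie. The docblock's `@param none` should list the five parameters.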
995
  if ( $post->ID ) {
996
  $checked = get_post_meta($post->ID, 'force_ssl', true);
997
  }
998
+ echo '<div class="misc-pub-section misc-pub-section-wphttps"><label>Force SSL: <input type="checkbox" value="1" name="force_ssl" id="force_ssl"'.(($checked) ? ' checked="checked"' : '').' /></label></div>';
999
  }
1000
 
1001
  /**
1004
  * @param int $post_id
1005
  * @return int $post_id
1006
  */
1007
+ public function post_save( $post_id ) {
1008
  if ( array_key_exists('wordpress-https', $_POST) ) {
1009
  if ( !wp_verify_nonce($_POST['wordpress-https'], plugin_basename(__FILE__))) {
1010
  return $post_id;
1024
  }
1025
  }
1026
 
1027
+ $force_ssl = (( $_POST['force_ssl'] == 1 ) ? true : false);
1028
+ if ( $force_ssl ) {
1029
  update_post_meta($post_id, 'force_ssl', 1);
1030
  } else {
1031
  delete_post_meta($post_id, 'force_ssl');
1032
  }
1033
 
1034
+ return $force_ssl;
1035
  }
1036
  return $post_id;
1037
  }
1038
 
1039
  /**
1040
+ * Admin panel menu option
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1041
  *
1042
  * @param none
1043
  * @return void
1044
  */
1045
+ public function menu() {
1046
  add_options_page('WordPress HTTPS Settings', 'WordPress HTTPS', 'manage_options', 'wordpress-https', array(&$this, 'settings'));
1047
  }
1048
 
1049
  /**
1050
+ * Plugin links on Manage Plugins page in admin panel
1051
  *
1052
  * @param array $links
1053
  * @param string $file
1054
  * @return array $links
1055
  */
1056
+ public function plugin_links($links, $file) {
1057
  if ( strpos($file, basename( __FILE__)) === false ) {
1058
  return $links;
1059
  }
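Review bot: `$force_ssl = (( $_POST['force_ssl'] == 1 ) ? true : false);` reads the key without an isset() check, and an unchecked checkbox is not submitted at all, so saving a post with Force SSL off hits an undefined index; `!empty($_POST['force_ssl'])` covers both cases. The new `return $force_ssl;` also returns a boolean from a method whose docblock says `@return int $post_id` and whose other exits return $post_id; return $post_id here too, or update the docblock and check the callers.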
1066
  }
1067
 
1068
  /**
1069
+ * Settings Page
1070
  *
1071
  * @param none
1072
  * @return void
1073
  */
1074
+ public function settings() {
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1075
  if ( !current_user_can('manage_options') ) {
1076
  wp_die( __('You do not have sufficient permissions to access this page.') );
1077
  }
1084
  $_POST[$key] = 0;
1085
  update_option($key, $_POST[$key]);
1086
  } else {
1087
+ if ( $key == 'wordpress-https_ssl_host' && $_POST[$key] != '' ) {
1088
+ // Add scheme if it doesn't exist so that parse_url does not fail
1089
+ if ( strpos($url, 'http://') === false && strpos($url, 'https://') === false ) {
1090
+ $_POST[$key] = $this->replace_http('http://' . $_POST[$key]);
1091
  }
1092
+ $port = ((isset($_POST['wordpress-https_ssl_port'])) ? $_POST['wordpress-https_ssl_port'] : $this->ssl_port);
1093
+ $url = parse_url($_POST[$key]);
1094
+ $_POST[$key] = 'https://' . $url['host'] . (($port) ? ':' . $port : '') . @$url['path'];
1095
+
1096
+ // If secure host is set to a different host
1097
+ if ( $_POST[$key] != $this->https_url ) {
1098
+ if ( $this->get_file_contents($_POST[$key]) ) {
1099
+ // Remove trailing slash
1100
+ if ( substr($_POST[$key], -1, 1) == '/' ) {
1101
+ $_POST[$key] = substr($_POST[$key], 0, strlen($_POST[$key])-1);
1102
+ }
1103
+ $this->log('[SETTINGS] Updated SSL Host: ' . $this->https_url . ' => ' . $_POST[$key]);
1104
+
1105
+ // If secure domain has changed and currently on SSL, logout user
1106
+ if ( $this->is_ssl() ) {
1107
+ $logout = true;
1108
+ }
1109
+ } else {
1110
+ $errors[] = '<strong>SSL Host</strong> - Invalid host.';
1111
+ $_POST[$key] = '';
1112
  }
 
 
 
1113
  }
1114
+ } else if ( $key == 'wordpress-https_ssl_admin' ) {
1115
  if ( force_ssl_admin() || force_ssl_login() ) {
1116
+ $errors[] = '<strong>SSL Admin</strong> - FORCE_SSL_ADMIN and FORCE_SSL_LOGIN can not be set to true in your wp-config.php.';
1117
  $_POST[$key] = 0;
1118
+ // If forcing SSL Admin and currently not SSL, logout user
1119
+ } else if ( !$this->is_ssl() ) {
1120
+ $logout = true;
1121
  }
 
 
 
 
 
1122
  }
1123
 
1124
  update_option($key, $_POST[$key]);
1125
  }
1126
  }
1127
 
1128
+ if ( $logout ) {
1129
+ wp_logout();
1130
+ }
1131
+
1132
  if ( array_key_exists('ajax', $_POST) ) {
1133
  while(@ob_end_clean());
1134
  ob_start();
1135
  if ( sizeof( $errors ) > 0 ) {
1136
+ echo "<div class=\"error below-h2 fade wphttps-message\" id=\"message\">\n\t<ul>\n";
1137
  foreach ( $errors as $error ) {
1138
  echo "\t\t<li><p>".$error."</p></li>\n";
1139
  }
1140
  echo "\t</ul>\n</div>\n";
1141
  } else {
1142
+ echo "<div class=\"updated below-h2 fade wphttps-message\" id=\"message\"><p>Settings saved.</p></div>\n";
1143
+ if ( $logout ) {
1144
+ echo "<script type=\"text/javascript\">window.location.reload();</script>";
1145
+ }
1146
  }
1147
  exit();
1148
  }
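Review bot: In the 'wordpress-https_ssl_host' branch, `strpos($url, 'http://') === false && strpos($url, 'https://') === false` tests $url before it is assigned by `$url = parse_url($_POST[$key]);` a few lines later, so the check runs against an undefined variable and 'http://' is prepended every time, including when a full https:// URL was entered. The test should be on $_POST[$key]. $port is taken directly from $_POST['wordpress-https_ssl_port'] and concatenated into the stored URL; cast it to an integer and range-check it first. `@$url['path']` and the unchecked `$url['host']` hide parse_url() failures, so check that the host key exists and add the error to $errors instead. Nothing in the visible lines initialises $logout before `if ( $logout )`; set it to false ahead of the loop.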
1156
  <?php
1157
  if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
1158
  if ( sizeof( $errors ) > 0 ) {
1159
+ echo "\t<div class=\"error below-h2 fade wphttps-message\" id=\"message\">\n\t<ul>\n";
1160
  foreach ( $errors as $error ) {
1161
  echo "\t\t<li><p>".$error."</p></li>\n";
1162
  }
1163
  echo "\t</ul>\n</div>\n";
1164
  } else {
1165
+ echo "\t\t<div class=\"updated below-h2 fade wphttps-message\" id=\"message\"><p>Settings saved.</p></div>\n";
1166
  }
1167
  } else {
1168
+ echo "\t<div class=\"wphttps-message-wrap\"id=\"message-wrap\"><div id=\"message-body\"></div></div>\n";
1169
  }
1170
  ?>
1171
 
1172
  <div id="wphttps-sidebar">
1173
 
1174
+ <?php if ( sizeof($this->warnings()) > 0 ) { ?>
1175
+ <div class="wphttps-widget" id="wphttps-warnings">
1176
+ <h3 class="wphttps-widget-title">Warnings</h3>
1177
+ <div class="wphttps-widget-content inside">
1178
+ <?php
1179
+ foreach( $this->warnings() as $warning ) {
1180
+ $warning_id = 'warnings-' . strtolower(str_replace(' ', '-', $warning['label']));
1181
+ echo "\t\t\t\t\t<strong>" . $warning['label'] . "</strong><a class=\"warning-help wphttps-icon\" href=\"#" . $warning_id . "-tooltip\">Help</a>\n";
1182
+ echo "\t\t\t\t\t<ul id=\"" . $warning_id . "\">";
1183
+ foreach ( $warning['warnings'] as $warning ) {
1184
+ echo "\t\t\t\t\t\t<li><span class=\"warning-url\">" . $warning . "</span></li>\n";
1185
+ }
1186
+ echo "\t\t\t\t\t</ul>\n\n";
1187
+ }
1188
+ ?>
1189
+ </div>
1190
+ </div>
1191
+
1192
+ <?php } ?>
1193
+
1194
  <div class="wphttps-widget" id="wphttps-updates">
1195
  <h3 class="wphttps-widget-title">Developer Updates</h3>
1196
+ <div class="wphttps-widget-content inside">
1197
+ <img alt="Loading..." src="<?php echo parse_url($this->plugin_url, PHP_URL_PATH); ?>/css/images/wpspin_light.gif" class="loading" id="updates-loading" />
1198
+ </div>
1199
  </div>
1200
 
1201
  <div class="wphttps-widget" id="wphttps-support">
1202
  <h3 class="wphttps-widget-title">Support</h3>
1203
+ <div class="wphttps-widget-content inside">
1204
+ <p>Having problems getting your site secure? If you haven't already, check out the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/" target="_blank">Frequently Asked Questions</a>.</p>
1205
+ <p>Still not fixed? Please <a href="http://wordpress.org/tags/wordpress-https#postform" target="_blank">start a support topic</a> and I'll do my best to assist you.</p>
 
1206
  </div>
1207
  </div>
1208
 
1209
  <div class="wphttps-widget" id="wphttps-donate">
1210
  <h3 class="wphttps-widget-title">Donate</h3>
1211
+ <div class="wphttps-widget-content inside">
1212
+ <p>If you found this plugin useful, or I've already helped you, please considering buying me a <a href="http://en.wikipedia.org/wiki/Newcastle_Brown_Ale" target="_blank">beer</a> or two.</p>
1213
  <p>Donations help alleviate the time spent developing and supporting this plugin and are greatly appreciated.</p>
1214
 
1215
+ <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=N9NFVADLVUR7A" target="_blank" id="wphttps-donate-link">
1216
+ <img alt="Donate" src="https://www.paypal.com/en_US/i/btn/btn_donate_SM.gif" width="74" height="21" />
1217
+ </a>
 
 
 
1218
  </div>
1219
  </div>
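Review bot: In the new Warnings widget, `$warning['label']` and each entry of `$warning['warnings']` are echoed into the admin page unescaped, and the `warning-url` class indicates the entries are URLs collected from page content. Wrap both in esc_html() and pass $warning_id through esc_attr() before it goes into the id and href attributes. The inner `foreach ( $warning['warnings'] as $warning )` also overwrites the outer loop variable; rename the inner one (for example $warning_url). $this->warnings() is called twice, once for sizeof() and once for the loop; store the result in a local variable.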
1220
 
1225
  <form name="form" id="wordpress-https" action="options-general.php?page=wordpress-https" method="post">
1226
  <?php settings_fields('wordpress-https'); ?>
1227
 
1228
+ <h3 class="title">General Settings</h3>
1229
+ <table class="form-table">
1230
+ <tr valign="top">
1231
+ <th scope="row">SSL Host</th>
1232
+ <td>
1233
+ <fieldset>
1234
+ <label for="wordpress-https_ssl_host">
1235
+ <input name="wordpress-https_ssl_host" type="text" id="wordpress-https_ssl_host" class="regular-text code" value="<?php echo str_replace('https://', '', $this->remove_port($this->https_url)); ?>" />
1236
+ </label>
1237
+ <label for="wordpress-https_ssl_port">Port
1238
+ <input name="wordpress-https_ssl_port" type="text" id="wordpress-https_ssl_port" class="small-text" value="<?php echo $this->ssl_port; ?>" />
1239
+ </label>
1240
+ </fieldset>
1241
+ </td>
1242
+ </tr>
1243
+ <tr valign="top">
1244
+ <th scope="row">Force SSL Exclusively</th>
1245
+ <td>
1246
+ <fieldset>
1247
+ <input name="wordpress-https_exclusive_https" type="checkbox" id="wordpress-https_exclusive_https" value="1"<?php echo ((get_option('wordpress-https_exclusive_https')) ? ' checked="checked"' : ''); ?> />
1248
+ <label for="wordpress-https_exclusive_https">
1249
+ Posts and pages without <a href="<?php echo parse_url($this->plugin_url, PHP_URL_PATH); ?>/screenshot-2.png" class="thickbox">Force SSL</a> enabled will be redirected to HTTP.
1250
+ </label>
1251
+ </fieldset>
1252
+ </td>
1253
+ </tr>
1254
+ <tr valign="top">
1255
+ <th scope="row">Force SSL Administration</th>
1256
+ <td>
1257
+ <fieldset>
1258
+ <label for="wordpress-https_ssl_admin">
1259
+ <input name="wordpress-https_ssl_admin" type="checkbox" id="wordpress-https_ssl_admin" value="1"<?php echo ((get_option('wordpress-https_ssl_admin')) ? ' checked="checked"' : ''); ?> />
1260
+ </label>
1261
+ </fieldset>
1262
+ </td>
1263
+ </tr>
 
 
 
 
 
 
 
1264
 
1265
  <?php if ( get_option('show_on_front') == 'posts' ) { ?>
1266
+ <tr valign="top">
1267
+ <th scope="row">HTTPS Front Page</th>
1268
+ <td>
1269
+ <fieldset>
1270
+ <label for="wordpress-https_frontpage">
1271
+ <input name="wordpress-https_frontpage" type="checkbox" id="wordpress-https_frontpage" value="1"<?php echo ((get_option('wordpress-https_frontpage')) ? ' checked="checked"' : ''); ?> />
1272
+ </label>
1273
+ </fieldset>
1274
+ </td>
1275
+ </tr>
1276
 
1277
  <?php } ?>
1278
+ </table>
1279
+
1280
  <p class="button-controls">
1281
  <input type="submit" name="Submit" value="Save Changes" class="button-primary" />
1282
  <img alt="Waiting..." src="<?php echo parse_url($this->plugin_url, PHP_URL_PATH); ?>/css/images/wpspin_light.gif" class="waiting" id="submit-waiting" />
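Review bot: The SSL Host and Port inputs print `$this->https_url` and `$this->ssl_port` straight into `value="..."` attributes. Both are saved settings that come from the form submission, so wrap them in esc_attr() before echoing. The `<label for="wordpress-https_ssl_admin">` and `<label for="wordpress-https_frontpage">` elements contain only the checkbox and no text, unlike the Force SSL Exclusively row; add a short description so the label is usable.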
1285
  </div>
1286
  </div>
1287
 
1288
+ <div class="wphttps-tooltip-body" id="warnings-unsecure-external-content-tooltip">Unsecure External Content are URL's being loaded on secure pages that can not be loaded securely. It is recommended that you remove these elements by disabling or editing the plugin or theme that requires them.</div>
1289
+
1290
  <?php
1291
  }
1292
  } // End WordPressHTTPS Class
1293
  }
1294
 
1295
+ // Instantiate class if we're in WordPress
1296
+ if ( class_exists('WordPressHTTPS') && function_exists('get_bloginfo') ) {
1297
  $wordpress_https = new WordPressHTTPS();
1298
+ register_activation_hook(__FILE__, array(&$wordpress_https, 'install'));
1299
+ register_uninstall_hook(__FILE__, array(&$wordpress_https, 'uninstall'));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1300
  }
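Review bot: `register_uninstall_hook(__FILE__, array(&$wordpress_https, 'uninstall'));` passes an object instance as the callback. WordPress stores the uninstall callback in the options table and requires a function name or a static class method, so this should be `array('WordPressHTTPS', 'uninstall')` with uninstall() declared static, or the cleanup should move to an uninstall.php file. Worth confirming on a test site that the options and post metadata are actually removed on uninstall, since that is one of the advertised changes in this release.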