Hi all,

In order to satisfy my organisation's security requirements, they have asked me to modify our WordPress instance so that the administrator's login page is via https. I was successful in making the entire site https, but some pages that have "http" hard-coded broke (not my fault...I didn't write those pages...) but, more importantly, the site became much slower.

It seems that our administrators would be satisfied if just the administrator's interface was (i.e., where passwords are sent) are within https. The public pages can be sent via http.

I looked around and these instructions here clearly explain what I should do. However, it says under "Further Information", that the steps below that are only for older versions of WordPress. Thus, all I need to do is:

define('FORCE_SSL_ADMIN', true);

I did that, but it isn't working. That is, the public pages use http, but when I go to the administrator's interface, it is still http.

I *guess* that there is something I need to do with my web server's (Apache) configuration. I have one conf file for port 80 and one for port 443. However, neither this page nor others I have looked at which give similar advice explain what I should do.

Am I looking at the wrong place? Is there something wrong with my web server's configuration files? Or is there something wrong elsewhere -- perhaps within WordPress' configuration?

Any help would be appreciated! I'm not sure which part of the system I should be focussing on...

Thank you!

Ray

I've got WP 4.3.1 running on Centos 6, all files in /var/www/html owned by apache, folder (755) and file (644) permissions are correct for everything within.

When I try to update to 4.4 via the Dashboard, I'm prompted for FTP credentials to perform updates.

Odd that the plugins are able to update — usually this problem is caused by files not owned by apache in my experience — but Word Press itself cannot update itself.

Ideas, suggestions?

Dan

Hey! I'm currently developing a digital marketplace and I was wondering, could you host WooCommerce digital downloads on a separate server?

I mean, its an obvious yes, but I want to know if I could do that but also be able to keep the files secure so they cant just be downloaded by going to the url.

I'm currently running WordPress on Ubuntu 14.04 on an Apache server. Yes I have root access. My database is also remotely accessible

Hey! I'm currently developing a digital marketplace and I was wondering, could you host WooCommerce digital downloads on a separate server?

I mean, its an obvious yes, but I want to know if I could do that but also be able to keep the files secure so they cant just be downloaded by going to the url.

I'm currently running WordPress on Ubuntu 14.04 on an Apache server. Yes I have root access. My database is also remotely accessible

https://wordpress.org/plugins/woocommerce/

Hi all,

I’ve searched, and read tons of how-to articles, and I think I’m just missing something somewhere obvious. But this is driving me batty.

I have a working WP 4.5.3 website which (for now) I’d like to avoid linking too, but I can in some kind of private message or email if necessary. This is a standard vanilla WP install–single installation–but using modified themes and about a dozen plugins, and the like.

Anyway, right now the site is set up in a subdir off of \var\www\, named \wpdirectory. There is an .htaccess and index.php file in var\www (i.e. the web root).

Here’s the contents of .htaccess in the root (\var\www):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

And here’s the contents of index.php in the root (\var\www):

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wpdirectory/wp-blog-header.php' );

In the subdirectory and install locale itself (\var\www\wpdirectory), there’s an .htaccess file that reads:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wpdirectory/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wpdirectory/index.php [L]
</IfModule>

# END WordPress

WordPress itself is set with the following values in the panel\db:

WordPress Address (URL): http://somedomain.com/wpdirectory
Site URL: http://somedomain.com

Now, this all works great! Any incoming requests to http://somedomain.com are routing to the WP install (and site) as needed. Fantastic, right?

BUT, now we want to come in and stand up a new WP install in a different subdirectory. Let’s say it’s at var\www\newsite

And we can’t do that, as it stands, because we’re not using \sites-available\website.conf files of any kind. If you hit this box in any way, including by the server IP, your browser traffic is routed to the somedomain.com WP site. That’s not the end of the world as long as only a single domain is pointed at the site, but you can see the obvious issue if we want to come in with a second production domain pointing to a different subdir\installation.

As part of that, it makes sense to go ahead and create a somedomain.com.conf file in Apache and enable it in sites-enabled, and then do the same thing for the new site. We want everything nice and segregated between the two completely different sites and installs, after all, and in the future we can add more sites this way…

So here’s the kind of .conf file we tried to do for the existing somedomain.com website. After all, it’s a good dry run for the upcoming site anyway.

<VirtualHost *:80>

	ServerAdmin support@somedomain.com
	ServerName somedomain.com
	ServerAlias www.somedomain.com

	DocumentRoot /var/www/wpdirectory
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/wpdirectory>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/wpdirectoryerror.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/wpdirectoryaccess.log combined

</VirtualHost>

…And we enable this in apache sites-enabled using the typical console commands, and it appears to work, and then…

We get weird errors on the site. Only the homepage and some of the images and the like appear.

The hosting company’s Linux admins’ suggestion was to go ahead and set up the .conf file, but remove the subdir reference from the .htaccess file in the /wpdirectory subdir itself (we have Apache support, which is good because my kung fu is not strong in Apache). So we wind up with the .htaccess file in the subdir looking like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

This enables us to browse more of the site, but things like images and the like–which are stored in the media library and db with refs like /wpdirectory/wp-content/uploads/blah.jpg–break at this point.

So I’m not sure what to do. I have a staging site, but I’ve been unable to replicate this exact setup there, for a number of reasons (one being that I don’t have a valid domain to point to staging, and even spoofing one in my hosts file and changing the db refs in the staging db to the spoofed domain doesn’t work).

In a perfect world, we can segregate that production domain AND be prepared for the second production and site, which as I said will also be in its own site and subdir. This is a big deal because we have a hard launch date of next week, and if I can’t get this all figured out before then I’m going to have to stand up a new cloud server instance just to run one WP install.

All this indicates, to me, that I’m overlooking something elementary somewhere.

Thanks SO MUCH to anyone who can help. And forgive me if anything seems obvious. As I said, I’m not a LAMP guy. I’m learning what I can as fast as I can.

Hi all,

In order to satisfy my organisation’s security requirements, they have asked me to modify our WordPress instance so that the administrator’s login page is via https. I was successful in making the entire site https, but some pages that have “http” hard-coded broke (not my fault…I didn’t write those pages…) but, more importantly, the site became much slower.

It seems that our administrators would be satisfied if just the administrator’s interface was (i.e., where passwords are sent) are within https. The public pages can be sent via http.

I looked around and these instructions here clearly explain what I should do. However, it says under “Further Information”, that the steps below that are only for older versions of WordPress. Thus, all I need to do is:

define('FORCE_SSL_ADMIN', true);

I did that, but it isn’t working. That is, the public pages use http, but when I go to the administrator’s interface, it is still http.

I *guess* that there is something I need to do with my web server’s (Apache) configuration. I have one conf file for port 80 and one for port 443. However, neither this page nor others I have looked at which give similar advice explain what I should do.

Am I looking at the wrong place? Is there something wrong with my web server’s configuration files? Or is there something wrong elsewhere — perhaps within WordPress’ configuration?

Any help would be appreciated! I’m not sure which part of the system I should be focussing on…

Thank you!

Ray

Hey! I’m currently developing a digital marketplace and I was wondering, could you host WooCommerce digital downloads on a separate server?

I mean, its an obvious yes, but I want to know if I could do that but also be able to keep the files secure so they cant just be downloaded by going to the url.

I’m currently running WordPress on Ubuntu 14.04 on an Apache server. Yes I have root access. My database is also remotely accessible

Hey! I’m currently developing a digital marketplace and I was wondering, could you host WooCommerce digital downloads on a separate server?

I mean, its an obvious yes, but I want to know if I could do that but also be able to keep the files secure so they cant just be downloaded by going to the url.

I’m currently running WordPress on Ubuntu 14.04 on an Apache server. Yes I have root access. My database is also remotely accessible

https://wordpress.org/plugins/woocommerce/

I’ve used WP-super-cache since the first year it was released. At one point I even wrote a plugin to “prime” an entire site into WP-super-cache (since removed, irrelevant now). During the past decade, I’ve tried pretty much every caching plugin out there, and I don’t just try them out, I dive in to the code and go to extreme lengths to debug how effective it works.

Today I am charge for fortune 1000 sites getting hundreds of millions of visitors per year, and my own site has been in the Alexa top 20k highest traffic sites since 2006. Those sites, and my own, run WP-super-cache and the reason is simply that using this plugin we can expect 0 problems, and the maximum performance possible from a non-statically rendered site such as WP.

While other plugins spout a lot of features (translation: bloat and market/adware), and many of those features can be incredibly helpful, they cause many more issues, and constantly need updating and tweaking.

The focus of this plugin is sweetly specific: Maximum performance possible from your server (Apache) by simply creating static versions of urls normally generated by memory and CPU and database hungry php.

As long as this plugin keeps that focus, it will continue to be incomparable to all other solutions for the high-end enterprise level high-traffic sites that rely on it.

Use this plugin, and if it doesn’t work, you need a new web host.

So I was having a lot of issues with setting up Revisr to work with my Bitbucket Server. I followed the guide for how to add an SSH key, and I added it under ~/.ssh, but still nothing worked and I kept getting the Host Key Verification Failed errors. Turns out, the key (for Apache) needed to be added to the apache user’s directory, and then the repository needed to be sync’d as apache to added it to its own Known Hosts list. Please see my steps below. (Also, if you are not able to access apache’s .ssh directory, it may be owned by root, so chown apache:apache)

======================

[root@centos html]# sudo -u apache ssh-keygen -t rsa -b 4096 -C “user@example.com”
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/share/httpd/.ssh/id_rsa):
/usr/share/httpd/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/share/httpd/.ssh/id_rsa.
Your public key has been saved in /usr/share/httpd/.ssh/id_rsa.pub.
The key fingerprint is:
fd:c2:43:01:0c:EX:AM:PL:E9:c6:f3:65:20:ca:b5:8f user@example.com
The key’s randomart image is:
+–[ RSA 4096]—-+
| Removed |
| |
| |
| |
| |
| |
| |
| |
| |
+—————–+
[root@centos html]# cat < /usr/share/httpd/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2RemovedRemoveCAQCh0oXy7pGcXyzpZPrD34Sa9oNUnCWZUHutU70vYztmm4L7sF
WNKIY59JtV21S30oVf4uuvm4dKQ9GASTw3SffdnL6Oge+6tFn+B0PdC1TXAkqhxFPc+PSa/SyfqtP/z6P4mp2l
W6oPn67wAgT3w+dJTnmVFHcusr+CRemovedRemoveddrdOxpI1AeT+Y9fY/hBtG+pKRW6FEZs0LAfXIys+6Q1G
/h12tKdiB1anPKPN+75Zj5nCQQ0Nm90ECb6hdiVUoxknwoSUUbV008JrglC4H9HWHUw2jJJCXlofzyrM6VgMDo
8Bc/PZmtAiueo3D/OpRUf3fErOAKlMKNidvEOMUFbNz/jDdDtN6bfFkJEhAblxkoGP6XqQwnn9Wlkfaxl64LDG
G1bfNflpx62euzj9EUqK3zRemovedRemovedXXXX8GF0v+iUCgWg9M73J+yDJdedRtM3FCwfFYtvzx+2zfdG0r
/Bq70KXr+Ll4dlWBDBjYwSefM9mXW4e/YhTtipPfld7/JwD9kGu/ybPhiy2vm2yhGq7kFk0T3UgV41EhrcY5fU
ceGhe0ftRZm9XsVykQEbLA89xEeij+ZOwf+NafxezTDOUz+j815MKRYlonZoRVtaHU7IUsiV+xmMVfXGFKGkAO
iN3TYkRaFkYxu84mn/3T0V9rHGdVaJtBGw== user@example.com
[root@centos html]# sudo -u apache git push origin master
The authenticity of host ‘[www.example.com]:7999 ([xxx.xx.xx.xxx]:7999)’ can’t be established.
RSA key fingerprint is 12:54:a5:a0:17:EX:AM:PL:Ea:a7:c6:a6:2b:9d:31:bd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[www.example.com]:7999,[xxx.xx.xxx.xxx]:7999’ (RSA) to the list of known hosts.
Everything up-to-date

I was using Simple 301 Redirects, but I had an issue with the clients server, it was due to the php setting max_input_vars. It would not allow me to add more than 500 redirects. Will I have this same issue with this plugin? How are the redirects data stored? Thanks!

I know, this sounds like a newb error. But the codex instructions are simple and I executed them successfully just 6 months ago on a client site. But this week I have tried it in two different locations with failure: a new site, and on a localhost installation. Both are running Apache. My local install is on OS X 10.11.6.

Here are the steps:
1) In Dashboard->Settings, change the WordPress Address (URL) to root, i.e. http://sitename.com/wp –> http://sitename.com
2) Do the same under Site Address (URL).
3) Submit. Ignore error message.
4) Copy index.php and .htaccess to root directory. Change index.php to refer to the subdirectory containing the installation.
require( dirname( __FILE__ ) . '/wp/wp-blog-header.php' );

The site now loads some front page content, but on a white page with no styling. It looks like it is half-transferred. The browser status bar is quite active, sending multiple requests, but nothing visibly changes. This is explained by access-log, showing multiple 404s for things that should be working now, starting with:
POST /wp-cron.php?doing_wp_cron=1473357879.5045380592346191406250 HTTP/1.1" 404 18444

Some other key 404s include (but are by no means limited to):

GET /wp-content/themes/mythemename/css/mythemename.css?ver=1.0.0 HTTP/1.1" 404 19965
GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 404 19950

Now, I thought the culprit might be the url redirection, so I turned on trace6 for mod_rewrite in the virtual host configuration in the localhost site. The redirection appears to be successful. For example:

[Thu Sep 08 12:04:39.524223 2016] [rewrite:trace3] [pid 7032] mod_rewrite.c(476): [client 127.0.0.1:52145] 127.0.0.1 - - [prfol.localhost/sid#7f883c020c40
][rid#7f883c042780/initial/redir#1] [perdir /Users/david/Sites/prfol/public_html/] strip per-dir prefix: /Users/david/Sites/prfol/public_html/index.php ->
 index.php, referer: http://prfol.localhost/wp-cron.php?doing_wp_cron=1473357879.5045380592346191406250
[Thu Sep 08 12:04:39.524236 2016] [rewrite:trace3] [pid 7032] mod_rewrite.c(476): [client 127.0.0.1:52145] 127.0.0.1 - - [prfol.localhost/sid#7f883c020c40
][rid#7f883c042780/initial/redir#1] [perdir /Users/david/Sites/prfol/public_html/] applying pattern '^index\\.php$' to uri 'index.php', referer: http://pr
fol.localhost/wp-cron.php?doing_wp_cron=1473357879.5045380592346191406250
[Thu Sep 08 12:04:39.524249 2016] [rewrite:trace1] [pid 7032] mod_rewrite.c(476): [client 127.0.0.1:52145] 127.0.0.1 - - [prfol.localhost/sid#7f883c020c40
][rid#7f883c042780/initial/redir#1] [perdir /Users/david/Sites/prfol/public_html/] pass through /Users/david/Sites/prfol/public_html/index.php, referer: h
ttp://prfol.localhost/wp-cron.php?doing_wp_cron=1473357879.5045380592346191406250

However, I still get the 404 for the top line of this request.
I’ve tried hard refreshes. Clearing the cache. Even using a new browser that has never visited the site.

My .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

My httpd-vhosts.conf for this site:

<VirtualHost *:80>
    ServerAdmin [my email]
    DocumentRoot "/Users/david/Sites/prfol/public_html"
    ServerName prfol.localhost
    ServerAlias www.prfol.localhost
    ErrorLog "/private/var/log/apache2/prfol-error_log"
    CustomLog "/private/var/log/apache2/prfol-access_log" common
    LogLevel debug rewrite:trace6
</VirtualHost>
<Directory "/Users/david/Sites/prfol/public_html">
    Options FollowSymLinks Multiviews
    MultiviewsMatch Any
    AllowOverride All
    Require all granted
</Directory>

After writing this, I realize that WordPress apparently requests its normal URLs, apache applies the redirect rules on them, but then something doesn’t complete.

I’m still convinced that it’s something I have overlooked or skipped. I’m able to revert to the subdirectory by restoring the WordPress Address and Site Address values via phpmyadmin, and deleting the root-level index.php and .htaccess.

Can anyone see what I’m missing? Or else help me find how the redirect is not executed? Perhaps by setting trace on another module?

Thank you!

I’ve been running wordpress.org happily for years on a server with Ubuntu 14.04 and Apache 2.4. Just recently though, I installed a new service (openproject) which uses port 80. So my web URL: http://example.net (say) pointed to openproject rather than wordpress. I changed the port of openproject to 8080 so its the URL is now http://example.net:8080. But now port 80 is unreachable – the URL http://example.net gives me the 403 error with “You don’t have permission to access / on this server.”

It’s so long since I installed wordpress that I’m not sure what permissions, ownerships should be in place to have it work. Currently:

• most wp-* files and directories in /var/www/html have ownership wpadmin:wpadmin, where wpadmin is the wordpress user
• wp-content/ and .htaccess are owned by www-data (the web server)

As far as I know, none of the other files in /etc/apache2/sites-enabled/ have been changed. How can I most easily have wordpress available to me again? Thanks!

With this line in .htaccess RewriteCond %{REQUEST_URI} !?add-to-cart= [NC] i get the following internal server error:
RewriteCond: cannot compile regular expression '?add-to-cart='

Looks like !\?add-to-cart= [NC] fixes the error, but your plugin overwrites the .htaccess file.

Apache 2.4.20

Hi
My public domain is www.example.com, this is a reverse proxy apache.
my website sits on 172.10.10.1/wordpress.
I want to enable the permalinks but i get 404.
My questions:
1. should the reverse proxy pass be 172.10.10.1/wordpress or 172.10.10.1
2. what should i write as the site url and site adress in wp settings?
3. what should be written in the .htaccess file for the rewrite?

Thanks alot
Asaf

Hi,
I have 2 computers on my home network. I have set one up as a server (Ubuntu) to host a WordPress site.

On the server everything works just fine when I go to the WordPress page (localhost). When I try to access this from another computer on the local network the page all I get is a cut down, simple style page (I believe people call this a “naked” theme). But I’m not running any naked theme – so far on the server computer I am running the default theme.

Also when I click on any links all I get is a “Connection Refused” error from the server.

PHP is running fine on the server, as well as MySQL. I thought it was a problem with the file permissions but every folder seems to have read access.

I moved my WordPress site to a brand new server, everything works great….expect FeedWordpress. I migrated everything by the book. I can press to update feeds all I want, but it doesn’t fetch new posts from the feeds.

I tried fixing it by installing missed scheduled posts & WP-Cron control plugins. Didn’t fix the problem.

Any help how to solve this?

Hi friends,
looking into an Apache error:

[Thu Nov 10 15:13:59.913435 2016] [:error] [pid 3407] [client 217.69.133.238:56173] PHP Catchable fatal error: Object of class WP_Error could not be converted to string in /var/www/vini-bulgarini.com/public_html/wp-content/themes/EightDegree/inc/dimox-breadcrumbs.php on line 101, referer: http://www.vini-bulgarini.com/dolce-angelica/

I’ve seen that this page is reachable although if on WP pages it is not present.

I’ve seen on WP database and this page seem present, on “wp_posts”
the “post_status” is “inherit”
the “guid” is “https://www.vini-bulgarini.com/wp-content/uploads/2016/10/dolce-angelica.pdf”
the “post_type” is “attachment”

About this “shadow page” could I simply delete it?
And about the apache error, what could it be?

many many thanks!

Good day,
could somebody please enlighten me? I don’t get what I’m missing to get SSO to run.

I’ve been running on Linux/Ubuntu and Apache 2.4.
Now, I’m running a Windows Server 2012 R2 with Apache 2.4 and php7.

LDAP authentication works fine but I don’t have a clue how to bypass the remote_user variable now.

Our WordPress installation is used as a knowledge base for each department.
The users have to login to see the specific instructions they need.

Therefor we are using a User Access Management tool.

I’d appreciate any help regarding this.

Kind regards
Malte Zwillus

This is a quick question, i’m considering moving from apache to nginx + phpfpm for performance reasons, however i’ve read that using both is better, you get nginx as static web server for the front and apache processing for the back end.

Is this true or should i just go with nginx + phpfpm