Dealing with WordPress Multi-user and SSL

Summary:

Because there was once an ssl certificate present on a WordPress site, the admin section began redirect to https always. Only once I cleared all memory of the browser did it go back to the default, which is not redirecting. WordPress + Browser issue?

Full details:

I got a wordpress site set up to be the primary site on a multi-site network. It had an pre-existing ssl certificate and was forced to https, meaning, http would redirect to https.

WordPress Multiuser/multi-site (wpmu) uses wildcard subdomains, which simulates a subdomain without any need of registering it at the server. Using wildcard subdomains, the main site of the wpmu, example.com, can control what is shown on {any_words_here}.example.com. The default is to display the base site if an undefined subdomain is visited. So, for example, this allows ww.mysite.com to display the site normally.

Once I had my wpmu network set up, I created a new site, via the wordpress back office. I told wordpress what the name of the site would be, e.g. photos.example.com, and the email address for the administrator.

I then received an email at the above-mentioned address, with a username and password. I clicked on the link (photos.example.com/wp-admin) to take me to the sign-in page. I was greeted by an Insecure Content warning.

This happens because I was being redirected to https://photos.example.com/wp-admin, and the site did not have an ssl certificate. So, I had to get one for it. But, I couldn’t, because the webhost didn’t know that the subdomain existed. (Because it didn’t exist.)

So, I started disabling the redirect to https. I went through my list of ways to force wordpress to https, and undid them all.

Still, I was being redirected to https when I attempted to access the wordpress back office link above. Whereas now, due to my alterations, going to photos.example.com did not switch to https.

I reset my database (after backing it up), and overwrote all of the files for the base wordpress site. I also deleted the base site’s ssl certificate. Still, visiting any wordpress back office on the wpmu network redirected to https.

Finally, I tested it in several browsers. Here’s what was revealed:

Firefox, Firefox Developer Edition and Chrome, which I had previously used to visit these wordpress sites, redirected to https.

Safari, Opera and Brave, which I had not previously used to visit these sites, did not redirect.

I cleared the cache in Firefox and restarted the browser, still getting redirected. Finally, I told the browser to “Forget this site” which erases everything the browser knows about the site. Now it does not redirect, so I am able to get into the WP back office.

So, there is a browser element to this problem, but it must also be aggravated by wordpress. The browser must be telling wordpress that the site has been accessed via https before, and wordpress is deciding to redirect the admin section to https(example.com/wp-admin), and not the homepage of the site (example.com).

In other words, there is some additional security measure set up to force the back office to be loaded as https whenever possible.

Leave a Reply