I’ve recently stumbled upon the weird issue of WordPress loading its styles and scripts via HTTPS although it wasn’t configured to use SSL. The website did indeed have a SSL certificate installed and usable.
My first thought was that either the caching plugin was serving a wrong version of the files (this proved not to be the case after I disabled the plugin) or WordPress HTTPS was improperly configured / misbehaving. After disabling (and later uninstalling it just to make sure) this was also proved incorrect.
I eventually found some useful information about WordPress’ is_ssl() function. It is supposed to check some server variables/conditions and return true or false depending on wether SSL is used or not. In my case it apparently returned true even though this was not right.
The complete function code is:
function is_ssl() {
if ( isset($_SERVER['HTTPS']) ) {
if ( 'on' == strtolower($_SERVER['HTTPS']) )
return true;
if ( '1' == $_SERVER['HTTPS'] )
return true;
} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
}
return false;
}
So for true to be returned either $_SERVER[‘HTTPS’] is ‘true’, ‘on’ or ‘1’ (on my server this variable isn’t even set) or $_SERVER[‘SERVER_PORT’] is 443.
The second condition should not happen; after all, we are connecting to the server on port 80. But apparently Apache does manage to make this condition come true in some abstract circumstances: when the same virtual host is served on both ports (80 and 443), but port 443 uses an explicit declaration – NameVirtualhost 10.0.0.56:443 {…} – while the one on port 80 is a generic declaration – NameVirtualhost *:80 {…}.
The easy way to solve this is to make sure correct (and identical, except the SSL part) virtualhost declarations are used for both ports:
<VirtualHost 10.0.0.56:443>
...
SSLCertificateFile path/to/filename
SSLKeyfile path/to/filename
SSLEngine On
</VirtualHost>
<VirtualHost 10.0.0.56:80>
...
</VirtualHost>
