Secure All the Things

Forcing SSL in your WordPress site is “all the rage” lately. And for good reason. Security is a serious issue and SSL isn’t a silver bullet by any means, but it helps. But the biggest reason why web owners want to move to SSL is this source right here:

We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!

Now, if you or I said that it’d be interesting and fun, but when the source is “Mother Google” herself, then everyone sits up and pays attention. So making the switch is beneficial for all the right reasons. But there are a few caveats to keep in mind.


    Forcing SSL on your site will slow the server response time down just a tad. That’s why we love our WPEngine hosting. It handles it so well that we hardly notice the difference at all.
    So, if it’s slower, why should I do it? Well, if you’re on a cheap shared host then you might want to consider NOT doing it. Page speed is another “ranking factor” in the Google page rank machine. While they don’t share their secret sauce with anyone, I think it’s a pretty safe bet to say that Page Speed is probably a more significant rank factor than SSL. But, as I mentioned, if you have a great and fast hosting platform you don’t really have a reason NOT to force SSL.

We’re On It!

We wouldn’t be “WordImpress” if we weren’t pushing ahead with all the most important web development trends. So this week you’ll notice that everywhere you go on our entire site you’ll feel the warm glow of that all too friendly Green Padlock. But getting there wasn’t as straight forward as we had hoped. There were a couple issues we needed to work out to ensure the green lock and we thought it’d be valuable to pass them along.

Forcing SSL in WordPress

WordPress-SSL-Mixed-Content-SettingsClifford Paulick wrote an excellent piece at ManageWP on implementing SSL on your site and cleaning up unsecure items. Rather than repeat all of that here, you should go over there and read it top to bottom. It’s really helpful.

One thing I really want to point out about the article though is his section on plugins and themes. Paulick says that once you know your plugin or theme is causing unsecure content errors, you need to wonder whether it’s worth keeping at all:

Before working on fixing it, you have to ask yourself, “Do I really need this?” because if this is wrong, I bet other things are wrong. Sometimes an uninstall can be healthy.

I’m in full agreement. If you are securing your site and you find that a plugin is forcing http on SSL encrypted pages then you really should just move on from that plugin, as a rule. There are exceptions. I wrote about my experience contributing to a plugin so it loaded it’s resources correctly. That author still hasn’t updated his plugin with the code I gave him, but other users can benefit from it. But often, the fix isn’t that simple.

But, there’s two things Mr. Paulick doesn’t discuss, they are: loading resources from your theme, and a bug in WordPress which can cause some trouble for you.

Cleaning up Your Theme

The first thing we needed to clean up was a couple stray image resources in our theme that were coded using http. WordPress has several great functions for themes that check for SSL encryption before spitting out the code. Specifically:




Using these to call your images ensure that whether the page is encrypted or not, you’ll never see that dreaded YELLOW or demonic RED padlock of death! If you are outputting an image directly in a template file, it should look something like this:

For Parent themes:

<img src="<?php echo get_template_directory_uri(); ?>/assets/img/your-image.jpg">

For Child themes:

<img src="<?php echo get_stylesheet_directory_uri(); ?>/assets/img/your-image.jpg">

Dealing with the Attachments Bug

Along our journey of getting all our t’s crossed and i’s dotted Devin stumbled on a bug in WordPress core that’s been documented going on 4 years now! The bug is that the the Media Uploader doesn’t check whether your site is using SSL or not, and so it outputs the image source as the non-secure url (i.e. http). WordPress has other functions that could be used to fix that. If you read the thread you’ll see they were hoping to fix this for WordPress 4.0, but it’s been pushed back to 4.1, which is currently slated for this December. If so, this section is just a quick bandaid. Either way, we thought it’s a pretty cool fix.

This function grabs all the attachments on your page or post, checks them against the current “protocol” (meaning https or not) and updates their url accordingly. Pretty smart stuff, wish we thought of it! Grab it here and put it in your favorite Core Functionality plugin.

Wrapping it Up

So, in summary, forcing SSL sitewide is a really good idea. You may want to take your hosting platform into consideration, but all in all, work out the bugs, clean up the files, enable it and you and your visitors and Google will all be much happier in the longrun.

Matt is Head of Support and Community Outreach at He's the author of many free WordPress plugins, a popular blogger at his website, an admin of the Advanced WordPress Facebook group, co-organizer of the San Diego WordPress Meetup, and a frequent WordCamp speaker and attender.

Follow Matt:

3 Responses to “Image URLs and Forcing SSL in WordPress”

  1. jeremyclarke

    FWIW the bug was fixed in 4.2!

    • Matt Cromwell

      Ya I mentioned that it was slated to be repaired in 4.1 in the article, but I always meant to swing back around and double check. Thanks for the heads up!

  2. Rob from Press Wizards

    FYI I’d revisit this topic now… with HTTP/2 (which requires SSL), especially with something like Cloudflare, pagespeed over HTTP/2 increases dramatically.


Leave a Reply