Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time

SSL Insecure Content Fixer


2.7.2, 2018-12-04

  • fixed: was missing some hard-coded link elements (e.g. stylesheets) when href was the first attribute

2.7.1, 2018-11-21

  • tested: WordPress 5.0

2.7.0, 2018-06-30

  • added: fix for responsive images loaded by JavaScript from image data attributes
  • fixed: call to undefined function hash_equals() on environments with obsolete PHP versions (i.e. < 5.6)
  • fixed: don't run the fixer when a WooCommerce download request is detected

2.6.0, 2018-05-08

  • added: new filter ssl_insecure_content_pcre_version_permissive allowing sites that can't update PCRE beyond 7.2 to function
  • added: fix for plugins / themes overriding avatars and breaking them with insecure content
  • changed: no longer sets a cookie on test or settings pages

2.5.0, 2017-11-23

  • changed: .htaccess rules file for non-WP test script now supports Apache v2.4; thanks, Andreas Schneider!
  • added: option to only fix content resource links for the current website; thanks, Luke Driscoll!
  • added: support for KeyCDN https detection via the X-Forwarded-Scheme header

2.4.0, 2017-05-14

  • fixed: don't capture content on admin pages when mode is Capture or Capture All
  • added: filter ssl_insecure_content_disable_capture for disabling Capture mode on selected pages / scripts

2.3.0, 2017-05-01

  • added: support for Windows Azure with ARR
  • added: filter ssl_insecure_content_domain_exclusions for domains that can be excluded from content cleaning (ignored for enqueued scripts)

2.2.3, 2017-02-01

  • fixed: breaks Visual Composer back end editing due to a regular expression problem (now you have two!)
  • changed: Capture no longer captures AJAX requests; new mode Capture All introduced to capture AJAX requests too
  • added: prerequisites check, to ensure that plugin can run successfully

2.2.2, 2017-01-21

  • fixed: make protocol header tests case-insensitive (thanks, waja!)
  • added: support for Amazon CloudFront CloudFront-Forwarded-Proto header (thanks, gmazovec!)
  • added: clean up responsive image srcset links to external images (WordPress already handles local images)

2.2.1, 2016-11-19

  • fixed: improve accessibility of admin pages
  • removed: update message display forced on multisite; just leave that for WordPress to handle (it does it so well)

2.2.0, 2016-09-09

  • added: stop WooCommerce cached widgets from http showing on https
  • added: fix Gravity Forms confirmation content

2.1.6, 2016-02-02

  • fixed: malware warning with GOTMLS vulnerability scanner

2.1.5, 2015-12-12

  • changed: remove some more clutter from server environment report in tests
  • removed: translations no longer in zip file; now delivered automatically as language packs when required

2.1.4, 2015-10-24

  • added: French translation (thanks, Houzepha Taheraly!)
  • added: can define SSLFIX_PLUGIN_NO_HTTPS_DETECT in wp-config.php to prevent the proxy fix, e.g. to overcome plugin conflicts
  • added: fix inline CSS background image rules, e.g. in Capture level
  • added: indicate whether WordPress HTTPS detection is successful with tick/cross

2.1.3, 2015-10-05

  • added: Chinese (simplified) translation (thanks, 漠伦!)

2.1.2, 2015-09-05

  • fixed: HTTPS detection for host 123-reg

2.1.1, 2015-08-11

  • fixed: HTTPS detection doesn't work unless SSL Tests page was just visited
  • added: show update notice on plugin admin page

2.1.0, 2015-07-30

  • SECURITY FIX: restrict access to AJAX test script; don't disclose server environment with system information
  • changed: always show server environment on test results
  • added: Bulgarian translation (thanks, Ivan Arnaudov!)
  • added: .htaccess file for AJAX SSL Tests, fixes conflict with some security plugins

2.0.0, 2015-07-26

  • changed: handle media loaded by calling wp_get_attachment_image(), wp_get_attachment_image_src(), etc. via AJAX
  • changed: in multisite, test tools (and settings) are only available to super admins
  • added: settings page for controlling behaviour
  • added: Simple, Content, Widgets, Capture, and Off modes for fixes
  • added: fix for WooCommerce + Google Chrome HTTP_HTTPS bug (fixed in WooCommerce v2.3.13)
  • added: load translation (if anyone fancies supplying some!)

1.8.0, 2014-02-02

  • changed: use script/style source filters instead of iterating over script/style dependency objects
  • changed: only handle links for wp_get_attachment_image(), wp_get_attachment_image_src(), etc. on front end (i.e. not in admin)
  • changed: refactor for code simplification
  • added: fix data returned from wp_upload_dir() (fixes Contact Form 7 CAPTCHA images)
  • added: Tools menu link to is_ssl() test

1.7.1, 2013-03-13

  • fixed: is_ssl() test checks to ensure test page was actually loaded via HTTPS

1.7.0, 2013-03-13

  • added: simple test to see whether is_ssl() is working, and try to diagnose when it isn't

1.6.0, 2013-01-05

  • added: handle images and other media loaded by calling wp_get_attachment_image(), wp_get_attachment_image_src(), etc.

1.5.0, 2012-11-09

  • added: handle properly enqueued admin stylesheets for admin over HTTPS

1.4.1, 2012-09-21

  • fixed: handle uppercase links properly (i.e. HTTP://)

1.4.0, 2012-09-13

1.3.0, 2012-07-22

  • removed: fix for links-shortcode (fixed in v1.3)

1.2.0, 2012-07-21

  • removed: fix for youtube-feeder (fixed in v2.0.0); NB: v2.0.0 of that plugin still loads Youtube videos over http, so you will still get insecure content errors on pages with embedded videos until plugin author applies a fix.

1.1.0, 2012-05-17

  • added: fix for youtube-feeder stylesheet

1.0.0, 2012-04-19

  • initial release