Fixing SSL on sites using iThemes Security

In a Facebook group, we had a question this week, which was a bit tricky to solve. The member had migrated the site to HTTPS. After the migration, some images were not loading anymore. First we asked, if the search and replace on the database was done, so the paths were updated. This was done, but still some images were not loading.

Wrong domain for SSL certifitcate

So I checked the website as a visitor and inspected the certificate. It was issued for the .com TLD but some files were served from a .de TLD, which was a bit strange. My first guess was a theme with static paths to the domain. So I asked to send me the functions.php and header.php file from the theme to check them. Nothing static there.

Finding the wrong setting in the configuration

I was a bit surprised how some of the assets were serverd from the correct TLD while others were not. But then I had an idea. I suggested to look at the wp-config.php file for the constant WP_CONTENT_URL and indeed, the constant was set to the wrong domain. The wp-config.php looked something like this:

define( 'WP_CONTENT_DIR', '/var/www/' ); // Do not remove. Removing this line could break your site. Added by Security > Settings > Change Content Directory.
define( 'WP_CONTENT_URL', '' ); // Do not remove. Removing this line could break your site. Added by Security > Settings > Change Content Directory.
// BEGIN iThemes Security - Do not modify or remove this line
// iThemes Security Config Details: 2
define( 'DISALLOW_FILE_EDIT', true ); // Disable File Editor - Security > Settings > WordPress Tweaks > File Editor
// END iThemes Security - Do not modify or remove this line

After seing those lines, I realized, that the website was using iThemes Securtiy, a popular plugin, installed on thousands of sites. The setting responsible for this problematic line can be found at „Security > Settings > Advanched > Change Content Directory“. If you change the wp-content folder here to a different name, the wp-config.php wil be changed accorgingly. But if you later switch to SSL, the settings will not be updated with the new site URL.

Fixing the issue

The iThemes Security plugin has another setting called „SSL“. If you activate this setting and enforce SSL for both frontend and backend, the plugin will only set the two constants FORCE_SSL_LOGIN and FORCE_SSL_ADMIN to the wp-config.php, but it will not update the WP_CONTENT_URL accorginly. So you still have to fix that manually.


Using a security plugin is not necessarily a bad idea. But we aware, that it might break some things along the way. On this specific settings, there are three red boxes with warnings about this possibility. Yet many users still just follow some online tutorials blindly and activate any security feature they find useful. I have even seen pages using two security plugins at the same time. If you run into issues with these kind of installation, I would not be surpirsed.

I do not use any security plugin on any of my sites actively. I maintain some pages who do have such plugins (also one with iThemes), but I still don’t recommend them to unexperienced users. The setting to change the name of the content folder is one of the settings, that can possibly cause the most trouble when activated but has a very little effect on the security. It could even prevent other useful countermeasured, such as preventing direct PHP execution from the wp-content/uploads folder. If you set the PHP execution prevention with iThems, which there is another option for and then change the folder name, the PHP execution prevention is not being updated. This is pretty bad! So you have to change the folder name first, and then active the other PHP execution prevention settings.

So the next time, you use a security plugin, make sure, you really understand the effects of a setting, before you activate them. And if there are big red boxes with warning, better leave the setting alone 😉

Veröffentlicht von

Bernhard is a full time web developer who likes to write WordPress plugins in his free time and is an active member of the WP Meetups in Berlin and Potsdam.

Schreibe einen Kommentar

Pflichtfelder sind mit * markiert.