In a Facebook group, we had a question this week, which was a bit tricky to solve. The member had migrated the site to HTTPS. After the migration, some images were not loading anymore. First we asked, if the search and replace on the database was done, so the paths were updated. This was done, but still some images were not loading.
Wrong domain for SSL certifitcate
So I checked the website as a visitor and inspected the certificate. It was issued for the
.com TLD but some files were served from a
.de TLD, which was a bit strange. My first guess was a theme with static paths to the domain. So I asked to send me the
header.php file from the theme to check them. Nothing static there.
Finding the wrong setting in the configuration
I was a bit surprised how some of the assets were serverd from the correct TLD while others were not. But then I had an idea. I suggested to look at the
wp-config.php file for the constant
WP_CONTENT_URL and indeed, the constant was set to the wrong domain.
The wp-config.php looked something like this:
<?php define( 'WP_CONTENT_DIR', '/var/www/example.com/my-content' ); // Do not remove. Removing this line could break your site. Added by Security > Settings > Change Content Directory. define( 'WP_CONTENT_URL', 'http://example.com/my-content' ); // Do not remove. Removing this line could break your site. Added by Security > Settings > Change Content Directory. // BEGIN iThemes Security - Do not modify or remove this line // iThemes Security Config Details: 2 define( 'DISALLOW_FILE_EDIT', true ); // Disable File Editor - Security > Settings > WordPress Tweaks > File Editor // END iThemes Security - Do not modify or remove this line
After seing those lines, I realized, that the website was using iThemes Securtiy, a popular plugin, installed on thousands of sites. The setting responsible for this problematic line can be found at „Security > Settings > Advanched > Change Content Directory“. If you change the
wp-content folder here to a different name, the
wp-config.php wil be changed accorgingly. But if you later switch to SSL, the settings will not be updated with the new site URL.
Fixing the issue
The iThemes Security plugin has another setting called „SSL“. If you activate this setting and enforce SSL for both frontend and backend, the plugin will only set the two constants
FORCE_SSL_ADMIN to the
wp-config.php, but it will not update the
WP_CONTENT_URL accorginly. So you still have to fix that manually.
Using a security plugin is not necessarily a bad idea. But we aware, that it might break some things along the way. On this specific settings, there are three red boxes with warnings about this possibility. Yet many users still just follow some online tutorials blindly and activate any security feature they find useful. I have even seen pages using two security plugins at the same time. If you run into issues with these kind of installation, I would not be surpirsed.
I do not use any security plugin on any of my sites actively. I maintain some pages who do have such plugins (also one with iThemes), but I still don’t recommend them to unexperienced users. The setting to change the name of the content folder is one of the settings, that can possibly cause the most trouble when activated but has a very little effect on the security. It could even prevent other useful countermeasured, such as preventing direct PHP execution from the
wp-content/uploads folder. If you set the PHP execution prevention with iThems, which there is another option for and then change the folder name, the PHP execution prevention is not being updated. This is pretty bad! So you have to change the folder name first, and then active the other PHP execution prevention settings.
So the next time, you use a security plugin, make sure, you really understand the effects of a setting, before you activate them. And if there are big red boxes with warning, better leave the setting alone 😉