Can't log in to wordpress website due to insecure connection


(For reference, my website is "franklincodes.com". Feel free to take a look there to help me troubleshoot)

So I'm trying to log in to wordpress admin so I can make changes to my website. However, when I enter in my login information, I get a message that "The information you’re about to submit is not secure".

On the lock icon near the website domain name, I see a warning sign saying that my connection to the site isn't secure and I need a certificate. My regular website does have a certificate though.

I've asked people about this who've told me that the problem is that my website is sending out requests in HTTP, but the requests should be encrypted first in HTTPS.

I would like to change my website's message requests to HTTPS, but since I can't even log in to my wp-admin, I can't make those changes.

What should I do?

Answer by J. Robert West

I struggled MIGHTILY with this issue. The main issue is that the login form has hard-coded URLs for http:// elements, and most modern browsers (as of 2024) just totally barf when they encounter http. (The debate as to whether they should behave like this with http will have to wait for another day.)

Anyway, the way I solved exactly the same problem you've described is to add a .htaccess file into the wp-admin/ folder, per this blog post. Importantly, I added a sixth security header, not referenced in the blog post, of: Header set Content-Security-Policy: upgrade-insecure-requests. I also added these six security headers to the 'root' .htaccess file, at the very top.

Finally, after adding / modifying the .htaccess files, I used WP-CLI to flush the cache: wp cache flush. Now when I login, I get to the admin dashboard, instead of just getting a blanked-out login form again. Hallelujah!

UPDATE:

One of the security headers from the blog I referenced in my original answer -- Header set X-Frame-Options DENY -- began to interfere with my 'JetPack-Boost' plugin's ability to update the CSS cache, so I removed that one from the 'root' .htaccess file -- left it in place for the wp-admin/.htaccess file. JetPack-Boost started working correctly.

Even after I implemented these security header fixes within these 2 .htaccess files, cron was displaying some issues that indicated the cron jobs were not running correctly. Also, I had a new 'health information' item, indicating that the site was not using https:, which it was not IN THE DATABASE. To clarify, it was loading everything (including the Dashboard) using the https (443) protocol; but, in the database all the URLs started with http (80). To fix this health information item, I let it update the URLs in the database to https:; but, then, the site became stuck in an SSL redirect loop! To fix this redirect loop error, I added $_SERVER['HTTPS'] = 'on'; to the wp-config.php file (anywhere above the ... "stop editing" line). This fix also happened to fix the cron job issues as well, and the 'health information' item was resolved.

At the end of the day, just adding the $_SERVER['HTTPS'] = 'on'; line to the wp-config.php file may have been all I needed to fix this issue; but, it does not hurt to have some added security headers.
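The redirect loop the answer describes comes from WordPress's is_ssl() returning false (it reads $_SERVER['HTTPS']) while the site URL in the database says https, so WordPress redirects to https, the request arrives looking like http again, and the cycle repeats. Forcing $_SERVER['HTTPS'] = 'on' unconditionally breaks the loop but also marks plain-http requests as secure. The fragment below is an added example for wp-config.php, not code from the answer or from WordPress; it sets the flag only when the request actually arrived over TLS, directly or via a reverse proxy that is explicitly trusted to set X-Forwarded-Proto. The proxy addresses and the example.com domain are placeholders, and the .htaccess headers from the answer are not reproduced here.

```php
<?php
// Added example for wp-config.php (place it above the "stop editing" line).
// Not the original answer's code. TRUSTED_PROXIES and the domain are placeholders.

/** Addresses of reverse proxies allowed to assert X-Forwarded-Proto (hypothetical values). */
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Decide whether a request should be treated as HTTPS.
 *
 * - Direct TLS: the web server sets HTTPS to "on" (or another non-"off" value)
 *   or serves on port 443.
 * - Proxy-terminated TLS: the proxy sets X-Forwarded-Proto. That header is only
 *   honoured when REMOTE_ADDR is a trusted proxy, because any client can send it
 *   on a direct connection and would otherwise be able to mark its own
 *   plain-http request as secure.
 */
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    if ((int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }

    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    $proto  = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return in_array($remote, TRUSTED_PROXIES, true) && $proto === 'https';
}

if (request_is_https($_SERVER)) {
    // Makes WordPress's is_ssl() return true, so the https site URL no longer
    // triggers an http -> https redirect on a request that was already https.
    $_SERVER['HTTPS'] = 'on';
}

// Pin the canonical URLs in config (placeholder domain) so the values stored
// in the database cannot send the login form or admin pages back to http.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');
```

When the site sits directly on Apache with a certificate, the first branch is the one that fires and the proxy list is never consulted; the trusted-proxy check only matters when TLS terminates in front of PHP (a load balancer or CDN). If the loop persists after this, the usual cause is a proxy that does not send X-Forwarded-Proto at all, which is a proxy configuration question rather than a WordPress one.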