Cheating message even when posting as Admin

The ‘cheating’ message comes from wpuf-add-post.php:submit_post() and is the result of it not recognising the nonce _wpnonce sent as part of the post. Since nonce’s are connected to both the user_id and the login session maybe a http session and a https are deemed to be different.

The initial page get is http.However the last POSTs to admin.ajax.php are using https and I suspect this and added with the XFrame problem may be causing your problem.

Why is your server generating a mix of http and https calls? Any idea?

Ahhh. I check of the initial page load reveals this.

var wpuf = {"ajaxurl":"https:\/\/www.culture.info\/wp-admin\/admin-ajax.php","submit_msg":"Submit Post

That would do it. Where does this come from? Well it comes from enqueue_scripts() in wpuf.php.

function enqueue_scripts() {
...
        wp_localize_script( 'wpuf', 'wpuf', array(
            'ajaxurl' => admin_url( 'admin-ajax.php' ),
            'submit_msg' => $submit_msg,
            'update_msg' => $update_msg,
            'postingMsg' => $posting_msg,
            'deleteMsg' => $delete_msg,
            'confirmMsg' => __( 'Are you sure?', 'wpuf' ),
			'delete_confirm_msg' => __('Are you sure to delete this post?', 'wpuf' ),
            'nonce' => wp_create_nonce( 'wpuf_nonce' ),
        ) );
....
}

So the WordPress function admin_url() is the den of our culprit. And who lives behind these doors….Your Site Address as provided by the option ‘Site Address (URL)’ in the WordPress General Settings page.

This wont work properly especially with the media library. However Ve haf vays of making you tock https

This probably has to do with the fact I don’t use https on every page. I HAD enabled https on transactional / submission pages but not on every page. Therefore I had used admin_url() for forcing admin pages to use SSL. I can make the whole site SSL (is that the solution you are suggesting?) but I have found that by making the page with the add-post shortcode https, this resolves the issue.

What do you advise?

Is it works for you that is fine but be wary of problems you haven’t encountered yet, updates to come, and other plugins that may throw spanners into your works. admin_url() and related functions are used everywhere.

Given this I think you have three options.

1. Stay with your present scheme and workarounds but be aware of problems to come.

2. Make everything https by either of the two options given in the link I gave you in the last post. This is the easist, most problem free, secure, and future proof method

3. Use a partial implementation of the rewrite scheme given in the previous link for the parts you want secure.

I am happy to take your advice and revert to making the whole site SSL. I will use the htaccess option.

Thanks again.