domainname.ch/?wordfence_logHuman=1&hid not in HTTPS

Are you using the current version of Wordfence, 6.0.17? Normally when this script is on an https page, it will automatically use https, but it may have been different in an older version.

If you’re already using 6.0.17, let me know and I’ll see what else we can look at.

Yes I am already using 6.0.17.

I don’t know if it may be the cause the script doesn’t use https, but I recently had to add this code to my wp-config because my host use “reverse proxy”.

if ( isset( $_SERVER[‘HTTP_X_FORWARDED_PROTO’] ) && ‘https’ == $_SERVER[‘HTTP_X_FORWARDED_PROTO’] ) {
$_SERVER[‘HTTPS’] = ‘on’;
}

I followed this https://docs.woothemes.com/document/ssl-and-https/

Is the reverse proxy set to force HTTPS only on the order page?

I took a look at the site, and I see you re-enabled the Wordfence live traffic, and if I try to visit https://site.com/?wordfence_logHuman(…) then I see a “302” redirect from the server, which sends me to the http version. Your host may have to help, to let this URL through via https.

It might be that they (or a plugin you use) would force the other pages of the site to not be served by https, causing the redirect to the http version of the URL.

All my website is with HTTPS, it’s only the order (my account, etc.) page of woocommerce which are with https. I use woocommerce to “force” the https.

Ok — I am not sure if there is a good solution to this, other than switching the whole site to https, so I have passed it it on to the developers.

If you’re able to switch the entire site over to https, so that when people visit by http, they will be redirected to the https version, that may be better overall. Many sites are doing that now, and it shouldn’t make much of a performance difference these days — and you can use your existing certificate. (Your host may be able to help with any technical details.)

If that’s not possible, in the meantime, it may be best to disable the “Live Traffic View” on the Wordfence Options page in this case. You wouldn’t be able to view all of the tabs on Wordfence’s Live Traffic page anymore, except for the logins and logouts — but it stops the code that causes the warning from appearing at all. The code is correct the way it is, and the site tries to load the https version of the URL, but since WordPress redirects scripts that aren’t physical files, I don’t think we can avoid that.

-Matt R
FB965

I am having the same problem with this on one of my sites. The site is HTTP but moves to HTTPS on the WooCommerce pages. I don’t really by the explanation that it can’t be avoided; any script can detect that the current page URL is HTTPS so there must be a way. In the meantime I will disable the “Live Traffic View” as suggested.

jonbeddoes:

Sorry, to clarify, I mean that I don’t think that we can avoid WordPress redirecting the visitor’s browser to the http version, with the way the script is currently loaded.

I’m sure it can be changed by loading the script in a different way, but I had to send the request on to the developers, since there is no way to avoid the redirect to http, without a new release.

When you have Live Traffic enabled, if you use the “Network” tab of Chrome or Firefox’s dev tools, you can find that when viewing the WooCommerce https pages, the script attempts to load using https, and gets a “302” redirect response from the server WordPress, then it loads using regular http after that.

It should be changed in a future version, but I don’t have an estimate of when yet. Disabling the Live Traffic View temporarily is the best temporary fix for now, if you can’t switch the whole site to https. Let us know if you have any other questions!

-Matt R