Fixing WordPress redirect loops and insecure links under HTTPS

I tried to switch my blog over to HTTPS and encountered two problems:

  • My stylesheet broke because get_stylesheet_uri() (and other links) were yielding http:// links, which were blocked by the browser
  • Attempting to log in would produce a redirect loop

This was in spite of my database and config files *all* having https URLs, not http. Mysterious and upsetting.

The problem turned out to be that (as far as I can tell) my blog is run on a server behind an SSL-terminating proxy that speaks HTTP to the server. WordPress's is_ssl() function checks the value of $_SERVER['HTTPS'] to see if it is being accessed via HTTPS. WP then (apparently) writes URLs to match this instead of using the literal base URL (this seems stupid) and also generates redirects to try to match the base URL. Both of these cause the observed breakage.

My fix was to add $_SERVER['HTTPS'] = 'on' to my wp-config.


Comments are closed.