Did you see the post from Barry, one of the staff at WP.com that free HTTPS is now active for all custom domains hosted on WordPress.com?
I looked at the URL of my site, which has a custom domain, and I saw the padlock.
Good. Google likes secure sites and sites under HTTPS are just generally better for avoiding hacking. OK, it’s not a big deal because WP.com looks after all the security issues – but still, it’s good.
Then what happened was that I wanted to check on a post I had written a little while ago about HTTPS/SSL coming to WP.com.
I wanted to find the post I had written but I noticed I didn’t have a search form on my site.
So I went into the Admin panel and pulled a Search widget onto the sidebar.
And suddenly the padlock disappeared. When I refreshed the page it appeared for a second and then disappeared. There was no padlock any longer. It was an ex-padlock.
What was going on?
I checked on WhyNoPadlock and the analysis said:
Insecure call. Found on line # 237 in file: photographworks.me/index.html
I entered a search term for HTTPS in the Search box and a warning message came up. It said something like ‘This is an insecure form. Are you sure you want to proceed?’
Huh? It’s just a search term in a Search box!
I pulled the Search form off the sidebar and the padlock returned. Very strange. It seemed I might have found a bug. It couldn’t be something I had introduced, could it?
I don’t think so because I have not implemented custom CSS or any other alterations to the WP code.
I raised the issue with staff and meanwhile today the padlock is back even though the Search box is still there.
So maybe somehow it was just a glitch while things were propagating through the Internet.
However, I checked again with WhyNoPadlock and got the same warning.
So now that’s doubly confusing because the padlock is there.
But there’s another thing going on here and that is that I have been getting warning messages when I comment on some sites. Again it says something like ‘This is an insecure form. Are you sure you want to proceed?”
Rebekah from Tassitus.com and I have discussed this when it has come up on some self-hosted WordPress sites.
So, and here’s a general question: Have you had an alert come up when you have commented or searched on a WordPress site recently?
As I was reading this, I had to go and look at my Tassitus. Padlock was in place, but the Search-widget had gone missing, so I put it back. Padlock still there.
I do get that message, but only on self-hosted blogs. I moved Tassitly from Tap to GoDaddy since I already had hosting there [now it’s tassitly.com]. I’m not sure if I still get it now … must check it out.
Just checked. I still get that message, so it’s not the hosting. I have the nice Iwata theme applied there.
So that’s another thing to cross off the list as the reason. I wonder what it is.
Me too. Not the theme, not the hosting. Iwata has NO widgets so … this still baffles me.
Never happened to me in any of the variants that you describe – though I tried. On a loosely related note, I’ve noticed that WordPress sites don’t fare that well with code validators, so I’m not surprised that things on WP (as everywhere else, I guess) have their kinks…
Yes, I don’t think anything in the ‘real world’ passes the code validation standards. I’m not surprised, because the browser consortium doesn’t implement everything evenly and it’s always evolving.
You’re right, of course. I have the bad habit of always asking for perfection.
Hmm, I had one come up today, now that you mention it; but it was a site I was unfamiliar with, so I just backed out, the same way I’d come in… Glad you brought this up David. Thank you
But I’m not self-hosted either. Hmm):
It seems to be some kind of interaction between the standard of coding the browser expects, and the coding in the form.
I had an email message last night from Barry at WordPress to say that he thinks the team have isolated the issue and resolved it.
LikeLiked by 1 person