Changeset 3372072
- Timestamp:
- 10/03/2025 12:30:11 AM (6 months ago)
- File:
-
- 1 edited
-
volixta-ssl-security-headers/trunk/readme.txt (modified) (3 diffs)
Legend:
- Unmodified
- Added
- Removed
-
volixta-ssl-security-headers/trunk/readme.txt
r3371940 r3372072 1 1 === Volixta SSL & Security Headers === 2 2 Contributors: volixta 3 Tags: ssl, https, security headers, mixed content, redirect 3 Tags: ssl, https, security headers, mixed content, redirect, hsts, nginx, csp 4 4 Requires at least: 5.8 5 5 Tested up to: 6.8 … … 9 9 License URI: https://www.gnu.org/licenses/gpl-2.0.html 10 10 11 E nable HTTPS, 301 redirects, and modern security headers. Fix mixed content and use Nginx snippets—safe, admin-only controls.11 Easily enable SSL/HTTPS in WordPress, force 301 redirects, fix mixed content, and apply modern security headers (HSTS, CSP, X-Frame-Options). Safe, admin-only toolkit. 12 12 13 13 == Description == 14 14 15 Volixta is a small, admin-only toolkit to switch WordPress to HTTPS, enforce a 301 redirect to HTTPS, apply modern HTTP security headers, and fix mixed content safely. 15 Is your WordPress site still serving pages over **HTTP** instead of **HTTPS**? 16 Do you see browser warnings like *"Not Secure"* even though you installed SSL? 17 Are you getting **mixed content errors** in Chrome or Firefox after enabling HTTPS? 18 Or is your Site Health report complaining about missing **security headers**? 16 19 17 **What it does** 18 - **Activate SSL**: switch the `home` and `siteurl` options to `https://`. 19 - **Force HTTPS (301)**: writes a dedicated block into `.htaccess` on Apache/LiteSpeed; falls back to a PHP redirect when needed. 20 - **Security Headers**: apply a curated set (HSTS, CSP “upgrade-insecure-requests”, Permissions-Policy, Referrer-Policy, CORP/COOP/COEP, etc.). Values are editable before applying. 21 - **Mixed Content Fixer**: scan and (optionally) replace your domain’s `http://` → `https://` in posts, post meta, and options (serialization-safe). 22 - **Nginx aware**: shows copy-ready snippets for redirects and headers when `.htaccess` is not applicable. 23 - **Site Health tests**: quick checks for SSL validity, HTTPS redirect, and headers presence. 20 👉 **Volixta SSL & Security Headers fixes all of these in a few clicks.** 24 21 25 **Safety** 26 - Nothing is auto-applied on activation. 27 - `.htaccess` writes are wrapped in clearly marked blocks and a timestamped backup is created before each write. 28 - Mixed-content “Fix” is only available after a “Scan” found items. 22 --- 23 24 ### 🔐 What does Volixta do? 25 - **Activate SSL automatically**: safely update your WordPress `home` and `siteurl` to use `https://`. 26 - **Force HTTPS with 301 redirect**: adds a safe `.htaccess` block on Apache/LiteSpeed, or falls back to a PHP redirect if needed. 27 - **Fix mixed content**: scans your posts, postmeta, and options for `http://` links and replaces them with `https://` (serialization-safe). 28 - **Apply modern HTTP Security Headers**: HSTS, Content-Security-Policy (`upgrade-insecure-requests`), X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP. All values are editable before applying. 29 - **Nginx friendly**: when `.htaccess` is not available, Volixta shows ready-to-use Nginx snippets for redirects and headers. 30 - **Site Health integration**: new tests for SSL validity, HTTPS redirect, and security headers presence. 31 32 📖 Full documentation: [volixta.com/docs](https://volixta.com/docs) 33 34 --- 35 36 ### ✅ Why choose Volixta? 37 - **Safe by design**: 38 Nothing is applied automatically. You choose what to enable. Each `.htaccess` write creates a timestamped backup. 39 - **Serialization-safe mixed content fixer**: no risk of breaking complex data in `postmeta` or `options`. 40 - **Admin-only**: no runtime overhead on the frontend (except optional PHP redirect). 41 - **Localhost aware**: detects local environments (`localhost`, `.local`, `.test`) and shows guided instructions with [mkcert](https://github.com/FiloSottile/mkcert). 42 43 --- 44 45 ### 🔎 Typical problems solved 46 - *“I installed an SSL certificate but Chrome still shows my site as insecure.”* 47 → Enable SSL + 301 redirect with Volixta. 48 49 - *“My Site Health report says ‘No security headers detected’.”* 50 → Apply recommended headers (HSTS, X-Frame-Options, CSP, etc.) in one click. 51 52 - *“After moving to HTTPS, some images/scripts still load over HTTP.”* 53 → Run the Mixed Content Scan + Fixer to update them safely. 54 55 - *“I’m on Nginx, so .htaccess doesn’t work.”* 56 → Copy/paste the Nginx-ready snippets provided by Volixta. 57 58 --- 29 59 30 60 == Installation == 31 1. Upload t he folder to `/wp-content/plugins/` or installfrom the directory.61 1. Upload to `/wp-content/plugins/` or install directly from the directory. 32 62 2. Activate the plugin. 33 3. Open **Volixta SSL & Security** (top-level menu). 34 4. On a site with a valid public SSL: 35 - Click **Activate SSL** (optional if already on `https://`) 36 - Click **Enable HTTPS Redirect** (tries `.htaccess`, otherwise enables PHP fallback) 37 - Click **Apply Security Headers** (creates a backup and writes a headers block) 63 3. Open **Volixta SSL & Security** in the admin menu. 64 4. With a valid SSL certificate: 65 - Click **Activate SSL** (updates WP URLs to `https://`). 66 - Click **Enable HTTPS Redirect** (tries `.htaccess`, otherwise PHP fallback). 67 - Click **Apply Security Headers** (safe `.htaccess` block with backup). 68 69 --- 38 70 39 71 == Frequently Asked Questions == 40 72 41 73 = Does it modify .htaccess? = 42 Yes, but only when you click an action. Blocks are wrapped as:43 - `# BEGIN Volixta HTTPS Redirect` … `# END Volixta HTTPS Redirect`44 - `# BEGIN Volixta Security Headers` … `# END Volixta Security Headers`45 A backup like `.htaccess.bak-YYYYMMDD-HHMMSS` is created before each write.74 Yes, but only when you click an action. Blocks are wrapped clearly: 75 - `# BEGIN Volixta HTTPS Redirect` 76 - `# END Volixta HTTPS Redirect` 77 A backup `.htaccess.bak-YYYYMMDD-HHMMSS` is created each time. 46 78 47 79 = Will it work on Nginx? = 48 `.htaccess` is Apache/LiteSpeed only. On Nginx, the plugin shows copy-ready snippets for redirects and headers. The HTTPS redirect can also use the PHP fallback.80 Yes. `.htaccess` is Apache/LiteSpeed only, but Volixta shows ready-to-copy Nginx snippets for redirects and headers. The HTTPS redirect can also use PHP fallback. 49 81 50 = Does it add runtime overhead on the frontend? = 51 Only if you enable the PHP redirect fallback. Otherwise it’s admin-only. 82 = Does it slow down my site? = 83 No. Everything runs only in the admin panel. On the frontend, only the optional PHP redirect adds minimal overhead. 84 85 = Can I use it locally? = 86 Yes. Local environments are auto-detected. Volixta shows a “Local HTTPS” section with instructions to set up a trusted certificate using `mkcert`. 87 No `.htaccess` or redirects are applied on localhost. 52 88 53 89 = Where are settings stored? = 54 A few options in `wp_options`: the headers configuration, the PHP redirect flag, and the last mixed-content scan result. 90 Only a few options in `wp_options`: 91 - Headers configuration 92 - PHP redirect flag 93 - Last mixed-content scan result 55 94 56 = Does it work on localhost or local development sites? = 57 58 Yes. The plugin automatically detects local environments like `localhost`, `*.local`, or single-label domains. In such cases: 59 60 - A dedicated **“Local HTTPS (mkcert)”** section is shown. 61 - You’ll see guided instructions to install a trusted local certificate using [mkcert](https://github.com/FiloSottile/mkcert). 62 - If HTTPS is already active on your local server, you can click **“Activate HTTPS for WordPress (local)”** to safely update the `home` and `siteurl` options to `https://`. 63 - No `.htaccess` changes or redirects are applied on localhost. 64 - Server-specific actions (like redirect rules) are disabled to avoid unnecessary writes. 95 --- 65 96 66 97 == Screenshots == 67 1. Status dashboard: SSL, redirect, headers, server checks 68 2. SSL activation and HTTPS redirect (301) 69 3. Mixed Content scan and fixer 70 4. Security headers: activation + custom headers configuration 98 1. Dashboard showing SSL, redirect, headers, and server checks 99 2. One-click SSL activation and HTTPS redirect (301) 100 3. Mixed Content scan + fixer with serialization-safe DB replace 101 4. Security headers panel with custom header configuration 102 103 --- 71 104 72 105 == Changelog == … … 80 113 * Automatic `.htaccess` backups 81 114 115 --- 116 82 117 == Upgrade Notice == 83 118 = 1.0.0 = 84 Review the headers configuration before applying on production. A backup of `.htaccess` is created automatically. 119 Review headers configuration before applying. A backup of `.htaccess` is always created. 120 121 --- 85 122 86 123 == Privacy == 87 This plugin does not collect, store, or transmit personal data. It only saves configuration in `wp_options` and writes server-level rules when requested. 124 This plugin does not collect, store, or transmit personal data. Only saves minimal config in `wp_options`. 125 126 --- 88 127 89 128 == Localization == 90 129 Text domain: `volixta-ssl-security-headers` 91 Load path: `/languages` (WordPress.org Language Packs are loaded automatically; no manual loading needed) 130 Load path: `/languages` (WP.org language packs auto-loaded) 131 132 --- 133 134 == What’s Next == 135 136 If you like this plugin, then consider checking out our other plugins: 137 138 - [VOLIXTA Booking – The All-in-One WordPress Booking Plugin](https://volixta.com) 139 Manage unlimited staff, services, clients, payments, and locations in one powerful system. 140 141 - [VOLIXTA Security Suite – Advanced WordPress Security Made Simple](https://volixta.com/volixta-security-suite)
Note: See TracChangeset
for help on using the changeset viewer.