HTTP / HTTPS fix for WordPress

So, one of those pesky LaneCC blog network users had a problem with a syndicated blog post that included an iframe embedded YouTube video losing the HTTPS today.  I looked into it and found an additional filter to add to the plugin, so we’re up to v1.1.  Woo Hoo!  Anyway, you can still get it on GIT.

If you have a WordPress website hosted on a secure server (HTTPS) and you try to put a YouTube video in a post or page, the video stopped showing up about 3 months ago.  This is because web browsers started to recognize that showing non-secure content (HTTP) on a secure web page makes the secure web page not secure anymore.  It used to be that you would just get a little warning in your browser saying that a page had mixed content and you could continue on at your own risk.  Apparently that wasn’t good enough, so the browsers just started blocking the non-secure content.  Bummer.

HttpsIn my day job at Lane Community College, one of my duties is to manage a blog network built around WordPress MU.  Luckily I’m just the guy that handles updates and things like that.  Some other guy has to field the several hundred potentially irritated people that can’t get videos to show up on their blogs.

So, here’s the tech version of what happened.  WordPress uses something called OEMBEDs.  This allows you to simply copy and paste the URL of a video on the YouTube website into a WordPress page or post and have that video show up.  Rather than having to use shortcodes, or plugins, or some other intermediate step, you just use the address of the movie.  Pretty slick, when it works.  As I mentioned above, it breaks when you’re on a secure server though.  What happens is that WordPress, as of about v3.6, looks at the OEMBED for YouTube and recognizes of you’re trying to embed an HTTPS link.  Then it sends a request to YouTube with the address of the video.  What breaks is when YouTube sends the video back it uses HTTP, even though you requested it using HTTPS.  Stupid.  

So, after that long, but very informative explanation, here’s the fix.  You simply install a plugin that adds a filter to WordPress.  When it sees something coming in with an HTTP address, it rewrites it as HTTPS.  Kind of a brute force way of dealing with a silly problem, but it’s working.

The plugin I wrote isn’t available on, but you can get it here on GIT.