wpcanyon.com

Tag: HTTPS

Fix WordPress too many redirects (ERR_TOO_MANY_REDIRECTS)

Posted on August 19, 2025 By Admin

If you encounter the ERR_TOO_MANY_REDIRECTS error on your WordPress site, it means your browser is stuck in an infinite redirect loop. This prevents your site from loading properly and frustrates visitors. The quick fix usually involves correcting your WordPress URL settings or your server’s redirect rules.

Quick Fix

  1. Access your WordPress database via phpMyAdmin or a similar tool.
  2. Locate the wp_options table.
  3. Find the siteurl and home entries.
  4. Ensure both URLs use the same protocol (http or https) and domain, for example: https://example.com.
  5. Clear your browser cache and cookies.
  6. If you use a caching or redirect plugin, temporarily disable it.

Alternatively, you can add the following lines to your wp-config.php file to hardcode the URLs:

define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');

Replace https://example.com with your actual site URL.

Why This Happens

The ERR_TOO_MANY_REDIRECTS error occurs when your browser is redirected between URLs repeatedly without reaching the final destination. Common causes include:

  • Mismatched URL settings: WordPress URL settings use HTTP while your site forces HTTPS (or vice versa).
  • Conflicting redirect rules: Server-level redirects (in .htaccess or Nginx config) conflict with WordPress or plugin redirects.
  • Plugin conflicts: Plugins that handle redirects or SSL can cause loops if misconfigured.
  • Incorrect SSL setup: Partial SSL implementation or mixed content issues.

Step-by-step Fix for Nginx and Apache (cPanel/Plesk)

1. Check WordPress URL Settings

Make sure WordPress URLs are consistent and correct.

-- Access your database via phpMyAdmin or command line
SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');

-- Update URLs if needed
UPDATE wp_options SET option_value = 'https://example.com' WHERE option_name = 'siteurl';
UPDATE wp_options SET option_value = 'https://example.com' WHERE option_name = 'home';

2. Fix wp-config.php (optional)

Add these lines to enforce correct URLs:

define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');

3. Review Apache .htaccess Redirects (cPanel/Plesk)

Check your .htaccess file in the WordPress root directory for conflicting redirects. A typical WordPress .htaccess looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you have HTTPS redirects, ensure they are correct and not looping:

# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

4. Review Nginx Redirects

Check your Nginx server block configuration for redirect loops. A proper HTTPS redirect looks like this:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    root /var/www/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}

5. Disable Redirect or SSL Plugins

Temporarily deactivate plugins like Really Simple SSL, Redirection, or any caching plugins that might cause redirect loops.

6. Clear Browser and Server Cache

Clear your browser cache and cookies. Also clear any server-side caches (e.g., LiteSpeed cache, Varnish, or CDN caches).

Works on

  • Web servers: Apache, Nginx, LiteSpeed
  • Hosting control panels: cPanel, Plesk
  • WordPress versions: 4.x, 5.x, 6.x
  • SSL setups: Let’s Encrypt, commercial SSL certificates

FAQ

Q1: Why does ERR_TOO_MANY_REDIRECTS happen only on some browsers?

Browser cache or cookies can cause this error to appear inconsistently. Clearing cache and cookies usually resolves this.

Q2: Can a plugin cause redirect loops?

Yes. Plugins that manage redirects, SSL, or caching can conflict with server redirects or WordPress settings, causing loops.

Q3: How do I know if my SSL is causing the redirect loop?

If your WordPress URLs use HTTPS but your server redirects HTTP to HTTPS incorrectly or partially, it can cause loops. Verify SSL configuration and redirects.

Q4: Is it safe to hardcode URLs in wp-config.php?

Yes, hardcoding WP_HOME and WP_SITEURL is a quick way to fix URL mismatches but should be used carefully to avoid issues during migrations.

Q5: What if none of these fixes work?

Check your server error logs, disable all plugins and switch to a default theme to isolate the issue. Contact your hosting provider if needed.…

Fixes & Errors

Best HTTP security headers for WordPress (with examples)

Posted on August 19, 2025 By Admin

Best HTTP Security Headers for WordPress (with Examples)

WordPress security headers are essential HTTP response headers that help protect your website from common web vulnerabilities. Adding the right security headers can prevent attacks like cross-site scripting (XSS), clickjacking, and data injection, improving your site’s overall security posture. This guide explains the best HTTP security headers for WordPress, why they matter, and how to implement them effectively.

Quick Fix: Add These Essential WordPress Security Headers

  1. Content-Security-Policy (CSP): Controls which resources the browser can load.
  2. Strict-Transport-Security (HSTS): Enforces HTTPS connections.
  3. X-Frame-Options: Prevents clickjacking by controlling iframe embedding.
  4. X-Content-Type-Options: Stops MIME type sniffing.
  5. Referrer-Policy: Controls how much referrer information is sent.
  6. Permissions-Policy: Restricts access to browser features.
  7. Expect-CT: Enforces Certificate Transparency to prevent misissued certificates.

Adding these headers to your WordPress site’s server configuration or via plugins will significantly improve your website’s security.

Why This Happens: The Need for WordPress Security Headers

By default, WordPress does not send many HTTP security headers. This leaves your site vulnerable to:

  • Cross-site scripting (XSS): Malicious scripts injected into your pages.
  • Clickjacking: Attackers embedding your site in iframes to trick users.
  • Man-in-the-middle attacks: Without HTTPS enforcement, data can be intercepted.
  • MIME sniffing: Browsers guessing content types, potentially executing malicious files.
  • Data leakage: Referrer headers exposing sensitive URLs.

Security headers instruct browsers on how to handle your site’s content safely, reducing these risks.

Step-by-Step: How to Implement WordPress Security Headers

Depending on your server environment, you can add security headers via your web server configuration or WordPress plugins. Below are examples for Apache, Nginx, and a PHP snippet for WordPress.

1. Apache (.htaccess) Configuration

# Content Security Policy
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"

# HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# X-Frame-Options to prevent clickjacking
Header set X-Frame-Options "SAMEORIGIN"

# Prevent MIME sniffing
Header set X-Content-Type-Options "nosniff"

# Referrer Policy
Header set Referrer-Policy "no-referrer-when-downgrade"

# Permissions Policy (formerly Feature-Policy)
Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"

# Expect-CT for Certificate Transparency
Header set Expect-CT "max-age=86400, enforce"

2. Nginx Configuration

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-Content-Type-Options "nosniff" always;

add_header Referrer-Policy "no-referrer-when-downgrade" always;

add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

add_header Expect-CT "max-age=86400, enforce" always;

3. WordPress PHP Snippet (functions.php or custom plugin)

function add_security_headers() {
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';");
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
    header("Referrer-Policy: no-referrer-when-downgrade");
    header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    header("Expect-CT: max-age=86400, enforce");
}
add_action('send_headers', 'add_security_headers');

Note: Adjust the Content-Security-Policy directives to match your site’s resources and trusted domains.

Verification: How to Check Your WordPress Security Headers

After implementing the headers, verify they are active using these methods:

  • Browser Developer Tools: Open your site, press F12, go to the Network tab, reload, and inspect the response headers.
  • Online Tools: Use services like securityheaders.com or Mozilla Observatory.
  • Command Line: Run curl -I https://yourdomain.com and look for the security headers in the output.
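
The command-line check can be automated. This added example (not part of the original post) parses the text printed by curl -I, reports which of the seven headers listed above are missing, and flags two weak values: 'unsafe-inline' in script-src, which allows inline scripts and so removes most of CSP's protection against XSS, and an HSTS max-age below the 31536000 used in this guide. The function names and the SAMPLE text are assumptions made for illustration.

```python
import re

# The seven headers this guide recommends (stored lower-case).
RECOMMENDED = [
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy", "expect-ct",
]

def parse_headers(raw):
    """Parse `curl -I` output into {lower-case name: value}, final response only."""
    # curl -IL prints one header block per hop; keep the last non-empty block.
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    headers = {}
    for line in blocks[-1].splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a sorted list of findings for the recommended headers."""
    h = parse_headers(raw)
    findings = ["missing: " + n for n in RECOMMENDED if n not in h]
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "script-src" and "'unsafe-inline'" in tokens:
            findings.append("weak: script-src allows 'unsafe-inline'")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        findings.append("weak: HSTS max-age below 31536000")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not nosniff")
    return sorted(findings)

# Constructed sample of `curl -I` output, not captured from a real site.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=86400
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Expect-CT is checked only because this guide lists it; the header is deprecated and current Chrome ignores it, so treat that finding as informational.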

Works On

Environment | Notes
Apache | Modify .htaccess or server config files.
Nginx | Edit server block configuration files.
LiteSpeed | Compatible with Apache directives in .htaccess.
cPanel / Plesk | Use built-in editors for Apache/Nginx configs or add PHP snippets.
WordPress Plugins | Plugins like “HTTP Headers” or
…
Speed & Security
