WordPress: Site not Secure despite SSL Certificate

I’ve recently migrated all my sites to use SSL (I know, it’s long overdue) and despite the SSL-Certificates being valid and working, Chrome and Firefox would show my sites as “not secure”. (No padlock icon.)

After some digging, I discovered that WordPress really doesn’t play very nicely with SSL. Lots of themes, plugins, etc will use hard-coded or generated, absolute, http:// URLs, with no regards to what the site is actually using. Worse, posts may include absolute URLs in links to content.

Instead of fixing all themes, plugins, and content manually (or with a clever script), one easy solution is to include the following line in your .htaccess:

Header always set Content-Security-Policy "upgrade-insecure-requests;"

This will cause the users’ browsers to convert all insecure http-Links to https automatically. So far, it seems to work perfectly fine.

Blogger/Blogspot can’t detect WordPress RSS feed

So I just had an interesting problem where a Blogger/Blogspot blog I help maintain couldn’t detect the RSS feed of a WordPress blog I help maintain.

The error message was “Could not detect a feed for this URL”.

It turns out the problem was two-fold. First: One of the files in the WordPress theme added an empty line at the top of the RSS feed.

Second: I had to update a post on the WordPress blog because *something* in the entire chain was caching the RSS feed!

So, if you have the same problem, run your RSS file through a validator, check if there are any leading empty lines, and make sure to update some post to regenerate the feed to avoid caching.