=== Volixta SSL & Security Headers === Contributors: volixta Tags: security headers, mixed content, ssl, https Requires at least: 5.8 Tested up to: 6.9 Stable tag: 1.1.4 Requires PHP: 7.4 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Add modern security headers, enable SSL/HTTPS, fix mixed content, and force 301 redirects for WordPress. Fast, safe, and easy to use. == Description == Is your WordPress site still serving pages over **HTTP** instead of **HTTPS**? Do you see browser warnings like *"Not Secure"* even though you installed SSL? Are you getting **mixed content errors** in Chrome or Firefox after enabling HTTPS? Is your Site Health report complaining about missing **security headers**? 👉 **Volixta SSL & Security Headers fixes all of these in a few clicks.** Easily **activate SSL**, **force 301 redirects**, repair **mixed content**, and apply recommended **WordPress security headers** like HSTS, CSP, and X-Frame-Options. --- ### 🔐 What does Volixta do? - **Activate SSL automatically**: safely update your WordPress `home` and `siteurl` to use `https://`. - **Force HTTPS with 301 redirect**: adds a safe `.htaccess` block on Apache/LiteSpeed, or falls back to a PHP redirect if needed. - **Fix mixed content**: scans your posts, postmeta, and options for `http://` links and replaces them with `https://` (serialization-safe). - **Apply modern HTTP Security Headers**: HSTS, Content-Security-Policy (`upgrade-insecure-requests`), X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP. - **Nginx friendly**: when `.htaccess` is not available, Volixta shows ready-to-copy Nginx rules. - **Site Health integration**: checks for SSL, redirects, and security headers. --- ### ✅ Why choose Volixta? - **Safe by design** Nothing is applied automatically. You choose what to enable. Each `.htaccess` modification creates a timestamped backup. - **Serialization-safe mixed content fixer** No risk of breaking complex serialized data in `postmeta` or `options`. - **Admin-only processing** Everything runs in the admin area. The frontend only uses the optional PHP redirect when required. - **Localhost aware** Detects local environments (`localhost`, `.local`, `.test`) and provides instructions for enabling trusted HTTPS locally with [mkcert](https://github.com/FiloSottile/mkcert). --- ### 🔎 Typical problems solved **How do I activate SSL in WordPress?** → One click in Volixta updates your site to HTTPS safely. **How do I force HTTPS with 301 redirects?** → Volixta inserts a safe `.htaccess` redirect or uses a PHP fallback. **My Site Health report says “No security headers detected”.** → Apply modern **security headers** in one click. **How can I add WordPress security headers without editing code?** → Configure and apply headers from the plugin interface. **After enabling SSL, my site still shows mixed content errors.** → Run the Mixed Content Scan + Fixer. **I'm on Nginx, so .htaccess doesn't work.** → Volixta provides ready-to-copy Nginx configuration snippets. --- == Installation == 1. Upload to `/wp-content/plugins/` or install from the WordPress plugin directory. 2. Activate the plugin. 3. Open **Volixta SSL & Security** in the admin menu. 4. With a valid SSL certificate: - Click **Activate SSL** to update WordPress URLs to HTTPS. - Click **Enable HTTPS Redirect** to force HTTPS. - Click **Apply Security Headers**. --- == Frequently Asked Questions == = How do I activate SSL in WordPress? = Open Volixta → click **Activate SSL**. The plugin updates your WordPress and Site URL to HTTPS. = How do I add security headers in WordPress? = Go to the **Security Headers** panel and click **Apply Security Headers**. = Does it modify .htaccess? = Yes, but only when you trigger an action manually. Blocks are clearly wrapped: - `# BEGIN Volixta HTTPS Redirect` - `# END Volixta HTTPS Redirect` Each change creates a backup file. = Will it work on Nginx? = Yes. Volixta shows Nginx configuration snippets for redirects and headers. = Does it slow down my site? = No. Everything runs only in the admin panel. On the frontend, only the optional PHP redirect runs when enabled. = Can I use it locally? = Yes. Local environments are detected automatically and instructions are provided to enable HTTPS with mkcert. = Where are settings stored? = Only minimal configuration is stored in `wp_options`: - headers configuration - redirect flag - mixed content scan results --- == Screenshots == 1. Dashboard showing SSL, redirect, headers, and server checks 2. One-click SSL activation and HTTPS redirect 3. Mixed content scan and fixer 4. Security headers configuration panel --- == Changelog == = 1.1.4 – 2026-03-11 = * Updated readme.txt = 1.1.3 – 2026-03-09 = - Removed the Security Hardening module to improve stability and compatibility. = 1.1.2 – 2025-12-10 = - Added new Hardening module: * Secure & HttpOnly cookies (adds COOKIE_SECURE and COOKIE_HTTPONLY to wp-config.php) * Disable directory indexing by inserting “Options -Indexes” into .htaccess * Block user enumeration (?author=ID and REST API `/wp/v2/users`) - Improved PHPCS compliance and sanitization for user enumeration blocking - Updated uninstall routine to remove new hardening options - UI enhancements for Security Hardening settings panel - Updated readme.txt = 1.1.1 = Tested up to WordPress 6.9. = 1.1.0 = Improved SSL detection and code compliance. = 1.0.10 = Updated readme. = 1.0.0 = Initial release. --- == Upgrade Notice == = 1.1.3 = The Security Hardening module has been removed to improve stability and compatibility. Those features will be included in the upcoming **Volixta Security Suite** plugin. --- == Privacy == This plugin does not collect, store, or transmit personal data. --- == Localization == Text domain: `volixta-ssl-security-headers` Load path: `/languages` --- == What’s Next == If you like this plugin, check out our other tools: - [VOLIXTA Booking – The All-in-One WordPress Booking Plugin](https://volixta.com) Manage unlimited staff, services, clients, payments, and locations in one powerful system. - [VOLIXTA Security Suite – Advanced WordPress Security Made Simple](https://volixta.com/volixta-security-suite)