Strange Wordpress/WooCommerce bug affecting sites without SSL certificates

Wordpress site stuck in a redirect loop? Read on.

518536840 ead939d50c o
Credit: włodi

Out of the blue, users on our network running Wordpress and WooCommerce starting reporting strange issues beginning late Thursday evening last week. Some were stuck in a redirect loop unable to access their sites, others were seeing pages load with broken style sheets and missing JavaScript files. What made the phenomenon odd was that nothing had been changed on the sites prior to the issues occurring. Stranger still was that it didn't affect every visitor or even the same visitor every time. 

redirect loop google search Cypress North

After taking a look we noticed that the sites were being redirected to the https:// version of the page periodically. In some cases this was a gobal redirect taking place across the entire site, in other cases the page would load on http:// but the stylesheets and scripts would load on https:// and error out if the site had not been configured to support SSL and did not have a valid SSL certificate. With some trial and error we found the WooCommerce plugin to be the culprit and disabling the plugin immediately resolved the issues. Of course we can't just disable the plugin as the sites rely on it to function.

The Fix

The fix is simple enough but can cause some headaches for site owners. If you're using a version of WooCommerce older than 2.3.12 you'll need to upgrade to the latest version to correct the issue. To do so however, you may also need to upgrade your Wordpress installation to the latest version as well. If you haven't upgraded in a long time, this could pose some issues, especially on the WooCommerce side.

It's likely that in the case where you're overriding WooCommerce templates in your theme, your overrides have become outdated. In recent updates to WooCommerce, breaking changes were introduced into many of the core templates. If you upgrade WooCommerce and do not upgrade your override templates, you'll find that not everything works after the upgrade.

Another option to solve the problem is to purchase an SSL certificate for the domain and set up SSL on the host. That way when requests are redirected it will still work, and there is good reason to use HTTPS everywhere anyway.

There is mention of this bug in the release notes for version 2.3.12 but it claims to only affect Google Chrome for sites behind a load balancer or proxy. In our case, none of the sites affected were behind a load balancer or proxy. They were both running on Linux servers with Nginx/PHP5-FPM.

You may be thinking, if you're doing E-Commerce you should have SSL anyway, and that's mostly true. WooCommerce is a pretty flexible platform though and can be used in a lot of ways. Many people need a product catalog but don't actually need a checkout process. For some, PayPal is enough and the processing is handled off site which does not require an SSL certificate. Regardless, it's probably best to take the opportunity to secure your site if necessary. 

ITWorld DealPost: The best in tech deals and discounts.