Do you have a custom WordPress domain (one without “wordpress” in it) or read blogs like that? This tidbit is for you: sometimes browsers claim that custom domain WordPress blog pages are unsafe even when they’re not.

The crux of the matter is https. If an URL on your site starts with https instead of http, that powerful little “s” can send readers running for the hills screaming.

There are actually two potential sources for problems with https on your site. First, on a custom domain WP site, when readers click on an internal link (linking to another page within your site), if the link’s preceded by https, they’ll be warned by their browser not to continue to that page. Their browser will tell them your page isn’t trustworthy, even though there’s abso-freakin-lutely nothing wrong with it. Hmmm, maybe this is a very yaoi thing: “s” for sadist?

That’s right. With an https link, your readers will find themselves facing a warning like this one:

I mean, who wouldn’t click “back to safety” after receiving Chrome’s portent of doom? For me, it was just one stupid mistake on my part that triggered that terrible window.

Problem #2: Apparently, if a reader’s using a browser that forces an https connection (because that generally makes browsing more secure), they’ll get the same warning, no matter how you write your links — I’ll come back to that bit toward the bottom of the post.

an apparent problem where there’s no real problem

I learned all this after I accidentally (somehow) cut/pasted links with an https prefix into some of my posts and pages. Fortunately, Tierra at Seattle Kifujin let me know that when she clicked on a link, she’d gotten this unsettling message:

joyofyaoi.com  uses an invalid security certificate. The certificate is only valid for the following names: *.wordpress.com, wordpress.com (Error code: ssl_error_bad_cert_domain)

Why? Was there something wrong with the page? Was my site being hijacked? Nope, but when a link starts with https, the “s” is making a claim that the site is secure, so the browser dutifully checks the SSL certificate to verify the claim. However, when you have a custom domain on WP, the browser doesn’t find what it’s looking for. It turns out that custom domain sites on WordPress don’t have valid SSL certificates.

security certificates on wordpress don’t apply to custom domains

Even though my custom domain is joyofyaoi.com, it’s hosted on WP, which only has security certificates for wordpress.com addresses. Without “wordpress” in my domain name, I’m not covered by WP’s security certificates. So any https link to my custom domain (or yours) will turn up as having an invalid security certificate — it will look like an untrustworthy site. And your readers will be subjected to the browser’s rather melodramatic alert.

To my irritation, I don’t have the slightest clue how I managed to open a page with an https address on my site (which then caused the problem when I cut/pasted it as a link), so you may never run into this problem. However, if you run into troubles down the road, it may still be good to understand the how and why of it. You know, just in case. And, there’s still the unavoidable https problem a bit farther down…

the fix

Fortunately, there’s an easy cure for this first https ill — make sure none of your internal links have https prefixes (duh, right?); they should all start with plain old http. When I removed the “s” from links where it had crept in, problem solved.

I dug these examples out of the text editor, but this change can easily be made in the visual editor.

but wait, there’s more — the unavoidable problem: overly zealous secure browsers

So, my site’s glitch turned out to be my error of adding “s” to my “http” in links, but before we figured that out, the nice folks at WP mentioned another way this problem pops up on custom domain WP blogs.

Unfortunately, this version of the falsely-accused-as-a-dangerous-website problem is beyond your control: if your virus or malware-fearing readers are using a browser that forces secure connections (https), they will get the exact same “invalid certificate” message as above, telling them that your site should be avoided like the plague. Here’s how macmanx explained it:

“Working on improving the situation” isn’t exactly heartening, is it?

educate your readers?

I don’t know that there’s anything preventative to be done about the too-enthusiastically-secure browser issue, but if a reader contacts you about your site having a security problem (and you’ve checked to make sure you don’t have any https links), at least you can ask them whether they’re using a browser that forces https connections and explain why those would cause the intimidating security message they’re seeing.

For what it’s worth, I guess that the only thing we can do is to try to see that WP bloggers (especially those with custom domains) and readers know about this mistaken invalid security certificate glitch. Because it’s sad to think that people may leave your blood-sweat-and-tears-generated content (or even your lazy-afternoon content) unread based on a false security warning from their well-intentioned browser…

Or that you, as a reader, might miss out on reading something cool because your browser steers you away from the very page that would have healed all your ills, led you to riches, and brought you enlightenment. Or, maybe even served up a decent chuckle.

I was lucky enough to have kind readers who let me know there was a problem on my site, so I could learn about this problem in WP’s system before too many folks got scared away from my site. Perhaps you will consider sharing this information with your blogging friends and readers, too.