SSL Websites using WordPress - Horizontal Admin Bar reverts to non-SSL links

[Laughter On Water]

Using SSL, Theme Twenty-Seventeen
When I'm at ​https://amateurethicist.com/wp-admin/< whatever > and I hover over any of the vertical menus, I get the expected https linked administrative links. (See green lines depicting correct function.)

When I go to any of the horizontal administrative menu or some of the other links (see red lines depicting incorrect function) I am sent to non SSL links.

I can't be sure, but it seems unintentional, since my browser goes kerflooey when I try to go from https to http via an admin link to view the posted page.

Yeah, it's SSL, but I'm not sure this is a true security issue as much as it's an admin menu/core links thing. If this is a security issue, please let me know and I'll post in the WP HackerOne area. I've included a list of my site's general configurations just in case they'll help.

Diagnostic Glance 0.9.1

WordPress Version: 4.9.4

Listed Themes

[a] Twenty Seventeen - Version 1.4
1 themes present.

Listed Plugins

[ ] Ad Codes Widget - Version 110709
[a] Advanced noCaptcha reCaptcha - Version 2.4
[a] Anti-spam - Version 4.4
[a] Black Studio TinyMCE Widget - Version 2.6.2
[a] BulletProof Security - Version 2.9
[a] Diagnostic Glance - Version 0.9.2
[a] Electric Studio Download Counter - Version 2.4
[a] Fast Secure Contact Form - Version 4.0.56
[a] Google Analyticator - Version 6.5.4
[a] Google XML Sitemaps - Version 4.0.9
[a] Redirection - Version 3.2
[a] Social Media Follow Buttons Bar - Version 4.29
[a] TinyMCE Advanced - Version 4.6.7
[ ] W3 Total Cache - Version 0.9.6
[a] Widget Logic - Version 5.9.0
[a] WPS Hide Login - Version 1.2.5.1
14 active plugins out of 16 present

WordPress Config

Permalink Structure: /%year%/%monthnum%/%postname%/
Category Base: topics
Tag Base: tags
WP Max Memory Limit: 256M
WP Memory Limit: 40M
WP Max Upload Size: 64M
WP Cache: off
WP Debug: off
WP Debug Log: off
WP Debug Display: on
Display Errors: on
Log Errors: off
Error Log Path:
Concatenate Scripts: default*
Allow Multisite: default*
Disable Auto Updates: default*
Enable Core Updates: default*
Disallow File Edit: default*
Disallow File Mods: default*
*default - not explicitly set in wp-config.php,
so wp defaults apply.

Hosting and System Config

Server: Apache
PHP Version: 7.0.28
MySQL Database Version: 5.6.34
PHP Memory Limit: 256M
PHP Max Upload Size: 64M
PHP Post Max Size: 65M
PHP SAPI: cgi-fcgi.

PHP Extensions [ 49 Enabled ]

bcmath, bz2, calendar, cgi-fcgi,
Core, ctype, curl, date,
dom, exif, filter, ftp,
gd, gettext, hash, iconv,
imagick, imap, json, libxml,
mbstring, mcrypt, mysqli, mysqlnd,
openssl, pcntl, pcre, PDO,
pdo_mysql, pdo_sqlite, posix, pspell,
Reflection, session, SimpleXML, soap,
sockets, SPL, sqlite3, standard,
tokenizer, xml, xmlreader, xmlrpc,
xmlwriter, xsl, Zend OPcache, zip,
zlib

Apache Module List Unavailable

You're running PHP as cgi-fcgi.

General Site Statistics

Administrators: 1
Contributors: 1
Nones: 0
Total Users: 2
Published Pages: 2
Draft Pages: 0
Published Posts: 3
Draft Posts: 2
Comments in Moderation: 0
Comments Approved: 0
Comments Spam: 0
Comments Trash: 0
All Comments: 0
Images: 15
Other Media: 0
All Media: 15

[dd32]

Hey, and welcome to Trac.

What are the "WordPress Address (URL)" and "Site Address (URL)" settings set to under Settings -> General?

Based on what I'm seeing when visiting your site, it's likely that the former is set to http instead of https.

[Laughter On Water]

Thanks. This has done the trick. So, not a bug. Except I wonder if core should detect whether you're using SSL or not and jigger the those links appropriately.

Replying to dd32:

Hey, and welcome to Trac.

What are the "WordPress Address (URL)" and "Site Address (URL)" settings set to under Settings -> General?

Based on what I'm seeing when visiting your site, it's likely that the former is set to http instead of https.