Thanks Miguel.
If the user is not using SSL for admin then $URL and $URL_HTTP will be the same I think.
In that case if a part of the site is accessed using HTTPS and there is no HTTPS for the admin area, then this wont' work.
But I think that is a rare case - a site that is using HTTPS publicly and no HTTPS for the admin area.
However I'm inclined to go with the following logic:
If the public page is HTTP then access admin-ajax.php using HTTP.
If the public page is HTTPS then access the admin-ajax.php using HTTPS.
The URL should be generated using the admin_url() function.
If a site is not compatible with this setup then it's also not going to be compatible with many other plugins that use AJAX.
So the code would look like this:
public static function wp_head(){
$URL = admin_url('admin-ajax.php?action=wordfence_logHuman&hid=' . wfUtils::encrypt(self::$hitID));
$URL = preg_replace('/^https?:/i', '', $URL);
echo '<script type="text/javascript">var src="' . $URL . '"; var wfHTImg = new Image(); wfHTImg.src=src;</script>';
}
Which generates javascript in the public pages that looks like this:
var src="//test1.com/wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=8EFC33D2CB5D1C0C6F6ED3FC6C9168DC"; var wfHTImg = new Image(); wfHTImg.src=src;
As you can see the var src= URL is a scheme relative URL that would use either HTTP or HTTPS depending on how the page is being accessed.
Would this work for your config?