Timestamp:
01/29/2021 07:09:49 PM (4 years ago)
Author:
flixos90
Message:

Security, Site Health: Improve accuracy in messaging about HTTPS support.

Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health.

  • Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS.
  • Link to the respective input fields via anchor links rather than to the overall General Settings screen.
  • Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address.
  • Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid.
  • Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the https_status test to become asynchronous.
  • Rename the new private wp_is_owned_html_output() function to a more appropriate wp_is_local_html_output().

Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs.
See #47577.

File:
1 edited

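--- a/trunk/src/wp-admin/includes/class-wp-site-health.php
+++ b/trunk/src/wp-admin/includes/class-wp-site-health.php
@@ -109,5 +109,5 @@
             // Don't run https test on development environments.
             if ( $this->is_development_environment() ) {
-                unset( $tests['direct']['https_status'] );
+                unset( $tests['async']['https_status'] );
             }
 
@@ -1499,4 +1499,8 @@
      */
     public function get_test_https_status() {
+        // Enforce fresh HTTPS detection results. This is normally invoked by using cron, but for Site Health it should
+        // always rely on the latest results.
+        wp_update_https_detection_errors();
+
         $result = array(
             'label'       => __( 'Your website is using an active HTTPS connection' ),
@@ -1522,25 +1526,51 @@
 
         if ( ! wp_is_using_https() ) {
+            // If the website is not using HTTPS, provide more information about whether it is supported and how it can
+            // be enabled.
             $result['status'] = 'critical';
             $result['label']  = __( 'Your website does not use HTTPS' );
 
-            if ( is_ssl() ) {
-                $result['description'] = sprintf(
-                    '<p>%s</p>',
-                    sprintf(
-                        /* translators: %s: URL to General Settings screen. */
-                        __( 'You are accessing this website using HTTPS, but your <a href="%s">WordPress Address</a> is not set up to use HTTPS by default.' ),
-                        esc_url( admin_url( 'options-general.php' ) )
-                    )
-                );
+            if ( wp_is_site_url_using_https() ) {
+                if ( is_ssl() ) {
+                    $result['description'] = sprintf(
+                        '<p>%s</p>',
+                        sprintf(
+                            /* translators: %s: URL to Settings > General > Site Address. */
+                            __( 'You are accessing this website using HTTPS, but your <a href="%s">Site Address</a> is not set up to use HTTPS by default.' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#home' )
+                        )
+                    );
+                } else {
+                    $result['description'] = sprintf(
+                        '<p>%s</p>',
+                        sprintf(
+                            /* translators: %s: URL to Settings > General > Site Address. */
+                            __( 'Your <a href="%s">Site Address</a> is not set up to use HTTPS.' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#home' )
+                        )
+                    );
+                }
             } else {
-                $result['description'] = sprintf(
-                    '<p>%s</p>',
-                    sprintf(
-                        /* translators: %s: URL to General Settings screen. */
-                        __( 'Your <a href="%s">WordPress Address</a> is not set up to use HTTPS.' ),
-                        esc_url( admin_url( 'options-general.php' ) )
-                    )
-                );
+                if ( is_ssl() ) {
+                    $result['description'] = sprintf(
+                        '<p>%s</p>',
+                        sprintf(
+                            /* translators: 1: URL to Settings > General > WordPress Address, 2: URL to Settings > General > Site Address. */
+                            __( 'You are accessing this website using HTTPS, but your <a href="%1$s">WordPress Address</a> and <a href="%2$s">Site Address</a> are not set up to use HTTPS by default.' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#siteurl' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#home' )
+                        )
+                    );
+                } else {
+                    $result['description'] = sprintf(
+                        '<p>%s</p>',
+                        sprintf(
+                            /* translators: 1: URL to Settings > General > WordPress Address, 2: URL to Settings > General > Site Address. */
+                            __( 'Your <a href="%1$s">WordPress Address</a> and <a href="%2$s">Site Address</a> are not set up to use HTTPS.' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#siteurl' ),
+                            esc_url( admin_url( 'options-general.php' ) . '#home' )
+                        )
+                    );
+                }
             }
 
@@ -1562,4 +1592,34 @@
                 );
             }
+        } elseif ( ! wp_is_https_supported() ) {
+            // If the website is using HTTPS, but HTTPS is actually not supported, inform the user about the potential
+            // problems.
+            $result['status'] = 'critical';
+            $result['label']  = __( 'There are problems with the HTTPS connection of your website' );
+
+            $https_detection_errors = get_option( 'https_detection_errors' );
+            if ( ! empty( $https_detection_errors['ssl_verification_failed'] ) ) {
+                $result['description'] = sprintf(
+                    '<p>%s</p>',
+                    sprintf(
+                        /* translators: %s: URL to Settings > General > WordPress Address. */
+                        __( 'Your <a href="%s">WordPress Address</a> is set up to use HTTPS, but the SSL certificate appears to be invalid.' ),
+                        esc_url( admin_url( 'options-general.php' ) . '#siteurl' )
+                    )
+                );
+            } else {
+                $result['description'] = sprintf(
+                    '<p>%s</p>',
+                    sprintf(
+                        /* translators: %s: URL to Settings > General > WordPress Address. */
+                        __( 'Your <a href="%s">WordPress Address</a> is set up to use HTTPS, but your website appears to be unavailable when using an HTTPS connection.' ),
+                        esc_url( admin_url( 'options-general.php' ) . '#siteurl' )
+                    )
+                );
+            }
+            $result['description'] .= sprintf(
+                '<p>%s</p>',
+                __( 'Talk to your web host about resolving this HTTPS issue for your website.' )
+            );
         }
 
@@ -2201,8 +2261,4 @@
                     'test'  => 'utf8mb4_support',
                 ),
-                'https_status'              => array(
-                    'label' => __( 'HTTPS status' ),
-                    'test'  => 'https_status',
-                ),
                 'ssl_support'               => array(
                     'label' => __( 'Secure communication' ),
@@ -2248,4 +2304,10 @@
                     'has_rest'          => true,
                     'async_direct_test' => array( WP_Site_Health::get_instance(), 'get_test_loopback_requests' ),
+                ),
+                'https_status'         => array(
+                    'label'             => __( 'HTTPS status' ),
+                    'test'              => rest_url( 'wp-site-health/v1/tests/https-status' ),
+                    'has_rest'          => true,
+                    'async_direct_test' => array( WP_Site_Health::get_instance(), 'get_test_https_status' ),
                 ),
                 'authorization_header' => array(
@@ -2615,5 +2677,5 @@
         // Don't run https test on development environments.
         if ( $this->is_development_environment() ) {
-            unset( $tests['direct']['https_status'] );
+            unset( $tests['async']['https_status'] );
         }
 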
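Review bot: `get_test_https_status()` now calls `wp_update_https_detection_errors()` unconditionally as its first statement, while the development-environment exclusion is still enforced only by dropping the entry from the test list (`unset( $tests['async']['https_status'] )` in the first and last hunks). The method is now also reachable through `rest_url( 'wp-site-health/v1/tests/https-status' )` and as `async_direct_test`, so a direct call refreshes the detection results on a development environment too, unless the route handler, which is not visible in this section, applies its own check. Assuming the refresh performs a live request and rewrites the `https_detection_errors` option read further down, I would guard it where the side effect happens, e.g. `if ( ! $this->is_development_environment() ) { wp_update_https_detection_errors(); }`, or extend the comment to say that the route's permission check is the only gate. The method body runs past the hunks shown, so the rest of it could not be checked.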