Links from admin panel to site don't use HTTPS
Reported by: F30
Owned by:
Since version 3.0, WordPress automatically changes all links to an 'https://' URL if a request is made via SSL, even if the site address is set to an 'http://' URL. This is important in dual-stack setups, when you want a site to be accessible via both HTTP and HTTPS.
However, this (as far as I have figured out) doesn't work for links which point from somewhere in the administration panel to somewhere in the site, the most visible of them being the 'Visit Site' link at the top. This means that if you as a site administrator use those links, you are suddenly making unencrypted requests without even noticing it very much.
In a situation where you rely on SSL security, your cookie information is being exposed. Although the cookie submitted via HTTP is not valid for the admin panel, a possible attacker could take over your frontend session and e.g. post comments under your identity. It also creates some inconvenience as you have to log in again when changing back to the admin panel.
Since it seems to be a common setup only to do administration via SSL (wp-config even has a 'FORCE_SSL_ADMIN' option), it might be hard to figure out if all site links can or should be changed to 'https', too.
But the current behavior is at least annoying and in my opinion also not secure for users.
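As an added example (not code from the ticket or from WordPress core), a small plugin that keeps links generated through home_url(), including the admin bar's 'Visit Site' link, on https whenever the current request itself came in over SSL, regardless of the configured site address. It assumes the 'home_url' filter with its four arguments and the is_ssl() helper; the plugin name and function name are made up for this example.

```php
<?php
/*
Plugin Name: Keep admin-to-site links on HTTPS (example)
Description: Example mitigation for frontend links dropping to http:// when the request was made over SSL.
*/

// Added example, not part of the ticket or of WordPress core.
// Only the scheme of the URL is touched; host and path stay as WordPress built them.
function example_keep_https_home_url( $url, $path, $orig_scheme, $blog_id ) {
    // A caller that asked for a specific scheme (e.g. home_url( '/', 'http' )) keeps it.
    if ( null !== $orig_scheme ) {
        return $url;
    }

    // The request we are answering arrived over SSL, so links back to the
    // site should stay on https; otherwise the browser would send the
    // frontend cookies over plain HTTP, as the ticket describes.
    if ( is_ssl() && 0 === strpos( $url, 'http://' ) ) {
        $url = 'https://' . substr( $url, strlen( 'http://' ) );
    }

    return $url;
}

// Priority 10, four accepted arguments ($url, $path, $orig_scheme, $blog_id).
add_filter( 'home_url', 'example_keep_https_home_url', 10, 4 );
```

Dropping the file into wp-content/mu-plugins/ loads it unconditionally; with it active, the 'Visit Site' link rendered during an https admin request points at https as well, while plain http requests are left unchanged.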
Change History (5)
- Keywords close added
- Milestone changed from Awaiting Review to Future Release