Make WordPress Core

Opened 13 years ago

Closed 12 years ago

Last modified 5 years ago

#16869 closed defect (bug) (duplicate)

Links from admin panel to site don't use HTTPS

Reported by: f30's profile F30 Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.1
Component: Administration Keywords:
Focuses: Cc:


Since version 3.0, Wordpress automatically changes all links to an 'https://' url if a request is made via SSL, even if the site address is set to an 'http://' url. This is important in dual-stack setups, when you want a site to be accessible via both HTTP and HTTPS.

However, this (as far as I have figured out) doesn't work for links which point from somewhere in the administration panel somewhere in the site, the most visible of the being the 'Visit Site' link at the top. This means that if you as a site administrator use those links, you are suddenly making unencrypted requests without even noticing it very much.

In a situation where you rely on SSL security, your cookie information is being exposed. Although the cookie submitted via HTTP is not valid for the admin panel, a possible attacker could take over your frontend session and e.g. post comments under your identity. It also creates some inconvenience as you have to log in again when changing back to the admin panel.

Since it seems to be a common setup only to do administration via SSL (wp-config even has an 'FORCE_SSL_ADMIN' option), it might be hard to figure out if all site links can or should be changed to 'https', too.
But the current behavior is at least annoying and in my opinion also not secure for users.

Change History (6)

#1 follow-up: @filosofo
13 years ago

  • Keywords close added
  • Milestone changed from Awaiting Review to Future Release

Related: #15330

I suggest closing this ticket as a duplicate of that one.

#2 in reply to: ↑ 1 @F30
13 years ago

Replying to filosofo:

Related: #15330

I suggest closing this ticket as a duplicate of that one.

I agree with that, #15330 also implies this particular problem.

However, the patch from over there (which is already applied in 3.1) doesn't cover the subject of the links so far.

#3 @filosofo
13 years ago

I basically agree, but I think it might be best to keep the discussion in one place.

#4 @AJ Acevedo
12 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

#5 @ocean90
12 years ago

  • Keywords close removed
  • Milestone Future Release deleted

This ticket was mentioned in Slack in #core-js by dsifford. View the logs.

5 years ago

Note: See TracTickets for help on using tickets.