WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#28426 closed enhancement (fixed)

An HTTPS scheme in siteurl is ignored

Reported by: johnbillion Owned by:
Milestone: 4.0 Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: administration Cc:

Description

Scenario: a site where the 'WordPress Address' (siteurl option) uses HTTPS, but the 'Site Address' (home option) uses HTTP. FORCE_SSL_ADMIN is not defined. This situation can arise simply by changing the settings on the General Settings screen.

In this situation, admin_url() does not return an HTTPS URL. This means that the login link, and links in the admin toolbar are plain HTTP when it's expected that they would be HTTPS links. The scheme in the 'WordPress Address' setting is completely ignored.

If this option has an HTTPS scheme, FORCE_SSL_ADMIN should get defined if it is not already.

#27954 recently implemented the front end counterpart to this.

Change History (2)

#1 @nacin
5 years ago

  • Milestone changed from Awaiting Review to 4.0
  • Resolution set to fixed
  • Status changed from new to closed

[28674] fixes this.

#2 @nacin
5 years ago

  • Component changed from Administration to Security
Note: See TracTickets for help on using tickets.