#28426 closed enhancement (fixed)
An HTTPS scheme in siteurl is ignored
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | 4.0 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | administration | Cc: |
Description
Scenario: a site where the 'WordPress Address' (siteurl option) uses HTTPS, but the 'Site Address' (home option) uses HTTP. FORCE_SSL_ADMIN is not defined. This situation can arise simply by changing the settings on the General Settings screen.
In this situation, admin_url() does not return an HTTPS URL. This means that the login link, and links in the admin toolbar are plain HTTP when it's expected that they would be HTTPS links. The scheme in the 'WordPress Address' setting is completely ignored.
If this option has an HTTPS scheme, FORCE_SSL_ADMIN should get defined if it is not already.
#27954 recently implemented the front end counterpart to this.
Change History (2)
Note: See
TracTickets for help on using
tickets.
[28674] fixes this.