Changes between Initial Version and Version 17 of Ticket #47577
- Timestamp: 10/02/2020 08:08:59 PM (3 years ago)
Ticket #47577
- Property Focuses administration added
- Property Component changed from Administration to Security
- Property Summary changed from Streamline detecting and enabling HTTPS to Detect HTTPS support and provide guidance
- Property Milestone changed from Awaiting Review to Future Release
- Property Keywords 2nd-opinion removed
Ticket #47577 – Description
initial v17 1 1 Of all the WordPress sites today, 63.4% are using HTTPS. While this is already better than the [https://w3techs.com/technologies/details/ce-httpsdefault/all/all average for the entire web], it is far from optimal. More and more modern web APIs require usage of HTTPS, let alone the security implications of not using it. 2 In order to close that gap, it must be easier for administrators to switch their WordPress site to HTTPS, especially if it is already supported by their environment.2 In order to close that gap, WordPress should do better to actively recommend administrators to switch their non-HTTPS site to use HTTPS, especially if their current environment already technically supports it. 3 3 4 In order to provide accurate recommendations to site owners about switching their site to HTTPS, we need to know whether HTTPS is even supported by their server and domain. We have been reliably [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detecting HTTPS support in the PWA plugin] for a while, and the samelogic could be used in core.4 In order to provide accurate recommendations to site owners about switching their site to HTTPS, we need to know whether HTTPS is even supported by their server and domain. This has been reliably [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detected in the PWA plugin] for a while, and similar logic could be used in core. 5 5 6 6 Based on the result of the HTTPS support detection, we would recommend one of the following: … … 8 8 * If not supported, recommend talking to the web host about enabling HTTPS. 9 9 10 This provide more accurate recommendations for the respective situation a site is in. 11 12 In order to properly enable HTTPS it is also crucial to not have mixed content links. 
Performing extensive database replacements is unfeasible for WordPress core itself, so we should instead replace URLs in content pointing to `http://` versions of the page with their `https://` counterparts on the fly. While this would be unnecessary for sites that properly have switched all their content to HTTPS, the overhead is minimal and acceptable. Last but not least, if somebody still doesn't want it, those checks should be removable easily because of the filter usage. 10 This provide more accurate recommendations for the respective situation a site is in. Then, in separate follow-up tickets, we should look at simplifying the migration from HTTP to HTTPS itself which today is far too complex for the majority of WordPress users.
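Review bot: In v17 line 10, the closing sentence defers the HTTP-to-HTTPS migration to "separate follow-up tickets" without naming them, while the removed lines 11-12 were the only place that stated the mixed-content requirement (replacing `http://` URLs with their `https://` counterparts on the fly, removable through a filter). Suggest linking the follow-up tickets in that sentence, or keeping one sentence that says mixed content still has to be handled when a site is switched, so the detection and guidance described here is not read as the complete change. The same line carries over "This provide more accurate recommendations", which should read "This provides", and the v17 line 2 wording "should do better to actively recommend administrators to switch" would read more cleanly as "should more actively recommend that administrators switch".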