Make WordPress Core

Changes between Initial Version and Version 17 of Ticket #47577


Timestamp: 10/02/2020 08:08:59 PM
Author: flixos90
Comment:

I've reduced the scope of this ticket as mentioned above and opened #51437 and #51438 for the above tasks 2. and 3.

  • Ticket #47577

    • Property Focuses administration added
    • Property Component changed from Administration to Security
    • Property Summary changed from Streamline detecting and enabling HTTPS to Detect HTTPS support and provide guidance
    • Property Milestone changed from Awaiting Review to Future Release
    • Property Keywords 2nd-opinion removed
  • Ticket #47577 – Description

    Description, initial version compared with v17. Paragraphs marked "initial" are the removed text, paragraphs marked "v17" are the added text, unmarked paragraphs are unchanged.

    Of all the WordPress sites today, 63.4% are using HTTPS. While this is already better than the [https://w3techs.com/technologies/details/ce-httpsdefault/all/all average for the entire web], it is far from optimal. More and more modern web APIs require usage of HTTPS, let alone the security implications of not using it.

    initial: In order to close that gap, it must be easier for administrators to switch their WordPress site to HTTPS, especially if it is already supported by their environment.
    v17: In order to close that gap, WordPress should do better to actively recommend administrators to switch their non-HTTPS site to use HTTPS, especially if their current environment already technically supports it.

    initial: In order to provide accurate recommendations to site owners about switching their site to HTTPS, we need to know whether HTTPS is even supported by their server and domain. We have been reliably [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detecting HTTPS support in the PWA plugin] for a while, and the same logic could be used in core.
    v17: In order to provide accurate recommendations to site owners about switching their site to HTTPS, we need to know whether HTTPS is even supported by their server and domain. This has been reliably [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detected in the PWA plugin] for a while, and similar logic could be used in core.

    Based on the result of the HTTPS support detection, we would recommend one of the following:

    * If not supported, recommend talking to the web host about enabling HTTPS.

    initial: This provides more accurate recommendations for the respective situation a site is in.
    initial: In order to properly enable HTTPS it is also crucial to not have mixed content links. Performing extensive database replacements is unfeasible for WordPress core itself, so we should instead replace URLs in content pointing to `http://` versions of the page with their `https://` counterparts on the fly. While this would be unnecessary for sites that properly have switched all their content to HTTPS, the overhead is minimal and acceptable. Last but not least, if somebody still doesn't want it, those checks should be removable easily because of the filter usage.
    v17: This provides more accurate recommendations for the respective situation a site is in. Then, in separate follow-up tickets, we should look at simplifying the migration from HTTP to HTTPS itself which today is far too complex for the majority of WordPress users.
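The initial description proposes rewriting `http://` URLs in content to `https://` on the fly through a filter, gated on the HTTPS detection result and removable by unhooking the filter. The following is an added example of that idea, written for this page; it is not code from WordPress core, the ticket, or the PWA plugin. The function names, the `https_detected` option name, the `example.com` host and the sample HTML are all hypothetical or constructed. The practitioner caveat it encodes: rewrite only URLs for the site's own host, whose HTTPS support has actually been verified, and leave third-party `http://` URLs alone, because rewriting a host that does not serve HTTPS replaces a mixed-content warning with a broken resource.

```php
<?php
/**
 * Added example, not code from WordPress core, the ticket, or the PWA plugin.
 *
 * Rewrites http:// references to the site's own host into https:// on the
 * fly, but only for that host and only once HTTPS support for it has been
 * detected. Third-party http:// URLs are deliberately left untouched.
 *
 * Function and option names are hypothetical. Runs stand-alone with
 * `php rewrite-insecure-home-url.php`; inside WordPress the guarded block
 * at the bottom attaches the same function as a filter.
 */

/**
 * Rewrite http:// URLs pointing at $home_host to https://.
 *
 * Handles the plain form (http://host/...) and the JSON-escaped form
 * (http:\/\/host\/...) found in inline scripts and block attributes.
 * Matching is case-insensitive and requires a URL delimiter right after
 * the host, so "example.com" does not match "example.com.evil.test".
 * The replacement uses $home_host as given, so a mixed-case host in the
 * content comes out normalised to the configured spelling.
 */
function rewrite_insecure_home_url(string $content, string $home_host, bool $https_supported): string
{
    // Without a positive detection result the content is returned untouched.
    if (!$https_supported) {
        return $content;
    }

    $host = preg_quote($home_host, '#');

    // Plain form. The lookahead lists what may legitimately follow a host:
    // path, port, query, fragment, attribute quote, whitespace, tag end.
    $plain = '#http://' . $host . '(?=[/:?\#"\'\s<>)]|$)#i';

    // JSON-escaped form: slashes appear as \/ and the host is followed by
    // \/ or a closing quote. Backslashes are doubled once for the PHP
    // string literal and once more for PCRE.
    $escaped = '#http:\\\\/\\\\/' . $host . '(?=[\\\\"\'\s]|$)#i';

    $content = preg_replace($plain, 'https://' . $home_host, $content);
    // In a preg_replace() replacement string a literal backslash is written as \\.
    $content = preg_replace($escaped, 'https:\\\\/\\\\/' . $home_host, $content);

    return $content;
}

/**
 * Filter callback for WordPress. A named function rather than a closure so a
 * site can undo it with remove_filter( 'the_content', 'maybe_rewrite_insecure_home_url' ),
 * which is the "easily removable" property the ticket asks for.
 * The option 'https_detected' is hypothetical and stands for the stored
 * result of the HTTPS detection check.
 */
function maybe_rewrite_insecure_home_url(string $content): string
{
    return rewrite_insecure_home_url(
        $content,
        (string) parse_url(home_url(), PHP_URL_HOST),
        (bool) get_option('https_detected', false)
    );
}

if (function_exists('add_filter')) {
    // Inside WordPress: hook post content. Other output filters could be
    // added the same way.
    add_filter('the_content', 'maybe_rewrite_insecure_home_url');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample content; example.com stands in for the site's own host.
    $sample = <<<'HTML'
<p><a href="http://example.com/about/">About</a></p>
<img src="http://EXAMPLE.com/wp-content/uploads/logo.png" alt="logo">
<a href="http://example.com.evil.test/">Lookalike host, must stay http</a>
<a href="http://partner.example/feed">Third party, must stay http</a>
<script>var wpApi = {"root":"http:\/\/example.com\/wp-json\/"};</script>
HTML;

    echo rewrite_insecure_home_url($sample, 'example.com', true), PHP_EOL;
}
```

Run from the command line, the first two links and the JSON-escaped REST root come out as `https://example.com/...` and `https:\/\/example.com\/...`, while the lookalike host and the third-party feed keep their `http://` scheme. Passing `false` as the third argument, the state before detection has confirmed HTTPS support, returns the content unchanged.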