Opened 5 years ago
Last modified 5 months ago
#49515 new feature request
SSL requirement during installation with SQL command through admin if mixed content
Reported by: | bjornenio | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Upgrade/Install | Keywords: | needs-patch dev-feedback |
Focuses: | ui, administration | Cc: |
Description
Would it not be a good idea to highlight / warn the user if they try to use http instead of https?
Furthermore, it would be very beneficial if wp admin offered a solution in terms of a SQL command for fixing mixed content if SSL is added after the fact.
This might already be in the pipeline?
Change History (7)
#3 follow-up: ↓ 4, 4 years ago
This seems like a good idea to me. However, the check using $_SERVER['HTTPS'] wouldn't be optimal. As stated in https://www.php.net/manual/en/reserved.variables.server.php this is set to a non-empty value if the script was queried through the HTTPS protocol. Ideally, you'd want to check for the capability of a secured connection, not if the user is already using it.
My approach would be to test the given site-url for SSL capabilities, by using something like fsockopen(). If the url can be accessed through a secure connection ask the user if it wants to use that instead. If it's not possible, just proceed with the install.
#4 in reply to: ↑ 3, 4 years ago
Replying to WiZZarD_:
> Ideally, you'd want to check for the capability of a secured connection, not if the user is already using it.

My first minimal approach was to check if https is used and if not display a warning. Additionally I was wrong and we could in fact use is_ssl but without the load balancer fix. See: https://developer.wordpress.org/reference/functions/is_ssl/
> My approach would be to test the given site-url for SSL capabilities, by using something like fsockopen(). If the url can be accessed through a secure connection ask the user if it wants to use that instead. If it's not possible, just proceed with the install.

That would be a better approach. Not just detect the missing https, but detecting a possible https connection and offer a redirect to the https version.
But what about people who forgot to install the SSL certificate (or there is something wrong with it)? I think we should warn if there is no https used in every case and offer a direct link to https if it is already available.
The first one is easy as we could just use is_ssl().
I was not successful in detecting a possible https connection. Maybe someone can chime in with a code snippet.
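One way to probe for HTTPS capability as discussed in comments 3 and 4, shown as an added example that is not part of the ticket or of WordPress core. It uses stream_socket_client() rather than fsockopen() because only the former accepts a stream context for certificate verification; the function name, return values and timeout are assumptions, and the openssl extension is required.

```php
<?php
// Added example, not WordPress core code. Function name and return values are hypothetical.
// Requires PHP's openssl extension for the ssl:// transport.

/**
 * Probe whether the host of $site_url accepts TLS on port 443.
 *
 * @return string 'valid' (certificate verifies), 'untrusted' (TLS answers,
 *                certificate fails verification) or 'unavailable'.
 */
function example_probe_https( string $site_url, float $timeout = 3.0 ): string {
	$host = parse_url( $site_url, PHP_URL_HOST );
	if ( ! is_string( $host ) || '' === $host || ! in_array( 'ssl', stream_get_transports(), true ) ) {
		return 'unavailable';
	}
	$target = 'ssl://' . $host . ':443';

	// Pass 1: verify the chain and the host name against the system CA store.
	// Pass 2: verification off, used only to tell a broken certificate apart
	// from a missing TLS listener. Nothing is sent over that connection.
	foreach ( array( 'valid' => true, 'untrusted' => false ) as $result => $verify ) {
		$context = stream_context_create( array(
			'ssl' => array(
				'verify_peer'       => $verify,
				'verify_peer_name'  => $verify,
				'allow_self_signed' => ! $verify,
			),
		) );
		$conn = @stream_socket_client( $target, $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $context );
		if ( false !== $conn ) {
			fclose( $conn );
			return $result;
		}
	}
	return 'unavailable';
}

// Installer-side decision, following the thread: always warn on plain HTTP,
// and point to HTTPS only when the certificate verified.
$notices = array(
	'valid'       => 'HTTPS is available for this site. Continue the installation over https://.',
	'untrusted'   => 'Port 443 answers, but the certificate does not verify. Fix the certificate before switching.',
	'unavailable' => 'No HTTPS endpoint detected. This installation will run over unencrypted HTTP.',
);
// Constructed sample URL for illustration.
echo $notices[ example_probe_https( 'http://example.test/' ) ], PHP_EOL;
```

The probe connects only to port 443 of the host taken from the site URL, which keeps the installer from being used to reach arbitrary ports.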
#6, 3 years ago
@flixos90 Is there a chance to get this in 5.8 as a follow-up to your https related tickets in 5.7?
Are wp_is_using_https() and wp_is_https_supported() available in the Install process?
I think this is a good idea! We couldn't use is_ssl on the install page, because the option is not written at this moment, so I looked for available solutions to check if the page is available through https and found this:
Source: https://stackoverflow.com/a/16076965
It is checking if the variable is activated stating https support or in case of a load balancer and similar stuff (reverse proxy, etc.) it checks different variables for those.
If this would be added to the install page we could either redirect to the https version or display a warning, stating that https is available too.
This looks like plugin territory to me. And there are already many plugins available for that:
https://wordpress.org/plugins/search/ssl+mixed+content/