WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 6 months ago

#52799 new enhancement

Easy HTTPS Redirects in WordPress Dashboard

Reported by: sarmstead
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Site Health
Keywords:
Focuses:
Cc:

Description

In 5.7 we introduced a way to automatically update database URLs in the Tools > Site Health section. Great work everybody!

In addition to updating URLs, I propose that 5.8 adds a button to force HTTPS redirects in the .htaccess file at the site root. This feature would add the following code to the # BEGIN WordPress / # END WordPress block in the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Why do this? Adding this enhancement can make securing a WordPress site much easier for users who don't want to fuss with code to keep their site from returning pages with http://.

Change History (4)

This ticket was mentioned in Slack in #core by sarmstead.


6 months ago

#2 @SergeyBiryukov
6 months ago

  • Focuses coding-standards removed

#3 follow-up: @juliobox
6 months ago

Hey
I think WordPress won't do that because the way to redirect HTTP to HTTPS depends on the host.
Here is a French blog post about this: https://reskator.fr/2019/forcer-la-connexion-en-https/
You will find a bunch of code depending on your host, and all hosts are not present here, so…

#4 in reply to: ↑ 3 @sarmstead
6 months ago

Replying to juliobox:

Hey
I think WordPress won't do that because the way to redirect HTTP to HTTPS depends on the host.
Here is a French blog post about this: https://reskator.fr/2019/forcer-la-connexion-en-https/
You will find a bunch of code depending on your host, and all hosts are not present here, so…

I love your thoughts here, thanks @juliobox! I totally forgot about Nginx configurations, along with all the quirks that come along with hosting providers. In this sense, it would certainly be difficult for us to adjust forcing SSL for all environments.

One alternative might be to detect the recommended providers (https://wordpress.org/hosting/). It still might be hard to determine if they are using Apache or Nginx, since some hosts allow for both.

What other options might we have to help users force SSL on their site?
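
Added example, not part of the ticket and not WordPress core code: a sketch of the environment check the thread says a one-click redirect would need before writing the proposed rule to .htaccess. The function name, the returned labels and the sample environments are hypothetical; the `X-Forwarded-Proto` check assumes the host's proxy sets that header.

```php
<?php
// Added illustration, not WordPress core code. The function name and the
// returned labels are hypothetical.

/**
 * Decide where an HTTP-to-HTTPS redirect has to live for this environment.
 *
 * @param array $server A $_SERVER-style array.
 * @return string 'htaccess', 'nginx-server-config', 'proxy-terminated-tls' or 'unknown'.
 */
function https_redirect_strategy( array $server ): string {
    $software  = strtolower( $server['SERVER_SOFTWARE'] ?? '' );
    $https_on  = ! empty( $server['HTTPS'] ) && 'off' !== strtolower( $server['HTTPS'] );
    $forwarded = strtolower( $server['HTTP_X_FORWARDED_PROTO'] ?? '' );

    // A forwarding header with no local TLS means TLS ends at a proxy or load
    // balancer. The web server then sees plain HTTP for every request, so
    // "RewriteCond %{HTTPS} off" always matches and the 301 loops.
    // Trust this header only when the host's own proxy sets it.
    if ( ! $https_on && '' !== $forwarded ) {
        return 'proxy-terminated-tls';
    }
    // Apache and LiteSpeed read .htaccess, so the proposed rule applies.
    if ( false !== strpos( $software, 'apache' ) || false !== strpos( $software, 'litespeed' ) ) {
        return 'htaccess';
    }
    // Nginx ignores .htaccess; the redirect belongs in the server block.
    if ( false !== strpos( $software, 'nginx' ) ) {
        return 'nginx-server-config';
    }
    return 'unknown';
}

// Constructed sample environments (not captured from real hosts).
$samples = array(
    'shared Apache'      => array( 'SERVER_SOFTWARE' => 'Apache/2.4.57 (Unix)', 'HTTPS' => 'off' ),
    'Nginx + PHP-FPM'    => array( 'SERVER_SOFTWARE' => 'nginx/1.24.0' ),
    'Apache behind a LB' => array( 'SERVER_SOFTWARE' => 'Apache', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
    'other server'       => array( 'SERVER_SOFTWARE' => 'Microsoft-IIS/10.0', 'HTTPS' => 'on' ),
);

foreach ( $samples as $label => $server ) {
    printf( "%-20s => %s\n", $label, https_redirect_strategy( $server ) );
}
```

Only the `htaccess` result is a case where the rule from the ticket description can be written as proposed; the other results are the host-dependent cases raised in comment 3.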
