Make WordPress Core

Opened 13 months ago

Last modified 4 months ago

#63490 new defect (bug)

Non-secure subdomain site URL in site activation email

Reported by: umesh.nevase Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.8
Component: Login and Registration Keywords: has-patch dev-feedback
Focuses: Cc:

Description

I've enabled Network site settings for Both site and user registration.

After creating a subdomain and registering a new user site, I got the email requesting site activation. Both a non-secure site URL and a site activation URL are included in the email. The URL of the new site must be secure. When an email contains a non-secure URL and it is opened in a browser, an error message stating "Warning: Potential Security Risk Ahead" appears.

I've also checked a subdirectory install; the activation email also contains a non-secure URL for the new subdirectory site.

Are we keeping the non-secure URL on purpose? We should have handled it for subdirectory installs at least, by checking whether the main site is secure or not.

Also, there are inconsistencies between http and https URLs in the activation and signup emails.

Attachments (4)

subdomain-install.png (98.4 KB) - added by umesh.nevase 13 months ago.
Email for site activation for Subdomain Install
subdirectory-install.png (65.7 KB) - added by umesh.nevase 13 months ago.
Email for site activation for Subdirectory Install
subdirectory-welcome.png (74.4 KB) - added by umesh.nevase 13 months ago.
Email for subdirectory site install welcome message
subdomain-welcome.png (90.1 KB) - added by umesh.nevase 13 months ago.
Email for subdomain site install welcome message

Change History (11)

@umesh.nevase
13 months ago

Email for site activation for Subdomain Install

@umesh.nevase
13 months ago

Email for site activation for Subdirectory Install

@umesh.nevase
13 months ago

Email for subdirectory site install welcome message

@umesh.nevase
13 months ago

Email for subdomain site install welcome message

#1 @rollybueno
13 months ago

Looks like this depends on the home setting's value, e.g. https://i.imgur.com/IoiPE0t.png

On the subdomain install, the URL is fetched by using get_blogaddress_by_id():
https://core.trac.wordpress.org/browser/tags/6.8.1/src/wp-includes/ms-blogs.php#L46. It will try to set the scheme by parsing the home value. If the scheme is empty, it will use http, although it will run esc_url() on the return value.

I could be wrong, but can you confirm on your settings?
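
The fallback described in comment #1, as an added example that is not WordPress core code and not part of the ticket: a plain-PHP model of deriving the scheme from a stored home value, next to a variant that inherits the main site's scheme when none is stored, as the reporter suggests. The function names, the `$main_home` parameter and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. Names and sample data are hypothetical.

/**
 * Models the behaviour described in comment #1: take the scheme from the
 * stored home value and fall back to plain http when none can be parsed.
 */
function model_site_url(string $home, string $domain, string $path): string {
    $scheme = parse_url($home, PHP_URL_SCHEME);
    $scheme = empty($scheme) ? 'http' : $scheme;
    return $scheme . '://' . $domain . $path;
}

/**
 * Variant: when the sub-site has no usable scheme, inherit the main site's
 * scheme instead of defaulting to http. Only http and https are accepted.
 */
function model_site_url_inherit(string $home, string $domain, string $path, string $main_home): string {
    $scheme = strtolower((string) parse_url($home, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $main   = strtolower((string) parse_url($main_home, PHP_URL_SCHEME));
        $scheme = ($main === 'https') ? 'https' : 'http';
    }
    return $scheme . '://' . $domain . $path;
}

// Constructed sample rows: [stored home value, domain, path].
$main_home = 'https://example.test/';
$sites = [
    ['https://shop.example.test/', 'shop.example.test', '/'],
    ['http://blog.example.test/',  'blog.example.test', '/'],       // explicitly stored as http
    ['',                           'new.example.test',  '/'],       // no home value stored
    ['example.test/team/',         'example.test',      '/team/'],  // scheme missing
];

foreach ($sites as [$home, $domain, $path]) {
    $current = model_site_url($home, $domain, $path);
    $variant = model_site_url_inherit($home, $domain, $path, $main_home);
    // Flag any link that would be emailed over plain http.
    $flag = (strpos($current, 'http://') === 0) ? 'INSECURE' : 'ok';
    printf("%-8s home=%-30s current=%-30s variant=%s\n", $flag, var_export($home, true), $current, $variant);
}
```

A home value explicitly stored as http stays http in both versions; the variant only changes the outcome for rows with no parsable scheme.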

#2 @umesh.nevase
13 months ago

I've checked some code and the non-secure URLs are added from WordPress core.
wp-includes/ms-functions.php:972
wp-includes/ms-functions.php:1019
wp-includes/ms-functions.php:1051

This ticket was mentioned in PR #8852 on WordPress/wordpress-develop by @sukhendu2002.


12 months ago
#3

  • Keywords has-patch added

#4 @rollybueno
12 months ago

  • Keywords needs-testing added

This ticket was mentioned in Slack in #core-test by sajib1223. View the logs.


4 months ago

#6 @ozgursar
4 months ago

Reproduction Report

Environment

  • WordPress: 7.0-alpha-61534
  • PHP: 8.3.30
  • Server: PHP.wasm
  • Database: WP_SQLite_Driver (Server: 8.0.38 / Client: 3.51.0)
  • Browser: Chrome 144.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.4
  • MU Plugins:
    • Network Email Logger
  • Plugins:
    • Test Reports 1.2.1

Steps taken

  1. Enabled Network site settings for Both site and user registration
  2. Install a mu-plugin to check email-logs within the dashboard
  3. Create /wp-content/mu-plugins/email-logger.php with the following content
<?php
/**
 * Plugin Name: Network Email Logger
 * Description: Logs all emails sent across the network
 * Network: true
 */

// Log all emails
add_filter('wp_mail', 'network_log_wp_mail', 999);
function network_log_wp_mail($args) {
    // Store in network option (available across all sites)
    $emails = get_site_option('network_emails_log', array());
    
    $email_data = array(
        'time' => current_time('mysql'),
        'to' => $args['to'],
        'subject' => $args['subject'],
        'message' => $args['message'],
        'headers' => $args['headers'] ?? '',
        'site_id' => get_current_blog_id(),
    );
    
    // Keep last 50 emails
    array_unshift($emails, $email_data);
    $emails = array_slice($emails, 0, 50);
    
    update_site_option('network_emails_log', $emails);
    
    return $args;
}

// Add Network Admin menu to view emails
add_action('network_admin_menu', 'network_email_log_menu');
function network_email_log_menu() {
    add_menu_page(
        'Email Log',
        'Email Log',
        'manage_network',
        'network-email-log',
        'network_email_log_page',
        'dashicons-email'
    );
}

function network_email_log_page() {
    $emails = get_site_option('network_emails_log', array());
    
    echo '<div class="wrap">';
    echo '<h1>Network Email Log</h1>';
    
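    if (isset($_POST['clear_log'])) {
        // Verify the nonce so a forged cross-site POST cannot clear the log.
        check_admin_referer('network_email_log_clear');
        delete_site_option('network_emails_log');
        echo '<div class="notice notice-success"><p>Email log cleared!</p></div>';
        $emails = array();
    }
    
    echo '<form method="post" style="margin-bottom: 20px;">';
    // Emits the hidden _wpnonce field checked above.
    wp_nonce_field('network_email_log_clear');
    echo '<input type="submit" name="clear_log" class="button" value="Clear Log">';
    echo '</form>';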
    
    if (empty($emails)) {
        echo '<p>No emails logged yet.</p>';
    } else {
        foreach ($emails as $email) {
            echo '<div style="border: 1px solid #ccc; padding: 15px; margin-bottom: 20px; background: #f9f9f9;">';
            echo '<p><strong>Time:</strong> ' . esc_html($email['time']) . '</p>';
            echo '<p><strong>Site ID:</strong> ' . esc_html($email['site_id']) . '</p>';
            echo '<p><strong>To:</strong> ' . esc_html(is_array($email['to']) ? implode(', ', $email['to']) : $email['to']) . '</p>';
            echo '<p><strong>Subject:</strong> ' . esc_html($email['subject']) . '</p>';
            echo '<p><strong>Message:</strong></p>';
            echo '<pre style="background: white; padding: 10px; overflow-x: auto;">' . esc_html($email['message']) . '</pre>';
            echo '</div>';
        }
    }
    
    echo '</div>';
}
  4. Add a new site (subdomain)
  5. Check email logs
  6. 🐞 Bug occurs

Expected behavior

  • Insecure URLs are present in the email logs.

Screenshots/Screencast with results

https://i.imgur.com/VTLmtSs.png

#7 @SirLouen
4 months ago

  • Keywords dev-feedback added; needs-testing removed