id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc	focuses
65521	wpmu_signup_blog_notification() hardcodes http:// in activation email URLs	yaghoot		"## Environment

- WordPress: trunk (latest development version)
- Install type: Multisite, subdomain registration enabled
- HTTPS enabled (SSL termination or `FORCE_SSL_ADMIN`)

## Steps to reproduce

1. Set up a multisite network with **subdomain install** (`SUBDOMAIN_INSTALL` true).
2. Enable site registration so new users can sign up for a site.
3. Run the network over **HTTPS**.
4. Register a new site via the signup flow.
5. Check the activation email sent by `wpmu_signup_blog_notification()`.

## Expected result

Activation email links should use `https://`, e.g.:

`https://newsite.example.com/wp-activate.php?key=...`

## Actual result

Activation email links use hardcoded `http://`, e.g.:

`http://newsite.example.com/wp-activate.php?key=...`

## Notes

- Plugins/themes: N/A — bug is in core (`src/wp-includes/ms-functions.php`).
- The affected code path runs when `is_subdomain_install() && get_current_network_id() === 1`.
- The parallel function `wpmu_signup_user_notification()` already uses `site_url()`, which respects HTTPS.
- Three hardcoded `http://` strings exist in `wpmu_signup_blog_notification()` (activation URL, email body site URL, subject site URL).
- There is an existing `@todo Use *_url() API.` comment on the activation URL line.

## Proposed fix

Replace hardcoded `http://` with `set_url_scheme()`, matching the pattern used in `network_site_url()`.

## Test plan

Add PHPUnit coverage in `tests/phpunit/tests/multisite/wpmuSignupBlogNotification.php` for:

- Filter bypass (`wpmu_signup_blog_notification` returns false)
- Email is sent with activation key in body
- HTTPS scheme used when SSL is on (subdomain install)"	defect (bug)	new	normal	Awaiting Review	Networks and Sites	trunk	normal		has-patch has-unit-tests		multisite