[wp-trac] [WordPress Trac] #47577: Detect HTTPS support and provide guidance (was: Streamline detecting and enabling HTTPS)

WordPress Trac noreply at wordpress.org
Fri Oct 2 20:08:59 UTC 2020


#47577: Detect HTTPS support and provide guidance
------------------------------------------+-----------------------------
 Reporter:  flixos90                      |       Owner:  (none)
     Type:  enhancement                   |      Status:  new
 Priority:  normal                        |   Milestone:  Future Release
Component:  Security                      |     Version:
 Severity:  normal                        |  Resolution:
 Keywords:  needs-unit-tests needs-patch  |     Focuses:  administration
------------------------------------------+-----------------------------
Changes (by flixos90):

 * focuses:   => administration
 * component:  Administration => Security
 * milestone:  Awaiting Review => Future Release
 * keywords:  2nd-opinion needs-unit-tests has-patch => needs-unit-tests
     needs-patch


Old description:

> Of all the WordPress sites today, 63.4% are using HTTPS. While this is
> already better than the
> [https://w3techs.com/technologies/details/ce-httpsdefault/all/all average for the entire web],
> it is far from optimal.
> More and more modern web APIs require usage of HTTPS, let alone the
> security implications of not using it.
> In order to close that gap, it must be easier for administrators to
> switch their WordPress site to HTTPS, especially if it is already
> supported by their environment.
>
> In order to provide accurate recommendations to site owners about
> switching their site to HTTPS, we need to know whether HTTPS is even
> supported by their server and domain. We have been reliably
> [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detecting HTTPS support in the PWA plugin]
> for a while, and
> the same logic could be used in core.
>
> Based on the result of the HTTPS support detection, we would recommend
> one of the following:
> * If supported, recommend to change the WordPress site URL, as that's all
> that's needed.
> * If not supported, recommend talking to the web host about enabling
> HTTPS.
>
> This provides more accurate recommendations for the respective situation a
> site is in.
>
> In order to properly enable HTTPS it is also crucial to not have mixed
> content links. Performing extensive database replacements is unfeasible
> for WordPress core itself, so we should instead replace URLs in content
> pointing to `http://` versions of the page with their `https://`
> counterparts on the fly. While this would be unnecessary for sites that
> properly have switched all their content to HTTPS, the overhead is
> minimal and acceptable. Last but not least, if somebody still doesn't
> want it, those checks should be removable easily because of the filter
> usage.

New description:

 Of all the WordPress sites today, 63.4% are using HTTPS. While this is
 already better than the
 [https://w3techs.com/technologies/details/ce-httpsdefault/all/all average for the entire web],
 it is far from optimal.
 More and more modern web APIs require usage of HTTPS, let alone the
 security implications of not using it.
 In order to close that gap, WordPress should do better to actively
 recommend administrators to switch their non-HTTPS site to use HTTPS,
 especially if their current environment already technically supports it.

 In order to provide accurate recommendations to site owners about
 switching their site to HTTPS, we need to know whether HTTPS is even
 supported by their server and domain. This has been reliably
 [https://github.com/xwp/pwa-wp/blob/master/wp-includes/class-wp-https-detection.php detected in the PWA plugin]
 for a while, and similar logic
 could be used in core.

 Based on the result of the HTTPS support detection, we would recommend one
 of the following:
 * If supported, recommend to change the WordPress site URL, as that's all
 that's needed.
 * If not supported, recommend talking to the web host about enabling
 HTTPS.

 This provides more accurate recommendations for the respective situation a
 site is in. Then, in separate follow-up tickets, we should look at
 simplifying the migration from HTTP to HTTPS itself which today is far too
 complex for the majority of WordPress users.

--

Comment:

 I've reduced scope of this ticket as mentioned above and opened #51437 and
 #51438 for the above tasks 2. and 3.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47577#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

