Security, Site Health: Improve accuracy in messaging about HTTPS support.

Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health. * Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS. * Link to the respective input fields via anchor links rather than to the overall General Settings screen. * Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address. * Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid. * Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the `https_status` test to become asynchronous. * Rename the new private `wp_is_owned_html_output()` function to a more appropriate `wp_is_local_html_output()`. Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs. See #47577. git-svn-id: https://develop.svn.wordpress.org/trunk@50072 602fd350-edb4-49c9-b593-d223f7449a82
2026-04-04 12:44:31 +00:00 · 2021-01-29 19:09:49 +00:00
parent b44dd453ed
commit 4e0bc3bc93
6 changed files with 189 additions and 49 deletions
--- a/src/wp-includes/https-detection.php
+++ b/src/wp-includes/https-detection.php
@@ -9,28 +9,53 @@
 /**
 * Checks whether the website is using HTTPS.
 *
- * This is based on whether the home and site URL are using HTTPS.
+ * This is based on whether both the home and site URL are using HTTPS.
 *
 * @since 5.7.0
+ * @see wp_is_home_url_using_https()
+ * @see wp_is_site_url_using_https()
 *
 * @return bool True if using HTTPS, false otherwise.
 */
 function wp_is_using_https() {
-	if ( 'https' !== wp_parse_url( home_url(), PHP_URL_SCHEME ) ) {
+	if ( ! wp_is_home_url_using_https() ) {
 		return false;
 	}

+	return wp_is_site_url_using_https();
+}
+
+/**
+ * Checks whether the current site URL is using HTTPS.
+ *
+ * @since 5.7.0
+ * @see home_url()
+ *
+ * @return bool True if using HTTPS, false otherwise.
+ */
+function wp_is_home_url_using_https() {
+	return 'https' === wp_parse_url( home_url(), PHP_URL_SCHEME );
+}
+
+/**
+ * Checks whether the current site's URL where WordPress is stored is using HTTPS.
+ *
+ * This checks the URL where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are
+ * accessible.
+ *
+ * @since 5.7.0
+ * @see site_url()
+ *
+ * @return bool True if using HTTPS, false otherwise.
+ */
+function wp_is_site_url_using_https() {
 	// Use direct option access for 'siteurl' and manually run the 'site_url'
-	// filter because site_url() will adjust the scheme based on what the
+	// filter because `site_url()` will adjust the scheme based on what the
 	// current request is using.
 	/** This filter is documented in wp-includes/link-template.php */
 	$site_url = apply_filters( 'site_url', get_option( 'siteurl' ), '', null, null );

-	if ( 'https' !== wp_parse_url( $site_url, PHP_URL_SCHEME ) ) {
-		return false;
-	}
-
-	return true;
+	return 'https' === wp_parse_url( $site_url, PHP_URL_SCHEME );
 }

 /**
@@ -104,7 +129,7 @@ function wp_update_https_detection_errors() {
 	if ( ! is_wp_error( $response ) ) {
 		if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
 			$support_errors->add( 'bad_response_code', wp_remote_retrieve_response_message( $response ) );
-		} elseif ( false === wp_is_owned_html_output( wp_remote_retrieve_body( $response ) ) ) {
+		} elseif ( false === wp_is_local_html_output( wp_remote_retrieve_body( $response ) ) ) {
 			$support_errors->add( 'bad_response_source', __( 'It looks like the response did not come from this site.' ) );
 		}
 	}
@@ -159,7 +184,7 @@ function wp_cron_conditionally_prevent_sslverify( $request ) {
 * @param string $html Full HTML output string, e.g. from a HTTP response.
 * @return bool|null True/false for whether HTML was generated by this site, null if unable to determine.
 */
-function wp_is_owned_html_output( $html ) {
+function wp_is_local_html_output( $html ) {
 	// 1. Check if HTML includes the site's Really Simple Discovery link.
 	if ( has_action( 'wp_head', 'rsd_link' ) ) {
 		$pattern = esc_url( site_url( 'xmlrpc.php?rsd', 'rpc' ) ); // See rsd_link().