littlebizzy / force-https Goto Github PK

View Code? Open in Web Editor NEW

26.0 6.0 8.0 259 KB

HTTPS enforcement for WordPress

Home Page: http://bizzy.in/2tdp3Gg

License: GNU General Public License v3.0

PHP 100.00%

wordpress wordpress-plugin force-https ssl

force-https's Introduction

Force HTTPS

Redirects all HTTP requests to the HTTPS version and fixes insecure links and resources without altering the database (also works with CloudFlare).

Defined Constants

/** Force HTTPS Functions */
define('FORCE_HTTPS', true); // default = true
define('FORCE_HTTPS_EXTERNAL_LINKS', false); // default = false
define('FORCE_HTTPS_EXTERNAL_RESOURCES', true); // default = true
define('FORCE_HTTPS_INTERNAL_LINKS', true); // default = true
define('FORCE_HTTPS_INTERNAL_RESOURCES', true); // default = true

Compatibility

This plugin has been designed for use on SlickStack web servers with PHP 7.2 and MySQL 5.7 to achieve best performance. All of our plugins are meant primarily for single site WordPress installations — for both performance and usability reasons, we strongly recommend avoiding WordPress Multisite for the vast majority of your projects.

Any of our WordPress plugins may also be loaded as "Must-Use" plugins (meaning that they load first, and cannot be deactivated) by using our free Autoloader script in the mu-plugins directory.

Our Philosophy

"Decisions, not options." — WordPress.org

"Everything should be made as simple as possible, but not simpler." — Albert Einstein (et al)

"Write programs that do one thing and do it well... write programs to work together." — Doug McIlroy

"The innovation that this industry talks about so much is bullshit. Anybody can innovate... 99% of it is 'get the work done.' The real work is in the details." — Linus Torvalds

Support Issues

We welcome experienced developers to submit Pull Requests to the Master branch, although opening a new Issue (instead) is usually more helpful so that users can discuss the topic. Please become a LittleBizzy.com Member if your company requires official support, and keep in mind that GitHub is for code development and not customer service.

force-https's People

Contributors

Stargazers

Watchers

Forkers

theperfectwill orca-wpmu deltafactory apinstein tricrosoft wprobot sumonst21 douglas-saylor-killoughlaw

force-https's Issues

Disable nag notices

Suggestion: Wrap the require() calls in the main plugin file in the check for the DISABLE_NAG_NOTICES constant. This saves the file read time.

Can the content filter regex backtracks be optimized?

I have an edge-case scenario but wanted to suggest an improvement because it "could" affect users some day.

I am applying the content filter as an output buffer so that I can also convert non-https links outside of the post content. When applied to a 518K JSON payload, the preg_replace_callback() function fails. I could likely address this by modifying the pcre backtrack/recursion limits on my server.

Your users may trigger a similar edge case only if they have a large post_content field - unlikely, but remotely possible and a nasty gremlin to detect as there are no errors to explain the missing output.

I would submit a patch if/when I raise my regex game.

Plugin exits php when run in script mode

When using a php script to manipulate a WP install, the force-https plugin will still try to load itself, and the start function will die(), thus making it impossible for the main script to ever execute.

I see a related issue #6 but that seems to be a fix that just detects WP_CLI. In my situation I have a custom CLI script.

My suggestion is that the script should only load itself when not in CLI mode.

Remove pass-by-reference in admin-notices-ms.php

As discussed in https://wordpress.org/support/topic/php-7-compatibility-229/, pass-by-reference is deprecated.

Affects lines 85, 86 and possibly elsewhere:
https://github.com/littlebizzy/force-https/blob/1.2.0/admin-notices-ms.php#L85

Why was this plugin removed from WordPress.org

Somewhere you should really tell people why your plugins were removed. You changed all of the ReadMe's on GitHub but didn't say why.

Detect command-line operation

As reported in https://wordpress.org/support/topic/undefined-index-http_host-4/

I suggest adding something like the following to the method checkSSLRedirect in core/core.php:

if ( php_sapi_name() === 'cli' ) {
    return false;
}

Fix links in readme.txt

The readme uses links to a different plugin:

* [Plugin Homepage](https://www.littlebizzy.com/plugins/disable-emojis)
* [Plugin GitHub](https://github.com/littlebizzy/disable-emojis)

Filter in one pass via output buffer (power users)

I support the plugins current approach to replace URLs in specific instances but ran into some cases where exterior page content (driven by dynamic options) used insecure URLs. Until such time where we can track down those loose ends, this snippet fixes mixed content warnings. It may be helpful to others as part of your documentation:

require_once(FHTTPS_PATH.'/core/filters.php');
ob_start( array( FHTTPS_Core_Filters::instance(), 'content' ) );

I implemented it in a custom plugin, executing during the plugins_loaded action with checks to ensure the plugin is active.

Add <source> to content filters

Support locally hosted audio/video element sources. Similar to the existing support for <script> tags at https://github.com/littlebizzy/force-https/blob/1.2.1/core/filters.php#L77

'#<(source)[\s|\t][^>]*?src=[\'"]\K(http://|//)[^\'"]+#i', // source elements

Can't run wp-cli when plugin activated

wp plugin deactivate autoptimize
Warning: Some code is trying to do a URL redirect. Backtrace:
#0  WP_CLI\Utils\wp_redirect_handler(https://) called at [/home/soundsystemsco/public_html/wp-includes/class-wp-hook.php:288]
#1  WP_Hook->apply_filters(https://, Array ([0] => https://,[1] => 301)) called at [/home/soundsystemsco/public_html/wp-includes/plugin.php:203]
#2  apply_filters(wp_redirect, https://, 301) called at [/home/soundsystemsco/public_html/wp-includes/pluggable.php:1199]
#3  wp_redirect(https://, 301) called at [/home/soundsystemsco/public_html/wp-content/plugins/force-https-littlebizzy/core/redirect.php:91]
#4  FHTTPS_Core_Redirect->redirect() called at [/home/soundsystemsco/public_html/wp-content/plugins/force-https-littlebizzy/core/redirect.php:68]
#5  FHTTPS_Core_Redirect->start() called at [/home/soundsystemsco/public_html/wp-includes/class-wp-hook.php:286]
#6  WP_Hook->apply_filters(, Array ([0] => )) called at [/home/soundsystemsco/public_html/wp-includes/class-wp-hook.php:310]
#7  WP_Hook->do_action(Array ([0] => )) called at [/home/soundsystemsco/public_html/wp-includes/plugin.php:453]
#8  do_action(plugins_loaded) called at [/home/soundsystemsco/public_html/wp-settings.php:327]
#9  require(/home/soundsystemsco/public_html/wp-settings.php) called at [phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php:1188]
#10 WP_CLI\Runner->load_wordpress() called at [phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php:1111]
#11 WP_CLI\Runner->start() called at [phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Bootstrap/LaunchRunner.php:23]
#12 WP_CLI\Bootstrap\LaunchRunner->process(WP_CLI\Bootstrap\BootstrapState Object ([WP_CLI\Bootstrap\BootstrapStatestate] => Array ())) called at [phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/bootstrap.php:74]
#13 WP_CLI\bootstrap() called at [phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/wp-cli.php:23]
#14 include(phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/wp-cli.php) called at [phar:///usr/local/bin/wp/php/boot-phar.php:11]
#15 include(phar:///usr/local/bin/wp/php/boot-phar.php) called at [/usr/local/bin/wp:4]

After I disable the forceHTTPS , wp-cli works properly.