Pain relief for mixed-content headaches goes mainstream next week

An upcoming WordPress release will make it much easier for website owners to move their sites from HTTP to HTTPS.

WordPress 5.7 – currently available as a beta release and due to go mainstream on March 9 – promises to make the formerly tricky business of migration to a secure instance of the content management system (CMS) a one-step process, as the WordPress core development team explains:

Switching a WordPress site from HTTP to HTTPS has proven to be a pain for all involved. While on the surface, the site address and WordPress address have to be updated, content with embedded HTTP URLs remains unchanged in the database.

With this release, migrating a site to HTTPS is now a one-click interaction. URLs in the database are automatically replaced when the Site and WordPress Address are both using HTTPS. Also, Site Health now includes an HTTPS status check.

HTTPS everywhere

WordPress’s official statistics page omits figures on how many sites serve content over HTTP rather than the more secure HTTPS.

According to httparchive.org, 89.3% of URLs crawled use HTTPS, a figure some suggest may roughly indicate the state of HTTPS deployment across WordPress, the most widely used CMS on the web.

However, WordPress expert Tim Nash cautioned that “getting reliable stats is hard”, adding that the httparchive figure “seems too high”, even though deploying WordPress over HTTPS is becoming easier.

“With most major hosts supporting one click or zero click HTTPS, and also one or zero click WordPress install, the trend for new sites is overwhelmingly over HTTPS,” he explained. “Older sites also benefit [from the fact] that for most hosts installing HTTPS is becoming significantly easier.

“It's quite difficult to run a site over HTTP only these days and get traffic [because] browsers are being proactive about warning about sites running HTTP only,” he added.

The new feature in WordPress 5.7 is designed to “build on the work done by hosting companies and browsers and to try and reduce the amount of mixed protocol messages, by proactively changing URLs in the database that are not relative”, according to Nash.

Ryan Dewhurst, founder and CEO of WPScan, said that WordPress has been gradually pushing users towards HTTPS for nearly two years.

“Since WordPress 5.1 (February 2019), WordPress has included a new Site Health page in the admin section,” Dewhurst explained.

“This page includes some basic security checks, including warning the user if they are not using HTTPS.”

Dewhurst added that the biggest challenge for WordPress administrators migrating from HTTP to HTTPS is the hardcoded URLs used in pages, posts, and the theme itself.

“This leads to mixed content issues, where the page is loaded over HTTPS but includes HTTP content,” he said.

WordPress 5.7 security enhancements

According to the release notes, WordPress 5.7 removes the main obstacle to an HTTPS upgrade by rewriting the HTTP URLs stored in the CMS database to HTTPS once both the Site Address and WordPress Address use HTTPS. Note that such a swap is only safe for URLs pointing at the site itself: an http:// resource hosted elsewhere may have no HTTPS counterpart and still has to be dealt with by hand.
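The distinction between URLs the site can safely fix and URLs it cannot is worth seeing in code. The following plain PHP is an added example, not WordPress core code and not part of the original article; the site address https://example.com and the sample post markup are constructed. It classifies absolute http:// URLs by host, rewrites only those on the site’s own host (the only host known to serve HTTPS), leaves relative and scheme-relative URLs alone, and reports what would still produce mixed content afterwards.

```php
<?php
// Added example, not WordPress core code: classify the absolute http:// URLs in a
// piece of stored content and rewrite only those that point at the site itself.
// The site address https://example.com and the sample markup are constructed.

/**
 * Split the absolute http:// URLs in $html into those on the site's own host
 * (safe to switch to https, the host is known to serve it) and third-party ones,
 * which may have no HTTPS counterpart and therefore need a human decision.
 */
function find_insecure_urls( string $html, string $home_url ): array {
	$own_host = strtolower( (string) parse_url( $home_url, PHP_URL_HOST ) );
	$result   = array( 'own' => array(), 'third_party' => array() );

	if ( ! preg_match_all( '~\bhttp://[^\s"\'<>]+~i', $html, $matches ) ) {
		return $result;
	}
	foreach ( array_unique( $matches[0] ) as $url ) {
		$host = strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
		$key  = ( $host === $own_host ) ? 'own' : 'third_party';
		$result[ $key ][] = $url;
	}
	return $result;
}

/**
 * Rewrite http://<own host> to https://<own host>. The lookahead requires a path,
 * query, fragment, quote, whitespace or tag end after the host, so the lookalike
 * http://example.com.attacker.net is left alone. Relative (/wp-content/...) and
 * scheme-relative (//cdn...) URLs never match and are untouched.
 */
function rewrite_own_host_to_https( string $html, string $home_url ): string {
	$host    = (string) parse_url( $home_url, PHP_URL_HOST );
	$pattern = '~http://' . preg_quote( $host, '~' ) . '(?=[/?#"\'\s<]|$)~i';
	return preg_replace( $pattern, 'https://' . $host, $html );
}

// Constructed sample post content, not taken from any real site.
$home_url = 'https://example.com';
$content  = <<<'HTML'
<img src="http://example.com/wp-content/uploads/hero.jpg">
<a href="http://example.com.attacker.net/">lookalike</a>
<script src="http://legacy-cdn.example.net/widget.js"></script>
<img src="/wp-content/uploads/relative.png">
<script src="//cdn.example.org/lib.js"></script>
HTML;

$before = find_insecure_urls( $content, $home_url );
$fixed  = rewrite_own_host_to_https( $content, $home_url );
$after  = find_insecure_urls( $fixed, $home_url );

printf( "own-host http:// URLs before: %d, after: %d\n", count( $before['own'] ), count( $after['own'] ) );
foreach ( $after['third_party'] as $url ) {
	echo "still mixed content, check whether this host serves HTTPS: {$url}\n";
}
```

Run it with `php migrate-check.php`. Only the hero image is rewritten; the lookalike host and the legacy CDN are listed for review, because a blind scheme swap on a host that does not serve HTTPS would turn mixed content into a broken page.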

Improvements to the editor also feature in the forthcoming release, which will be the first major upgrade to the platform in 2021.

Dewhurst concluded: “WordPress 5.7 will also include updates to the jQuery JavaScript library, which has lagged behind in the past, leaving WordPress using older versions, or back ported versions.”

WordPress 5.7 also brings in a new password reset button.

“The new interface streamlines this process [that will] allow site admins to quickly reset and automatically start the reset password process for an end user,” Nash told The Daily Swig.

One of the biggest changes that will “impact security in years to come” is the introduction of script attribute functions, according to Nash, a WordPress security consultant at timnash.co.uk.

“This will allow standardisation of the way inline JavaScript and CSS is generated on the site,” he explained. “This might not sound particularly interesting, but it will allow the passing of, for example, a nonce to all inline CSS correctly generated.

“Ultimately this work is designed to allow Content Security Policies in the wp-admin area without having to resort to unsafe-inline,” Nash concluded.
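Nash’s point is easiest to see as a minimal must-use plugin. This is an added example, not WordPress core code and not Nash’s: it relies on the wp_script_attributes and wp_inline_script_attributes filters that WordPress 5.7 added alongside wp_get_script_tag() and wp_get_inline_script_tag(), names the article does not list, so check them against your installed version. The per-request nonce is stamped onto every script tag those helpers build and the same value is announced in a Content-Security-Policy-Report-Only header, which is how inline scripts run without 'unsafe-inline'. Because 5.7 lays groundwork rather than finishing the job, expect violation reports from scripts that still bypass these helpers.

```php
<?php
/**
 * Plugin Name: CSP nonce for wp-admin (added example, not WordPress core code)
 *
 * Drop into wp-content/mu-plugins/. Relies on the wp_script_attributes and
 * wp_inline_script_attributes filters that WordPress 5.7 added alongside
 * wp_get_script_tag() and wp_get_inline_script_tag(); check the names against
 * your installed version. Only <script> tags built through those helpers get a
 * nonce. A plugin that echoes a raw "<script>" string is still reported as a
 * violation, which is what the Report-Only header below is for: collect
 * violations in the browser console first, enforce later.
 */

/**
 * One unpredictable nonce per response. Deliberately not wp_create_nonce(): that
 * value is a tick-based HMAC reused for hours, which is fine for CSRF tokens and
 * useless as a CSP nonce, since an attacker who sees one page knows the next one.
 */
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

/** Stamp the nonce onto every script tag core builds for an admin page. */
function example_add_script_nonce( array $attributes ) {
	if ( is_admin() ) {
		$attributes['nonce'] = example_csp_nonce();
	}
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_add_script_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_add_script_nonce' );

/**
 * Emit the policy before any admin output; admin_init fires before the admin
 * header is printed. Rename the header to Content-Security-Policy once the
 * reports are quiet.
 */
function example_send_admin_csp() {
	if ( headers_sent() ) {
		return;
	}
	$nonce  = example_csp_nonce();
	$policy = "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
	header( 'Content-Security-Policy-Report-Only: ' . $policy );
}
add_action( 'admin_init', 'example_send_admin_csp' );
```

The nonce must be generated once per response and shared between the header and every tag, hence the static; regenerating it per tag would break every script but the last. If your admin pages legitimately load scripts from other origins, add those origins (or 'strict-dynamic') to script-src rather than reaching for 'unsafe-inline'.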
