WordPress with HTTP *and* HTTPS


I guess the designers of WordPress expect users to use either HTTP *or* HTTPS. But what if you need both, want to support old links to a site now running HTTPS, or know that some of your plugins generate fully qualified URLs that include the HTTP scheme? None of these is insurmountable: you can, for example, edit the plugin or add redirects to your URL rewrite tool.

So here is another way which will work.

The problem starts in the options table. Here the ‘siteurl’ and ‘home’ options define fully qualified paths to your site. Fully qualified in the sense that these paths include either the HTTP or HTTPS scheme. Whenever some WordPress code uses, say, the function ‘plugins_url()’, one of these paths will be used to construct the URL. The effect is that the scheme is hard-coded.

The solution is to make the scheme which is used ‘soft’. That is, replace the scheme used in the ‘siteurl’ and ‘home’ options with the scheme of the incoming request.

The good news is that the WordPress ‘get_option()’ function passes the retrieved option through a filter, so any option can be adjusted to make sure the scheme returned is the correct one. The bad news is that the ‘get_option()’ function is used VERY early in the WordPress processing sequence. For example, the constants ‘COOKIEPATH’ and ‘SITECOOKIEPATH’ are defined in the file ‘default-constants.php’. As a result, these values are defined before a plugin or theme function can intercept the options and change them. These two constants are important because they are needed by the login mechanism.

Fortunately WordPress supports ‘must use’ plugins. These are files of PHP code that exist in the ./wp-content/mu-plugins folder. Any code in files in this folder will be loaded before WordPress does [almost] anything else. If the option filters are implemented in a ‘must use’ file then nearly everything just works.

The names of the filters executed by the get_option() function have the following pattern: “option_$option_name”. In this case the interest is in two of those filters, ‘option_home’ and ‘option_siteurl’. The code below is the content of a file that will exist in the ‘must use’ folder. The file can be called anything; its name is not important.

The last wrinkle is handling uploaded content. Functions like ‘get_the_post_thumbnail()’ ultimately rely on the constant WP_CONTENT_URL. This constant is defined by setting it to the ‘siteurl’ option value even before must use plugins are executed. As a result WP_CONTENT_URL will be a path that includes the scheme defined in the options table. That path should not be tied to either HTTP or HTTPS. So the trick is to remove the scheme from the entries in the options table. If the value is ‘http://www.lyquidity.com’ it becomes ‘//www.lyquidity.com’.

Given this last step, a reasonable question is why it’s necessary to add the scheme at all. The answer is the login mechanism mentioned above. The code which sets the ‘COOKIEPATH’ and ‘SITECOOKIEPATH’ constants *requires* that the siteurl starts with HTTP or HTTPS. If it doesn’t, the value for these constants cannot be used as a cookie path.


<?php

add_filter('option_home', 'fix_home_option');
add_filter('option_siteurl', 'fix_home_option');
function fix_home_option($option)
{
	// If the stored value starts with 'http' or 'https', strip the scheme,
	// leaving a scheme-relative value such as '//www.lyquidity.com'
	if (strpos($option, 'http') === 0)
	{
		$pos = strpos($option, ':');
		$option = substr($option, $pos + 1);
	}

	// Then prepend the scheme of the incoming request
	$option = (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === "off" ? "http:" : "https:") . $option;
	return $option;
}

?>
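
The following stand-alone script is an added example, not part of the original post or of WordPress: it runs the same strip-then-prepend logic against a constructed scheme-less value and shows why the cookie path breaks without the filter. The function names, the example.test host and the cookie-path pattern (modelled on how core strips scheme and host from the ‘home’ option) are assumptions.

```php
<?php
// Added example: stand-alone model of the mu-plugin filter. All names are hypothetical.

// Same idea as the filter above: drop any stored scheme, then prepend the request's scheme.
function soft_scheme(string $stored, array $server): string
{
    // Anchored match, so a host such as //httpbin.example.test is left alone.
    $rest = preg_replace('#^https?:#i', '', $stored);
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    return ($https ? 'https:' : 'http:') . $rest;
}

// Assumption: models how the cookie path is derived from the 'home' option
// (strip scheme and host, keep only the path).
function cookie_path(string $home): string
{
    return preg_replace('#https?://[^/]+#i', '', $home . '/');
}

$stored = '//www.example.test/blog';   // constructed, scheme-less options-table value

$cases = [
    'plain HTTP request'  => [],
    'HTTPS request'       => ['HTTPS' => 'on'],
    'IIS-style HTTPS=off' => ['HTTPS' => 'off'],
];

foreach ($cases as $label => $server) {
    $home = soft_scheme($stored, $server);
    printf("%-20s home=%-32s cookie path=%s\n", $label, $home, cookie_path($home));
}

// Without the filter the scheme-less value reaches the cookie-path code unchanged,
// the pattern does not match, and the host name ends up inside the "path".
printf("%-20s home=%-32s cookie path=%s\n", 'no filter', $stored, cookie_path($stored));
```

Run it with the PHP command-line interpreter; the last line of output is the case the filter exists to prevent.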


Reader Comments

In the long run, without HTTPS you won’t have that trust anymore from users. By today, Google is already looking forward to index HTTPS’d sites with a higher priority than non-HTTPS.
People will expect every site to be encrypted in the future, I’d guess.
(After n iterations I expect everyone professional to have an EV certificate, just for reasons of visibility competition)

It’s more practical to use HTTPS now that Let’s Encrypt allows us to generate certificates for free. This site is using just such a free Let’s Encrypt certificate.