WordPress 5.7 offers ‘one-click’ HTTP to HTTPS site upgrade feature

An upcoming upgrade to WordPress will make it much easier for website owners to upgrade from HTTP to HTTPS.

WordPress 5.7 – currently available as a beta release and thanks to go mainstream on March 9 – promises to form the formerly tricky business of migration to a secure instance of the content management system (CMS) a one-step process, because the WordPress core development team explains:

Switching a WordPress site from HTTP to HTTPS has proven to be a pain for all involved. While on the surface, the location address and WordPress address need to be updated, content with embedded HTTP URLs remains unchanged within the database.

With this release, migrating a site to HTTPS is now a one-click interaction. URLs within the database are automatically replaced when the location and WordPress Address are both using HTTPS. Also, Site Health now includes an HTTPS status check.

HTTPS everywhere

WordPress omits figures on the amount of internet sites that serve content over HTTP instead of the safer HTTPS protocol on its official statistics page.

According to httparchive.org, 89.3% of URLs crawled use HTTPS, a figure some suggest could be indicative of the state of deployment of secure site instances of WordPress, the foremost widely used CMS framework on the online .

However, WordPress expert Tim Nash cautioned that “getting reliable stats is hard”, adding that the httparchive figure “ seems too high” albeit installing HTTPS installs of WordPress is becoming easier.

“With most major hosts supporting one click or zero click HTTPS, and also one or zero click WordPress install, the trend for brand spanking new sites is overwhelmingly over HTTPS,” he explained. “Older sites also benefit [from the fact] that for many hosts installing HTTPS is becoming significantly easier.

“It’s quite difficult to run a site over HTTP only lately and obtain traffic [because] browsers are being proactive about warning about sites running HTTP only,” he added.

The new feature in WordPress 5.7 is meant to “build on the work done by hosting companies and browsers and to undertake and reduce the quantity of mixed protocol messages, by proactively changing URLs within the database that aren’t relative”, consistent with Nash.

Ryan Dewhurst, founder and CEO of WPScan, said that WordPress has been gradually pushing users towards HTTPS for nearly two years.

“Since WordPress 5.1 (February 2019), WordPress has included a replacement Site Health page within the admin section,” Dewhurst explained.

“This page includes some basic security checks, including warning the user if they’re not using HTTPS.”

Dewhurst added that the most important challenge for WordPress administrators in migrating to HTTPS from HTTP are the hardcoded URLs utilized in pages, posts, and therefore the theme itself.

“This results in mixed content issues, where the page is loaded over HTTPS but includes HTTP content,” he said.

WordPress 5.7 security enhancements

According to the discharge notes, WordPress 5.7 helps the user overcome any potential HTTPS upgrade challenges by automatically updating all URLs stored within the CMS database.

Improvements within the editor also feature in forthcoming release, which can be the primary major upgrade to the platform in 2021.

Dewhurst concluded: “WordPress 5.7 also will include updates to the jQuery JavaScript library, which has lagged behind within the past, leaving WordPress using older versions, or back ported versions.”

WordPress 5.7 also brings during a new password push button .

“The new interface streamlines this process [that will] allow site admins to quickly reset and automatically start the reset password process for an user ,” Nash told The Daily Swig.

One of the most important changes which will “impact security in years to come” is that the introduction of script attribute functions, consistent with Nash, a WordPress adviser at timnash.co.uk.

“This will allow standardization of the way inline JavaScript and CSS is generated on the location ,” he explained. “This won’t sound particularly interesting, but it’ll allow the passing of, as an example , a nonce to all or any or any inline CSS correctly generated.

“Ultimately this work is meant to permit Content Security Policies within the wp-admin area without having to resort to unsafe-inline,” Nash concluded.