Closed isimluk closed 8 years ago
Ok, there is a bigger problem to tackle. The WP provides a function admin_url. That function returns a URL that either starts with https or http. We need to fix what this function returns. This function is used across the plugins and controllers.
Let's disable comments before we get https cert which should be soon from what I have heard from letsencrypt.
Please avoid adding filters and more cruft into the theme if at all possible. Otherwise it will bite us in the future and the site will become unmaintainable.
EDIT: Clarification of the above: We want to run a stock WordPress site with as few plugins as possible with NO changes to the source code of WordPress. If we really, really, REALLY have to we can make exceptions but we should really think hard about that. Otherwise we will get nightmares, been there done that!
Done
Sorry about being blunt here. But what exactly has been "Done"?
Did we make admin_url() to return http version?
https://codex.wordpress.org/Function_Reference/admin_url
admin_url() function is used by multiple other parts of portal. Not only by captcha. I don't know what else is potentially exposed to users though.
That we will have https, but now we don't need any changes in admin_url(), we will use other type of comments on website. They don't need https.
I'd say this is wontfix, once we have TLS certs in place it becomes a feature that it returns https :-)
It's a feature now, we have trusted TLS 1.2 cert in place.
Martin, which issue can I refer to when looking into TLS 1.2 cert progress?
Ah, I found it #133.
Check out http://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
And try to enter your comment. Captcha does not show. Captcha wants to fetch image over https. However, Firefox will not show that.
Note: If you have already trusted open-scap's self-signed certificate, it will work. However, for a newcomer it will not.