betterangels / buoy

:sos: A community-based crisis response system. Because friends don't let friends call the cops. :fire::police_car::fire:
https://betterangels.github.io/buoy/
GNU General Public License v3.0

Automatically detect HTTPS support and provide a one-click way to force TLS connections #129

Open fabacab opened 8 years ago

fabacab commented 8 years ago

During install time, Buoy should automatically detect if the server it is running on supports HTTPS connections even if the current connection was not made with HTTPS. It can then automatically add the FORCE_SSL_ADMIN constants to the wp-config.php file.

Currently, this process is manual for most Buoy admins and is described in our Security advice primer.
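The detection step requested above, sketched as an added example (not part of the original issue and not Buoy's code): the site calls itself over `https://` with certificate validation on, and accepts the result only if the reply carries a digest of a one-time token, which shows the TLS listener serves this same WordPress install. All `example_buoy_*` names are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example, not Buoy's code. Names prefixed example_buoy_ are hypothetical.

// Reply side: an unauthenticated AJAX action that proves "this WordPress
// install answered, and the request reached it over TLS".
add_action( 'wp_ajax_nopriv_example_buoy_https_probe', 'example_buoy_https_probe_reply' );
add_action( 'wp_ajax_example_buoy_https_probe', 'example_buoy_https_probe_reply' );
function example_buoy_https_probe_reply() {
    if ( ! is_ssl() ) {
        wp_die( 'not-https' ); // never matches the expected digest
    }
    // Echo only a digest of the one-time token, never the token itself.
    wp_die( hash( 'sha256', (string) get_transient( 'example_buoy_https_token' ) ) );
}

// Probe side: returns true when HTTPS works for this site, else a WP_Error.
// Safe to call from a request that itself arrived over plain HTTP.
function example_buoy_probe_https() {
    $token = wp_generate_password( 32, false );
    set_transient( 'example_buoy_https_token', $token, MINUTE_IN_SECONDS );
    $url = add_query_arg(
        'action',
        'example_buoy_https_probe',
        set_url_scheme( admin_url( 'admin-ajax.php' ), 'https' )
    );
    $response = wp_remote_get( $url, array(
        'sslverify'   => true, // self-signed, expired or mismatched certs fail
        'redirection' => 0,    // a bounce back to http:// is not success
        'timeout'     => 5,
    ) );
    delete_transient( 'example_buoy_https_token' );
    if ( is_wp_error( $response ) ) {
        return $response; // no listener on 443, or TLS validation failed
    }
    $body = trim( wp_remote_retrieve_body( $response ) );
    if ( 200 !== wp_remote_retrieve_response_code( $response )
        || ! hash_equals( hash( 'sha256', $token ), $body ) ) {
        return new WP_Error( 'example_buoy_https_mismatch', 'HTTPS answered, but not from this site.' );
    }
    return true;
}
```

A `true` result is only the precondition for offering the one-click control; enforcing `FORCE_SSL_ADMIN` is left to the admin's explicit choice. Behind a TLS-terminating proxy, `is_ssl()` reports false unless the site is configured to trust the proxy's forwarded-scheme header, so the probe fails closed there.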

hurtstotouchfire commented 8 years ago

How hard would this be? I think this would be a good security enhancement.

fabacab commented 8 years ago

> How hard would this be? I think this would be a good security enhancement.

Not hard at all. :) I am a little wary of automating too many sysadmin tasks that make changes to WordPress sites simply because so many such sites are running such sloppy code brought in by other plugins; it's likely that a switch from HTTP to HTTPS will break some things (thanks to CORS and other restrictions).

That said, I am actually really happy to aggressively automate security-related things for sites that opt-in to letting Buoy manage and enforce such changes, but I'm unsure if Buoy itself is the appropriate place to do this; would another plugin be more appropriate? Can we contribute to one or write our own security-automation WordPress plugin and include it in our recommended plugins list to admins (like #130 does)?

Basically, I think no one is going to think of Buoy as a "security enhancing plugin," so when someone installs the Buoy plugin, if it starts making aggressive security re-configurations, I'm afraid it will violate PoLA (Principle of Least Astonishment).