strangerstudios / paid-memberships-pro

WordPress membership plugin to restrict access to content and charge recurring subscriptions using Stripe, PayPal, and more. Fully open source. 100% GPL.
https://www.paidmembershipspro.com

We should remove the SSL and SSL Seal settings. #1890

Open ideadude opened 2 years ago

ideadude commented 2 years ago

Every site should be set up to run over HTTPS all the time, even if it is not taking payment. Instead of having an option for this, we should just mention this in our setup docs and prereqs.

Related, the SSL Seal embeds are not really being used as much anymore. They used to be required per the SSL cert terms of service, but aren't as far as I know.

Some still like to do this, but it is possible by just editing the page the checkout form is on or we can add an action hook to insert the seals where they used to be.

ZebulanStanphill commented 2 years ago

One issue I've run into is that, because the "Force SSL" option merely uses filters to override the site URL options (rather than just changing the value of the options), some things act a bit weird. I remember being unable to change the site URL actually stored in the db from the WP settings page, and Firefox was reporting mixed content warnings in the JS dev console when it fetched the site favicon.

So I think that, when removing the SSL option, it would be a good idea to simplify the behavior to just altering the actual value stored in the db, rather than using filters. Or perhaps just have the plugin deactivate itself when someone tries to activate it on a non-HTTPS site.

MaryOJob commented 2 years ago

Similar Request

Instead of having a user mess with adding a seal, and the majority of SSL certificates being Let's Encrypt these days, perhaps add a couple of default ones? Saves copy/pasting mysterious codes. Low priority feature request.

Moderators Only: #421050

ideadude commented 1 year ago

Let's do this in the 3.0 branch.

ideadude commented 5 months ago

We missed the 3.0 release.

I still feel we don't need the SSL Seal option. We can deprecate it, and people can use custom code or the page editor to insert seals if they want.

I feel the Yes options could be combined. Is there any problem if we try both redirects in the PHP and in JS? Most sites require JS anyway now. Not sure if our Yes (with JS) option now currently also redirects with PHP, but that's good to save a page load when we can.

Things that redirect are tricky. We could reword these options in a way where it's like "you should be using these, but in case you are having issues or handling this yourself somehow, you can disable PMPro's version of things here".

In general, 100% of sites using PMPro need a solution for fixing HTTP/HTTPS issues. I think we should handle this. We should fork code from Really Simple SSL to make sure we catch all the cases our "nuclear option" (bad name) wasn't catching.

Let's list all of the things we want to do for the sites. Let's get those coded up. Let's figure out if it's 1 or many options and how to group the features. Let's figure out if the payment settings page is still the best place for this or if we need a new SSL/security tab. We could merge some of the merge things and other security/spam related stuff into that new screen. Maybe some privacy stuff too.