1<?php
2/**
3 * HTTPS migration functions.
4 *
5 * @package WordPress
6 * @since 5.7.0
7 */
8
9/**
10 * Checks whether WordPress should replace old HTTP URLs to the site with their HTTPS counterpart.
11 *
12 * If a WordPress site had its URL changed from HTTP to HTTPS, by default this will return `true`, causing WordPress to
13 * add frontend filters to replace insecure site URLs that may be present in older database content. The
14 * {@see 'wp_should_replace_insecure_home_url'} filter can be used to modify that behavior.
15 *
16 * @since 5.7.0
17 *
18 * @return bool True if insecure URLs should replaced, false otherwise.
19 */
20function wp_should_replace_insecure_home_url() {
21 $should_replace_insecure_home_url = wp_is_using_https()
22 && get_option( 'https_migration_required' )
23 // For automatic replacement, both 'home' and 'siteurl' need to not only use HTTPS, they also need to be using
24 // the same domain.
25 && wp_parse_url( home_url(), PHP_URL_HOST ) === wp_parse_url( site_url(), PHP_URL_HOST );
26
27 /**
28 * Filters whether WordPress should replace old HTTP URLs to the site with their HTTPS counterpart.
29 *
30 * If a WordPress site had its URL changed from HTTP to HTTPS, by default this will return `true`. This filter can
31 * be used to disable that behavior, e.g. after having replaced URLs manually in the database.
32 *
33 * @since 5.7.0
34 *
35 * @param bool $should_replace_insecure_home_url Whether insecure HTTP URLs to the site should be replaced.
36 */
37 return apply_filters( 'wp_should_replace_insecure_home_url', $should_replace_insecure_home_url );
38}
39
40/**
41 * Replaces insecure HTTP URLs to the site in the given content, if configured to do so.
42 *
43 * This function replaces all occurrences of the HTTP version of the site's URL with its HTTPS counterpart, if
44 * determined via {@see wp_should_replace_insecure_home_url()}.
45 *
46 * @since 5.7.0
47 *
48 * @param string $content Content to replace URLs in.
49 * @return string Filtered content.
50 */
51function wp_replace_insecure_home_url( $content ) {
52 if ( ! wp_should_replace_insecure_home_url() ) {
53 return $content;
54 }
55
56 $https_url = home_url( '', 'https' );
57 $http_url = str_replace( 'https://', 'http://', $https_url );
58
59 // Also replace potentially escaped URL.
60 $escaped_https_url = str_replace( '/', '\/', $https_url );
61 $escaped_http_url = str_replace( '/', '\/', $http_url );
62
63 return str_replace(
64 array(
65 $http_url,
66 $escaped_http_url,
67 ),
68 array(
69 $https_url,
70 $escaped_https_url,
71 ),
72 $content
73 );
74}
75
76/**
77 * Update the 'home' and 'siteurl' option to use the HTTPS variant of their URL.
78 *
79 * If this update does not result in WordPress recognizing that the site is now using HTTPS (e.g. due to constants
80 * overriding the URLs used), the changes will be reverted. In such a case the function will return false.
81 *
82 * @since 5.7.0
83 *
84 * @return bool True on success, false on failure.
85 */
86function wp_update_urls_to_https() {
87 // Get current URL options.
88 $orig_home = get_option( 'home' );
89 $orig_siteurl = get_option( 'siteurl' );
90
91 // Get current URL options, replacing HTTP with HTTPS.
92 $home = str_replace( 'http://', 'https://', $orig_home );
93 $siteurl = str_replace( 'http://', 'https://', $orig_siteurl );
94
95 // Update the options.
96 update_option( 'home', $home );
97 update_option( 'siteurl', $siteurl );
98
99 if ( ! wp_is_using_https() ) {
100 /*
101 * If this did not result in the site recognizing HTTPS as being used,
102 * revert the change and return false.
103 */
104 update_option( 'home', $orig_home );
105 update_option( 'siteurl', $orig_siteurl );
106 return false;
107 }
108
109 // Otherwise the URLs were successfully changed to use HTTPS.
110 return true;
111}
112
113/**
114 * Updates the 'https_migration_required' option if needed when the given URL has been updated from HTTP to HTTPS.
115 *
116 * If this is a fresh site, a migration will not be required, so the option will be set as `false`.
117 *
118 * This is hooked into the {@see 'update_option_home'} action.
119 *
120 * @since 5.7.0
121 * @access private
122 *
123 * @param mixed $old_url Previous value of the URL option.
124 * @param mixed $new_url New value of the URL option.
125 */
126function wp_update_https_migration_required( $old_url, $new_url ) {
127 // Do nothing if WordPress is being installed.
128 if ( wp_installing() ) {
129 return;
130 }
131
132 // Delete/reset the option if the new URL is not the HTTPS version of the old URL.
133 if ( untrailingslashit( (string) $old_url ) !== str_replace( 'https://', 'http://', untrailingslashit( (string) $new_url ) ) ) {
134 delete_option( 'https_migration_required' );
135 return;
136 }
137
138 // If this is a fresh site, there is no content to migrate, so do not require migration.
139 $https_migration_required = get_option( 'fresh_site' ) ? false : true;
140
141 update_option( 'https_migration_required', $https_migration_required );
142}
143