Switching a WordPress site from HTTP to HTTPS has historically been a tedious task. While on the surface the Site Address and WordPress Address have to be updated, existing content still remains using HTTP URLs where hard-coded in the database. Furthermore, updating _two_ URLs to migrate to HTTPS is still a fairly unintuitive step which is not clearly explained.
This changeset simplifies migration from HTTP to HTTPS and, where possible, makes it a one-click interaction.
* Automatically replace insecure versions of the Site Address (`home_url()`) with its HTTPS counterpart on the fly if the site has been migrated from HTTP to HTTPS. This is accomplished by introducing a `https_migration_required` option and enabling it when the `home_url()` is accordingly changed.
* A new `wp_replace_insecure_home_url()` function is hooked into various pieces of content to replace URLs accordingly.
* The migration only kicks in when the Site Address (`home_url()`) and WordPress Address (`site_url()`) match, which is the widely common case. Configurations where these differ are often maintained by more advanced users, where this migration routine would be less essential - something to potentially iterate on in the future though.
* The migration does not actually update content in the database. More savvy users that prefer to do that can prevent the migration logic from running by either deleting the `https_migration_required` option or using the new `wp_should_replace_insecure_home_url` filter.
* For fresh sites that do not have any content yet at the point of changing the URLs to HTTPS, the migration will also be skipped since it would not be relevant.
* Expose a primary action in the Site Health recommendation, if HTTPS is already supported by the environment, built on top of the HTTPS detection mechanism from [49904]. When clicked, the default behavior is to update `home_url()` and `site_url()` in one go to their HTTPS counterpart.
* A new `wp_update_urls_to_https()` function takes care of the update routine.
* A new `update_https` meta capability is introduced to control access.
* If the site's URLs are controlled by constants, this update is not automatically possible, so in these scenarios the user is informed about that in the HTTPS status check in Site Health.
* Allow hosting providers to modify the URLs linked to in the HTTPS status check in Site Health, similar to how that is possible for the URLs around updating the PHP version.
* A `WP_UPDATE_HTTPS_URL` environment variable or `wp_update_https_url` filter can be used to provide a custom URL with guidance about updating the site to use HTTPS.
* A `WP_DIRECT_UPDATE_HTTPS_URL` environment variable or `wp_direct_update_https_url` filter can be used to provide a custom URL for the primary CTA to update the site to use HTTPS.
Props flixos90, timothyblynjacobs.
Fixes#51437.
Built from https://develop.svn.wordpress.org/trunk@50131
git-svn-id: http://core.svn.wordpress.org/trunk@49810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a feature so Admins can send users a 'password reset' email. This doesn't change the password or force a password change. It only emails the user the password reset link.
The feature appears in several places:
* A "Send Reset Link" button on user profile screen.
* A "Send password reset" option in the user list bulk action dropdown.
* A "Send password reset" quick action when hovering over a username in the user list.
Props Ipstenu, DrewAPicture, eventualo, wonderboymusic, knutsp, ericlewis, afercia, JoshuaWold, johnbillion, paaljoachim, hedgefield.
Fixes#34281.
Built from https://develop.svn.wordpress.org/trunk@50129
git-svn-id: http://core.svn.wordpress.org/trunk@49808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces a filter-based Robots API, providing central control over the `robots` meta tag.
* Introduces `wp_robots()` function which should be called anywhere a `robots` meta tag should be included.
* Introduces `wp_robots` filter which allows adding or modifying directives for the `robots` meta tag. The `wp_robots()` function is entirely filter-based, i.e. if no filter is added to `wp_robots`, no directives will be present, and therefore the entire `robots` meta tag will be omitted.
* Introduces the following `wp_robots` filter functions which replace similar existing functions that were manually rendering a `robots` meta tag:
* `wp_robots_noindex()` replaces `noindex()`, which has been deprecated.
* `wp_robots_no_robots()` replaces `wp_no_robots()`, which has been deprecated.
* `wp_robots_sensitive_page()` replaces `wp_sensitive_page_meta()`, which has been deprecated. Its rendering of the `referrer` meta tag has been moved to another new function `wp_strict_cross_origin_referrer()`.
Migration to the new functions is straightforward. For example, a call to `add_action( 'wp_head', 'wp_no_robots' )` should be replaced with `add_filter( 'wp_robots', 'wp_robots_no_robots' )`.
Plugins and themes that render their own `robots` meta tags are encouraged to switch to rely on the `wp_robots` filter in order to use the central management layer now provided by WordPress core.
Props adamsilverstein, flixos90, timothyblynjacobs, westonruter.
See #51511.
Built from https://develop.svn.wordpress.org/trunk@49992
git-svn-id: http://core.svn.wordpress.org/trunk@49693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings the accessibility improvements previously made for other areas of the admin in WordPress 5.3 to the installation screens too.
Follow-up to [46241-46244], [46247], [46248], [46293], [46425].
Props Maigret, audrasjb.
Fixes#51854.
Built from https://develop.svn.wordpress.org/trunk@49907
git-svn-id: http://core.svn.wordpress.org/trunk@49606 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r49212 greatly improved the performance of `get_dirsize()`, but also changed the structure of the data stored in the `dirsize_cache` transient. It stored relative paths instead of absolute ones, and also removed the unnecessary `size` array.
That difference in data structures led to a fatal error in the following environment:
* PHP 8
* Multisite
* A custom `WP_CONTENT_DIR` which is not a child of WP's `ABSPATH` folder (e.g., [https://roots.io/bedrock/ Bedrock])
* The `upload_space_check_disabled` option set to `0`
After upgrading to WP 5.6, the `dirsize_cache` transient still had data in the old format. When `wp-admin.php/index.php` was visited, `get_space_used()` received an `array` instead of an `int`, and tried to divide it by another `int`. PHP 7 would silently cast the arguments to match data types, but [https://wiki.php.net/rfc/arithmetic_operator_type_checks PHP 8 throws a fatal error]:
`Uncaught TypeError: Unsupported operand types: array / int`
`recurse_dirsize()` was using `ABSPATH` to convert the absolute paths to relative ones, but some upload locations are not located under `ABSPATH`. In those cases, `$directory` and `$cache_path` were identical, and that triggered the early return of the old `array`, instead of the expected `int`.
In order to avoid that, this commit restores the absolute paths, but without the `size` array. It also adds a type check when returning cached values. Using absolute paths without `size` has the result of overwriting the old data, so that it matches the new format. The type check and upgrade routine are additional safety measures.
Props peterwilsoncc, janthiel, helen, hellofromtonya, francina, pbiron.
Fixes#51913. See #19879.
Built from https://develop.svn.wordpress.org/trunk@49744
git-svn-id: http://core.svn.wordpress.org/trunk@49467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Clarifies that if you are on maintenance/security auto-updates that you are only on those and therefore there are more options available.
* Adds a message if a version control system has been detected, as automatic updates are disabled in that case.
* Ensures only one heading between `update available`, `you are on a dev version`, and `you are on latest` appears at any given time, falling back to `you are on latest` if something strange happens with the returned update data.
* Removes some older strings related to auto-updates, which greatly simplifies the above.
* Strips the `core-major-auto-updates-saved` query arg from the URL, as it is related to a dismissible notice.
Props audrasjb, pbiron, helen.
Fixes#51742.
Built from https://develop.svn.wordpress.org/trunk@49638
git-svn-id: http://core.svn.wordpress.org/trunk@49376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If reinstalling WordPress, there is a condition where tables would exist in the database. Ensures that when that is the case, the install process can carry along without issue.
Fixes#51676.
Props xknown, garubi, mukesh27, desrosj, johnbillion, metalandcoffee, davidbaumwald, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@49452
git-svn-id: http://core.svn.wordpress.org/trunk@49211 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `noopener noreferrer` was originally added in #37941 and related tickets, the `noreferrer` bit was specifically included due to Firefox not supporting `noopener` at the time.
Since `noopener` has been supported by all major browsers for a while, it should now be safe to remove the `noreferrer` attribute from core.
Props Mista-Flo, audrasjb, joostdevalk, jonoaldersonwp, peterwilsoncc, elgameel.
Fixes#49558.
Built from https://develop.svn.wordpress.org/trunk@49215
git-svn-id: http://core.svn.wordpress.org/trunk@48977 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Instead of one cache entry for all upload folders for a site on multisite, this now caches for each folder and invalidates that cache based on context. In multisite, this should speed up `get_dirsize` calls since older directories that are much less likely to change will no longer have the size recalculated.
Props janthiel, A5hleyRich, batmoo.
Fixes#19879.
Built from https://develop.svn.wordpress.org/trunk@49212
git-svn-id: http://core.svn.wordpress.org/trunk@48974 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.
This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast
In part, this is a follow-up to #47746.
Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193
git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows for edits to be made to a restored post before it goes live again. This also prevents scheduled posts being published unexpectedly if they are untrashed after their originally scheduled date.
The old behaviour of restoring untrashed posts to their original status can be reinstated using the `wp_untrash_post_set_previous_status()` helper function.
Also fixes an issue where the incorrect post ID gets passed to hooks if no post ID is passed to the function.
Props harrym, bananastalktome, jaredcobb, chriscct7, melchoyce, johnbillion, pankajmohale
Fixes#23022
Built from https://develop.svn.wordpress.org/trunk@49125
git-svn-id: http://core.svn.wordpress.org/trunk@48887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As it already was not possible to pass the required parameters without also passing the optional one anyway, removing the default value for the (not so) optional parameters should not affect backward compatibility.
This change affects three functions in core:
* `get_comment_delimited_block_content()`
* `do_enclose()`
* `_wp_delete_tax_menu_item()`
Props jrf, ayeshrajans, desrosj.
Fixes#50343.
Built from https://develop.svn.wordpress.org/trunk@48794
git-svn-id: http://core.svn.wordpress.org/trunk@48556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Several new checks:
* `max_file_uploads`
* `file_uploads`
* `post_max_size`
* `upload_max_filesize`
* `upload_max`
* `max_file_uploads`
In addition, new function `parse_ini_size()` that converts shorthand byte strings to bytes. Useful for size comparisons.
Fixes#50038.
Props dd32, donmhico, JavierCasares, SergeyBiryukov, ayeshrajans, Clorith, ipstenu, sabernhardt, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@48535
git-svn-id: http://core.svn.wordpress.org/trunk@48297 1a063a9b-81f0-0310-95a4-ce76da25c4cd