force-https.php

@@ -3,170 +3,220 @@
 Plugin Name: Force HTTPS
 Plugin URI: https://www.littlebizzy.com/plugins/force-https
 Description: HTTPS enforcement for WordPress
-Version: 2.0.3
-Requires PHP: 7.0
+Version: 3.0.0
 Author: LittleBizzy
 Author URI: https://www.littlebizzy.com
+Requires PHP: 7.0
+Tested up to: 6.7
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
+Update URI: false
 GitHub Plugin URI: littlebizzy/force-https
 Primary Branch: master
+Text Domain: force-https
 */
 
 // prevent direct access
 if ( ! defined( 'ABSPATH' ) ) {
     exit;
 }
 
-// disable wordpress.org updates for this plugin
+// override wordpress.org with git updater
 add_filter( 'gu_override_dot_org', function( $overrides ) {
     $overrides[] = 'force-https/force-https.php';
     return $overrides;
 }, 999 );
 
-// Force HTTPS redirection for all non-HTTPS requests
-add_action('init', function () {
-    if (!is_ssl() && !is_admin() && php_sapi_name() !== 'cli') {
-        if (!headers_sent()) {
-            $redirect_url = home_url(add_query_arg(null, null));
-            wp_safe_redirect(set_url_scheme($redirect_url, 'https'), 301);
-            exit();
-        }
+// enforce https at the database level only if wordpress is incorrectly detecting http
+// home_url and site_url should not be in force_https_securize_url because it would run on every call unnecessarily
+function force_https_filter_home( $value ) {
+    if ( is_ssl() ) {
+        return $value;
     }
-}, 10);
+    return set_url_scheme( $value, 'https' );
+}
+
+// no priority needed since pre_option filters override values immediately
+add_filter( 'pre_option_home', 'force_https_filter_home' );
+add_filter( 'pre_option_siteurl', 'force_https_filter_home' );
 
-// Force HTTPS on all URLs by replacing 'http://' with 'https://'
-function fhttps_securize_url($url) {
-    if (strpos($url, 'http://') === 0) {
-        return set_url_scheme($url, 'https');
+// enforce https by redirecting non-ssl requests on frontend, admin, and login pages
+function force_https_redirect() {
+    // exit if already using https
+    if ( is_ssl() ) {
+        return;
     }
-    return $url;
+
+    // exit if headers are sent, running via cli, cron, ajax, or if no request uri exists
+    if ( headers_sent() || defined( 'WP_CLI' ) || defined( 'DOING_CRON' ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) || ! isset( $_SERVER['REQUEST_URI'] ) ) {
+        return;
+    }
+
+    // redirect to https version of the requested url
+    wp_redirect( set_url_scheme( home_url( $_SERVER['REQUEST_URI'] ), 'https' ), 301 );
+    exit;
 }
 
-// Apply HTTPS to all relevant WordPress filters
-add_filter('script_loader_src', 'fhttps_securize_url', 20);
-add_filter('style_loader_src', 'fhttps_securize_url', 20);
-add_filter('wp_get_attachment_url', 'fhttps_securize_url', 20);
-add_filter('the_permalink', 'fhttps_securize_url', 20);
-add_filter('post_link', 'fhttps_securize_url', 20);
-add_filter('page_link', 'fhttps_securize_url', 20);
-add_filter('term_link', 'fhttps_securize_url', 20);
-add_filter('home_url', 'fhttps_securize_url', 20);
-add_filter('site_url', 'fhttps_securize_url', 20);
-add_filter('network_site_url', 'fhttps_securize_url', 20);
-add_filter('network_home_url', 'fhttps_securize_url', 20);
-add_filter('template_directory_uri', 'fhttps_securize_url', 20);
-add_filter('stylesheet_directory_uri', 'fhttps_securize_url', 20);
-add_filter('get_avatar_url', 'fhttps_securize_url', 20);
-add_filter('rest_url', 'fhttps_securize_url', 20);
-
-// Ensure all URLs in the upload directory use HTTPS
-add_filter('upload_dir', function($uploads) {
-    $uploads['url'] = set_url_scheme($uploads['url'], 'https');
-    $uploads['baseurl'] = set_url_scheme($uploads['baseurl'], 'https');
-    return $uploads;
-});
+// apply https redirect during initialization, admin, and login
+add_action( 'init', 'force_https_redirect', 10 );
+add_action( 'admin_init', 'force_https_redirect', 10 );
+add_action( 'login_init', 'force_https_redirect', 10 );
+
+// enforce https for valid urls only
+function force_https_securize_url( $value ) {
+    // return unchanged if not a string or does not start with http
+    if ( ! is_string( $value ) || stripos( $value, 'http://' ) !== 0 ) {
+        return $value;
+    }
+
+    // convert to https
+    return set_url_scheme( $value, 'https' );
+}
+
+// apply https to urls used across wordpress
+add_filter( 'admin_url', 'force_https_securize_url', 10 );
+add_filter( 'author_feed_link', 'force_https_securize_url', 10 );
+add_filter( 'category_feed_link', 'force_https_securize_url', 10 );
+add_filter( 'category_link', 'force_https_securize_url', 10 );
+add_filter( 'content_url', 'force_https_securize_url', 10 );
+add_filter( 'embed_oembed_html', 'force_https_securize_url', 10 );
+add_filter( 'get_avatar_url', 'force_https_securize_url', 10 );
+add_filter( 'get_custom_logo', 'force_https_securize_url', 10 );
+add_filter( 'get_the_permalink', 'force_https_securize_url', 10 );
+add_filter( 'includes_url', 'force_https_securize_url', 10 );
+add_filter( 'login_redirect', 'force_https_securize_url', 10 );
+add_filter( 'logout_redirect', 'force_https_securize_url', 10 );
+add_filter( 'nav_menu_link_attributes', 'force_https_securize_url', 10 );
+add_filter( 'network_home_url', 'force_https_securize_url', 10 );
+add_filter( 'network_site_url', 'force_https_securize_url', 10 );
+add_filter( 'page_link', 'force_https_securize_url', 10 );
+add_filter( 'plugins_url', 'force_https_securize_url', 10 );
+add_filter( 'post_link', 'force_https_securize_url', 10 );
+add_filter( 'rest_url', 'force_https_securize_url', 10 );
+add_filter( 'tag_link', 'force_https_securize_url', 10 );
+add_filter( 'term_link', 'force_https_securize_url', 10 );
+add_filter( 'wp_get_attachment_url', 'force_https_securize_url', 10 );
+add_filter( 'wp_logout_url', 'force_https_securize_url', 10 );
+
+// apply https to woocommerce urls if woocommerce is active
+if ( class_exists( 'WooCommerce' ) ) {
+    add_filter( 'wc_get_endpoint_url', 'force_https_securize_url', 10 );
+    add_filter( 'woocommerce_account_endpoint_url', 'force_https_securize_url', 10 );
+    add_filter( 'woocommerce_email_footer_text', 'force_https_filter_output', 999 );
+    add_filter( 'woocommerce_rest_prepare_coupon', 'force_https_filter_output', 999 );
+    add_filter( 'woocommerce_rest_prepare_customer', 'force_https_filter_output', 999 );
+    add_filter( 'woocommerce_rest_prepare_order', 'force_https_filter_output', 999 );
+    add_filter( 'woocommerce_rest_prepare_product', 'force_https_filter_output', 999 );
+}
+
+// enforce https on html content that may contain urls
+function force_https_filter_output( $content ) {
+    // return unchanged if not a string
+    if ( ! is_string( $content ) ) {
+        return $content;
+    }
+
+    // replace http with https in text or html output
+    return str_replace( 'http://', 'https://', $content );
+}
+
+// apply https enforcement to html content
+add_filter( 'comment_text', 'force_https_filter_output', 20 );
+add_filter( 'post_thumbnail_html', 'force_https_filter_output', 10 );
+add_filter( 'render_block', 'force_https_filter_output', 20 );
+add_filter( 'rest_pre_echo_response', 'force_https_filter_output', 999 );
+add_filter( 'walker_nav_menu_start_el', 'force_https_filter_output', 10 );
+add_filter( 'widget_text', 'force_https_filter_output', 20 );
+add_filter( 'widget_text_content', 'force_https_filter_output', 20 );
 
-// Apply HTTPS to all elements and attributes that can contain URLs
-add_filter('the_content', function($content) {
-    // Convert all resources and hyperlinks to HTTPS
+// enforce https on elements and inline content
+add_filter( 'the_content', 'force_https_process_content', 20 );
+
+function force_https_process_content( $content ) {
+    // match elements with src, href, action, content, or formaction attributes
+    static $element_pattern = '#(?i)(<(?:a|img|iframe|video|audio|source|form|link|embed|object|track|script|meta|input|button)\b[^>]*\s*(?:href|src|action|content|formaction)=["\'])http://([^"\']+)#';
+
+    // match script and style content
+    static $script_style_pattern = '#(<(?i:script|style)\b[^>]*>)(.*?)</(?i:script|style)>#s';
+
+    // replace http with https in elements
     $content = preg_replace_callback(
-        '#(<(?:img|iframe|embed|source|script|link|meta|video|audio|track|object|form|area|input|button|a)[^>]+(?:src|srcset|data-src|data-href|action|poster|content|style|href|manifest)=["\'])(http://)([^"\']+)#',
-        function($matches) {
-            return $matches[1] . 'https://' . $matches[3];
+        $element_pattern,
+        function ( $matches ) {
+            return $matches[1] . 'https://' . $matches[2];
         },
         $content
     );
 
-    // Convert inline styles with URL() to HTTPS
-    $content = preg_replace_callback(
-        '#(<[^>]+(?:style)=["\'][^>]*?url\((http://)([^"\']+)\))#',
-        function($matches) {
-            return str_replace('http://', 'https://', $matches[0]);
+    // replace http and escaped http in script and style blocks
+    return preg_replace_callback(
+        $script_style_pattern,
+        function ( $matches ) {
+            preg_match('/<\s*(script|style)/i', $matches[1], $tag_match);
+            return $matches[1] . str_replace(
+                ['http://', 'http:\/\/'],
+                ['https://', 'https:\/\/'],
+                $matches[2]
+            ) . '</' . $tag_match[1] . '>';
         },
         $content
     );
+}
 
-    return $content;
-}, 20);
-
-// Enforce HTTPS for text widget content
-add_filter('widget_text', function($content) {
-    return str_replace('http://', 'https://', $content);
-}, 20);
-
-// Enforce HTTPS for widget text content in newer WordPress versions
-add_filter('widget_text_content', function($content) {
-    return str_replace('http://', 'https://', $content);
-}, 20);
-
-// Apply HTTPS to all URLs in custom menus
-add_filter('nav_menu_link_attributes', function($atts) {
-    if (isset($atts['href']) && strpos($atts['href'], 'http://') === 0) {
-        $atts['href'] = set_url_scheme($atts['href'], 'https');
+// enforce https on wp resource hints to prevent mixed content issues
+add_filter( 'wp_resource_hints', 'force_https_fix_resource_hints', 20 );
+function force_https_fix_resource_hints( $urls ) {
+    // return unchanged if not an array
+    if ( ! is_array( $urls ) ) {
+        return $urls;
     }
-    return $atts;
-}, 20);
-
-// Enforce HTTPS for oEmbed URLs
-add_filter('embed_oembed_html', function($html) {
-    return str_replace('http://', 'https://', $html);
-}, 20);
-
-// Enforce HTTPS for any URLs used in shortcodes
-add_filter('do_shortcode_tag', function($output) {
-    return str_replace('http://', 'https://', $output);
-}, 20);
-
-// Enforce HTTPS on wp_resource_hints
-add_filter('wp_resource_hints', function($urls) {
-    if (is_array($urls)) {
-        foreach ($urls as &$url) {
-            if (is_array($url) && isset($url['href'])) {
-                $url['href'] = str_replace('http://', 'https://', $url['href']);
-            } elseif (is_string($url)) {
-                $url = str_replace('http://', 'https://', $url);
-            }
+
+    // loop through each url and enforce https where needed
+    foreach ( $urls as $key => $url ) {
+        if ( is_string( $url ) ) {
+            $urls[$key] = set_url_scheme( $url, 'https' );
+        } elseif ( is_array( $url ) && isset( $url['href'] ) ) {
+            $urls[$key]['href'] = set_url_scheme( $url['href'], 'https' );
         }
     }
+
     return $urls;
-}, 20);
+}
 
-// Enforce HTTPS on attachment metadata
-add_filter('wp_get_attachment_metadata', function($data) {
-    if (isset($data['file'])) {
-        $data['file'] = str_replace('http://', 'https://', $data['file']);
+// enforce https on image srcsets to prevent mixed content issues
+add_filter( 'wp_calculate_image_srcset', 'force_https_fix_image_srcsets', 999 );
+function force_https_fix_image_srcsets( $sources ) {
+    // return unchanged if sources is not an array
+    if ( ! is_array( $sources ) ) {
+        return $sources;
     }
-    if (isset($data['sizes'])) {
-        foreach ($data['sizes'] as &$size) {
-            if (isset($size['file'])) {
-                $size['file'] = str_replace('http://', 'https://', $size['file']);
-            }
-        }
-    }
-    return $data;
-}, 20);
-
-// Enforce HTTPS on image srcsets
-add_filter('wp_calculate_image_srcset', function($sources) {
-    foreach ($sources as &$source) {
-        if (isset($source['url'])) {
-            $source['url'] = str_replace('http://', 'https://', $source['url']);
+
+    // loop through each source and enforce https on urls
+    foreach ( $sources as $key => $source ) {
+        // check if url is set and enforce https
+        if ( isset( $source['url'] ) ) {
+            $sources[$key]['url'] = set_url_scheme( $source['url'], 'https' );
         }
     }
+
     return $sources;
-}, 20);
+}
 
-// Enforce HTTPS on custom logo HTML
-add_filter('get_custom_logo', function($html) {
-    return str_replace('http://', 'https://', $html);
-}, 20);
+// enforce https on urls in the upload directory to avoid insecure media links
+add_filter( 'upload_dir', 'force_https_fix_upload_dir', 999 );
+function force_https_fix_upload_dir( $uploads ) {
 
-// Enforce HTTPS for login/logout redirect URLs
-add_filter('login_redirect', 'fhttps_securize_url', 20);
-add_filter('logout_redirect', 'fhttps_securize_url', 20);
+    // enforce https on the main upload url
+    if ( isset( $uploads['url'] ) ) {
+        $uploads['url'] = set_url_scheme( $uploads['url'], 'https' );
+    }
+
+    // enforce https on the base upload url
+    if ( isset( $uploads['baseurl'] ) ) {
+        $uploads['baseurl'] = set_url_scheme( $uploads['baseurl'], 'https' );
+    }
 
-// Ensure redirects are HTTPS
-add_filter('wp_redirect', 'fhttps_securize_url', 20);
+    return $uploads;
+}
 
 // Ref: ChatGPT

readme.md

@@ -4,6 +4,18 @@ HTTPS enforcement for WordPress
 
 ## Changelog
 
+## 3.0.0
+- added `Tested up to` header
+- added `Update URI` header
+- added `Text Domain` header
+- improved HTTPS redirection that skips WP-CLI, WP-Cron, and AJAX
+- now leveraging `pre_option_home` and `pre_option_siteurl` to override WordPress sequence early
+- several more `add_filter` being enforced
+- refined regex in `the_content` to correctly process `<script>` and `<style>` blocks
+- refinded and expanded regex for HTML elements
+- support for several WooCommerce `add_filter` if detected
+- significant code structure, syntax, and efficiency improvements
+
 ### 2.0.3
 - added `Requires PHP` plugin header