[wp-hackers] forcing siteurl to HTTPS in admin

Steve Taylor steve at sltaylor.co.uk
Sun Dec 20 15:22:43 UTC 2009

Hi there,

I'm using FORCE_SSL_ADMIN, and I'm trying to overcome the problem when
a public user (e.g. a subscriber) goes to their profile page and gets
a "Do you want to display insecure items?" notice. It looks like the
default in IE for this question has changed from "Yes" to "No" - and
"No" can block some references to images and scripts.

As ever I tried just sticking a filter in my theme code, but I made it
a tiny plugin on the strength that the filter will get applied earlier
in the processing. This is the code:

function slt_adminURL( $value ) {
	if ( is_admin() && FORCE_SSL_ADMIN && substr( $value, 0, 8 ) != "https://" )
		$value = str_replace( "http://", "https://", $value );
	return $value;
add_filter( 'option_siteurl', 'slt_adminURL', 0 );
add_filter( 'option_url', 'slt_adminURL', 0 );

However, there's still a few plugins returning HTTP URLs. It all seems
to come down to WP_CONTENT_URL being defined in wp-settings.php. It
uses get_option('siteurl'), but I guess the settings are loaded so
early that the above filters have no chance.

Any ideas on how to do this? I thought of setting WP_CONTENT_URL in
wp-config.php, but I guess I would have to do a "manual" check on the
request URL to decide whether we're in admin or not, and hence whether
to apply HTTPS or not?

Or is the best approach to set up some kind of filtering of the HTML
before output in admin, if that's possible?


Steve Taylor

More information about the wp-hackers mailing list