Recently I was reviewing our description page for the popular Force HTTPS plugin and it had this in the description:
“Protocol-relative URLs are not being recommended anymore by some web experts, because the “secure by default” mindset and rapid adaption of SSL (TLS) over HTTPS has surged ahead in the past few years. Still, the problem with WordPress is that it relies on absolute paths/URLs whenever referencing hyperlinks or static resources. So, when the typical WordPress webmaster orders “SSL” from their web host and activates it, one or more things happens:
1. Now their site is loading on both protocols, resulting in duplicate content issues, security concerns, and browser warnings in regard to insecure resources.
2. Smarter web hosts or webmasters might 301 redirect the HTTP version to HTTPS, but resources in the page source code are not fixed. In efect, this cancels out the security benefits and performance benefits of HTTP/2 as well, not to mention the browser warnings that accompany.
This plugin not only makes SURE that HTTP versions of pages site-wide are 301 redirected to their HTTPS equivalent, but it also changes all static resources to use protocol-relevant URLs. But you are wondering why we use relevant URLs if experts are no longer recommending that? Well, If this plugin is installed, the worry over protocol relevancy is null, because this plugin first enforces the HTTPS redirects before implementing relative protocol sources.”
As we have totally refactored the plugin several months ago, this is no longer accurate and I want to make a public note.
Since HTTPS and SSL in general are now more commonly default than HTTP, we have moved to a clear and aggressive approach with the Force HTTPS plugin that simply enforce HTTPS across all redirects, all hyperlinks, and all assets being loaded… PERIOD!
I’m really, really glad we finally made this change. It was a few years overdue.
