The ability to protect ONLY your WP Admin dashboard was introduced 5 years ago, at a time when:
- SSL certificates were not free and were often expensive.
- HTTPS processing was slow, so it was common to secure certain paths and leave others unprotected, trading security for speed.
As a result, our platform was originally built with an option in the User Portal to protect only your Login and Admin pages. That way your public-facing site wasn’t impacted, but passwords were still sent over HTTPS.
In the current state of the internet, almost the exact opposite is true. SSL certificates are now free (Thanks, Let’s Encrypt!), so it is easy to secure your site. The performance cost of HTTPS is almost negligible, so the norm has become configuring your entire site to use HTTPS.
With the arrival of WordPress 5.0, the new Gutenberg Editor leverages the WP REST API, which by default uses the /wp-json/ path. If you are only sending the Login and the WP Admin dashboard over HTTPS and no other paths, this can cause conflicts with the REST API functionality. As such, we’re making a change so that the /wp-json/ path is included in that WP Admin toggle and secured over HTTPS.
Should you discover mixed content warnings and/or errors, or find that your API paths are no longer functioning, take the action below that matches your situation:
1) WP REST API calls over HTTP
As a security best practice, we recommend that all API calls occur over HTTPS. If you are making API calls over HTTP, this platform change may impact you. We recommend you take action promptly to update any HTTP API calls to be made over HTTPS.
This could be as simple as updating your scripts to leverage https:// instead of http:// or changing the protocol that your client uses. For specific details around this, we recommend reaching out to your developer to assist.
2) Custom WP REST API path
If you have a custom path configured, we recommend taking the steps to secure your entire site or the custom path over HTTPS, as your post functionality will be impacted by an upgrade to WP 5.0. More information on how to force your full site over to HTTPS can be found here.
If you cannot force your entire site to use HTTPS and you have a custom API path, you can instead include that specific URL on the “SSL” page in the User Portal under the covered domain.
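One way to find the plain-HTTP API calls described in scenarios 1 and 2 is to scan your scripts for http:// URLs that target the REST API path. This is an added example, not code from the platform; the sample script, the example.test host and the /api/ custom path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_API_PREFIX = "/wp-json/"  # default WP REST API path named in the notice

# Absolute http(s) URL, ending at whitespace, a quote or a closing bracket.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)

# Constructed sample input; "/api/" stands in for a hypothetical custom API path.
SAMPLE_SCRIPT = '''\
# constructed sample deployment script
curl -s http://example.test/wp-json/wp/v2/posts
curl -s https://example.test/wp-json/wp/v2/pages
fetch("http://example.test:80/api/v1/items?per_page=5")
wget http://example.test/wp-content/uploads/logo.png
'''


def find_insecure_api_calls(text, api_prefixes=(DEFAULT_API_PREFIX,)):
    """Return (line_no, http_url, https_url) for each plain-HTTP REST API URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)
            if parts.scheme != "http":
                continue  # already HTTPS, nothing to change
            # Normalise so "/wp-json" and "/wp-json/..." both match the prefix;
            # containment also covers WordPress installed in a subdirectory.
            path = parts.path if parts.path.endswith("/") else parts.path + "/"
            if not any(prefix in path for prefix in api_prefixes):
                continue  # not a REST API call
            netloc = parts.netloc
            if netloc.endswith(":80"):
                netloc = netloc[:-3]  # an explicit HTTP port is wrong for HTTPS
            fixed = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
            findings.append((line_no, url, fixed))
    return findings


if __name__ == "__main__":
    for line_no, old, new in find_insecure_api_calls(SAMPLE_SCRIPT, ("/wp-json/", "/api/")):
        print(f"line {line_no}: {old} -> {new}")
```

URLs on a non-default port other than 80 are reported with the port unchanged, so confirm the HTTPS port for those by hand.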
If neither of the above scenarios applies to you, no action is required. Please reach out to Support if you have any additional questions.