WordPress.org is now forced SSL

In the last week, we transitioned almost all of WordPress.org to load over SSL.

In the coming weeks, any redirects that are temporary will become permanent, and we’ll be adding HTTP Strict Transport Security (HSTS).

api.wordpress.org and downloads.wordpress.org still listen over HTTP as some servers out there do not have OpenSSL and thus cannot communicate with WordPress.org securely. (But if you hit api.wordpress.org with an SSL request, you will always get an SSL downloads URL.)

If in a script you’re downloading https://wordpress.org/latest.zip or latest.tar.gz, please change this to https. Here are common issues you may run into:

  • Problems with curl? If you’re using curl without following locations (-L), your script will break. Switch to https.
  • Problems with wget? If you are using an old version of wget (~1.12.1 or older), it will stumble on the SSL certificate. Switch to https. Also, update wget.

If you find any issues, please leave a comment here or open a meta ticket. Issues could include:

  • Any mixed content warnings.
  • Something that should be forced SSL but isn’t. Note: The Codex has not been redirected yet but it will be soon. Same goes for the global and mobile forums (*.forums.wordpress.org).
  • General breakage or weirdness.

This all applies to BuddyPress.org and bbPress.org too.