low priority Another #https report came in this…

(low-priority) Another #https report came in, this time for https://svn.buddypress.org/ which is not using the buddypress cert, but rather than WordPress.org wildcard.


Although https://buddypress.svn.wordpress.org/ is the canonical SVN location, https://svn.buddypress.org/ shows up in search results and is affected by the HTTPSEverywhere-type browser extensions too.

502 Bad Gateway errors

The number of reports for 502 Bad Gateway errors is increasing recently.

My first report for 502 errors was for https://*.wordpress.org/?fetch-custom-header=/plugins/ requests on Jan 7th. This was solved by @barry, “some memory corruption probably caused by a bug in pecl-memcache that we are working on fixing“.

Around April 3rd I got a few reports for translate.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ but couldn’t confirm them.

On April 13th I reported that the https://*.wordpress.org/?fetch-custom-header=/plugins/ issue happens again. This issue is still there, see #dotorg-warnings.

Since this Monday we’re getting reports for 502 Bad Gateway errors on our make sites. For example  https://make.wordpress.org/polyglots/feed/p2.ajax returns a 502 which prevents adding new comments.


But there are also new reports for translate.wordpress.org (when submitting translations) and for localized sites:

Image 2016-06-07 at 9.56.15 am

The 502 errors do not happen on our sandboxes, only in production. Can someone please look into this? Thank you!


Low priority It looks like https security wordpress…

(Low-priority) It looks like https://security.wordpress.org doesn’t act the same as http://security.wordpress.org:

httpHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.: (note: p2 automatically httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information.’s the below urls, edit post to see raw)
$ curl -IL https://security.wordpress.org/ | grep Location
Location: https://codex.wordpress.org/FAQ_Security
Location: https://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/
Location: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/


  • invalid cert (multipattern)
  • redirect to default cpanel URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org

The URL is used as a shorthand in some documentation AFAIK, mentioned to me by @netweb who uses HTTPS Everywhere which triggered this.