Forcing New Sites to HTTPS in a WordPress Multisite Subdomain Network

I had an old coworker reach out today about the multisite network I used to work on at UNC. It’s set up as a subdomain installation and new sites that were being created were not automatically being set to HTTPS and he wanted to know how to change that.

Background Information

If you use a subdirectory multisite network, any new subsites will follow the scheme from the primary site of the network. But on a subdomain network, this is hardcoded to force all new sites to be HTTP.

It’s been proposed to change it mimic subdirectory networks and use the same scheme as the primary site, but the thinking is that you can’t ensure that a user will have a certificate for the new domain, making the new site unreachable.

The Fix

If you’ve got a wildcard certificate in place for the domain of the primary site of the network, then your subdomains will work just fine on HTTPS, so it would be ideal to be able to force this setting when creating new sites in that situation.

There isn’t a clearly identifiable filter specific to scheme or new site URLS, but it can be accomplished using the wp_initialize_site_args filter.

<?php
add_filter( 'wp_initialize_site_args', function( $args, $site ) {
	$url = untrailingslashit( 'https://' . $site->domain . $site->path );

	$args['options']['home']    = $url;
	$args['options']['siteurl'] = $url;

	return $args;
}, 10, 2 );Code language: PHP (php)

Put the above snippet in an file in the mu-plugins directory and it should take care of it for all new sites created either by users on the front-end, or network administrators in the admin.

HTTPS Going Forward

Hopefully we can do some work around that in the future to detect the availability of HTTPS and default to using it if possible.

There are some new efforts underway to encourage site owners to use HTTPS and help them reach out to their hosting providers to enable it if it’s not available.