Is it safe to use sslverify => true for with wp_remote_get/wp_remote_post

TL;DR: Yes, remove that setting as of WordPress 3.7 or later.

In the past, many people added the sslverify=false parameter specifically because their installation of PHP was unable to properly verify the certificate.

Typically, this was because the PHP install had not been updated with the latest copy of the CA Root Certificates. The root certs change every so often, and normally you don’t notice this change because it happens in normal browser updates. Well, when you have PHP acting like a browser to retrieve https urls, then it needs those root certificate updates too. And most hosts never update PHP, nor update any specific part of it (like the certificates file).

When WordPress implemented auto-updating in version 3.7, it was determined to be necessary to upgrade the WordPress.org APIs to require secure communication. At this time, WordPress began including a copy of the CA Root Certificates file itself, sourced from Mozilla. Since WordPress 3.7, therefore, the WP_HTTP API functions use this file to do certificate verification, and not whatever old or outdated version is packaged with your PHP installation.

Therefore, yes, with WordPress 3.7 or later, it is advisable to remove the sslverify parameter and allow the http functions to do proper certificate verification. Any modern server running SSL with a key signed by one of the known CAs will be verified properly. The WP_HTTP should have a copy of the latest root certificates, and the core project will update that certificates file in WordPress along with normal updates.

Related Posts:

  1. https connection using CURL from command line
  2. What exactly is cacert.pem for?
  3. How to disable cURL SSL certificate verification
  4. Getting error in Curl – Peer certificate cannot be authenticated with known CA certificates
  5. How to send user data from one website to another
  6. Displaying a remote SSL certificate details using CLI tools
  7. curl: (60) SSL certificate problem: unable to get local issuer certificate
  8. How to fix “SSL certificate problem: self signed certificate in certificate chain” error?
  9. NET::ERR_CERT_REVOKED in Chrome, when the certificate is not actually revoked
  10. “ssl module in Python is not available” when installing package with pip3
  11. Curl command for https ( SSL )
  12. How to generate a self-signed SSL certificate using OpenSSL?
  13. Convert .pem to .crt and .key
  14. Simple Java HTTPS server
  15. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  16. cURL error 60: SSL certificate: unable to get local issuer certificate
  17. OpenSSL: unable to verify the first certificate for Experian URL
  18. SSL CA cert (path? access rights?)
  19. ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome
  20. Error:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
  21. How do you sign a Certificate Signing Request with your Certification Authority?
  22. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  23. Issues with installing python libraries on Windows : CondaHTTPError: HTTP 000 CONNECTION FAILED for url
  24. WordPress wp-admin https redirect loop
  25. Howto force SSL for all requests?
  26. Local version of a WordPress site – SSL/HTTPS enforced?
  27. Images causing Mixed Content with SSL
  28. bloginfo() and get_template_directory_uri() with SSL?
  29. Favicon causes mixed content warning over SSL
  30. After updating site to use SSL all images in posts point to http://
  31. Adding https to wordpress website
  32. What’s the right move with SSL for user based site?
  33. I am locked out of my WordPress site after changing site URL from Http to Https
  34. Is curl required?
  35. Enabling SSL on wordpress results in 404
  36. In WP versions >= 4.0, is FORCE_SSL_LOGIN forcing HTTPS for the entire admin session?
  37. Separating HTTP and HTTPS content with WordPress, Varnish, and an SSL terminator?
  38. SSL Certificate and WordPress
  39. Pointing SSL Enabled URL at Single WordPress Page
  40. Occasional HTTPS Mixed Content Warning
  41. Google maps causing mixed content in header
  42. Cloudflare and SSL breaks wordpress – Mixed Content & Unable to use Admin
  43. XML asset fails to load using https
  44. Search and replace http:// links to https:// to get the green padlock
  45. I changed my site from HTTPS back to HTTP and now it is broken- Cannot access Admin panel on HTTP URL
  46. WordPress site shows “File not found.” if opened through https
  47. How to set up HTTPS WordPress from Install Step?
  48. How do I set up a local version of my https wordpress site for testing and development using MAMP
  49. Address a single page to SSL https secure protocol?
  50. Certain header elements not served over https
  51. wordpress http to https windows server
  52. Jetpack “Connect to WordPress” serving insecure content under HTTPS
  53. Allow non-SSL pages to use https or Force non-SSL pages to http?
  54. Website access with http and https
  55. How to force non SSL on just one page?
  56. Need ideas for HTTPS multiple domain solution
  57. Redirect the whole blog to SSL but not the RSS feed (under Nginx)
  58. WordPress 4.0 Forces entire site into SSL
  59. How to control SSL in WordPress for automatically changing http to https?
  60. All content is HTTPS, but browsers warn of HTTP mixed content [closed]
  61. How do I handle SSL properly when WP is behind a reverse proxy?
  62. How to keep WP from using https to get to wordpress.org?
  63. How do I find non-SSL problems on my SSL page?
  64. ERR_TOO_MANY_REDIRECTS on wordpress page [closed]
  65. Disable WordPress accessing WordPress.org to check for updates
  66. URLs not being output with https
  67. How to protect login via SSL but not the rest of the dashboard
  68. ERR_CONNECTION_REFUSED
  69. The REST API request failed due to an error. cURL error 60: SSL certificate problem: certificate has expired
  70. Do I install WordPress from my Cpanel on https or http, if my website has valid certificate?
  71. Website Migration (with https) to a new domain(http)
  72. How to move my local wordpress to https?
  73. Why does WordPress uses HTTPS for JS, CSS on EC2
  74. ERR_SSL_PROTOCOL_ERROR
  75. Problem forcing San SSL certificate on WordPress
  76. SSL Certificate
  77. Front-end pages messed up due to HTTPS
  78. site on subdomain is redirecting to main site after installing wildcard ssl cert on both
  79. Forcing SSL (Bad Theme coding)
  80. How to switch static files back to using HTTP instead of HTTPS?
  81. WordPress Insecure Content
  82. SSL certificate breaks CSS (in combination with W3TC)
  83. I just updated my SSL certificate and now my site looses formatting when
  84. I would like to add ssl certificate to my already existing wordpress site
  85. WordPress and SSL
  86. My WordPress site SSL is in red crossed color and can’t load at first time?
  87. SSL problems with WordPress
  88. SSL/HTTPS Redirect Loop
  89. The plain HTTP request was sent to HTTPS port in wordpress [closed]
  90. How to force static assets with HTTP sources to load over HTTPS?
  91. Moving WordPress from http to https over existing site
  92. WordPress stuck at Step 1 of setup behind nginx reverse proxy
  93. Issue when site move from ssl domain to new domain without ssl
  94. Is there a reason to use an SSL certificate other than Let’s Encrypt’s free SSL?
  95. Wildcard SSL certificate for second-level subdomain
  96. Properly setting up a “default” nginx server for https
  97. Does each subdomain need it’s own SSL certificate?
  98. Does each server behind a load balancer need their own SSL certificate?
  99. Changing my URL in General Settings cause the site to crash
  100. wordpress is auto using http: not https: as it needs to because the server is http behind a reverse proxy https, how do I stop it?

Leave a Comment