Is it safe to use sslverify => true for with wp_remote_get/wp_remote_post

I normally use this argument to prevent errors with wp_remote_get and wp_remote_post

    'sslverify' => false

For security reasons I would like to set it to true (or remove it since the default is true).

Should I expect any problems by doing that?


TL;DR: Yes, remove that setting as of WordPress 3.7 or later.

In the past, many people added the sslverify=false parameter specifically because their installation of PHP was unable to properly verify the certificate.

Typically, this was because the PHP install had not been updated with the latest copy of the CA Root Certificates. The root certs change every so often, and normally you don’t notice this change because it happens in normal browser updates. Well, when you have PHP acting like a browser to retrieve https urls, then it needs those root certificate updates too. And most hosts never update PHP, nor update any specific part of it (like the certificates file).

When WordPress implemented auto-updating in version 3.7, it was determined to be necessary to upgrade the APIs to require secure communication. At this time, WordPress began including a copy of the CA Root Certificates file itself, sourced from Mozilla. Since WordPress 3.7, therefore, the WP_HTTP API functions use this file to do certificate verification, and not whatever old or outdated version is packaged with your PHP installation.

Therefore, yes, with WordPress 3.7 or later, it is advisable to remove the sslverify parameter and allow the http functions to do proper certificate verification. Any modern server running SSL with a key signed by one of the known CAs will be verified properly. The WP_HTTP should have a copy of the latest root certificates, and the core project will update that certificates file in WordPress along with normal updates.

Leave a Comment