WordPress & Site Address (URL) must be HTTPS
Description of the control
This control manages the WordPress & Site Address (URL) must be HTTPS setting on the Core Hardening page under WordPress Interfaces. The UI provides three modes: Unenforced, Enforced (forces https), and Audit only (show reminder banner if not HTTPS). Its help text states that it ensures the WordPress Address URL and Site Address URL use HTTPS so cookies can be marked secure.
Administrators enable this control to keep the core site URLs on HTTPS and to reduce the chance that WordPress continues using insecure HTTP values for the main site address fields when it renders the HTML.
Procedure
- Sign in to WordPress with an account that can manage CMSSPM settings, then open Posture Management from the admin menu.
- Open Core Hardening using the menu slug cmsspm-core-hardening.
- In the WordPress Interfaces card, locate WordPress & Site Address (URL) must be HTTPS.
- Select the desired mode: Unenforced, Enforced (forces https), or Audit only (show reminder banner if not HTTPS).
- Click Save changes at the top of the page.
Validation
After saving, return to Posture Management -> Core Hardening and confirm the selected radio option remains set for WordPress & Site Address (URL) must be HTTPS.
If Enforced (forces https) is selected, verify that the WordPress Address URL and Site Address URL are using HTTPS in WordPress and that the site loads correctly over HTTPS after the change.
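The Enforced-mode check above can be scripted. The following is an added example, not part of the plugin: it assumes WP-CLI (wp) and curl are installed, that the WordPress Address URL and Site Address URL are the core siteurl and home options, and that a request to wp-login.php returns at least one cookie; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the plugin). Assumes WP-CLI ("wp") and curl for
# --live; the parsing functions themselves work offline on any strings.

# is_https URL: succeeds only if the scheme is https (case-insensitive).
is_https() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_urls SITEURL HOME: prints a finding per non-HTTPS value and returns
# the number of findings (0 means both values are HTTPS).
audit_urls() {
    findings=0
    is_https "$1" || { echo "siteurl (WordPress Address) is not HTTPS: $1"; findings=$((findings + 1)); }
    is_https "$2" || { echo "home (Site Address) is not HTTPS: $2"; findings=$((findings + 1)); }
    return "$findings"
}

# cookies_without_secure: reads response headers on stdin and prints the name
# of every Set-Cookie that lacks the Secure attribute.
cookies_without_secure() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0; sub(/^[^:]*:[ \t]*/, "", line)
            n = split(line, parts, ";"); secure = 0
            for (i = 2; i <= n; i++) {
                attr = tolower(parts[i]); gsub(/^[ \t]+|[ \t]+$/, "", attr)
                if (attr == "secure") secure = 1
            }
            if (!secure) { split(parts[1], kv, "="); print kv[1] }
        }'
}

case "${1:-}" in
--live)  # read the real option values and the login page's cookies
    siteurl=$(wp option get siteurl) && home=$(wp option get home) || exit 2
    audit_urls "$siteurl" "$home" || exit 1
    curl -s -o /dev/null -D - "$siteurl/wp-login.php" | cookies_without_secure ;;
--demo)  # constructed sample values, runs offline
    audit_urls "http://blog.example.test" "https://blog.example.test"
    printf 'Set-Cookie: a=1; path=/; secure\r\nSet-Cookie: b=1; path=/\r\n' | cookies_without_secure ;;
esac
```

Run with --live from the WordPress install directory; no output and exit status 0 means both URLs are HTTPS and every cookie returned by the login page carries Secure.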
