Blog

Developers: Stop Using sslverify = false — WordPress has you covered

I listened to a talk recently about using WordPress to communicate with external APIs, which is something we do frequently at SkyVerge. We’ve built over 20 payment gateway integrations for WooCommerce, each of which needs to communicate with the payment processor’s API.

One thing that I noticed in the talk is that setting sslverify = false when using wp_remote_get or wp_remote_post was recommended. This is a fairly common practice and has thus become recommended for developers when integrating with an external API.

The reasoning behind this was that doing the verification could cause issues with servers that are unable to validate the certificate or had improper cURL configurations.

Why Use Verification

When using remote requests, your site needs to connect to the external API you’re communicating with. For many external requests, but especially in the case of communicating about payment details, it’s imperative that the API you’re connecting to is the one you intend to connect to. Verification ensures the security of the information being passed back and forth.

Without asking for verification from the external API you connect to, you open yourself to man-in-the-middle attacks, as the authenticity of who you’re connecting to cannot be verified. This means that sensitive information being sent from your site can be intercepted, and that information returned to your site can be spoofed and be inaccurate or malicious.

While a couple of years ago sslverify = true may have caused more issues than it solved due to validation issues, this is no longer the case. When WordPress 3.7 was released, WordPress began to bundle CA certificates into core to validate them itself, bypassing the need for the external validation requests for known certificates and ensuring that the host configuration did not interfere with verification.

At this time, WordPress began including a copy of the CA Root Certificates file itself, sourced from Mozilla.
Source – Otto Wood

You can view the changes on GitHub here:

This changeset also bundles ca-bundle.crt from the Mozilla project to allow for us to verify SSL certificates on hosts which have an incomplete, outdated, or invalid local SSL configuration.
GitHub.com/WordPress

Stop Setting sslverify = false

Given that WordPress is bundling certificates to validate them itself if the host cannot do so, it’s a security risk to set sslverify = false and not verify the remote host is actually who they say they are. The only time you should do this is while developing locally to avoid validating self-signed certificates.

Our newer or recently updated payment gateway integrations set sslverify = true, and we’re currently in the process of adjusting this in all payment gateway integrations to be released with the WooCommerce 2.4 compatibility release. I’d highly recommend that all developers integrating with external APIs do the same.