From 2c77206777fa76d0b9033af8702183f21e785bd5 Mon Sep 17 00:00:00 2001
From: Sukhendu Sekhar Guria <sukhendu.guria@rtcamp.com>
Date: Fri, 26 Jun 2026 13:51:41 +0530
Subject: [PATCH] Fix multisite signup URLs for SSL

---
 src/wp-includes/ms-functions.php              | 45 ++++++++++-
 src/wp-signup.php                             | 16 ++--
 .../multisite/wpmuValidateBlogSignup.php      | 80 +++++++++++++++++++
 3 files changed, 132 insertions(+), 9 deletions(-)

diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
index f1cbc62fa8ec7..3befd62ad59ca 100644
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -914,6 +914,35 @@ function wpmu_signup_user( $user, $user_email, $meta = array() ) {
 	do_action( 'after_signup_user', $user, $user_email, $key, $meta );
 }
 
+/**
+ * Retrieves the URL for a site signup that has not been activated yet.
+ *
+ * @since x.x.x
+ *
+ * @param string $domain The new site domain.
+ * @param string $path   The new site path.
+ * @return string The signup site URL.
+ */
+function wpmu_get_signup_blog_url( $domain, $path ) {
+	$url = 'http://' . $domain . $path;
+
+	if ( ! is_subdomain_install() ) {
+		$scheme = wp_parse_url( get_home_url( get_network()->site_id ), PHP_URL_SCHEME );
+		$url    = set_url_scheme( $url, $scheme );
+	}
+
+	/**
+	 * Filters the URL for a site signup that has not been activated yet.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param string $url    The signup site URL.
+	 * @param string $domain The new site domain.
+	 * @param string $path   The new site path.
+	 */
+	return apply_filters( 'wpmu_signup_blog_url', $url, $domain, $path );
+}
+
 /**
  * Sends a confirmation request email to a user when they sign up for a new site. The new site will not become active
  * until the confirmation link is clicked.
@@ -966,11 +995,19 @@ function wpmu_signup_blog_notification(
 		return false;
 	}
 
+	$blog_url = wpmu_get_signup_blog_url( $domain, $path );
+
 	// Send email with activation link.
-	if ( ! is_subdomain_install() || get_current_network_id() !== 1 ) {
+	if ( ! is_subdomain_install() ) {
+		$scheme = wp_parse_url( $blog_url, PHP_URL_SCHEME );
+		if ( ! $scheme ) {
+			$scheme = null;
+		}
+		$activate_url = network_site_url( "wp-activate.php?key=$key", $scheme );
+	} elseif ( get_current_network_id() !== 1 ) {
 		$activate_url = network_site_url( "wp-activate.php?key=$key" );
 	} else {
-		$activate_url = "http://{$domain}{$path}wp-activate.php?key=$key"; // @todo Use *_url() API.
+		$activate_url = add_query_arg( 'key', $key, trailingslashit( $blog_url ) . 'wp-activate.php' );
 	}
 
 	$activate_url = esc_url( $activate_url );
@@ -1017,7 +1054,7 @@ function wpmu_signup_blog_notification(
 			$meta
 		),
 		$activate_url,
-		esc_url( "http://{$domain}{$path}" ),
+		esc_url( $blog_url ),
 		$key
 	);
 
@@ -1049,7 +1086,7 @@ function wpmu_signup_blog_notification(
 			$meta
 		),
 		$from_name,
-		esc_url( 'http://' . $domain . $path )
+		esc_url( $blog_url )
 	);
 
 	wp_mail( $user_email, wp_specialchars_decode( $subject ), $message, $message_headers );
diff --git a/src/wp-signup.php b/src/wp-signup.php
index 50ab624bb8ca8..337e479c93954 100644
--- a/src/wp-signup.php
+++ b/src/wp-signup.php
@@ -538,14 +538,14 @@ function confirm_another_blog_signup( $domain, $path, $blog_title, $user_name, $
 		$login_url = wp_login_url();
 		restore_current_blog();
 	} else {
-		$home_url  = 'http://' . $domain . $path;
-		$login_url = 'http://' . $domain . $path . 'wp-login.php';
+		$home_url  = wpmu_get_signup_blog_url( $domain, $path );
+		$login_url = trailingslashit( $home_url ) . 'wp-login.php';
 	}
 
 	$site = sprintf(
 		'<a href="%1$s">%2$s</a>',
 		esc_url( $home_url ),
-		$blog_title
+		esc_html( $blog_title )
 	);
 
 	?>
@@ -861,11 +861,17 @@ function validate_blog_signup() {
  * @param array  $meta       Any additional meta from the {@see 'add_signup_meta'} filter in validate_blog_signup().
  */
 function confirm_blog_signup( $domain, $path, $blog_title, $user_name = '', $user_email = '', $meta = array() ) {
+	$blog_url = wpmu_get_signup_blog_url( $domain, $path );
+	$site     = sprintf(
+		'<a href="%1$s">%2$s</a>',
+		esc_url( $blog_url ),
+		esc_html( $blog_title )
+	);
 	?>
 	<h2>
 	<?php
-	/* translators: %s: Site address. */
-	printf( __( 'Congratulations! Your new site, %s, is almost ready.' ), "<a href='http://{$domain}{$path}'>{$blog_title}</a>" )
+	/* translators: %s: Link to the new site. */
+	printf( __( 'Congratulations! Your new site, %s, is almost ready.' ), $site )
 	?>
 	</h2>
 
diff --git a/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php b/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
index 4a29026edeb11..c46596f947273 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
@@ -18,6 +18,8 @@ class Tests_Multisite_wpmuValidateBlogSignup extends WP_UnitTestCase {
 
 	protected $minimum_site_name_length = 4;
 
+	private $original_home = null;
+
 	public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
 		self::$super_admin_id = $factory->user->create();
 		grant_super_admin( self::$super_admin_id );
@@ -52,6 +54,17 @@ public static function wpTearDownAfterClass() {
 		wp_delete_site( self::$existing_blog_id );
 	}
 
+	public function tear_down() {
+		if ( null !== $this->original_home ) {
+			update_blog_option( get_network()->site_id, 'home', $this->original_home );
+			$this->original_home = null;
+		}
+
+		remove_filter( 'wpmu_signup_blog_url', array( $this, 'filter_signup_blog_url' ) );
+
+		parent::tear_down();
+	}
+
 	/**
 	 * @dataProvider data_validate_blogname
 	 */
@@ -158,4 +171,71 @@ public function test_signup_nonce_check_invalid() {
 
 		$this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
 	}
+
+	/**
+	 * @ticket 31076
+	 * @covers ::wpmu_get_signup_blog_url
+	 */
+	public function test_uses_main_site_scheme_for_subdirectory_installs() {
+		if ( is_subdomain_install() ) {
+			$this->markTestSkipped( 'This test applies to subdirectory installs only.' );
+		}
+
+		$network             = get_network();
+		$this->original_home = get_blog_option( $network->site_id, 'home' );
+
+		update_blog_option( $network->site_id, 'home', set_url_scheme( $this->original_home, 'https' ) );
+
+		$this->assertSame(
+			'https://' . $network->domain . $network->path . 'newsite/',
+			wpmu_get_signup_blog_url( $network->domain, $network->path . 'newsite/' )
+		);
+	}
+
+	/**
+	 * @ticket 31076
+	 * @covers ::wpmu_get_signup_blog_url
+	 */
+	public function test_defaults_to_http_for_subdomain_installs() {
+		if ( ! is_subdomain_install() ) {
+			$this->markTestSkipped( 'This test applies to subdomain installs only.' );
+		}
+
+		$this->assertSame(
+			'http://newsite.example.org/',
+			wpmu_get_signup_blog_url( 'newsite.example.org', '/' )
+		);
+	}
+
+
+	/**
+	 * @ticket 31076
+	 * @covers ::wpmu_signup_blog_notification
+	 */
+	public function test_signup_blog_notification_uses_signup_blog_url() {
+		reset_phpmailer_instance();
+		add_filter( 'wpmu_signup_blog_url', array( $this, 'filter_signup_blog_url' ) );
+
+		wpmu_signup_blog_notification(
+			'newsite.example.org',
+			'/',
+			'New Site',
+			'newuser',
+			'newuser@example.org',
+			'activation-key'
+		);
+
+		$mailer = tests_retrieve_phpmailer_instance();
+		$email  = $mailer->get_sent();
+
+		$this->assertStringContainsString( 'wp-activate.php?key=activation-key', $email->body );
+		$this->assertStringContainsString( 'https://newsite.example.org/', $email->body );
+		$this->assertStringContainsString( 'https://newsite.example.org/', $email->subject );
+
+		reset_phpmailer_instance();
+	}
+
+	public function filter_signup_blog_url( $url ) {
+		return set_url_scheme( $url, 'https' );
+	}
 }