Developers often have an instant urge to set sslverify => false when performing an API request or connecting to external services. This is not unique to WordPress, but let’s discuss it in the WordPress context.
WordPress has a wp_remote_post() function to perform an HTTP request using the POST method. If you check the examples in the documentation, you can see that many of them use sslverify => false, and yet many have upvotes 😮. Here is an example of using the sslverify param:

    // $body holds the request payload.
    wp_remote_post(
        'https://api.example.com',
        [
            'body'      => $body,
            'timeout'   => 15,
            // Turns off TLS certificate verification (the practice discussed in this post).
            'sslverify' => false,
        ]
    );

Let’s talk about SSL Verification, and why developers tend to disable it.
Why do developers tend to disable SSL Verification?
For simplicity. Developers usually use local development servers with misconfigured certificates, which results in an error if SSL verification isn’t disabled. Many premium plugin/theme developers disable SSL verification so that their customers won’t run into issues and get in touch with them because of the customer’s misconfigured server.
There are also lots of reasons why SSL verification can fail. The plugin/theme developers don’t want to troubleshoot the issues of their customers’ misconfigured servers.
A long time ago in WordPress, sslverify => true tended to cause issues even when there was nothing wrong with the server. This was because the PHP installation had not been updated with the latest copy of the CA Root Certificates. However, this is no longer the case with modern web hosts, and WordPress itself began including a copy of the CA Root Certificates file, sourced from Mozilla.
Any modern server running SSL with a certificate signed by one of the known CAs will be verified properly.
Ref: https://wordpress.stackexchange.com/a/167947
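An added example (not from the original post or from WordPress itself) of handling the local-development case described above without turning verification off: the request keeps sslverify => true and, only on a local environment, points the sslcertificates argument at a development CA bundle. It also logs any request where other code has set sslverify to false. The function name example_api_post() and the constant EXAMPLE_DEV_CA_BUNDLE are hypothetical, and the code assumes it is loaded as a plugin or mu-plugin.

```php
<?php
// Added example. example_api_post() and EXAMPLE_DEV_CA_BUNDLE are hypothetical names.
// EXAMPLE_DEV_CA_BUNDLE would be defined in wp-config.php on a developer machine and
// hold the path to a PEM file containing the private CA that signed the dev certificate.

function example_api_post( $url, array $body ) {
	$args = [
		'body'      => $body,
		'timeout'   => 15,
		'sslverify' => true, // WordPress default, stated explicitly.
	];

	// On a local environment only, verify against the developer's own CA bundle
	// instead of the bundle WordPress ships. Verification itself stays on.
	if ( 'local' === wp_get_environment_type()
		&& defined( 'EXAMPLE_DEV_CA_BUNDLE' )
		&& is_readable( EXAMPLE_DEV_CA_BUNDLE ) ) {
		$args['sslcertificates'] = EXAMPLE_DEV_CA_BUNDLE;
	}

	$response = wp_remote_post( $url, $args );

	if ( is_wp_error( $response ) ) {
		// A certificate failure surfaces here; log it instead of retrying insecurely.
		error_log( 'example_api_post failed: ' . $response->get_error_message() );
	}

	return $response;
}

// Audit hook: record every outgoing request for which a plugin or theme has
// disabled certificate verification. Only the host is logged, not the full URL.
add_filter(
	'http_request_args',
	function ( $args, $url ) {
		if ( isset( $args['sslverify'] ) && false === $args['sslverify'] ) {
			$host = wp_parse_url( $url, PHP_URL_HOST );
			error_log( 'sslverify disabled for request to ' . ( $host ? $host : 'unknown host' ) );
		}
		return $args;
	},
	PHP_INT_MAX,
	2
);
```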