WordPress.com has announced free HTTPS for all custom domains that it hosts, including blogs and websites.
The switch to the new security enhancement is automatic, meaning that blog and site owners will immediately benefit from encryption. Furthermore, all new sites will benefit from encryption automatically within minutes, thus ensuring that users are provided only with secured, HTTPS traffic.
To provide customers and users with the new feature, WordPress has partnered with the Let’s Encrypt project, which delivered the efficient and automated method of providing SSL certificates to a large number of domains. The certificate issuance process was kicked off in January, and has now been expanded to the entire list of domains.
The open certificate authority (CA) Let's Encrypt issued its first live digital certificate in September 2015 and entered public beta in December. Backed by the Electronic Frontier Foundation (EFF) and various industry leaders, the CA managed to issue more than one million free certificates in the first three months after going public, all while still in beta.
WordPress has been supporting encryption for sites using WordPress.com subdomains for the past two years, but has finally decided to push it to custom domains too. The decision was fueled by the latest industry trend toward supporting the HTTPS protocol, WordPress explains.
After announcing in 2014 that it would use HTTPS in search engine rankings, Google revealed in December last year that it would favor HTTPS pages over their HTTP counterparts. Last month, the Internet giant said it is now monitoring the use of HTTPS on the world’s top 100 websites in its transparency report.
As soon as WordPress.com custom domains start taking advantage of encryption, a green lock icon will appear in the browser’s address bar, indicating that the feature is active. WordPress also notes that uses the same Common Name, tls.automattic.com, for all certificates, it stores the unique domain names in the SubjectAltName attribute, and it 301 redirects all insecure HTTP requests to the secure HTTPS version.
“All plaintext HTTP requests will be automatically redirected to their encrypted counterpart (your URL will begin with https:// instead of http://). We will transparently handle all the complexities of SSL certificate management for you,” WordPress says.
WordPress is one of the most popular content management system (CMS) out there, but also the most targeted by different types of web attacks. This year alone, we saw WordPress sites used to launch Layer 7 DDoS attacks, and witnessed crooks stealing admin credentials via the Custom Content Type Manager (CCTM) plugin for WordPress.