Security Experts:

WordPress to Require Hosts to Support HTTPS

In an attempt to provide increased security and privacy for its users, WordPress has announced that upcoming features will require hosts to support HTTPS.

Starting in early 2017, WordPress will be promoting only hosting partners that provide an SSL (Secure Sockets Layer) certificate by default in their accounts. After that, the popular Content Management System (CMS) will assess the use of SSL across various features and enable those features only if the security technology is available.

The main driver for this move is an industry-wide consensus that an encrypted web would result in higher overall online security for all people. Large Internet players have already announced plans to support the transition to HTTPS, including Google, which has been lobbying for improved online security for several years.

Last year, Google said it would favor HTTPS pages over their HTTP counterparts, and the company started monitoring the use of HTTPS on the world’s top 100 websites in its transparency report this year. WordPress, which has been supporting encryption for sites using subdomains for a couple of years, said in April it would offer free HTTPS for custom domains that it hosts, including blogs and websites.

WordPress partnered with the open certificate authority (CA) Let's Encrypt to deliver only secured, HTTPS traffic to users. Backed by the Electronic Frontier Foundation (EFF) and various industry leaders, the CA has already proven a driving force for the web-wide adoption of HTTPS.

By requiring that all hosts have HTTPS available, WordPress ensures that both customers and users take advantage of a secure experience. During 2017, the CMS will analyze the impact of SSL on specific features, including API authentication, and will make the use of SSL mandatory for those that will benefit the most from the improved security.

“Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face,” WordPress creator Matt Mullenweg says.

“Modern browsers, and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default,” he also notes.

According to Mullenweg, the performance improvements in PHP7 are so impressive that WordPress might consider requiring hosts to use it by default for new accounts starting next year as well. However, no decision on this has been formally announced yet.

Related: Apple Wants All iOS Apps to Use HTTPS by 2017

Related: Pushes Free HTTPS to All Hosted Sites

Related: Encrypted Network Traffic Comes at a Cost

view counter