Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

WordPress to Require Hosts to Support HTTPS

In an attempt to provide increased security and privacy for its users, WordPress has announced that upcoming features will require hosts to support HTTPS.

In an attempt to provide increased security and privacy for its users, WordPress has announced that upcoming features will require hosts to support HTTPS.

Starting in early 2017, WordPress will be promoting only hosting partners that provide an SSL (Secure Sockets Layer) certificate by default in their accounts. After that, the popular Content Management System (CMS) will assess the use of SSL across various features and enable those features only if the security technology is available.

The main driver for this move is an industry-wide consensus that an encrypted web would result in higher overall online security for all people. Large Internet players have already announced plans to support the transition to HTTPS, including Google, which has been lobbying for improved online security for several years.

Last year, Google said it would favor HTTPS pages over their HTTP counterparts, and the company started monitoring the use of HTTPS on the world’s top 100 websites in its transparency report this year. WordPress, which has been supporting encryption for sites using WordPress.com subdomains for a couple of years, said in April it would offer free HTTPS for custom domains that it hosts, including blogs and websites.

WordPress partnered with the open certificate authority (CA) Let’s Encrypt to deliver only secured, HTTPS traffic to users. Backed by the Electronic Frontier Foundation (EFF) and various industry leaders, the CA has already proven a driving force for the web-wide adoption of HTTPS.

By requiring that all hosts have HTTPS available, WordPress ensures that both customers and users take advantage of a secure experience. During 2017, the CMS will analyze the impact of SSL on specific features, including API authentication, and will make the use of SSL mandatory for those that will benefit the most from the improved security.

“Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face,” WordPress creator Matt Mullenweg says.

“Modern browsers, and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default,” he also notes.

According to Mullenweg, the performance improvements in PHP7 are so impressive that WordPress might consider requiring hosts to use it by default for new accounts starting next year as well. However, no decision on this has been formally announced yet.

Related: Apple Wants All iOS Apps to Use HTTPS by 2017

Related: WordPress.com Pushes Free HTTPS to All Hosted Sites

Related: Encrypted Network Traffic Comes at a Cost

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...