Connect with us

Hi, what are you looking for?


Network Security

WordPress to Require Hosts to Support HTTPS

In an attempt to provide increased security and privacy for its users, WordPress has announced that upcoming features will require hosts to support HTTPS.

In an attempt to provide increased security and privacy for its users, WordPress has announced that upcoming features will require hosts to support HTTPS.

Starting in early 2017, WordPress will be promoting only hosting partners that provide an SSL (Secure Sockets Layer) certificate by default in their accounts. After that, the popular Content Management System (CMS) will assess the use of SSL across various features and enable those features only if the security technology is available.

The main driver for this move is an industry-wide consensus that an encrypted web would result in higher overall online security for all people. Large Internet players have already announced plans to support the transition to HTTPS, including Google, which has been lobbying for improved online security for several years.

Last year, Google said it would favor HTTPS pages over their HTTP counterparts, and the company started monitoring the use of HTTPS on the world’s top 100 websites in its transparency report this year. WordPress, which has been supporting encryption for sites using subdomains for a couple of years, said in April it would offer free HTTPS for custom domains that it hosts, including blogs and websites.

WordPress partnered with the open certificate authority (CA) Let’s Encrypt to deliver only secured, HTTPS traffic to users. Backed by the Electronic Frontier Foundation (EFF) and various industry leaders, the CA has already proven a driving force for the web-wide adoption of HTTPS.

By requiring that all hosts have HTTPS available, WordPress ensures that both customers and users take advantage of a secure experience. During 2017, the CMS will analyze the impact of SSL on specific features, including API authentication, and will make the use of SSL mandatory for those that will benefit the most from the improved security.

“Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face,” WordPress creator Matt Mullenweg says.

“Modern browsers, and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default,” he also notes.

Advertisement. Scroll to continue reading.

According to Mullenweg, the performance improvements in PHP7 are so impressive that WordPress might consider requiring hosts to use it by default for new accounts starting next year as well. However, no decision on this has been formally announced yet.

Related: Apple Wants All iOS Apps to Use HTTPS by 2017

Related: Pushes Free HTTPS to All Hosted Sites

Related: Encrypted Network Traffic Comes at a Cost

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.