Categories: Security

WordPress.com Rolling Out Free HTTPS Encryption

WordPress.com plans to roll out encryption to all the custom domains it hosts at no charge to website owners, as a way of helping combat increasingly frequent attacks on the platform by hackers.

The WordPress platform powers about one-quarter of the 10 million most popular websites, making it a popular target for hackers seeking to plant malicious code that can be spread to other users.

Free HTTPS rollout

WordPress.com has offered free encryption for sites running on a subdomain of the site, such as example.wordpress.com, since 2014, and said it now plans to begin rolling out the technology to the more than one million custom domains (such as example.com) for which it provides hosting services.

The change means the sites involved will begin using the HTTPS protocol, which encodes communications between the site and users and can help protect against security issues, WordPress.com said.

“Strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws,” the site said in a statement. “This brings the security and performance of modern encryption to every blog and website we host.”

The company said it’s using SSL certificates from Let’s Encrypt, a certificate authority (CA) run by the Internet Security Research Group (ISRG), a not-for-profit initiative backed by Akamai, Cisco, the Electronic Frontier Foundation, Google, Mozilla, Facebook and other major vendors.

Automatic deployment

HTTPS has been slow to spread broadly across the web, in part because certificates aren’t free, and take some technical expertise to set up and manage. Let’s Encrypt, which began offering services at the end of last year, aims to remove those barriers by offering free certificates that are set up and managed automatically.

The CA said last month it had issued its millionth certificate, and is currently helping secure about 2.4 million domains. About 40 percent of all websites and 65 percent of transactions are currently protected by HTTPS, according to Mozilla figures cited by the ISRG.

WordPress.com said the change will take effect automatically, and that when HTTPS is enabled site owners will see a green lock icon in the browser’s address bar. All web traffic is to be automatically redirected to a web address beginning with “https://”, with the hosting service promising to manage all SSL certificate management issues.

“You’ll see secure encryption automatically deployed on every new site within minutes,” WordPress.com stated. “We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.”

WordPress’ developers have faced growing security issues due in part to the platform’s popularity, with attackers including Islamic State attacking the platform via unpatched bugs.

WordPress’ developers last year began taking WordPress-powered sites offline if they used an outdated version of an add-on called JetPack that was affected by a serious security bug.

Last year IT security specialists Trend Micro said they had found attackers misusing SSL certificates issued by Let’s Encrypt to redirect traffic to malicious websites that implanted banking malware on victims’ computers.

“Let’s Encrypt was the CA used in this case, but other CAs may be abused by other threat actors to launch similar attacks,” Trend said at the time.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

21 hours ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

22 hours ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

22 hours ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

23 hours ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

23 hours ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

24 hours ago