WordPress.com plans to roll out encryption to all the custom domains it hosts at no charge to website owners, as a way of helping combat increasingly frequent attacks on the platform by hackers.
The WordPress platform powers about one-quarter of the 10 million most popular websites, making it a popular target for hackers seeking to plant malicious code that can be spread to other users.
The change means the sites involved will begin using the HTTPS protocol, which encrypts communications between the site and users and can help protect against security issues, WordPress.com said.
“Strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws,” the site said in a statement. “This brings the security and performance of modern encryption to every blog and website we host.”
The company said it’s using SSL certificates from Let’s Encrypt, a certificate authority (CA) run by the Internet Security Research Group (ISRG), a not-for-profit initiative backed by Akamai, Cisco, the Electronic Frontier Foundation, Google, Mozilla, Facebook and other major vendors.
HTTPS has been slow to spread broadly across the web, in part because certificates aren’t free, and take some technical expertise to set up and manage. Let’s Encrypt, which began offering services at the end of last year, aims to remove those barriers by offering free certificates that are set up and managed automatically.
The CA said last month it had issued its millionth certificate, and is currently helping secure about 2.4 million domains. About 40 percent of all websites and 65 percent of transactions are currently protected by HTTPS, according to Mozilla figures cited by the ISRG.
WordPress.com said the change will take effect automatically, and that when HTTPS is enabled site owners will see a green lock icon in the browser’s address bar. All web traffic is to be automatically redirected to a web address beginning with “https://”, with the hosting service promising to handle all SSL certificate management.
“You’ll see secure encryption automatically deployed on every new site within minutes,” WordPress.com stated. “We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.”
WordPress’ developers have faced growing security issues due in part to the platform’s popularity, with attackers, including Islamic State, targeting the platform via unpatched bugs.
WordPress’ developers last year began taking WordPress-powered sites offline if they used an outdated version of an add-on called Jetpack that was affected by a serious security bug.
Last year IT security specialists Trend Micro said they had found attackers misusing SSL certificates issued by Let’s Encrypt to redirect traffic to malicious websites that implanted banking malware on victims’ computers.
“Let’s Encrypt was the CA used in this case, but other CAs may be abused by other threat actors to launch similar attacks,” Trend said at the time.