WordPress.com plans to roll out encryption to all the custom domains it hosts at no charge to website owners, as a way of helping combat increasingly frequent attacks on the platform by hackers.
The WordPress platform powers about one-quarter of the 10 million most popular websites, making it a popular target for hackers seeking to plant malicious code that can be spread to other users.
The change means the sites involved will begin using the HTTPS protocol, which encrypts communications between the site and users and can help protect against security issues, WordPress.com said.
“Strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws,” the site said in a statement. “This brings the security and performance of modern encryption to every blog and website we host.”
The company said it’s using SSL certificates from Let’s Encrypt, a certificate authority (CA) run by the Internet Security Research Group (ISRG), a not-for-profit initiative backed by Akamai, Cisco, the Electronic Frontier Foundation, Google, Mozilla, Facebook and other major vendors.
HTTPS has been slow to spread broadly across the web, in part because certificates aren’t free, and take some technical expertise to set up and manage. Let’s Encrypt, which began offering services at the end of last year, aims to remove those barriers by offering free certificates that are set up and managed automatically.
The CA said last month it had issued its millionth certificate, and is currently helping secure about 2.4 million domains. About 40 percent of all websites and 65 percent of transactions are currently protected by HTTPS, according to Mozilla figures cited by the ISRG.
WordPress.com said the change will take effect automatically, and that when HTTPS is enabled site owners will see a green lock icon in the browser’s address bar. All web traffic is to be automatically redirected to a web address beginning with “https://”, with the hosting service promising to handle all SSL certificate management.
“You’ll see secure encryption automatically deployed on every new site within minutes,” WordPress.com stated. “We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.”
WordPress’ developers have faced growing security issues due in part to the platform’s popularity, with attackers, including Islamic State, targeting the platform via unpatched bugs.
WordPress’ developers last year began taking WordPress-powered sites offline if they used an outdated version of an add-on called JetPack that was affected by a serious security bug.
Last year IT security specialists Trend Micro said they had found attackers misusing SSL certificates issued by Let’s Encrypt to redirect traffic to malicious websites that implanted banking malware on victims’ computers.
“Let’s Encrypt was the CA used in this case, but other CAs may be abused by other threat actors to launch similar attacks,” Trend said at the time.