HTTPS Everywhere: Encryption for All WordPress.com Sites

HTTPS Everywhere: Encryption for All WordPress.com Sites

Some interesting news from Barry, en.blog.wordpress.com. Image courtesy beatpavel, via bigstockphoto.com


We’re proud to support a more secure web — now for all custom domains on WordPress.com.

Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host.

Best of all, the changes are automatic — you won’t need to do a thing.

As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.

WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.

The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.

For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.

Web encryption provides more than security

Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and un-encrypted web traffic, with encrypted HTTP/2 outperforming un-encrypted HTTP/1.1 in some cases.

Google also announced HTTPS is used as a ranking signal in search results, with HTTPS-enabled sites ranked above their plaintext counterparts.

As a WordPress.com site owner, keep an eye out for this feature on your custom domains. Once your site is HTTPS-enabled, you should see a green lock icon in your browser’s address bar. All plaintext HTTP requests will be automatically redirected to their encrypted counterpart (your URL will begin with https:// instead of http://). We will transparently handle all the complexities of SSL certificate management for you.

We take security seriously, and we’re proud to offer this to WordPress.com users. For more information about encryption, please see our support documentation.