Sophos Cloud Optix
WordPress is, by many accounts, by far the most widely used content management system (CMS) on the internet, with a market share, free and paid, of 60% or more.
A CMS, as the name suggests, is more than just a web hosting platform that lets other people access what you publish.
It organises what you publish, so you can not only add, edit and delete material, but also keep track of who changed what and when, as well as roll back changes that you don’t like.
The security of your CMS therefore affects both you and your readers, so HTTPS (secure HTTP – the padlock in the browser’s address bar) is more than just a nice to have.
Ideally, you’d set things up so that your blog, and the interface through which you edit it, used HTTPS and only HTTPS, so encrypted connections were always used.
After all, encrypting everything, as we’ve argued before, is the easiest way to ensure that there’s nothing important you forgot to encrypt.
In fact, the most valuable part of HTTPS often isn’t the encryption, it’s the authentication: making sure not only that you are communicating privately, but also that you are talking to the right website.
That, in turn, relies on a chain of HTTPS certificates, verified by cryptographic digital signatures provided by one or more CAs, or certificate authorities.
And even though negotiating the “digital paperwork” of acquiring a web site certificate is straightforward once you know how, doing it the first time is a bit like taking the bus in a city you’ve never visited before.
You can easily end up in the wrong place, with no clear idea of what to do next.
WordPress brings HTTPS for free
That’s why we were pleased to see WordPress’s recent announcement that all sites hosted on WordPress.com would now start using HTTPS.
You won’t need to pay a CA for a certificate, or install the certificate yourself, or worry about what happens if the certificate expires, or even to apply for the certificate yourself.
WordPress will take care of that for you, using a project called Let’s Encrypt that tries to remove the hassle (and the per-certificate cost) from using HTTPS:
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.
No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.
Let’s Encrypt has already issued more than 1,000,000 free certificates.
What’s new
WordPress has used HTTPS since 2014 on all sites with domain that end .wordpress.com.
That’s not too difficult, because anyone who owns a domain such as example.com can issue certificates to cover any subdomains of it, such as thirdlevel.example.com.
In fact, using what’s known as a wildcard certificate, you can cover all subdomains of example.com in one go by vouching for *.example.com. (The * character is what’s known as a wildcard, and stands for any text you like, in the same way that the filename *.EXE means “any EXE file”.)
But lots of WordPress users have brought their own domain names to the WordPress ecosystem, such as nakedsecurity.sophos.com , which is hosted by WordPress.com VIP.
Until Let’s Encrypt came along, issuing specially-named HTTPS certificates in bulk, quickly and automatically, wasn’t easy.
Now, WordPress has bitten the bullet on the giant task for its users, and from now on, all WordPress-hosted sites, whether *.wordpress.com or a custom domain name of your own, will use HTTPS.
Better yet, if one of your readers tries to connect via HTTP, WordPress will automatically redirect them to a more secure HTTPS connection.
Why you should care
- Traffic to and from unencrypted sites can be intercepted, modified or redirected
- Well-informed readers are increasingly suspicious of unencrypted sites
- Search engines like Google are starting to rate pages higher if they use HTTPS
- Encrypt everything and you won’t forget to encrypt something important
Unfortunatly there is not yet support for letsencrypt for people who maintain WordPress sites away from wordpress.com. Quite a few ISP and web site hosting companies do provide a letsencrypt function allowing you to generate a certificate for your own domain, but many do not. What we need is WordPress plugin support for letsencrypt so that we can generate and utilise a letsencrypt certificate from within the admin side of a site based on wordpress. There is a github project: https://github.com/tollmanz/lets-encrypt-wp which is working towards it, but seems quite slow (I am not qualified to help), perhaps there are some out there who could help out?
I guess you need to lean on those hosting providers to help out 🙂
Please read the article before publishing it. That way you can avoid typos like these:
…is more than more than just…
It organises want you publish…
…rate HTTPS sites higher than HTTPS ones…
Thanks!
Thanks. I think. (Most readers aren’t quite so snide about typos, just point them out and let us fix them, but that doesn’t affect that they are mistakes that ought not to have gone live. Due to the time of publishing, I had to proofread my own article. If you’ve ever had to proof your own work you will know how hard that is, because you know how the text is supposed to look.)
…because you’ve never made a mistake in your life, have you, Robert? 😉
How’s this managed?
I can’t see anything on their website to explain… but I guess wordpress.com are an intermediate CA? But if it’s automatic, they can’t be doing checks other than making sure A-records point to them… in which case couldn’t someone with access to DNS repoint it to a fake site hosted at wordpress.com and have a trusted cert handed out to visitors?
Am I missing something?
Phil, you can read about how Let’s Encrypt validates a site here: https://letsencrypt.org/how-it-works/
The short version:
The web server manager or hosting provider (in this case WordPress) installs software to talk to Let’s Encrypt. When a certificate is requested, Let’s Encrypt issues a challenge, such as adding a specific file on the website. Then the CA checks to see whether the challenge is successfully answered (does the file exist? does it have the content expected?), and issues the certificate.