HTTPS for everyone: WordPress adds encryption for all customer sites

WordPress is, by many accounts, by far the most widely used content management system (CMS) on the internet, with a market share, free and paid, of 60% or more.

A CMS, as the name suggests, is more than just a web hosting platform that lets other people access what you publish.

It organises what you publish, so you can not only add, edit and delete material, but also keep track of who changed what and when, as well as roll back changes that you don’t like.

The security of your CMS therefore affects both you and your readers, so HTTPS (secure HTTP – the padlock in the browser’s address bar) is more than just a nice to have.

Ideally, you’d set things up so that your blog, and the interface through which you edit it, used HTTPS and only HTTPS, so encrypted connections were always used.

After all, encrypting everything, as we’ve argued before, is the easiest way to ensure that there’s nothing important you forgot to encrypt.

In fact, the most valuable part of HTTPS often isn’t the encryption, it’s the authentication: making sure not only that you are communicating privately, but also that you are talking to the right website.

That, in turn, relies on a chain of HTTPS certificates, verified by cryptographic digital signatures provided by one or more CAs, or certificate authorities.

And even though negotiating the “digital paperwork” of acquiring a web site certificate is straightforward once you know how, doing it the first time is a bit like taking the bus in a city you’ve never visited before.

You can easily end up in the wrong place, with no clear idea of what to do next.

WordPress brings HTTPS for free

That’s why we were pleased to see WordPress’s recent announcement that all sites hosted on would now start using HTTPS.

You won’t need to pay a CA for a certificate, or install the certificate yourself, or worry about what happens if the certificate expires, or even to apply for the certificate yourself.

WordPress will take care of that for you, using a project called Let’s Encrypt that tries to remove the hassle (and the per-certificate cost) from using HTTPS:

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

Let’s Encrypt has already issued more than 1,000,000 free certificates.

What’s new

WordPress has used HTTPS since 2014 on all sites with domain that end

That’s not too difficult, because anyone who owns a domain such as can issue certificates to cover any subdomains of it, such as

In fact, using what’s known as a wildcard certificate, you can cover all subdomains of in one go by vouching for * (The * character is what’s known as a wildcard, and stands for any text you like, in the same way that the filename *.EXE means “any EXE file”.)

But lots of WordPress users have brought their own domain names to the WordPress ecosystem, such as , which is hosted by VIP.

Until Let’s Encrypt came along, issuing specially-named HTTPS certificates in bulk, quickly and automatically, wasn’t easy.

Now, WordPress has bitten the bullet on the giant task for its users, and from now on, all WordPress-hosted sites, whether * or a custom domain name of your own, will use HTTPS.

Better yet, if one of your readers tries to connect via HTTP, WordPress will automatically redirect them to a more secure HTTPS connection.

Why you should care

  • Traffic to and from unencrypted sites can be intercepted, modified or redirected
  • Well-informed readers are increasingly suspicious of unencrypted sites
  • Search engines like Google are starting to rate pages higher if they use HTTPS
  • Encrypt everything and you won’t forget to encrypt something important