WordPress joins movement toward HTTPS encryption

Popular blogging platform WordPress is the latest in a growing number of sites that are enabling website encryption to protect their users.

The popular blogging platform WordPress is about to make its corner of the Internet more secure as it begins to enable encryption by default on 600,000 custom Wordpress.com domains.

The move to embrace HTTPS encryption – the secure form of the Internet protocol HTTP – represents an increasing mainstream embrace of consumer-focused online security. Many major sites, such as Google, Yahoo, Facebook, and Twitter, already have HTTPS enabled, and the US government is working to have HTTPS on its sites by the end of 2016.

But even as some of the biggest companies on the Web are moving toward HTTPS, the majority of Internet sites still don't use HTTPS, which privacy advocates say is especially important when users are submitting sensitive data, such as credit card information or a Social Security Number, to a website.

"It protects our users against various issues," a spokesperson for Automattic, WordPress’s parent company, said in an e-mail. "This includes defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws."

Automattic didn't have a firm date for a complete rollout, but the encryption is currently enabled on about 100,000 of those domains.

Over the past few years, privacy advocates and tech companies have ramped up efforts to expand the use of HTTPS. This past December, the nonprofit Internet Security Research Group (ISRG) launched its service Let’s Encrypt to provide HTTPS encryption to sites for free. It's providing HTTPS encryption to WordPress.

“Who we’re really trying to protect is the people who visit WordPress sites or any other site,” said Josh Aas, ISRG's executive director. "The era of HTTP-only needs to end."

Even though HTTPS is becoming more common, it's still up to individuals to check their URL bar for the HTTPS connection, a task even many experts are unlikely to do for each site they visit.

To help address that issue, tech advocacy nonprofit The Electronic Frontier Foundation provides tools such as the “HTTPS Everywhere” browser extension for consumers. The extension ensures that if someone visits a site with HTTPS, that person connects to the secure version of the site each time. 

Until HTTPS is more widely adopted, tech companies such as Google and Mozilla are working to make a site’s connection security more obvious to Internet users.

Google has a multiphase plan that uses icons in the URL bar to alert users when a site has an encrypted connection, and eventually mark sites that do not as unsafe. Sites won’t be marked until a certain percentage of total Internet traffic is sent over HTTPS. Likewise, Mozilla plans to gradually make new features, such as the geolocation, unavailable to sites that don’t have HTTPS to protect people’s security.

Richard Barnes, head of security for Mozilla’s Firefox browser, tracks the number of domains that newly acquire HTTPS without previously having it. Before Jan. 27 when WordPress acquired HTTPS for the sites, he said, there were about 16.5 million domains total with HTTPS. Paired with other sites that acquired HTTPS that day, the total number of sites with HTTPS jumped 8 percent, which Mr. Barnes said is “significant.” 

WordPress isn’t the only hosting company migrating to a secure connection. DreamHost recently enabled their customers to opt in to HTTPS, as well as hosting company OVH.

 

Editor's note: This story was updated to clarify that custom WordPress.com domains will receive HTTPS encryption.