HTTPS for everyone: WordPress adds encryption for all customer sites

WordPress is, by many accounts, by far the most widely used content management system (CMS) on the internet, with a market share, free and paid, of 60% or more.

A CMS, as the name suggests, is more than just a web hosting platform that lets other people access what you publish.

It organises what you publish, so you can not only add, edit and delete material, but also keep track of who changed what and when, as well as roll back changes that you don’t like.

The security of your CMS therefore affects both you and your readers, so HTTPS (secure HTTP – the padlock in the browser’s address bar) is more than just a nice to have.

Ideally, you’d set things up so that your blog, and the interface through which you edit it, used HTTPS and only HTTPS, so encrypted connections were always used.

After all, encrypting everything, as we’ve argued before, is the easiest way to ensure that there’s nothing important you forgot to encrypt.

In fact, the most valuable part of HTTPS often isn’t the encryption, it’s the authentication: making sure not only that you are communicating privately, but also that you are talking to the right website.

That, in turn, relies on a chain of HTTPS certificates, verified by cryptographic digital signatures provided by one or more CAs, or certificate authorities.

And even though negotiating the “digital paperwork” of acquiring a web site certificate is straightforward once you know how, doing it the first time is a bit like taking the bus in a city you’ve never visited before.

You can easily end up in the wrong place, with no clear idea of what to do next.

WordPress brings HTTPS for free

That’s why we were pleased to see WordPress’s recent announcement that all sites hosted on WordPress.com would now start using HTTPS.

You won’t need to pay a CA for a certificate, or install the certificate yourself, or worry about what happens if the certificate expires, or even to apply for the certificate yourself.

WordPress will take care of that for you, using a project called Let’s Encrypt that tries to remove the hassle (and the per-certificate cost) from using HTTPS:

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

Let’s Encrypt has already issued more than 1,000,000 free certificates.

Source: Sophos.com