All custom domains hosted on WordPress.com will soon have their sites automatically encrypted for free.
WordPress said late Friday afternoon that more than one million sites will have encryption automatically deployed.
“We are closing the door to unencrypted web traffic at every opportunity,” wrote Barry Abrahamson, chief systems wrangler at Automattic, WordPress’ parent company.
WordPress already supports encryption for sites running on its subdomains. This expansion comes at a pinnacle of concern over the privacy and security of communication online. Many experts have called this a golden age of surveillance, and rapid and frequent rollouts of encryption on the web are keys to keeping transactions and messaging private.
“Strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws,” Abrahamson said.
WordPress’ SSL cert rollout is coming courtesy of the Let’s Encrypt project, a coalition of tech providers, and privacy and legal minds, who developed a mechanism to issue free SSL certificates to any site that wants one. Let’s Encrypt was announced in November 2014, and within 10 months it had issued its first free certificate.
“The lack of free automated certs has been the largest puzzle piece stopping the web from being HTTPS by default,” Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, said at the time. “We are extremely excited that we are finally slotting in that missing piece of puzzle.”
Let’s Encrypt had to hit many milestones to get to where it is today, starting with building the specialized infrastructure, security mechanisms and documentation necessary to become a recognized Certificate Authority. For example, Let’s Encrypt partnered with IdenTrust, which provided the cross-signature it needed to become a CA for browsers and software.
Let’s Encrypt also built a trustworthy authentication mechanism called Boulder. It is supported by a fresh protocol called Automated Certificate Management Environment, or ACME, which enables automated cert requests.
The move also falls in line with a December announcement from Google that it will give more weight to encrypted HTTPS sites in its search rankings.
“Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page,” Google said in its announcement. “When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL.”
“The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains,” Abrahamson said. “We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.”
WordPress site owners, Abrahamson said, should soon see a familiar green lock icon in their browser address bar, indicating that the free encryption rollout is complete. Any HTTP requests will be automatically redirected to HTTPS, and Abrahamson said WordPress will handle SSL certificate management.