Secure Blogging

Ever since I started working at Automattic and WordPress.com full-time I’ve found myself working in cafes and other places around town with wireless internet connections. It’s nice because they make far better hot chocolate than I do. I’ve also been lucky enough to find myself at some great conferences around the world; for example, I’m heading to SxSW Interactive next week. Any conference worth its salt these days provides free wifi.

This is great, but the internet can be a dangerous place. What most people don’t realize is that almost everything they do on the internet, with the exception of things like e-commerce, is transmitted in clear text. This means the data is readable by anyone who is listening. People use tools called “packet sniffers” that let them observe and log traffic on a local network, for example that free wifi connection you and 50 of your closest trusted friends are on.

There are ways around this using things like VPNs or SSH tunnels, but mostly they’re beyond the reach of us mere mortals. I know personally that if I’m at a techy conference I’m less likely to post to my blog, because someone could just “sniff” my password and traffic and cause all sorts of trouble.

We’ve made it so you never have to worry about this on WordPress.com. You’re safe blogging here now.

Using the same technology that online stores like Amazon.com and your bank do, we’re now securing all the important bits of your blog using SSL. What this means is that when you’re logging in or posting to WordPress.com, all of your traffic will be encrypted so anyone “sniffing” it will just see a bunch of gibberish. This is free and immediately available for all our users.

On a technical level, what we’ve done is mark your login cookies as SSL-only, which means the browser will never transmit them over an unencrypted connection, and we’re encrypting the cookies that are still sent in the clear so that they can’t easily be used to impersonate your login.
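As an added illustration (not code from this post or from the WordPress.com plugin), the following Python check shows the behaviour described above: it parses Set-Cookie headers, lists which cookies a browser would attach to a request over http versus https, and flags any login cookie that lacks the SSL-only (Secure) attribute. The header lines, cookie names and the `wordpress` prefix are constructed for the example.

```python
# Added example: audit Set-Cookie headers for cookies that would travel in clear text.
# Cookie names, values and the headers below are constructed for illustration.

SAMPLE_HEADERS = [
    "Set-Cookie: wordpress_login=deadbeef; Path=/wp-admin; Secure; HttpOnly",
    "Set-Cookie: wordpress_display=ENCRYPTED_BLOB; Path=/",
    "Set-Cookie: tracking=xyz; Path=/",
    "Content-Type: text/html",
]

# Prefixes of cookies that carry login state (assumed for this example).
LOGIN_COOKIE_PREFIXES = ("wordpress",)

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, attrs); flags map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def set_cookies(headers):
    """Yield (name, attrs) for every Set-Cookie header in a response."""
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            yield name, attrs

def cookies_sent(headers, scheme):
    """Cookie names a browser would attach to a later request over http or https."""
    # A Secure cookie is withheld from plain-http requests, so it can't be sniffed there.
    return [name for name, attrs in set_cookies(headers)
            if scheme == "https" or attrs.get("secure") is not True]

def audit_login_cookies(headers, prefixes=LOGIN_COOKIE_PREFIXES):
    """Report each login cookie as 'ssl-only' or 'sent-in-clear'."""
    report = []
    for name, attrs in set_cookies(headers):
        if name.lower().startswith(prefixes):
            verdict = "ssl-only" if attrs.get("secure") is True else "sent-in-clear"
            report.append((name, verdict))
    return report

if __name__ == "__main__":
    print("over http:", cookies_sent(SAMPLE_HEADERS, "http"))
    print("over https:", cookies_sent(SAMPLE_HEADERS, "https"), audit_login_cookies(SAMPLE_HEADERS))
```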

There are still one or two kinks we’re working out, particularly for this main blog, but at worst you may see a security warning about the SSL certificate. If you have any problems please let us know using the feedback form.

Also, because we love you so much, we’ve made the code we’re using to do this available as a WordPress plugin. All you need is an SSL certificate and WordPress 2.1-alpha.

Anyway, now when you go to conferences or that sketchy coffee house, you can blog without fear.


Matt

43 Comments

  1. Michael

    Yes! I’ve been waiting for this! I noticed that you guys did something strange before to scramble the login information but now with SSL, decryption is near impossible.

    Thanks again!

  2. litium

    wow! this is great! nice job!

  3. camdenlady

umm…but now I seem to have to log in every time, rather than it retaining a cookie. Also, there’s a prompt about secure and insecure objects on the page which is a bit annoying.
    I guess these are just kinks, and it’s good to see this improvement.

  4. Atholas

    A desire fulfilled indeed! As I access WP.com from various public places also, I get a lil’ nervous at times… so this is great!

    Thanks and praise to the Matt and the WP team :-D

  5. T.E.E.N.

    WordPress is the best. Keep up the good work guys.

  6. russellreno

    I noticed two days ago I have to log in each day.

    I like WordPress better each day.

    Thanks

  7. greenlightsabers

    Wow, appreciate the work you’re doing here. Cheers! :D

  8. camdenlady

    it’s not just every day. I’ve been onto my wordpress a couple of times today, and have to log on each time. Just now, it let me in, showed my toolbar, but when I went to my blog stats, it forced me to sign on again. Definitely not quite right yet.

  9. Abhijit Nadgouda

    Good and useful.

  10. reyhan

    Thanks a lot :)

  11. Matt

    While we were rolling it out you may have had to login a few extra times. Now it should be stable, again if you have any probs report them using feedback. :)

  12. madtypist

    Thank you so much. This is a great feature. Keep up the good work! I can’t say how much I appreciate being able to use WordPress.

  13. mpro

    Thank you. This is a great addition. You guys do an excellent job!

  14. achristian

    Cool. I noticed that I can view wordpress on my XDA 2 mini (Pocket PC) with no layout hassles at all. Well done! I haven’t tried to blog through it yet though. I hope it holds up – but given that you use it yourself, I am sure you’ve got the design right.

  15. swartzonmedia

    Nice, being safe online is huge in my book. At least now I know that there is one thing online that I can use free of mind.

  16. P. A. Monteiro

    You guys just rock. Danke, not just for this feature but for the tags, the widgets…

  17. Alejandro

    Very good idea. Now I know why I don’t use my server for my blog :P

  18. Livia

    This is FAB! Thanks guys

  19. sherpa

Fantastic. WordPress never seems to fail me. Hooray!

  20. silkenhut

oh so this is why I need to log in every time.. hehe I thought there was something, but it’s a nice feature :D

  21. linux

    nice one … once again!

  22. xSxCx

    awesome! another great reason to stop using blogger…

  23. Absynthe

    I was so wishing for this…

    Thanks.

  24. Pingback: Photo Matt » SxSW WordPress Meetup
  25. continium

Awesome. Sending vital information through SSL will definitely make me feel safer.

  26. Dasher

    Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (interesting since the blog has only been up and running since 2006).

    I find myself getting messages from IE saying that the pages contain secure and non-secure elements (mixed mode) and an invalid name on the SSL certificate when visiting http://wordpress.com/blog/2006/03/08/secure-blogging/ and logging in. The SSL cert *.wordpress.com won’t be valid for WordPress.com – because there is no child domain.

    XMLRPC calls (if you’re using a desktop blogging client) aren’t encrypted using SSL – and as many of them reget the categories, posts, etc – each time they startup your userID and password are sent down the line.

    Finally – pingbacks/trackbacks don’t appear to function any more…

  27. Pingback: Digital Tehlorlist » Blog Archive » Take Two
  28. Ryan B

    Is there a way to disable it? I have seen a few that don’t have it.

  29. Dasher's Corner

    Secure Admin Problems at WordPress

Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (this blog ha…

  30. lrobison

    I would be curious to know how you managed to use SSL for different subdomains all on one server – assuming wordpress.com uses apache (I can’t see it using IIS) I was under the impression from the apache docs that SSL cannot be used with name-based virtual domains (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts )

  31. Matt

    You can have a wildcard SSL cert, so we have one for *.wordpress.com.

  32. Pingback: Digital Tehlorlist » Wordpress 2.1-alpha Report
  33. lrobison

Matt: it was not the SSL cert that gave me problems, it was the name-based virtual domains. By the way – my browser warns me about the cert when posting here (http://wordpress.com/blog/…) because there is no leading dot to match. It works fine every other place though.

  34. Pingback: JAWW » WordPress.com Significant Speed Improvement
  35. The Atholas Journal

    Why I appreciate WordPress.com so much

    I haven't been updating this blog for a while, mainly because recently I've been looking around the net for free hosts that'd allow me to host my own wordpress installation. The reason being there are quite a lot of restrictions on the blog…

  36. Pingback: the art of backtracking « wordpress™ wank
  37. Sathya

Does this still hold true!!!

  38. haristv

    regarding the plugin,

    I had trouble making it work, and ended up finding there was a problem in the code.

    I’ve patched it and made it available here:

    http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working

    Haris

  39. Pingback: Haris.tv » WordPress SSL Plugin Secure-Admin patched and working!
  40. secureemail

Why don’t you use PGP-secured forms? You can encrypt form data with JavaScript and then send it to the server. No need to have SSL or any secure tunnel.

    Check out this example

    http://www.anonymousspeech.com/how_to_secure_email_form.aspx

  41. Pingback: Wordpress.com aka InsecurePress.com ? « An Cuasán
  42. Pingback: life by way of media › Securing Our Blogging
  43. Pingback: Planet Trent » Securing Our Blogging