Secure Blogging

Ever since I started working on Automattic and full-time I’ve found myself working at places like cafes and various other places with wireless internet connections around town. It’s nice because they make far better hot chocolate than I do. I’ve also been lucky enough to find myself at some great conferences around the world, for example I’m heading to SxSW Interacive next week. Any conference worth its salt these days provides free wifi.

This is great, but the internet can be a dangerous place. What most people don’t realize is that almost everything they do on the internet, with the exception of things like e-commerce, is transmitted in clear text. This means the data could be readable to anyone who listened. People use things like “packet sniffers” that let them observe and log traffic on a local network, for example that free wifi connection you and 50 of your closest trusted friends are on.

There are ways around this using things like VPN or SSH tunnels, but mostly they’re beyond the reach of us mere mortals to use. I know personally if I’m a techy conference I’m less likely to post to my blog because someone could just “sniff” my password and traffic and cause all sorts of travel.

We’ve made it so you never have to worry about this on You’re safe blogging here now.

Using the same technology that online stores like and your bank do, we’re now securing all the important bits of your blog using SSL. What this means is that when you’re logging in or posting to, all of your traffic will be encrypted so anyone “sniffing” it will just see a bunch of gibberish. This is free and immediately available for all our users.

On a technical level, what we’ve done is restricted your login cookies to be SSL-only, which means they will never be transmitted in the clear, and we’re encrypting the cookies sent in the clear to make it difficult for anyone to impersonate your login.

There are still one or two kinks we’re working out, particularly for this main blog, but at worst you may see a security warning about the SSL certificate. If you have any problems please let us know using the feedback form.

Also, because we love you so much, we’ve made the code we’re using to do this available as a WordPress plugin. All you need is a SSL certificate and WordPress 2.1-alpha.

Anyway, now when you go to conferences or that sketchy coffee house blog without fear.

Missing out on the latest developments? Enter your email below to receive future announcements direct to your inbox. An email confirmation will be sent before you will start receiving notifications - please check your spam folder if you don't receive this.

Join 62,077,822 other followers


Comments are closed.

  1. Michael

    Yes! I’ve been waiting for this! I noticed that you guys did something strange before to scramble the login information but now with SSL, decryption is near impossible.

    Thanks again!


  2. litium

    wow! this is great! nice job!


  3. camdenlady

    umm…but now I seem to have to log in every time, rather than it retaining a cookie. also, there’s a prompt about secure and insecure objects on the page which is a bit annoying.
    I guess these are just kinks, and its good to see this improvement.


  4. Atholas

    A desire fulfilled indeed! As I access from various public places also, I get a lil’ nervous at times… so this is great!

    Thanks and praise to the Matt and the WP team 😀


  5. T.E.E.N.

    WordPress is the best. Keep up the good work guys.


  6. russellreno

    I noticed two days ago I have to log in each day.

    I like WordPress better each day.



  7. greenlightsabers

    Wow, appreciate the work you’re doing here. Cheers! 😀


  8. camdenlady

    it’s not just every day. I’ve been onto my wordpress a couple of times today, and have to log on each time. Just now, it let me in, showed my toolbar, but when I went to my blog stats, it forced me to sign on again. Definitely not quite right yet.


  9. Abhijit Nadgouda

    Good and useful.


  10. reyhan

    Thanks a lot 🙂


  11. Matt

    While we were rolling it out you may have had to login a few extra times. Now it should be stable, again if you have any probs report them using feedback. 🙂


  12. madtypist

    Thank you so much. This is a great feature. Keep up the good work! I can’t say how much I appreciate being able to use WordPress.


  13. mpro

    Thank you. This is a great addition. You guys do an excellent job!


  14. achristian

    Cool. I noticed that I can view wordpress on my XDA 2 mini (Pocket PC) with no layout hassles at all. Well done! I haven’t tried to blog through it yet though. I hope it holds up – but given that you use it yourself, I am sure you’ve got the design right.


  15. swartzonmedia

    Nice, being safe online is huge in my book. At least now I know that there is one thing online that I can use free of mind.


  16. P. A. Monteiro

    You guys just rock. Danke, not just for this feature but for the tags, the widgets…


  17. Alejandro

    Very good idea. Now I know why I don’t use my server for my blog 😛


  18. Livia

    This is FAB! Thanks guys


  19. sherpa

    Fantastic. Wordress never seems to fail me. hooray!


  20. silkenhut

    oh so this is why i need to log in everytime.. hehe I thought there was something, but its a nice feature 😀


  21. linux

    nice one … once again!


  22. xSxCx

    awesome! another great reason to stop using blogger…


  23. Absynthe

    I was so wishing for this…



  24. Pingback: Photo Matt » SxSW WordPress Meetup
  25. continium

    Awesome. Sending vital information through SSL will definetely make me feel safer.


  26. Dasher

    Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (interesting since the blog has only been up and running since 2006).

    I find myself getting messages from IE saying that the pages contain secure and non-secure elements (mixed mode) and an invalid name on the SSL certificate when visiting and logging in. The SSL cert * won’t be valid for – because there is no child domain.

    XMLRPC calls (if you’re using a desktop blogging client) aren’t encrypted using SSL – and as many of them reget the categories, posts, etc – each time they startup your userID and password are sent down the line.

    Finally – pingbacks/trackbacks don’t appear to function any more…


  27. Pingback: Digital Tehlorlist » Blog Archive » Take Two
  28. Ryan B

    Is there a way to disable it? I have seen a few that don’t have it.


  29. Dasher's Corner

    Secure Admin Problems at WordPress

    Humm.  With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (this blog ha…


  30. lrobison

    I would be curious to know how you managed to use SSL for different subdomains all on one server – assuming uses apache (I can’t see it using IIS) I was under the impression from the apache docs that SSL cannot be used with name-based virtual domains (see )


  31. Matt

    You can have a wildcard SSL cert, so we have one for *


  32. Pingback: Digital Tehlorlist » Wordpress 2.1-alpha Report
  33. lrobison

    Matt: it was not the SSL cert that gave me problems, it was the name based virtual domains. by the way – my browser warns me about the cert when posting here (…) because there is no leading dot to match. It works fine every other place though.


  34. Pingback: JAWW » Significant Speed Improvement
  35. The Atholas Journal

    Why I appreciate so much

    I haven't been updating this blog for a while, mainly because recently I've been looking around the net for free hosts that'd allow me to host my own wordpress installation. The reason being there are quite a lot of restrictions on the blog…


  36. Pingback: the art of backtracking « wordpress™ wank
  37. Sathya

    Does this still hold true !!!


  38. haristv

    regarding the plugin,

    I had trouble making it work, and ended up finding there was a problem in the code.

    I’ve patched it and made it available here:



  39. Pingback: » WordPress SSL Plugin Secure-Admin patched and working!
  40. secureemail

    Why dont you use PGP secured forms. You can encrypt form data with JavaScript and then send it to the server. No need to have SSL or any secure tunnel.

    Check out this example


  41. Pingback: aka ? « An Cuasán
  42. Pingback: life by way of media › Securing Our Blogging
  43. Pingback: Planet Trent » Securing Our Blogging

Create your new blog or website for free

Get Started

%d bloggers like this: