Secure Blogging
Ever since I started working on Automattic and WordPress.com full-time I’ve found myself working at places like cafes and various other places with wireless internet connections around town. It’s nice because they make far better hot chocolate than I do. I’ve also been lucky enough to find myself at some great conferences around the world, for example I’m heading to SxSW Interacive next week. Any conference worth its salt these days provides free wifi.
This is great, but the internet can be a dangerous place. What most people don’t realize is that almost everything they do on the internet, with the exception of things like e-commerce, is transmitted in clear text. This means the data could be readable to anyone who listened. People use things like “packet sniffers” that let them observe and log traffic on a local network, for example that free wifi connection you and 50 of your closest trusted friends are on.
There are ways around this using things like VPN or SSH tunnels, but mostly they’re beyond the reach of us mere mortals to use. I know personally if I’m a techy conference I’m less likely to post to my blog because someone could just “sniff” my password and traffic and cause all sorts of travel.
We’ve made it so you never have to worry about this on WordPress.com. You’re safe blogging here now.
Using the same technology that online stores like Amazon.com and your bank do, we’re now securing all the important bits of your blog using SSL. What this means is that when you’re logging in or posting to WordPress.com, all of your traffic will be encrypted so anyone “sniffing” it will just see a bunch of gibberish. This is free and immediately available for all our users.
On a technical level, what we’ve done is restricted your login cookies to be SSL-only, which means they will never be transmitted in the clear, and we’re encrypting the cookies sent in the clear to make it difficult for anyone to impersonate your login.
There are still one or two kinks we’re working out, particularly for this main blog, but at worst you may see a security warning about the SSL certificate. If you have any problems please let us know using the feedback form.
Also, because we love you so much, we’ve made the code we’re using to do this available as a WordPress plugin. All you need is a SSL certificate and WordPress 2.1-alpha.
Anyway, now when you go to conferences or that sketchy coffee house blog without fear.
- March 8, 2006
- Security, WordPress, WordPress.com
WordPress.com News 
Yes! I’ve been waiting for this! I noticed that you guys did something strange before to scramble the login information but now with SSL, decryption is near impossible.
Thanks again!
LikeLike
wow! this is great! nice job!
LikeLike
umm…but now I seem to have to log in every time, rather than it retaining a cookie. also, there’s a prompt about secure and insecure objects on the page which is a bit annoying.
I guess these are just kinks, and its good to see this improvement.
LikeLike
A desire fulfilled indeed! As I access WP.com from various public places also, I get a lil’ nervous at times… so this is great!
Thanks and praise to the Matt and the WP team 😀
LikeLike
WordPress is the best. Keep up the good work guys.
LikeLike
I noticed two days ago I have to log in each day.
I like WordPress better each day.
Thanks
LikeLike
Wow, appreciate the work you’re doing here. Cheers! 😀
LikeLike
it’s not just every day. I’ve been onto my wordpress a couple of times today, and have to log on each time. Just now, it let me in, showed my toolbar, but when I went to my blog stats, it forced me to sign on again. Definitely not quite right yet.
LikeLike
Good and useful.
LikeLike
Thanks a lot 🙂
LikeLike
While we were rolling it out you may have had to login a few extra times. Now it should be stable, again if you have any probs report them using feedback. 🙂
LikeLike
Thank you so much. This is a great feature. Keep up the good work! I can’t say how much I appreciate being able to use WordPress.
LikeLike
Thank you. This is a great addition. You guys do an excellent job!
LikeLike
Cool. I noticed that I can view wordpress on my XDA 2 mini (Pocket PC) with no layout hassles at all. Well done! I haven’t tried to blog through it yet though. I hope it holds up – but given that you use it yourself, I am sure you’ve got the design right.
LikeLike
Nice, being safe online is huge in my book. At least now I know that there is one thing online that I can use free of mind.
LikeLike
You guys just rock. Danke, not just for this feature but for the tags, the widgets…
LikeLike
Very good idea. Now I know why I don’t use my server for my blog 😛
LikeLike
This is FAB! Thanks guys
LikeLike
Fantastic. Wordress never seems to fail me. hooray!
LikeLike
oh so this is why i need to log in everytime.. hehe I thought there was something, but its a nice feature 😀
LikeLike
nice one … once again!
LikeLike
awesome! another great reason to stop using blogger…
LikeLike
I was so wishing for this…
Thanks.
LikeLike
Awesome. Sending vital information through SSL will definetely make me feel safer.
LikeLike
Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (interesting since the blog has only been up and running since 2006).
I find myself getting messages from IE saying that the pages contain secure and non-secure elements (mixed mode) and an invalid name on the SSL certificate when visiting http://wordpress.com/blog/2006/03/08/secure-blogging/ and logging in. The SSL cert *.wordpress.com won’t be valid for WordPress.com – because there is no child domain.
XMLRPC calls (if you’re using a desktop blogging client) aren’t encrypted using SSL – and as many of them reget the categories, posts, etc – each time they startup your userID and password are sent down the line.
Finally – pingbacks/trackbacks don’t appear to function any more…
LikeLike
Is there a way to disable it? I have seen a few that don’t have it.
LikeLike
Secure Admin Problems at WordPress
Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (this blog ha…
LikeLike
I would be curious to know how you managed to use SSL for different subdomains all on one server – assuming wordpress.com uses apache (I can’t see it using IIS) I was under the impression from the apache docs that SSL cannot be used with name-based virtual domains (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts )
LikeLike
You can have a wildcard SSL cert, so we have one for *.wordpress.com.
LikeLike
Matt: it was not the SSL cert that gave me problems, it was the name based virtual domains. by the way – my browser warns me about the cert when posting here (http://wordpress.com/blog/…) because there is no leading dot to match. It works fine every other place though.
LikeLike
Why I appreciate WordPress.com so much
I haven't been updating this blog for a while, mainly because recently I've been looking around the net for free hosts that'd allow me to host my own wordpress installation. The reason being there are quite a lot of restrictions on the blog…
LikeLike
Does this still hold true !!!
LikeLike
regarding the plugin,
I had trouble making it work, and ended up finding there was a problem in the code.
I’ve patched it and made it available here:
http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working
Haris
LikeLike
Why dont you use PGP secured forms. You can encrypt form data with JavaScript and then send it to the server. No need to have SSL or any secure tunnel.
Check out this example
http://www.anonymousspeech.com/how_to_secure_email_form.aspx
LikeLike