We’re proud to support a more secure web — now for all custom domains on WordPress.com.
HTTPS Everywhere: Encryption for All WordPress.com Sites
Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host.
Best of all, the changes are automatic — you won’t need to do a thing.
As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.
WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.
The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.
For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.
Web encryption provides more than security
Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and un-encrypted web traffic, with encrypted HTTP/2 outperforming un-encrypted HTTP/1.1 in some cases.
Google also announced HTTPS is used as a ranking signal in search results, with HTTPS-enabled sites ranked above their plaintext counterparts.
As a WordPress.com site owner, keep an eye out for this feature on your custom domains. Once your site is HTTPS-enabled, you should see a green lock icon in your browser’s address bar. All plaintext HTTP requests will be automatically redirected to their encrypted counterpart (your URL will begin with
https:// instead of
http://). We will transparently handle all the complexities of SSL certificate management for you.
We take security seriously, and we’re proud to offer this to WordPress.com users. For more information about encryption, please see our support documentation.
That is fantastic! All of your users will greatly benefit from Https encryption and it’s awesome that you are rolling that out. This has so many benefits, such as ranking help for seo and better performance, which is also a ranking factor. Site speed has been announced as a ranking factor, so this is kind of like a double-whammy. Great job guys!
Barry, I am trying to send an email to the address: https://en.support.wordpress.com/contact but keep getting an error message: The server response was: The recipient address isnot a valid RFC-5321 address. l4sm39631342pfi.73 – gsmtp
Could you provide an alternate way to get a HELP message to your support team re: http://www.pioneerheritagegardens.org? Thanks.
What about the http address we may have up at other sites where we’ve advertised our blog/website? For instance, I have the http address in all my published books. Do I have to change the http to https? Out of curiosity, I typed in the address using the http and it went to my site. Will this continue to be redirected if someone used the http? Thank you. I like the idea of https.