WordPress to add free encryption for custom domains

Content management sites like WordPress and Joomla are a juicy target for attackers for a number of reasons: as Web-based applications they are exposed to being hacked, and once in, attackers can use them to host and disguise attacks on other sites. Plugins for such sites are an additional vector because they can carry vulnerabilities of their own.

So CISOs whose organizations have custom WordPress domains will be pleased by Friday’s announcement that free HTTPS has been added for all domains hosted on WordPress.com.

“WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014,” the announcement notes. “Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.”

CISOs will know their site has been HTTPS-enabled by WordPress when they see a green lock in the address bar. The goal is to improve defences against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.

To do it WordPress is using the free Let’s Encrypt project to provide browser-trusted SSL/TLS certificates for a large number of domains. Let’s Encrypt is a free, automated, open certificate authority run by the Internet Security Research Group (ISRG), a not-for-profit sponsored by a number of major vendors including Akamai, Cisco Systems, the Electronic Frontier Foundation, Google, Mozilla, the Internet Society and Facebook.

Its goal is to spread the use of HTTPS. The ISRG cites Mozilla Firefox estimates that 40 per cent of all web sites and 65 per cent of transactions are protected by HTTPS.

Let’s Encrypt issues certificates to subscribers from its intermediate certificate authorities (CAs), so the root CA is kept safely offline. Last month the service — officially still in beta — said it had issued its millionth certificate since starting in January. In all the service is helping to secure approximately 2.4 million domains, the ISRG said. (UPDATE: Two days after this story ran Let’s Encrypt came out of beta.)

Like any defence tool, Let’s Encrypt alone doesn’t protect against all attacks. Infosec teams have to ensure their WordPress sites — and plugins — have been updated and patched. And as this January blog from Trend Micro notes, Let’s Encrypt can be abused by attackers who set up a malicious Web site of their own that uses these certificates but feeds into other sites — including, possibly, one hosted on WordPress.

Also note that Let’s Encrypt issues domain-validated certificates, not extended validation (EV) certificates, which have to be bought and require a site owner to prove exclusive rights to use a domain. Some organizations may prefer the extra security of an EV certificate.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com