Towards the end of last year, Matt Mullenweg announced that some upcoming features of WordPress may only be available on sites with SSL enabled. WordPress will also stop promoting web hosting companies that don’t make SSL available by default on WordPress hosting accounts.
The idea that every site should use SSL / TLS is a relatively new one. Until a couple of years ago, everyone agreed e-commerce sites and sites dealing with sensitive information should use SSL certificates to encrypt connections, but few were particularly concerned about implementing SSL on the average blog or lead generation site.
Times have changed, and everyone is more security conscious, aware that online criminals, government agencies, and unscrupulous corporations are interested in seeing what we’re looking at and perhaps injecting their own malicious content.
Implementing SSL wasn’t a walk in the park. It was complex and often had negative side effects, including performance problems, but as Mullenweg rightly points out, it’s now almost trivially easy to implement SSL. Let’s Encrypt has brought SSL within the reach of non-technical users and made it free.
The new WordPress policy seems to be part of a growing movement to “nudge” web hosts and site owners towards blanket implementation of SSL. Although it’s technically possible to use HTTP/2 without SSL, browser manufacturers have chosen to make their implementations dependent on SSL being available. Google search has long rewarded sites with SSL, and Google, alongside other browser developers, will begin to warn web users if sites they visit aren’t secured by SSL.
WordPress is joining the bandwagon. Some future features will depend on the availability of SSL. They’ll be features that benefit from SSL but wouldn’t have necessarily required it, like API authentication.
For the most part, this is a positive move. Without SSL, websites are woefully insecure and anyone’s interaction with those sites is open to scrutiny and interference. On today’s web, the privacy and security of users should be a top priority, and given the ease with which SSL can be offered, there’s no real reason not to. However, I suspect there will be some holdouts among large-scale users of WordPress, who for reasons of technical debt will decline to implement SSL for some time to come.
Whatever you think about large organizations like Google and WordPress using their influence to “encourage” the adoption of SSL, there’s no doubt it’s working. Last year, for the first time ever, over half of all visits to sites in Google’s Chrome browser were secured. Of course, that doesn’t mean half of all sites are secure, just that a substantial number of the most popular sites offer secure connections.
What do you think? Should Google and WordPress be using their power to force us towards a more secure web?
About the Author
Graeme Caldwell works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, https://blog.nexcess.net/.