Are SSL-Only WordPress Features a Good Idea for WordPress Security?


Towards the end of last year, Matt Mullenweg announced that some upcoming features of WordPress may only be available on sites with SSL enabled. WordPress will also stop promoting web hosting companies that don’t make SSL available by default on WordPress hosting accounts.

The idea that every site should use SSL / TLS is a relatively new one. Until a couple of years ago, everyone agreed e-commerce sites and sites dealing with sensitive information should use SSL certificates to encrypt connections, but few were particularly concerned to implement SSL on the average blog or lead generation site.

SEE ALSO: Why Is The WordPress REST API Such A Big Deal?

Times have changed, and everyone is more security conscious, aware that online criminals, government agencies, and unscrupulous corporations are interested in seeing what we’re are looking at and perhaps injecting their own malicious content.

Implementing SSL wasn’t a walk in the park. It was complex and often had negative side effects, including performance problems, but as Mullenweg rightly points out, it’s now almost trivially easy to implement SSL. Let’s Encrypt has brought SSL within the reach of non-technical users and made it free.

The new WordPress policy seems to be part of a growing movement to “nudge” web hosts and site owners towards blanket implementation of SSL. Although it’s technically possible to use HTTP2 without SSL, browser manufacturers have chosen to make their implementations dependent on its availability. Google search has long rewarded sites with SSL, and, alongside other browser developers, will begin to warn web users if sites they visit aren’t secured by SSL.

WordPress is joining the bandwagon. Some future features will depend on the availability of SSL. They’ll be features that benefit from SSL but wouldn’t have necessarily required it, like API authentication.

For the most part, this is a positive move. Without SSL, websites are woefully insecure and anyone’s interaction with those sites is open to scrutiny and interference. On today’s web, the privacy and security of users should be a top priority, and given the ease with which SSL can be offered, there’s no real reason not to. However, I suspect there will be some holdouts among large-scale users of WordPress, who for reasons of technical debt will decline to implement SSL for some time to come.

Whatever you think about large organizations like Google and WordPress using their influence to “encourage” the adoption of SSL, there’s no doubt it’s working. Last year, for the first time ever, over half of all visits to sites in Google’s Chrome browser were secured. Of course, that doesn’t mean half of all sites are secure, just that a substantial number of the most popular sites offer secure connections.

What do you think? Should Google and WordPress be using their power to force us towards a more secure web?

About the Author 

graemeGraeme Caldwell works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog,

Add Your Comments

  • (will not be published)


  1. Well, it depends. Because of how easy Let’s Encrypt has made it to get a free basic certificate, anybody can quickly acquire a SSL/TLS Certificate for any type of website. There is nothing to stop somebody from using a certificate from Let’s Encrypt or any other certificate authority for that matter to make their site look secure to the public who relies on such things. So, who is really helped here? Who is assuming all the liability surely to follow?

  2. Good thing for me, but too much websites today miss some "know-how" about SSL and its reasonable use: i.e, if you got a blog indexed in Google / Bing with HTTPS, you need to give right directives to your server for massive redirecting. This is not trivial, please do not underestimate it.

  3. I think it is important not to confuse the security of a website with the security of data being transferred between the browser and the server. Just because a site has an SSL certificate does not mean it's "secure". Better education must be given to users that an SSL certificate won't stop hackers and it won't stop badly written plugins and themes from introducing vulnerabilities to the site.

  4. A great move for Wordpress, and we've been offering free Let's Encrypt SSLs to all our VPS and Cloud customers. No question, this is a must for Wordpress sites going forward.