Andrea Danti - Fotolia

WordPress SSL now free for hosted sites, thanks to Let's Encrypt

Customers with hosted sites will now have WordPress SSL turned on for free by default, thanks to Let's Encrypt certificates, potentially making a large number of websites more secure.

WordPress is now offering free SSL certificates by default for hosted websites, potentially bringing more security to a large number of customers. WordPress had previously supported encryption for subdomains, but has now announced free HTTPS would be rolling out automatically to all custom domains hosted by

According to a blog post by Barry Abrahamson, systems engineer for WordPress' parent company, Automattic Inc., based in San Francisco, WordPress SSL certificates will be gifted by Let's Encrypt -- a free, automated and open certificate authority.

"The Let's Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains," Abrahamson wrote. "We launched the first batch of certificates in January 2016, and immediately started working with Let's Encrypt to make the process smoother for our massive and growing list of domains."

"Our latest efforts now expand encryption to the million-plus custom domains (like hosted on," Abrahamson wrote. W3techs statistics claimed WordPress is used by 59.3% of all the websites using a content management system that it has scanned, or 26.3% of all websites found. However, it is unclear if those statistics include and custom WordPress installations, in addition to

Gunter Ollmann, chief security officer at Vectra Inc., based in San Jose, Calif., said WordPress SSL was a long time coming, as many other blogging platforms had enabled HTTPS "several years ago," but questioned if this will make websites more secure.

"Moving to HTTPS for hosted websites with custom domain names is great for privacy, but offers no significant advantage against the constant plague of remotely exploitable vulnerabilities that WordPress has suffered from over the last decade," Ollmann said. "I don't believe we'll see less compromises of the platform than we traditionally have. However, we may see more targeted attacks, as traditionally exposed organizations move their blogging activity to HTTPS-enabled sites hosted under the WordPress platform in an effort to increase the privacy of their readers."

Let's Encrypt launched in September 2015, and entered a generally available beta in January. This week, Let's Encrypt has exited beta and said it has issued over 1.5 million certificates for approximately 3 million websites since September.

"We now have the experience and confidence to take the project out of beta," said Josh Aas, executive director for Internet Security Research Group, based in San Francisco. "We will continue to work on making the Web a safer place through free encryption. An increasingly broad set of industry stakeholders recognize how important it is to secure the Web through Let's Encrypt. However, we still have a long way to go to deliver on our goal to encrypt 100% of all websites."

Next Steps

Learn how to run a secure WordPress installation in an IaaS virtual machine.

Learn how to improve security for Drupal and WordPress content management systems.

Learn the benefits of a bring-your-own-key encryption service.

Dig Deeper on Web application and API security best practices