WordPress has turned on HTTPS encryption for every custom domain hosted on WordPress.com. The publishing platform started working with the certificate authority Let's Encrypt to launch a beta rollout of HTTPS earlier this year. In 2014, WordPress implemented HTTPS for websites that used WordPress.com subdomains.
“The Let's Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains,” Barry Abrahamson, chief systems wrangler at Automattic, WordPress' parent company, wrote in a blog post. “We launched the first batch of certificates in January 2016 and immediately started working with Let's Encrypt to make the process smoother for our massive and growing list of domains.”
The HTTPS rollout is the latest addition to WordPress's security measures. In September 2015, WordPress released version 4.3.1, an update that fixed three security issues, and warned users that earlier versions contained a cross-site scripting vulnerability. In April 2013, WordPress began offering two-factor authentication as an opt-in for users.
Several vulnerabilities affecting popular WordPress plugins have been discovered in recent months. Most notably, gaping vulnerabilities were discovered on the website of Mossack Fonseca, the Panamanian law firm that experienced an email server breach leading to the exfiltration of 2.6 terabytes of data, including 11.5 million confidential documents, now referred to as the Panama Papers. The firm's website ran at least two WordPress plugins that, had the WordPress installation been compromised, would have exposed login credentials for the email server, allowing remote attackers to send and receive email.
WordPress is used on 25 percent of websites, according to data published by W3Techs. “We should be comfortably past 25 [percent] by the end of the year,” Automattic founder Matt Mullenweg wrote on his personal blog in November.