HTTPS and SSL

Why use HTTPS and SSL

Strong encryption is critical to ensure your privacy and security while using WordPress.com.  We encrypt all possible traffic, including custom domains hosted on WordPress.com.  We consider strong encryption so important that we do not allow you to compromise the security of your site by disabling it.  We also 301 redirect all insecure HTTP requests to the secure HTTPS version.

Frequently Asked Questions

How do I install an SSL certificate?

We automatically install an SSL certificate for you, so you don’t have to! We transparently handle all the complexities of SSL certificate management. We use free SSL certificates from Let’s Encrypt, so you don’t have to pay anything for your SSL certificate.

That's cool. But why is the SSL certificate missing on my site?

Our automated process adds SSL certificates from Let’s Encrypt soon after you register or map a domain. We add SSL certificates for our domains in batches, so it may sometimes take up to 72 hours to add an SSL certificate to your site. Typically, though, we add SSL certificates earlier than 72 hours.

For mapped domains, we can add an SSL certificate only after you add our name servers to your domain.

Does HTTPS make my site slower?

This used to be true, but technologies like HTTP/2 have significantly improved performance.  In some cases, encrypted HTTP/2 traffic even outperforms its un-encrypted counterpart.  We invest heavily to make sure our servers are globally distributed and compatible with the latest emerging technologies to ensure the best possible user experience.

How do I get those annoying security warnings to go away?

In general, you should never see security warnings while using WordPress.com.  If you do, please contact support and let us know the details.

Why do I see tls.automattic.com in my certificate's common name (CN)?

If you have a custom domain on WordPress.com, we secure it using an SSL certificate from the Let’s Encrypt Certificate Authority.  To improve the performance and simplicity of this process, we use the same Common Name, tls.automattic.com, for all certificates and store the unique domain names in the SubjectAltName attribute.  All modern browsers honor this attribute and will not display any warnings or errors to you or your visitors.
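The check a client performs on such a certificate, as an added example (not WordPress.com's own code): the hostname is compared with the SubjectAltName entries and the Common Name is ignored. The certificate below is constructed sample data with placeholder domains, and the wildcard handling goes beyond what this page describes.

```python
# Added example: match a hostname against SubjectAltName dNSName entries.
# SAMPLE_CERT is constructed data in the shape of ssl.SSLSocket.getpeercert();
# the example.com / example.net names are placeholders, not real site domains.
SAMPLE_CERT = {
    "subject": ((("commonName", "tls.automattic.com"),),),
    "subjectAltName": (
        ("DNS", "tls.automattic.com"),
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "*.blog.example.net"),
    ),
}


def common_name(cert):
    """Return the subject Common Name, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern, hostname):
    """Compare one dNSName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def matching_san(cert, hostname):
    """Return the SAN entry that covers hostname, or None."""
    # The Common Name is never consulted: modern browsers validate the
    # hostname against SubjectAltName only.
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and name_matches(value, hostname):
            return value
    return None


if __name__ == "__main__":
    print("CN:", common_name(SAMPLE_CERT))
    for host in ("www.example.com", "post.blog.example.net", "example.org"):
        print(host, "->", matching_san(SAMPLE_CERT, host))
```

To inspect a live certificate, the same dictionary shape is what `ssl.SSLSocket.getpeercert()` returns after a verified handshake.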

Do you support advanced security features such as HSTS and HPKP?

Yes, currently we send a Strict-Transport-Security header with our HTTPS responses.  HPKP is currently not supported, but may be in the future.
