HTTPS and SSL
Why should I use HTTPS and SSL?
Strong encryption is critical to ensure your privacy and security while using WordPress.com. We encrypt all possible traffic, including custom domains hosted on WordPress.com. We consider strong encryption so important that we do not allow you to compromise the security of your site by disabling it. We also 301 redirect all insecure HTTP requests to the secure HTTPS version.
See some common questions below for more information about HTTPS and SSL on WordPress.com.
How do I install an SSL certificate on my WordPress.com site?
You don’t need to! We automatically install SSL certificates from Let’s Encrypt on all WordPress.com sites.
Why is my site missing an SSL certificate?
Our automated process adds SSL certificates from Let’s Encrypt shortly after the registration or mapping of domains. Because we automatically provision SSL certificates that are shared by multiple customer domains, it may take up to 72 hours to add an SSL certificate to your site.
For mapped domains, SSL certificates are only added after you add our name servers to your domain.
Does HTTPS make my site slower?
This used to be true, but technologies like HTTP/2 have significantly improved performance. In some cases, encrypted HTTP/2 traffic even outperforms its unencrypted counterpart. We make sure our servers are globally distributed and compatible with the latest emerging technologies, ensuring the best possible user experience.
How do I get those annoying security warnings to go away?
In general, you should never see security warnings while using WordPress.com. If you do, please contact support and let us know the details.
Why do I see tls.automattic.com in my certificate's common name (CN)?
If you have a custom domain on WordPress.com, we secure it using an SSL certificate from the Let’s Encrypt Certificate Authority. To improve the performance and simplicity of this process, we use the same Common Name, tls.automattic.com, for all certificates and store the unique domain names, grouped in batches of about 50, in the SubjectAltName attribute. All modern browsers honor this attribute and will not display any warnings or errors to you or your visitors.
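The following added example (not WordPress.com's own code) shows the check a client performs on such a certificate: the hostname is compared against the SubjectAltName DNS entries, and the Common Name plays no part. The `.example` domains and both certificate dictionaries are constructed samples, and the function names are hypothetical.

```python
import socket
import ssl


def san_dns_names(cert):
    """Return the lower-cased DNS entries of a getpeercert()-style dict."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _matches(pattern, hostname):
    """Match one SAN entry; '*' may only be the whole left-most label."""
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_covered(cert, hostname):
    """True if hostname is listed in SubjectAltName; the CN is never consulted."""
    host = hostname.lower().rstrip(".")
    return any(_matches(name, host) for name in san_dns_names(cert))


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate a live server certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.getpeercert() returns; the two
# .example domains are made up and stand in for customer domains.
SAMPLE_CERT = {
    "subject": ((("commonName", "tls.automattic.com"),),),
    "subjectAltName": (
        ("DNS", "tls.automattic.com"),
        ("DNS", "blog.example"),
        ("DNS", "shop.example"),
    ),
}
# Constructed counter-case: a name that appears only in the CN.
CN_ONLY_CERT = {"subject": ((("commonName", "blog.example"),),)}

if __name__ == "__main__":
    for name in ("blog.example", "other.example"):
        print(name, hostname_covered(SAMPLE_CERT, name))
    print("CN only:", hostname_covered(CN_ONLY_CERT, "blog.example"))
```

To inspect a live site, pass the result of `fetch_cert("your-domain")` to `hostname_covered` in place of the sample dictionary.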
Do you support advanced security features such as HSTS and HPKP?
Currently, we send a Strict-Transport-Security (HSTS) header with our HTTPS responses. HPKP is currently not supported, but may be in the future.