As a part of our overall efforts to encrypt sites hosted on WordPress.com, we strongly encourage WordPress.com VIP sites to enable SSL/HTTPS for a custom domain name mapped to your site, and to redirect all site traffic to that secure URL.
By default all domains on WordPress.com have SSL enabled. We have temporarily excluded VIP sites from this requirement to allow time to update themes and site assets so they are SSL-compatible. We’re aware that some third-party ad networks do not yet support SSL for displaying ad content. If your ad networks don’t already support SSL, we hope you will strongly encourage them to do so quickly.
Options for SSL Support
For VIP sites ready to enable HTTPS support, we can provide a few options:
- Secure (default): HTTPS-only. Valid SSL certificate installed, all HTTP traffic redirected to HTTPS.
- Testing: Valid SSL certificate installed, HTTP traffic NOT redirected to HTTPS. This mode is recommended only for testing and resolving mixed-content issues and is not recommended as a long-term solution.
- Insecure: Valid SSL certificate installed, HTTPS traffic redirected to HTTP. Not recommended, but can be implemented as a short-term workaround for any issues that might come up in testing.
Important Notes
A few notes about how SSL encryption on WordPress.com VIP works:
- Our SSL implementation is SNI based, which means some legacy browsers will not be fully supported in their access to pages served over SSL. Consider this when evaluating whether or not to have us globally redirect all requests to HTTPS URLs, and/or in setting the canonical URL to the HTTPS version of pages/posts on your site.
Setup Process
When you are ready to enable HTTPS support for your WordPress.com VIP site using one of the above options, please open a support ticket and include the following information:
- The domain name(s) for which you want to add HTTPS support.
- If you want to purchase your own SSL certificate, a request that we generate a CSR.
- Which support option described above you want to use (Secure, Testing or Insecure).
- Optionally, for the “Secure” option where you are providing the certificate, a request to use HSTS headers as a part of the redirect. Note that if these are enabled and you later disable HTTPS support, users may not be able to access your site. (HSTS is enabled for all sites in “Secure” mode using Let’s Encrypt certificates.)
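To confirm which of the three modes described under Options for SSL Support a domain is actually in, and whether HSTS is being sent, the following added example (not WordPress.com VIP code) classifies a pair of responses to the HTTP and HTTPS URLs. The `Response` record, the function names and the sample domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

@dataclass
class Response:
    url: str       # URL that was requested
    status: int    # HTTP status code returned
    headers: dict = field(default_factory=dict)  # header names lower-cased

def redirect_scheme(resp):
    """Scheme a 3xx response redirects to (relative Location resolved), else None."""
    if resp.status not in (301, 302, 303, 307, 308):
        return None
    return urlsplit(urljoin(resp.url, resp.headers.get("location", ""))).scheme

def hsts_max_age(resp):
    """max-age from Strict-Transport-Security, or None if absent or malformed."""
    for part in resp.headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def classify(http_resp, https_resp):
    """Map a pair of responses onto the Secure / Testing / Insecure modes."""
    if redirect_scheme(https_resp) == "http":
        return "Insecure"
    if redirect_scheme(http_resp) == "https":
        return "Secure"
    if http_resp.status == 200 and https_resp.status == 200:
        return "Testing"
    return "Unknown"

def audit(http_resp, https_resp):
    """(mode, hsts_active): HSTS is read from the HTTPS response; max-age=0 is off."""
    return classify(http_resp, https_resp), bool(hsts_max_age(https_resp))
# Constructed sample responses for hypothetical domains (not captured traffic).
HSTS = {"strict-transport-security": "max-age=31536000"}
SAMPLES = {
    "secure": (Response("http://a.example/", 301, {"location": "https://a.example/"}),
               Response("https://a.example/", 200, HSTS)),
    "testing": (Response("http://b.example/", 200), Response("https://b.example/", 200)),
    "insecure": (Response("http://c.example/", 200),
                 Response("https://c.example/", 302, {"location": "http://c.example/"})),
}
if __name__ == "__main__":
    print({name: audit(*pair) for name, pair in SAMPLES.items()})
```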