Strong encryption is critical to ensure your privacy and security while using WordPress.com. We encrypt all domains that are registered and connected to a WordPress.com website with an SSL certificate.
We consider strong encryption so important that we do not allow you to compromise the security of your site by disabling it. We also 301 redirect all insecure HTTP requests to the secure HTTPS version.
See some common questions below for more information about HTTPS and SSL on WordPress.com.
In this guide
- What is an SSL certificate?
- How do I install an SSL certificate on my WordPress.com site?
- Can I add my own SSL certificate?
- Why is my site missing an SSL certificate?
- Does HTTPS make my site slower?
- How do I get those annoying security warnings to go away?
- Why do I see tls.automattic.com in my certificate’s common name (CN)?
- Do you support security headers such as HSTS?
SSL stands for Secure Sockets Layer. Since the days of Netscape Navigator, it has been the global standard in encrypted online security technology. An SSL certificate reduces the risk of malicious players (hackers or identity thieves) stealing sensitive information like credit card numbers and passwords from a website visitor or the website itself. Essentially, it provides safe, encrypted communication between your computer and the website you’re visiting.
You don’t need to! We install SSL certificates from Let’s Encrypt on all WordPress.com sites. It will happen automatically.
To check if your SSL certificate is active, go to Upgrades → Domains in your WordPress.com account. Select your domain and scroll down to the Domain security section:
You’ll also know your site has an SSL because the “https” will appear in front of your website’s URL in your browser instead of “http”. You may also see a lock icon, safety seal, or a green URL bar depending on your browser.
For all WordPress.com sites, we will install an SSL certificate from Let’s Encrypt. So no need to worry about adding a custom SSL certificate or installing and setting up CSR.
Our automated process adds SSL certificates from Let’s Encrypt shortly after the registration or connecting of domains. Adding an SSL certificate to your site may take up to 72 hours. If you are not seeing it yet, give it time to take effect.
For domains connected from other registrars, SSL certificates are added after you complete the connection process.
This used to be true, but technologies like HTTP/2 have significantly improved performance. In some cases, encrypted HTTP/2 traffic even outperforms its unencrypted counterpart. We ensure our servers are globally distributed and compatible with the latest emerging technologies, ensuring the best possible user experience.
In general, you should never see security warnings while using WordPress.com. If you do, please contact support and let us know the details.
If you have a custom domain on WordPress.com, we secure it using an SSL certificate from the Let’s Encrypt Certificate Authority. To improve the performance and simplicity of this process, we use the same Common Name, tls.automattic.com, for all certificates and store the unique domain names, grouped in batches of about 50, in the SubjectAltName attribute. All modern browsers honor this attribute and will not display any warnings or errors to you or your visitors.
Yes! We send a Strict-Transport-Security (HSTS) header with all of our HTTPS responses.