WordPress creator and Automattic founder Matt Mullenweg announced today that upcoming versions of the WordPress CMS would include features that would require hosts to support HTTPS.
Without providing any details on what these features are, Mullenweg said that it was time for the WordPress team to start pushing their followers to implement HTTPS for their sites.
WordPress.com already provides free HTTPS
WordPress is currently available as an open-source CMS provided by The WordPress Foundation, but also as a hosted blogging platform provided by Automattic.
In April 2016, Automattic announced free HTTPS for the majority of WordPress.com blogs via Let’s Encrypt, a joint EFF-Mozilla project that provides free SSL certificates for any site that wishes to support HTTPS.
Mullenweg says that, starting in early 2017, The WordPress Foundation, through its wordpress.org project, will start to promote hosting platforms that provide an SSL certificate for their clients.
As Mullenweg explained, this is because future WordPress versions would “require hosts to have HTTPS available,” and the WordPress team would like to see as many hosting providers and clients as possible start migrating their sites to HTTPS in the meantime.
PHP7’s performance played a role in this HTTPS push
A major factor in the decision to start this push for HTTPS on self-hosted WordPress sites is the performance boost that came with the release of PHP7 in late 2015, which makes running HTTPS a lot less costly on server resources.
The only detail Mullenweg provided was that later in 2017, the WordPress team “will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.”
HTTPS is already a major factor for Google, which ranks HTTPS websites above sites that offer similar content over HTTP.
Since mid-June 2015, over a quarter of all the sites on the Internet have been running on top of WordPress, and the CMS has a share above 50% of the CMS market. While not all are running up-to-date versions, moving just a fraction of the WordPress userbase to HTTPS will do wonders for privacy and security.