HTTPS Support for VIP Sites

As you may have read, today we enabled HTTPS support for all domains on WordPress.com. We feel very strongly that encryption is quickly becoming an expected (and soon required) part of the web browsing experience and as such, are enabling HTTP to HTTPS redirects for the over one million custom domains on WordPress.com.

We have excluded VIP sites from this initial deployment for a few reasons:

  1. In our testing, there are various third parties, mostly ad networks, that still don’t have HTTPS-capable infrastructure. Plaintext content embedded in an encrypted page won’t display in most modern browsers, thus effectively disabling the ads. We have seen varying levels of success when asking these networks to provide true HTTPS support, but if your particular network(s) don’t support HTTPS, we hope you will strongly encourage them to do so.
  2. For VIP sites that want to enable HTTPS support, we can provide a few options:
    • Secure (default): HTTPS-only. Valid SSL certificate installed, all HTTP traffic redirected to HTTPS.
    • Testing: Valid SSL certificate installed, HTTP traffic NOT redirected to HTTPS. This mode is recommended only for testing and resolving mixed-content issues and is not recommended as a long-term solution.
    • Insecure: Valid SSL certificate installed, HTTPS traffic redirected to HTTP. Not recommended, but can be implemented as a short-term workaround for any issues that might come up in testing.
  3. Our certificate authority, Let’s Encrypt, is compatible with the vast majority of modern browsers and operating systems. There are some known incompatibilities, so if you wish to provide your own SSL certificate (ensuring it covers both the “www” and root domains for your site), we will happily install it for you. Keep in mind you will be responsible for the initial purchase of the certificate and subsequent renewals.

If you have already established HTTPS for your VIP site (on either WordPress.com VIP or VIP Go), no action is needed on your part. Note that HTTPS is enabled for all primary domains on VIP Go as a part of the site setup process.

If you would like to enable HTTPS support for your WordPress.com VIP site using one of the above options, please open a support ticket and include the following information:

  • The domain name(s) for which you want to add HTTPS support.
  • If you don’t want to have us provide a Let’s Encrypt certificate, a request that we generate a CSR for you to purchase your own certificate.
  • Which support option you want to use (Secure, Testing or Insecure).
  • Optionally for “Secure,” a request to use HSTS headers as a part of the redirect. Note that if these are enabled and you later disable HTTPS support, users may not be able to access your site.

If you have any questions about HTTPS support on VIP, please contact us.