Notice: Recommendation to disable TLS 1.0 for all WordPress.com sites

This notice relates to the following platform: WordPress.com VIP

This notice is a recommendation that you remove any use of TLS 1.0 in applications or scripts accessing WordPress.com sites, including any third-party integrations, and retire outdated browsers used by your organization’s users. This recommendation is consistent with those of other organizations such as the Internet Engineering Task Force and the PCI Security Standards Council.

While there are no imminent security problems with TLSv1.0 for WordPress.com sites at this time, if an active exploit were to be identified we would move quickly to disable support for this outdated protocol. For this reason we are recommending that all clients deprecate usage of TLS 1.0 in applications and scripts accessing WordPress.com sites.
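The practical follow-up to this recommendation is to confirm that your own scripts cannot fall back to TLS 1.0 and to check which protocol versions an endpoint you operate still accepts. The script below is an added example written for this notice, not code from WordPress.com VIP: it builds a client context pinned to TLS 1.2 or newer (the setting to carry over into any integration that calls WordPress.com), and probes a host by attempting a handshake locked to one protocol version at a time. The host name on the command line is a placeholder you supply; the verification-disabled probe context exists only to ask which versions a server speaks and must not be reused for real traffic.

```python
"""Audit an endpoint for legacy TLS versions and build a client context
that can never negotiate TLS 1.0 (added example, not WordPress.com code)."""
import socket
import ssl
import sys
from typing import Dict, List

# Versions to probe, oldest first. TLS 1.0 and 1.1 are the deprecated
# ones; a well-configured server accepts only 1.2 and 1.3.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}


def make_client_context() -> ssl.SSLContext:
    """Client context for real traffic: verifies certificates and
    hostnames, and refuses any handshake below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion,
                      timeout: float = 5.0) -> str:
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted" (handshake completed), "rejected" (TCP connected,
    handshake failed), "unreachable" (no TCP connection), or
    "unsupported" (this client's OpenSSL will not even offer the version,
    which already satisfies the recommendation on the client side).
    Certificate checks are disabled because we only ask which protocol
    versions the server speaks; never copy this context into production.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
        except ssl.SSLError as err:
            # OpenSSL reports NO_PROTOCOLS_AVAILABLE when the local
            # security level forbids offering the pinned version at all.
            if err.reason == "NO_PROTOCOLS_AVAILABLE":
                return "unsupported"
            return "rejected"
        except OSError:
            return "rejected"


def audit_server(host: str, port: int = 443) -> Dict[str, str]:
    """Probe every version in PROBE_VERSIONS and collect the outcomes."""
    return {name: probe_tls_version(host, port, ver)
            for name, ver in PROBE_VERSIONS.items()}


def deprecated_versions_accepted(results: Dict[str, str]) -> List[str]:
    """Names of deprecated versions the server still completed."""
    return sorted(name for name, outcome in results.items()
                  if name in DEPRECATED and outcome == "accepted")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    outcomes = audit_server(target)
    for name, outcome in outcomes.items():
        print(f"{target}: {name:<8} {outcome}")
    legacy = deprecated_versions_accepted(outcomes)
    print("legacy TLS still accepted:", ", ".join(legacy) if legacy else "none")
```

Run it as `python tls_audit.py your-host.example` against a host you are responsible for; an empty "legacy TLS still accepted" line means the endpoint already matches this recommendation. For the client side, `make_client_context()` is the context to pass to `urllib`, `http.client`, or your HTTP library's SSL option so the script fails loudly rather than silently downgrading.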

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and to protect the confidentiality and integrity of the information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms, with major revisions in SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 in 2018.

What’s wrong with TLS 1.0?

There are many potential vulnerabilities in early TLS that, left unaddressed, put sites at risk. The widespread POODLE and BEAST exploits are just two examples of how attackers have taken advantage of weaknesses in early TLS to compromise organizations. As of June 30, 2018, the PCI Data Security Standard (PCI DSS) also recommended disabling TLS 1.0.

Why disable TLS 1.0 now?

The WordPress.com platform has protected against potential TLS 1.0 vulnerabilities for a long time. While there is no immediate practical risk in using TLS 1.0, our security team has been monitoring real-world TLS 1.0 usage patterns, and usage is now low enough that this is the right time to move forward with the change.

How would disabling TLS 1.0 impact me?

The impact is expected to be very small. In our tests, less than 5% of total traffic is affected, with the majority of that being bots. Once TLS 1.0 is disabled, your site will no longer be accessible from the following browser/platform combinations:

  • Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below
  • Desktop IE versions 7 and below
  • Desktop IE versions 8, 9, and 10 – compatible only when running Windows 7 or newer, but not by default
  • Firefox 23 to 26 – compatible, but not by default
  • Firefox 22 and below
  • Google Chrome 22 to 37 – compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile)
  • Google Chrome 21 and below
  • Google Android browser, Android 4.4 (KitKat) and below
  • Mobile Safari for iOS 4 and below

If you have any questions, please open a support ticket and we’ll be happy to assist.