Improvements to SSL security and compliance of WordPress Hosting

In order to keep our WordPress platform up to date with best practices and compliance requirements for HTTPS, we will be making some minor improvements as of the week of March 19th; specifically, we will start the process of formally removing support for TLS1.0 & 1.1 on our WordPress Hosting.

Normally such updates would go unnoticed; however, the removal of TLS1.0 & 1.1 will mean visitors on very old devices will be unable to access HTTPS-enabled websites going forward. This means a small percentage of visitors may struggle to connect to your site. These include:

  • Visitors using IE 10 or earlier on Windows Vista or earlier
  • IE 10 on early versions of Windows Phones
  • Visitors using Safari 6 or earlier on OSX Snow Leopard or earlier
  • Android phone users running 4.3 or earlier
  • Java browsers version 7 or earlier

The good news is this equates to a very small percentage of visitors to an average WordPress website; from a recent sample we took across a set of hosted sites, we estimate the affected traffic to equate to just under 2% of visitors. Because a portion of this traffic is in turn automated bots, we believe the real percentage of affected human visitors to be lower still. Those affected will receive a "could not connect" type SSL error. The precise wording will vary depending on the device, and the simple advice is that the end user needs to upgrade urgently. Much of the web will begin to end this support through 2018.
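If you want to estimate the affected share for your own site, the following script (an added example, not the hosting provider's own sampling method) scans web-server access-log lines and flags user agents that match the client list above. The log lines are constructed samples in combined log format; user-agent matching is a heuristic (spoofed or unusual agents will be missed), so treat the figure as an estimate, just as the advisory's own number is.

```python
"""Estimate the share of requests from clients that cannot speak TLS 1.2.

Added example, not part of the original advisory. It applies the advisory's
client list (IE<=10 on Windows<=Vista, IE10 on early Windows Phone,
Safari<=6 on OS X, Android<=4.3 stock browser, Java<=7) to user agents
parsed from access-log lines.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Combined log format: the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

OLD_WINDOWS = re.compile(r"Windows NT (5\.\d|6\.0)\b")   # XP/2003 and Vista
MSIE = re.compile(r"MSIE (\d+)\.")                        # IE <= 10 tokens
SAFARI = re.compile(r"Version/(\d+)\.[\d.]* .*Safari/")   # desktop Safari
ANDROID = re.compile(r"Android (\d+)(?:\.(\d+))?")
JAVA = re.compile(r"^Java/1\.(\d+)")                      # Java/1.7.0_80


def affected_reason(ua: str) -> Optional[str]:
    """Return why a user agent is expected to fail, or None if it should connect."""
    m = MSIE.search(ua)
    if m:
        major = int(m.group(1))
        if major <= 10 and OLD_WINDOWS.search(ua):
            return "ie<=10 on windows<=vista"
        if major == 10 and "Windows Phone" in ua:
            return "ie10 on early windows phone"
    m = SAFARI.search(ua)
    if m and "Macintosh" in ua and int(m.group(1)) <= 6:
        return "safari<=6 on os x"
    m = ANDROID.search(ua)
    if m and (int(m.group(1)), int(m.group(2) or 0)) <= (4, 3):
        return "android<=4.3"
    m = JAVA.match(ua)
    if m and int(m.group(1)) <= 7:
        return "java<=7"
    return None


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Count parseable requests and those from clients expected to fail."""
    total = 0
    reasons: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        total += 1
        why = affected_reason(m.group("ua"))
        if why:
            reasons[why] += 1
    affected = sum(reasons.values())
    return {
        "requests": total,
        "affected": affected,
        "affected_pct": round(100.0 * affected / total, 2) if total else 0.0,
        "by_reason": dict(reasons),
    }


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Mar/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"',
    '203.0.113.11 - - [19/Mar/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.12 - - [19/Mar/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '203.0.113.13 - - [19/Mar/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17"',
    '203.0.113.14 - - [19/Mar/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '203.0.113.15 - - [19/Mar/2018:10:00:06 +0000] "GET /feed/ HTTP/1.1" 200 8192 "-" "Java/1.7.0_80"',
    '203.0.113.16 - - [19/Mar/2018:10:00:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.17 - - [19/Mar/2018:10:00:08 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)"',
    '203.0.113.18 - - [19/Mar/2018:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C114 Safari/604.1"',
    '203.0.113.19 - - [19/Mar/2018:10:00:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"',
]

if __name__ == "__main__":
    import sys
    # Usage: python estimate.py access.log   (defaults to the sample above)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarise(lines))
```

Run it against a day or a week of real logs rather than a handful of lines; the sample here is deliberately skewed toward legacy clients so that each rule fires at least once.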

Why are we doing this?

Simply put, to keep your data safe and encrypted in a way that is modern and compliant. TLS1.0 and 1.1 are older, deprecated protocols. These protocols have known security vulnerabilities which, while hard to exploit, do have the theoretical potential to allow HTTPS traffic to be decrypted. They have since been replaced with TLS1.2 & 1.3. All modern browsers now support TLS1.2, and more and more support TLS1.3.

Due to the potential risks, PCI-DSS compliance mandates that all sites that are PCI compliant must drop support for TLS1.0 by June 2018, with TLS1.1 being dropped shortly after. This means that any major website on the Internet will be following suit, if it hasn’t indeed made the move already.

Longer term, major browsers will stop accessing sites which still have TLS1.0 enabled at all. All of our WordPress Hosting is PCI compliant out of the box and is therefore updated in line with compliance.

What do I need to do?

Nothing at all. This will happen automatically and you needn’t take any action. This post is a simple advisory to let you know what will be happening behind the scenes. Once complete, sites may see some visitors unable to connect, but again the biggest reduction will be in the number of automated scripts that connect, the vast majority of which are not wanted. Bots such as Googlebot, which indexes your site for Google, will still be able to connect as normal.

Due to the nature of this update, it will not be possible to re-enable TLS1.0 or 1.1 for sites and containers once it has been disabled, and all containers will be changed without exception.
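Although no action is required, a site owner may want to confirm the change from the outside once it has happened. The following probe (an added example, not the hosting provider's tooling) pins a client handshake to one TLS version at a time using Python's standard `ssl` module and reports which versions the server still accepts; `assess` then checks the result against the target state described above (TLS1.0 and 1.1 refused, TLS1.2 accepted). The hostname is passed on the command line; the security-level override is needed because current OpenSSL builds refuse TLS1.0/1.1 on the client side by default, which would otherwise be misread as the server refusing them.

```python
"""Probe which TLS protocol versions a web server will negotiate.

Added example, not part of the original advisory. Run it against your own
hostname after the change: python probe.py example.com
"""
import socket
import ssl
from typing import Dict, List

# Versions to test, oldest first (ssl.TLSVersion needs Python 3.7+).
VERSIONS = [
    ("TLS1.0", ssl.TLSVersion.TLSv1),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS1.3", ssl.TLSVersion.TLSv1_3),
]

# Versions the advisory says must no longer be offered.
DEPRECATED = {"TLS1.0", "TLS1.1"}


def try_version(host: str, version: ssl.TLSVersion, port: int = 443,
                timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are checking protocol support, not identity, so certificate
    # validation is skipped here; do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL disables TLS 1.0/1.1 at its default security level;
    # lower it so that a refusal genuinely comes from the server.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without the SECLEVEL keyword; defaults suffice
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> Dict[str, bool]:
    """Map each TLS version name to whether the server accepted it."""
    results: Dict[str, bool] = {}
    for name, version in VERSIONS:
        try:
            results[name] = try_version(host, version, port)
        except ValueError:
            # The local OpenSSL was built without this protocol version.
            results[name] = False
    return results


def assess(results: Dict[str, bool]) -> Dict[str, object]:
    """Compare a probe result with the advisory's target state."""
    legacy: List[str] = sorted(v for v, ok in results.items()
                               if ok and v in DEPRECATED)
    modern: List[str] = sorted(v for v, ok in results.items()
                               if ok and v not in DEPRECATED)
    return {
        "legacy_enabled": legacy,
        "modern_enabled": modern,
        # Target state: no deprecated version accepted and TLS1.2 working.
        "compliant": not legacy and "TLS1.2" in modern,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    found = probe(target)
    for name, ok in found.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print(assess(found))
```

If TLS1.0 or TLS1.1 still show as accepted after the change, check whether a CDN or load balancer in front of the site terminates TLS with its own, separate protocol settings.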