Google has been pushing HTTPS harder than anyone. They haven’t been alone — not by a long shot — but they are making the most aggressive moves to push the web to full encryption.
Their latest move is the biggest, I think. They are going to start declaring any website with a form that processes passwords as “not secure”, AKA those websites will get the nasty red lock of doom. It will also apply to sites accepting credit cards, but that’s a no-brainer.
That means that WordPress sites with login forms — I presume on the admin side as well — will have to have HTTPS enabled to avoid the red lock.
That is great!
Well, for the adoption of HTTPS at least.
WordPress works great with or without HTTPS. But a change like this, sure not to be the last from Google and other browser vendors, does have implications for WordPress.
One is that we need to ensure that going fully HTTPS is absolutely seamless. It already is for new sites, but it needs to be easier for old sites. There have been various efforts to improve WordPress’s handling of HTTPS, but it’s time to up the pace.
Also, any host that is still holding back on supporting free SSL/TLS certificates from providers like Let’s Encrypt: it’s time to change. Say goodbye to your easy-money upsells; that game is over.