May 27, 2015 / Jim Fenton

Not a happy WordPress Premium customer

Since I’m using my blog more actively to publish information about Nōtifs lately, I thought it would be a good time to upgrade my blog to WordPress Premium. For $99/year, I get a number of benefits including removal of ads from my blog. One of those benefits is the use of a custom domain name, and since I registered several years ago, I thought it might be good to go from to

Everything went quite smoothly. Then a friend called. “Jim, since you’re a security guy, I’m surprised that I get a warning when using HTTPS to read your blog.” Sure enough, accessing resulted in a warning, because the site presented a certificate that is valid for *, not for I hadn’t seen this error because I generally browse my own blog through the administrative interface via I should have anticipated this because I never got a request to provide or approve a certificate for
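The mismatch described above can be checked before a custom domain goes live by comparing every hostname the site answers on against the names in the certificate it presents. The following is an added example, not code from this blog or from WordPress; the hostnames and certificate names are constructed placeholders, and the matching follows RFC 6125-style wildcard rules in simplified form (real browsers also consult the public suffix list).

```python
# Added example: hostnames and certificate names below are constructed placeholders.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match of one dNSName entry against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so '*.host.example' covers 'a.host.example'
    but not 'host.example' or 'a.b.host.example'.
    """
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # Require at least two fixed labels so '*.example' never matches.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # Partial wildcards such as 'w*.example.com' are rejected outright.
    return "*" not in san and host == pattern

def names_that_warn(served_hostnames, cert_sans):
    """Return the hostnames a browser would flag for this certificate."""
    return [h for h in served_hostnames
            if not any(san_matches(h, s) for s in cert_sans)]

# Constructed scenario: a hosting platform's wildcard certificate, one
# platform subdomain, and a custom domain mapped onto the same servers.
PLATFORM_CERT_SANS = ["*.bloghost.example", "bloghost.example"]
SERVED = ["jim.bloghost.example", "customblog.example", "www.customblog.example"]

if __name__ == "__main__":
    for name in names_that_warn(SERVED, PLATFORM_CERT_SANS):
        print("certificate does not cover:", name)
```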

I contacted WordPress support about this. Their response: currently doesn’t support SSL for custom domains, so you can avoid that error message by giving out the http:// version of your site’s address:

Modern browsers will usually give a warning if you try to visit a site starting with https:// when SSL isn’t supported there, so the best way to avoid that is to make sure that links to your domain begin with http:// instead. We also have a page about HTTPS with more details and other options for turning off those browser warnings.

So the answer is, basically, don’t use TLS (SSL). It did before my upgrade to premium, but doesn’t now. Not something you want to tell a “security guy”.

There are a number of reasons this is a problem:

  • More and more people default to using TLS if they can.
  • Presenting a certificate for the wrong site just trains users to ignore these warnings, making them less secure.
  • A premium feature should be an upgrade.

How would I like it to work? WordPress should tell me they’re going to obtain a certificate for my domain, and to approve the request for it that their Certificate Authority will send me. Or even send me a Key Signing Request and let me buy the certificate.

What are some alternatives? One is to operate an HTTPS reverse proxy, and map into myself. Another is to move my blog to a self-hosted WordPress site, but I’m not sure I want to deal with the frequent security issues I have been hearing of. A third is just to turn off the domain mapping, and decide whether the cost of WordPress Premium is still worth it (mostly for ad removal).

I’ll decide which way to go soon, and apologize for the warning messages in the meanwhile. Please don’t just click “accept” when you see one of these, OK?

Image: “Broken Rusty Lock: Security (grunge)” by Flickr user Nick Carter used under CC BY 2.0 license.
