WordPress has used HTTPS since 2014 on all sites with domains that end with .wordpress.com.
This has not been too difficult as anyone who owns a domain such as example.com can simply issue certificates to cover any subdomain of it, for example: site4.example.com. This can be done by using what’s known as a wild card certificate, you can cover all subdomains of example.com at once by vouching for *.example.com. (The *character is what’s known as a wildcard and stands for any text you like).
But lots of WordPress users have brought their own domain names to the WordPress ecosystem in order to make them more unique to the site, such as mysite.blog.com. However, WordPress are looking to change things up. They are looking to provide HTTPS to all of their customers' sites that are hosted on WordPress, whether they are using *.wordpress.com or a custom domain name of their own.
Better yet, if one of your readers tries to connect via HTTP, they will automatically be redirected to a more secure HTTPS connection. Providing secure connections for all!
WordPress brings HTTPS for free That’s why we were pleased to see WordPress’s recent announcement that all sites hosted on WordPress.com would now start using HTTPS. You won’t need to pay a CA for a certificate, or install the certificate yourself, or worry about what happens if the certificate expires, or even to apply for the certificate yourself. WordPress will take care of that for you, using a project called Let’s Encrypt that tries to remove the hassle (and the per-certificate cost) from using HTTPS