Menu

The hostingHosting A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their website accessible via the World Wide Web. team works to improve WordPress’ end-user experience across hosting environments through industry collaboration and user education.

Want to contribute? Come join us!

The team meets in the #hosting SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/. channel each week on Wednesday at 0900 UTC and 1800 UTC. Check out local times at make/meetings.
Contribute automated test results from your hosting environment, and help build the test runner and results page!
See more details about ongoing projects on the Team Projects page.

Learn more about hosting WordPress in the handbook. Feel free to bring up recommendations for changes and additions in Slack!

John Blackbourn 15:17 on 2026-01-28

Should 1024-bit certificates be removed from the root certificate bundle?

The root security certificate bundle in WordPress coreCore Core is the set of software required to run WordPress. The Core Team builds WordPress. still includes some 1024-bit certificates to provide support for what appears to be a narrow range of buggy OpenSSL versions that have been unsupported since 2016. In https://core.trac.wordpress.org/ticket/64063 there is a proposal to remove them from the bundle.

Does anyone know of a reason these certificates should be retained? As far as I understand this really only affects CentOS 7 which is EOL since 2024.

If there’s no objection then I’ll remove them next week (ready for WordPress 7.0 in April).

Jonathan Desrosiers 15:30 on 2026-01-28

+make.wordpress.org/core/
- David Anderson / Team Updraft 10:22 on 2026-01-29
  
  I’m not making an argument either for keeping or removing them, but, just to note that whilst CentOS 7 is EOL from the supplier, extended support is available from other vendors. For example, if you’re running cPanel on CentOS 7, then cPanel provide this automatically (as a chargeable service, which they apply automatically unless you opt-out). So there are still people using supported CentOS 7 installations.
Javier Casares 05:47 on 2026-01-31

This situation feels very similar to how WordPress has historically handled old PHPPHP PHP (PHP: Hypertext Preprocessor) is a general-purpose scripting language especially suited to web development. PHP code is usually processed on a web server by a PHP interpreter. On a web server, the result of the interpreted and executed PHP code would form the whole or part of an HTTP response. versions.

When usage drops below a small threshold (e.g. ~5%), the project has not hesitated to raise minimum requirements, even knowing that some legacy or extended-support systems would be affected. The rationale has consistently been that maintaining compatibility with outdated and insecure components is not sustainable long-term.

In this case, requiring certificates to be at least 2048-bit seems reasonable and appropriate, regardless of operating system or distribution. 1024-bit certificates are no longer considered secure, and keeping them in the root bundle primarily exists to accommodate very old TLSTLS Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and web browsers. stacks.

If CentOS 7 (or similar environments) still relies on this for historical or extended-support reasons, it likely already has other significant limitations — for example, outdated PHP versions or TLS behavior that WordPress has already deprecated or dropped support for. From that perspective, retaining weaker certificates in coreCore Core is the set of software required to run WordPress. The Core Team builds WordPress. does not really solve the underlying problem.

Deprecating and removing 1024-bit certificates would be consistent with WordPress’ broader approach: encourage platform modernization rather than preserving insecure compatibility indefinitely.

Share this:

Site resources