In a previous post I alluded to addressing how to secure a website. Well, the day has come. In this post I will discuss how to secure your WordPress website using HTTPS and SSL.
HTTP vs. HTTPS
So what is the difference between http and https? The https version encrypts the traffic between the user and the server, so someone trying to spy on you (say, on public Wi-Fi) wouldn’t see the data. Think of it like a cable that is plugged into some outlets. You can easily see the cable and what it looks like. That is http. Now take that same cable and run it through conduit, so you know it’s there, you just don’t know anything about it. That is https; it prevents unauthorized users from seeing the data transfer.
Who Should Use HTTPS
If your site asks for any sensitive information (passwords, credit card numbers, birthdays, social security numbers, etc.) you should secure your website. I am of the school of thought that if any part of your website has sensitive data, you protect the entire site. So if you are on WordPress or some other CMS, you need it. This is because you will need to log in, and the fact that you have a username / password means you should run over https and use SSL.
In the last year or so the major browsers have also been cracking down. If a website loads over http instead of https, the browsers are starting to flag it as insecure, and this will hurt your SEO rankings. So for all practical purposes every site should use https and SSL, not just sites that pass sensitive information.
How To Do It
So how do you actually make that happen in WordPress? Open your WordPress dashboard, then under Settings click General. Under General you will find an area with your domain (2 versions actually). Ensure that both begin with https like the screenshot below.
In this screenshot you can see that the WordPress Address and Site Address both begin with https. It works identically in both www and non-www versions.
The second layer of security is SSL, or Secure Sockets Layer. This you get from your hosting provider. With SSL your site is issued what is called a certificate, which has information about the site, the issuer, etc. that the user can view and confirm before they enter sensitive data. You can view the certificate by clicking the lock next to the URL in your browser.
There are multiple levels of SSL and the product you need depends on how many sites you want to cover and how much detailed information you want it to show. For example, a major shopping site like Amazon would show a lot of details about the company on their certificate whereas a personal blog like this site has a certificate, but the details are mostly my domain and little else.
However, every certificate will have a bunch of info about the issuing agency, like who they are, when the certificate is valid, etc. Just click the SSL or Security section of your hosting provider and they will assist you. It’s really not very hard to do.
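To check those certificate details without clicking through the browser, here is an added example (not part of the original post) that reads the same fields with Python's standard library: the site, the issuer, the covered names and the validity window. `SAMPLE_CERT` is constructed data with placeholder names (`example.com`, "Example CA"); `fetch_cert` is the call you would point at your own domain.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Connect over TLS and return the validated certificate as a dict."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _flatten(name):
    """getpeercert() gives names as nested tuples; turn them into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def _parse(cert_time):
    """Convert a certificate timestamp string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def summarize_cert(cert, now=None):
    """Pull out the fields the browser shows behind the lock icon."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    subject, issuer = _flatten(cert["subject"]), _flatten(cert["issuer"])
    return {
        "site": subject.get("commonName"),
        "organization": subject.get("organizationName"),  # None on a domain-only cert
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "valid_now": not_before <= now <= not_after,
        "days_left": (not_after - now).days,  # negative once expired
    }

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    for when in (datetime(2024, 3, 1, tzinfo=timezone.utc),
                 datetime(2024, 4, 15, tzinfo=timezone.utc)):
        print(when.date(), summarize_cert(SAMPLE_CERT, now=when))
```

For a live check, call `summarize_cert(fetch_cert("your-domain"))`; a certificate that fails validation raises `ssl.SSLCertVerificationError` instead of returning.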
To summarize, to run a website securely you need to both load the traffic over https and install an SSL certificate on your domain. That will protect your users from getting their information stolen, which is in your best interest.