In a previous post I alluded to addressing how to secure a website.  Well the day has come. In this post I will discuss how to secure your WordPress website using HTTPS and SSL.

Security

HTTP vs. HTTPS

So what is the difference between HTTP and HTTPS? Well, the HTTPS version encrypts the traffic between the user and the server, so someone trying to spy on you (say, on public Wi-Fi) wouldn’t see the data. Think of it like a cable that is plugged into some outlets. You can easily see the cable and what it looks like. That is HTTP. Now take that same cable and run it through conduit: you know it’s there, you just don’t know anything about it. That is HTTPS; it prevents unauthorized users from seeing the data in transit.

Who Should Use HTTPS

If your site asks for any sensitive information (passwords, credit card numbers, birthdays, social security numbers, etc.) you should secure your website. I am of the school of thought that if any part of your website has sensitive data, you protect the entire site. So if you are on WordPress or some other CMS, you need it. This is because you will need to log in, and the fact that you have a username and password means you should run over HTTPS and use SSL.

In the last year or so the major browsers have also been cracking down. If a website loads over HTTP instead of HTTPS, the browsers are starting to flag it as insecure, and this will hurt your SEO rankings. So for all practical purposes every site should use HTTPS and SSL, not just sites that pass sensitive information.

How To Do It

So how do you actually make that happen in WordPress? Open your WordPress dashboard, then under Settings click General. Under General you will find an area with your domain (two versions, actually). Ensure that both begin with https, like the screenshot below.

WordPress HTTPS

In this screenshot you can see that both the WordPress Address and the Site Address begin with https. It works identically for www and non-www versions.

SSL

The second layer of security is SSL, or Secure Sockets Layer. This you get from your hosting provider. With SSL you get what is called a certificate, which has information about the site, the issuer, etc. that the user can view and confirm before they enter sensitive data. You can view the certificate by clicking the lock next to the URL in your browser.

There are multiple levels of SSL and the product you need depends on how many sites you want to cover and how much detailed information you want it to show. For example, a major shopping site like Amazon would show a lot of details about the company on their certificate whereas a personal blog like this site has a certificate, but the details are mostly my domain and little else.

However, every certificate will have a bunch of info about the issuing agency, like who they are, when the certificate is valid, etc. Just click the SSL or Security section at your hosting provider and they will assist you; it’s really not very hard to do.


To summarize, to run a website securely you need to both load the traffic over HTTPS and install an SSL certificate on your domain. That will protect your users from getting their information stolen, which is in your best interest.

Resources

Security Fundamentals


The bad news is that your organization’s website is at risk, because they all are. There are plenty of people out there with devious intentions whose aim is to embarrass you and steal your and your users’ information. I have seen many variations of this in my time as a developer, some of them due to my lack of experience at the time. In this article I will give you an overview of the most common ways you can protect yourself from threats. I will expand on all of these topics in later posts, but I wanted to start with an overview. So let’s begin.

Threat #1: Passwords

You have passwords for your website (if you are using a CMS like WordPress), email accounts, computers, FTP, social media accounts and more. The easiest way to protect yourself is to have strong passwords. An example of a weak password is something like: password123. Now I have not personally seen a password this weak, but in my time I have seen passwords almost as weak. What you are aiming for is a strong combination of uppercase, lowercase, digits and special characters. The longer the better. As an example, our weak password from above, password123, could be made somewhat more secure if it were pa$sWord123. However, I still wouldn’t use that. It’s still too obvious.
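The point above, that pa$sWord123 mixes all four character classes yet is still just "password123" with substitutions, is easy to miss in a checker that only counts character classes. The following is an added example (not code from the post) of a strength check that also normalises common substitutions and compares against a small constructed wordlist; the 12-character minimum and the wordlist are assumptions for illustration.

```python
import re

# Constructed stand-in for the large dictionaries a real checker would load.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty"}

# Common symbol/digit substitutions, mapped back to the letter they imitate.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                          "3": "e", "5": "s", "!": "i"})

def char_classes(pw):
    """Count how many of upper / lower / digit / special the password uses."""
    classes = 0
    for pattern in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes

def based_on_common_word(pw):
    """True if, after lowercasing, dropping a trailing run of digits/symbols
    and undoing substitutions, the password is a dictionary word."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())   # "pa$sword123" -> "pa$sword"
    return core.translate(LEET_MAP) in COMMON_WORDS  # "pa$sword" -> "password"

def assess(pw, min_length=12, min_classes=3):
    """Return ("ok"|"weak", [reasons]); minimums are assumed policy values."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if char_classes(pw) < min_classes:
        reasons.append("fewer than %d character classes" % min_classes)
    if based_on_common_word(pw):
        reasons.append("dictionary word with substitutions")
    return ("weak" if reasons else "ok", reasons)
```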

Threat #2: Insecure Sites

The second threat is an insecure site, specifically yours. What you need to do is never enter any sensitive data into a website that is not running on HTTPS with a valid security certificate. And by sensitive data I mean passwords, credit card numbers, driver license numbers, social security numbers or anything you don’t want to be made public. You should be running your site over HTTPS rather than HTTP because HTTPS encrypts the data between the client (your device) and the server, which makes it much more difficult to steal. Fortunately, running over HTTPS is not hard to do and I’ll show you how in a later post.

Threat #3: External Threat

The external threat is those individuals with malicious intent who intend to cause harm to your website and to your organization. There are too many varieties of this to mention, but the best things I recommend are related to your website setup. The first is to purchase and run anti-malware software on your web host. This is essentially the hosting equivalent of anti-virus software for your computer. The second is to run security plugins on your website that are finely tuned to detect threats such as a brute force attack.
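To show what "detecting a brute force attack" against a WordPress login amounts to, here is an added example (not from the post or any plugin) that scans constructed web-server access log lines for repeated failed POSTs to wp-login.php from one address. It assumes the usual WordPress behaviour that a failed login re-renders the form with a 200 while a successful one answers with a 302 redirect; the threshold and window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache-style, trimmed). 203.0.113.7 hammers the login
# form; 198.51.100.4 is a normal user who opens the form and logs in once.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(lines):
    """Map ip -> list of timestamps of POSTs to wp-login.php that returned 200,
    i.e. the form was re-rendered instead of redirecting (assumed failure signal)."""
    failures = defaultdict(list)
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failures[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return failures

def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return IPs with at least `threshold` failures inside any `window_seconds` span."""
    flagged = []
    for ip, times in failed_logins(lines).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_seconds):
                flagged.append(ip)
                break
    return flagged
```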

Threat #4: Internal Threat

The internal threat is those individuals in your organization who can harm your site but do so unintentionally and not out of malicious intent. Typically these people accidentally break something they should not have been given access to in the first place. This is an easy one to prevent. Your administrator should limit user permissions so that users can edit what is necessary for them to perform their role and nothing more. For example, if someone in your organization’s only responsibility is posting articles, they should not have the ability to add and remove plugins, update themes, etc.
