In a previous post I alluded to addressing how to secure a website.  Well the day has come. In this post I will discuss how to secure your WordPress website using HTTPS and SSL.

Security

HTTP vs. HTTPS

So what is the difference between HTTP and HTTPS?  HTTPS is HTTP carried over an encrypted TLS connection (TLS is the successor of SSL; hosting control panels still use the two names interchangeably). It does three things: it encrypts the traffic between the browser and the server, so someone spying on the network (say at a public Wifi hotspot) can see which site you are talking to but not the pages, passwords or form fields; it stops that person from altering the traffic on its way; and it lets the browser check, through the site's certificate, that it is really talking to your server and not an impostor. Think of it like a cable that is plugged into some outlets. You can easily see the cable and what runs along it. That is HTTP. Now take that same cable and run it through conduit: you know it's there, you just can't see or tamper with what is inside. That is HTTPS.

Who Should Use HTTPS

If your site asks for any sensitive information (passwords, credit card numbers, birthdays, social security numbers, etc.) you should secure your website. I am of the school of thought that if any part of your website has sensitive data, you protect the entire site. So if you are on WordPress or some other CMS, you need it, because you have to log in to manage it: the username and password you type into wp-login.php, and the admin cookie the browser sends with every request after that, travel over the network in the clear unless the site runs over HTTPS, and anyone on the same Wifi or anywhere along the path can read them and walk straight into your dashboard.

In the last year or so the major browsers have also been cracking down. Chrome now labels every page loaded over plain HTTP as "Not secure" in the address bar, Firefox warns on HTTP pages that contain a password field, and Google has said it treats HTTPS as a (small) ranking signal, so staying on HTTP also hurts your SEO. For all practical purposes every site should use HTTPS with a certificate, not just sites that handle sensitive information.

How To Do It

So how do you actually make that happen in WordPress? First make sure a certificate is installed for your domain and that the site already answers at https://yourdomain (see the SSL section below; your hosting provider's control panel does this part). Only then open your WordPress dashboard, go to Settings, then General. Under General you will find two URL fields, WordPress Address (URL) and Site Address (URL). Change both so that they begin with https, like the screenshot below. If you change them before HTTPS is actually working you will lock yourself out of the dashboard; the way back in is to set the WP_HOME and WP_SITEURL constants in wp-config.php, which override those two fields.

[Screenshot: WordPress Settings > General, with WordPress Address (URL) and Site Address (URL) both beginning with https]

In this screenshot you can see that both the WordPress Address and the Site Address begin with https. It works the same whether you use the www or the non-www form of your domain; just use the same one in both fields. Two follow-ups finish the job. Add a redirect from http to https on the server (most hosts have a "force HTTPS" switch, or you add a rewrite rule to .htaccess) so old links and bookmarks still land on the secure version. Then check your pages for images, scripts and stylesheets that are still referenced with hard-coded http:// URLs, usually in old posts; browsers treat those as "mixed content" and will either block them or take away the padlock.
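A small scanner for that last step, as an added example that is not code from the original post. It reads an HTML page, lists every subresource still loaded over plain http, and rewrites the ones on hosts you control to https while leaving third-party hosts for a manual decision. The sample page, the hostnames example.com and cdn.example.net, and the set of attributes it inspects are all constructed here for illustration.

```python
"""Find and fix mixed content after switching a WordPress site to HTTPS.

Added example, not code from the original post. Once the two address
fields point at https://, any page that still references a script,
stylesheet, image, iframe or form action by a hard-coded http:// URL
(old posts with absolute image links are the usual culprit) is "mixed
content": browsers block the resource or drop the padlock. This scanner
lists such references and rewrites the ones on hosts you control.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that fetch a subresource or submit data. A navigation link
# (<a href>) is not mixed content, so it is deliberately not listed.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "form": ("action",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Constructed sample page: a site that moved to https://example.com but
# still has absolute http:// links in its theme and in an old post.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2018/photo.jpg" alt="">
<img src="http://cdn.example.net/hero.jpg" srcset="http://cdn.example.net/hero-2x.jpg 2x">
<form action="http://example.com/wp-comments-post.php" method="post"></form>
<a href="http://example.com/about/">About</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every plain-http subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                url = cand.split()[0] if cand.strip() else ""
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html, own_hosts):
    """Rewrite http:// references on hosts we control to https://.

    Third-party hosts are left untouched: blindly upgrading them breaks
    the page if that host does not serve HTTPS, so they are only reported
    by find_mixed_content and need a manual decision.
    """
    urls = {url for _, _, url in find_mixed_content(html)
            if urlsplit(url).hostname in own_hosts}
    # Longest first so a URL that is a prefix of another is not clobbered.
    for url in sorted(urls, key=len, reverse=True):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}> {url}")
    fixed = upgrade_to_https(SAMPLE_PAGE, {"example.com"})
    print("still insecure after rewrite:", find_mixed_content(fixed))
```

On the sample page it reports five insecure references, rewrites the three on example.com, and leaves the two on cdn.example.net in the report; on a real site you would run it against the saved HTML of your busiest pages, or do the same URL rewrite in the database with a search-and-replace tool that understands WordPress's serialized options.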

SSL

The second piece is the certificate, which is what most hosting panels still label "SSL" even though the protocol actually in use today is TLS. It is not a separate layer from HTTPS; it is what makes HTTPS work. SSL does not issue anything: a certificate authority (CA) issues the certificate, and your hosting provider requests it on your behalf (many now do this for free through Let's Encrypt). The certificate ties your domain name to a public key and names the CA that vouched for it, and the browser checks it automatically on every connection; the user can also view it by clicking the lock next to the URL before entering sensitive data.

There are multiple levels of certificate, and the product you need depends on how many hostnames you want to cover (one name, a wildcard for every subdomain, or a list of names) and how much verified information you want it to carry. A domain-validated (DV) certificate only proves control of the domain, which is why a personal blog like this site has a certificate whose details are mostly my domain and little else. Organization-validated (OV) and extended-validation (EV) certificates add the verified legal name of the company, which is what a major shopping site like Amazon shows. All three encrypt the traffic equally well; the extra validation is about identity, not stronger encryption.

However, every certificate, whatever the level, shows who issued it and the dates between which it is valid. Once it expires browsers refuse the connection outright, so note the renewal date or make sure your host renews it automatically. To get one, just click the SSL or Security section of your hosting provider's control panel and they will walk you through it; it's really not very hard to do.


To summarize: to run a website securely you need to both install a certificate on your domain and serve all of the traffic over HTTPS, redirecting plain-HTTP requests to it.  That protects your users from having their information stolen in transit, which is in your best interest.

Resources

Security Fundamentals



User Experience or UX is a term tossed around in the web development world.  In this post, I will explain what I feel that User Experience is and what it is not.

What User Experience Is Not

User Experience is not the design.  You can have a great design and a lousy user experience.  Conversely, you can have a very simple design and a great user experience.  This is because the user experience is not the design.  Now, the design is part of it, but the design is only one aspect of it.  Unfortunately, I see way too many websites where it is very obvious that the developers were very concerned about how it looked (the design) but not much else: the site is really pretty, but it was really hard to find what I wanted.

What User Experience Is

If you want a good example of a great user experience look at the Disney Parks.  There are many entertainment options that cost way less, so why do people still pay big bucks and flock from all over the world to go to Disney?  Because they provide a great experience from the moment you arrive to the moment you leave.

I define user experience as the ability of the user to interact with the product in an easy and enjoyable way.  The following items are key to a good user experience:

  1. Relevant Content.  If the content is relevant users will love the experience.  If it is really out of date your site won't do so well.  I've seen businesses that have blogs where the latest post is from 2 years ago.  That makes for a bad experience.  Conversely, Amazon.com is a great user experience.  Their products are easy to find, it's easy to check out and you get the item really quickly (and you can see the order status at any time).
  2. Clear Navigation. If it is really hard for users to find what they are looking for they leave and go elsewhere.  It is that simple.  My rule of thumb is this: if it takes more than 3 clicks from the homepage to find the page they are looking for, then it is not a good user experience.  Move those items into a menu item accessible from the home page.
  3. Mobile Friendly. Way too many sites aren't mobile friendly at all.  If you want to stand out make yours mobile friendly.  I have found that only about 20% of the websites I view are mobile friendly.  Also, on the mobile site don't try to load everything you would on the desktop site.  You wouldn't try to fit all the furniture from a 5 bedroom house into a 2 bedroom condo, so don't try to load everything from a desktop site on a mobile site.
  4. Security.  People want to feel safe.  If they go to your site and it is not secured correctly, they will leave (especially if they are buying). It is really easy to run a secure site: install an SSL certificate and serve the site over HTTPS.  Read this post to learn more.  Make sure your site is secure and it will help people feel safe and comfortable on your site.

 

So put yourself in the user's shoes.  If you went to your own website, would it be a good experience or would you leave?  If you would leave, then go change it so people don't want to leave.  If you wouldn't leave, keep doing what you are doing…you are on the right track.


The bad news is that your organization's website is at risk, because they all are. There are plenty of people out there with devious intentions whose aim is to embarrass you and steal your and your users' information.  I have seen many variations of this in my time as a developer, some of them due to my lack of experience at the time.  In this article I will give you an overview of the most common ways you can protect yourself from threats.  I will expand on all of these topics in later posts but I wanted to start with an overview.  So let's begin.

Threat #1: Passwords

You have passwords for your website (if you are using a CMS like WordPress), email accounts, computers, FTP, social media accounts and more.  The easiest way to protect yourself is to have strong passwords.  An example of a weak password is something like: password123.  Now I have not personally seen a password this weak, but in my time I have seen passwords almost as weak.  What you are aiming for is a strong combination of uppercase, lowercase, digits and special characters.  The longer the better.  As an example our weak password from above, password123, could be made somewhat more secure if it were pa$sWord123.  However, I still wouldn't use that.  It's still too obvious: swapping a $ for an s or a 0 for an o is the first trick every password-cracking tool tries, so a dictionary word with substitutions and a number on the end falls almost as fast as the plain word.  Length and unpredictability matter more than the mix of characters; four or five unrelated words strung together beat one mangled word.  Also use a different password for each of those accounts, so a password leaked from one site does not open your email and your FTP as well, and let a password manager remember them for you.
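To show concretely why pa$sWord123 does not help, here is an added example, not code from the post: a checker that first undoes the substitutions a cracking rule would apply and only then asks whether what is left is a common word. The wordlist, the substitution table and the thresholds are constructed for illustration; a real check would load a leaked-password list.

```python
"""Why pa$sWord123 is still a weak password: an added example, not code
from the original post.

Password-cracking tools do not guess one character at a time. They take a
wordlist and apply "rules": capitalise a letter, swap a for @, s for $,
o for 0, append a few digits or a symbol. So the check below undoes those
rules first and only then asks whether what is left is a common word. The
character-class rule that most sites enforce is not checked at all, because
it is exactly the rule pa$sWord123 satisfies while still being trivial to crack.
"""
import math
import re

# Constructed mini wordlist. A real check loads a leaked-password list
# (the "rockyou" list or a top-10,000 list) instead of these few words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "monkey", "dragon", "football", "iloveyou", "sunshine"}

# The usual leet substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.]+$")


def normalise(password):
    """Undo cracking-rule decorations: lower-case, drop a trailing run of
    digits/symbols (the '123' or '!'), then map leet characters to letters."""
    base = password.lower()
    base = TRAILING_JUNK.sub("", base)
    return base.translate(LEET)


def brute_force_bits(password):
    """log2 of the search space a pure brute-force attack would face.
    An upper bound only; it says nothing about dictionary attacks."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def problems(password, min_length=12):
    """Return the reasons a password is weak; an empty list means it passed."""
    found = []
    base = normalise(password)
    if base in COMMON_WORDS:
        found.append(f"'{base}' with substitutions is in every cracking wordlist")
    elif any(word in base for word in COMMON_WORDS if len(word) >= 6):
        found.append("built around a common word")
    if len(password) < min_length:
        found.append(f"shorter than {min_length} characters")
    if len(set(password)) < 5:
        found.append("too few distinct characters")
    return found


if __name__ == "__main__":
    for pw in ["password123", "pa$sWord123", "P@ssw0rd!",
               "pelican-orbit-quartz-ladder"]:
        verdict = problems(pw) or ["ok"]
        print(f"{pw:30} ~{brute_force_bits(pw):3.0f} bits brute force; "
              + "; ".join(verdict))
```

Run it and pa$sWord123 scores more brute-force bits than password123 yet is rejected for the same reason, because both normalise to "password"; the four-word passphrase passes with no special characters at all.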

Threat #2: Insecure Sites

The second threat is an insecure site, specifically yours.  What you need to do is never enter any sensitive data into a website that is not running on HTTPS with a valid security certificate (the browser shows the lock with no warning; if you click through a certificate warning you have given up the protection).  And by sensitive data I mean passwords, credit card numbers, driver's license number, social security number or anything you don't want made public.  You should be running your site over HTTPS rather than HTTP because HTTPS encrypts the data between the client (your device) and the server, which makes it much more difficult to steal or tamper with on the way.  Fortunately, running over HTTPS is not hard to do and I'll show you how in a later post.

Threat #3: External Threat

The external threat is those individuals with malicious intent who aim to cause harm to your website and to your organization.  There are too many varieties to list, but the best things I recommend are related to your website setup. The first is to purchase and run anti-malware software on your web host, which scans the site's files for injected code.  This is essentially the hosting equivalent of anti-virus software for your computer.  The second is to run security plugins on your website that are tuned to detect threats such as a brute force attack (thousands of password guesses fired at wp-login.php or xmlrpc.php) and lock the attacker out after a handful of failures.  Whatever else you do, keep WordPress itself and every plugin and theme updated: a known bug in an outdated plugin is one of the most common ways in, and no scanner will save you from it.
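What such a plugin does is a simple count, and you can do the same by hand over the web server's access log. The following is an added example, not code from the post: it reads Apache-style log lines, counts login POSTs per client address inside a sliding window, and reports the addresses that exceed a threshold. The log lines, the addresses (from the reserved TEST-NET ranges) and the threshold and window are constructed assumptions; the rule that a successful wp-login.php POST answers with a 302 redirect while a failed one re-renders the form with a 200 is WordPress's normal behaviour.

```python
"""Spotting a brute-force attack on wp-login.php in the web server log.

Added example, not code from the original post; this is the kind of
check a "limit login attempts" plugin performs, done by hand over the
access log. The log lines are constructed (Apache "combined" format,
addresses from the TEST-NET ranges) and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Both endpoints accept credentials; xmlrpc.php is the one attackers use
# to try many passwords per request and the one most sites never need.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: one scripted guesser, one xmlrpc guesser, and a real
# user who mistypes once and then logs in.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2019:14:01:40 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
198.51.100.4 - - [10/Mar/2019:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.21"
198.51.100.4 - - [10/Mar/2019:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:14:02:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:05:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
""".splitlines()


def parse(line):
    """Return the fields we need from one log line, or None if it is not
    in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (time_first_flagged, attempts_in_window)} for every IP
    with more than `threshold` failed login POSTs inside `window`.

    Heuristic for "failed": WordPress answers a successful wp-login.php
    POST with a 302 redirect to /wp-admin/ and a failed one with 200
    (the form re-rendered with an error). xmlrpc.php answers 200 either
    way, so every POST to it counts.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == 302:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = (rec["ts"], len(q))
    return flagged


if __name__ == "__main__":
    for ip, (when, n) in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login POSTs by {when:%H:%M:%S}, block it")
```

On the sample it flags 203.0.113.7 at its sixth failure and 192.0.2.9 on the xmlrpc burst, and leaves the real user alone; a plugin does the same in real time and adds the lockout, and if nothing on your site uses xmlrpc.php, blocking it at the web server removes that second door entirely.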

Threat #4: Internal Threat

The internal threat is those individuals in your organization who can harm your site but do so unintentionally, not out of malice.  Typically these people accidentally break something they should not have been given access to in the first place.  This is an easy one to prevent.  Your administrator should limit user permissions so that users can edit what is necessary for them to perform their role and nothing more.  For example, if someone in your organization's only responsibility is posting articles, they should not have the ability to add and remove plugins, update themes, etc.  WordPress already ships with roles for exactly this: Contributor and Author for people who write, Editor for people who manage all of the content, and Administrator only for the one or two people who manage the site itself.  Handing out Administrator to everyone because it is easiest is how these accidents happen.
