WP Hosting Blog

Best practice WordPress hosting, development and management

July 20th, 2018 | Managing WordPress | By Rogier Lankhorst

WordPress Plugin: Secure Your WordPress Website With Really Simple SSL

Encrypting your data greatly increases the security of your WordPress website, and this can be done by getting an SSL certificate and installing the Really Simple SSL plugin.

SSL stands for Secure Sockets Layer, a technology used to establish an encrypted link between two systems, most commonly a web server and browser. An unencrypted (HTTP) connection sends data like usernames and passwords in plain text, making it easy for anyone to snoop on the data being sent to your website. Having an encrypted link makes it harder for hackers to obtain or alter any useful data.

In other words, SSL is a technology used to secure all kinds of data, like online payments, online communications and user passwords. It’s also common on web content like images and text. Although many users still think SSL certification is only needed for logins, webshops and the like, this is no longer the case. On unencrypted sites, hackers can set up a fake copy of the website and simply redirect traffic to their own site. You think you are browsing just another website, while in reality you’re visiting a malicious copy created by a hacker, with the danger of misinformation or viruses. If the website is on SSL, this becomes very difficult.

SSL and Google

A few years ago, Google announced that their goal was to move the entire internet to SSL to increase security on the world wide web. Shortly after that, Google added SSL as a ranking factor. This move from Google has had a great impact on the speed with which SSL is implemented. Additionally, Google Chrome increasingly shows warnings for non-SSL websites. Even a simple contact form will now show a warning sign that the user is at risk.

A website without SSL will therefore slowly drop in the rankings as other websites adopt SSL. At the same time, users will be directed away from non-SSL sites by Chrome and other browsers, warning them that the website is not secure. This effectively forces website owners to move to the secure version of Hypertext Transfer Protocol (HTTPS). It also means that you can improve ranking in a relatively simple way: by moving your site to SSL.

How this SSL plugin was born

About four years ago, I noticed that when obtaining an SSL certificate and moving a website to SSL, the WordPress plugins available at that time were all missing a part of the puzzle. My aim was to create a plugin which would handle everything in one click. That had been quite a challenge: There are lots of different server configurations, themes and plugins, which means there are many ways in which an SSL activation can go wrong. The site I started with went down because of additional memory usage, which immediately became my second goal: keep the plugin lightweight on the front-end. This has resulted in a plugin which I think is both lightweight and easy to use on 99% of the websites.

There’s also a premium plugin which scans the site for all issues that are not fixed automatically by the free version and offers several additional layers of security, like HTTP Strict Transport Security (HSTS) and secure cookies. HSTS sends a header to the browser indicating that the site should only be visited over https://, preventing regular HTTP requests. A hacker pretending to be the legitimate site won’t be able to do this if the site has HSTS or, even better, HSTS preload enabled. The secure cookie settings add extra security by only serving cookies over HTTPS and by protecting them against cross-site scripting attacks.

Screenshot by Really Simple SSL
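To check that the HSTS and secure cookie settings described above are actually reaching the browser, the response headers can be audited. The following is an added example, not code from the plugin; the header values and the cookie name are constructed samples, and the preload check assumes the published preload-list requirements (a max-age of at least one year plus includeSubDomains).

```python
# Constructed sample data below; this is an added example, not plugin code.
PRELOAD_MIN_AGE = 31536000  # one year, minimum for the HSTS preload list


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS value."""
    max_age, sub, preload = None, False, False
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            digits = token[len("max-age="):].strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif token == "includesubdomains":
            sub = True
        elif token == "preload":
            preload = True
    return max_age, sub, preload


def audit_headers(headers):
    """headers: list of (name, value) tuples from an HTTPS response."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        max_age, sub, preload = parse_hsts(hsts[0])
        if not max_age:  # absent, unparsable, or 0 (which switches HSTS off)
            findings.append("HSTS max-age missing or zero")
        elif preload and (max_age < PRELOAD_MIN_AGE or not sub):
            findings.append("preload set but preload requirements not met")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: {flag} flag missing")
    return findings


WEAK = [("Set-Cookie", "wordpress_logged_in_x=abc; Path=/")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "wordpress_logged_in_x=abc; Path=/; Secure; HttpOnly"),
]
if __name__ == "__main__":
    print(audit_headers(WEAK), audit_headers(HARDENED))
```
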

How Really Simple SSL works

Before you start, you need to get an SSL certificate for your WordPress website. In most cases, the hosting company can do this for you. When that’s done, install Really Simple SSL. If you have the premium add-on, run a scan before you click the “go ahead, activate SSL” button. This way you can make sure there are no hot-linked images, third party widgets or CSS or JS files with HTTP links left over on your site. Then you can click the button… and you’re done!

Screenshot by Really Simple SSL
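The kind of pre-activation check described above, looking for images, widgets, CSS and JS files still loaded over HTTP, can be sketched as follows. This is an added example and not the premium plugin's scanner; the tag list is an assumption about which elements load subresources, and the sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser

# Tags whose URL attribute loads a subresource into the page (assumed list).
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src",
}


class MixedContentScanner(HTMLParser):
    """Collects subresources that would still be fetched over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag in RESOURCE_ATTRS:
            url = attrs.get(RESOURCE_ATTRS[tag])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        # Protocol-relative (//host/...) and https:// URLs follow the page
        # scheme, and plain <a> links are navigation, so neither is flagged.
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url.strip()))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.org/">plain link, not a subresource</a>
<img src="http://images.example.net/banner.png">
<img src="//images.example.net/logo.png">
<iframe src="http://widgets.example.com/feed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in scan(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```
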

In the background, the plugin will run a quick check on the certificate, detect your server settings and, in some cases, add a fix to wp-config.php that WordPress needs to run smoothly on SSL. The home URL and site URL of the website will change to HTTPS, the mixed content fixer will activate, and a redirect to HTTPS will be enabled.

Wrapping up

Just switching your site to SSL does not mean that your WordPress website is fully secure. There are many other layers of security which should not be overlooked: use a unique, strong password or two-factor authentication, a reliable backup plugin and the latest version of WordPress. Find more ways to keep your digital account logins organized and secured while allowing Really Simple SSL, as your SSL checker, to auto-detect your settings and configure your website to run on HTTPS.

About the author

Rogier Lankhorst is a Dutch web developer from Groningen, Netherlands and founder of Really Simple SSL, Really Simple Plugins and co-founder of Complianz GDPR, a tool to make a website GDPR compliant in the same easy way as Really Simple SSL.

Follow Really Simple Plugins and Rogier on Twitter, Facebook, LinkedIn and Google+.