Using SSL & HTTPS for Your WordPress site?

Sharing information on the internet is common, and we hardly give it a second thought. Every day, we share our personal information over websites or on other platforms. This sharing can be in the form of paying for bills/services using a credit card, sharing addresses, emails or even grocery shopping.

As a website owner, keeping this information confidential and up to the relevant security standards is a huge responsibility, and that is where SSL comes in. The purpose of SSL is to protect the information that users share online and to prevent it from being misused by the wrong person.

The way SSL works is simple. SSL encrypts the information that is passed from the site’s server to the browser, so that it does not remain viewable as plain text. This means that the text is turned into random, illegible numbers and letters rather than readable words.

Why is Secure Socket Layer (SSL) important?

The importance of protecting user information on the internet can be seen from the fact that in 2016, Google announced that it would boost the search ranking of websites using SSL. While you could see a 1% increase at that time, the search engine planned to increase the boost over time - giving everyone a fair chance to switch over! Another reason is that if a user is required to provide personal information such as their address, name, credit card details, etc., on your website, then you need SSL protection. Otherwise, you are more likely to compromise the user’s information.

Creating a Secure SSL Connection:

To create a protective SSL connection on your website, you need to get an SSL certificate from an issuing company known as a Certificate Authority. Once the purchase is made, company and website details such as your address, name and phone number are provided to the authority. The site owner, in turn, receives a private and public key. While the public key need not be kept hidden, the private key – much like a password – must not be shared with anyone.

Just like a matching lock and key, these are simple strings of cryptic numbers and letters that mathematically and distinctly match each other. Typically, they are built by a Secure Hash Algorithm. Later, the public key is submitted to the authority, along with the information you entered previously, in a file known as a Certificate Signing Request. The authority then checks the accuracy of the information through verification. It also ensures that you are not a hacker or scammer. Once things are clear, the SSL certificate is signed, using an SHA.

As soon as the SSL certificate is issued, the website becomes eligible to use an SSL-encrypted connection. Hence, as the user visits an SSL protected site, the server matches the private key with the SSL certificate. If the combination fits together, an encrypted link is established between the user and their browser, and the site and its server.
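
The commands below are an added example, not part of the original article: they walk through the key, CSR and certificate steps with OpenSSL and check whether a private key and a certificate belong together. The domain www.example.test, the file names and the self-signing stand-in for the CA are assumptions.

```shell
#!/bin/sh
# Added example: www.example.test and all file names are constructed.

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 2   # unreadable input must never count as a match
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when both files carry the same public key.
same_key() {        # usage: same_key TYPE_A FILE_A TYPE_B FILE_B
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

new_key() {         # 2048-bit RSA private key written to file $1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Recreate the steps described above inside directory $1.
make_demo_files() {
    ( umask 077     # private keys are readable by their owner only
      new_key "$1/site.key" && new_key "$1/other.key" ) || return 1
    # CSR: the public key plus the site details, signed with the private key.
    openssl req -new -key "$1/site.key" -subj "/CN=www.example.test" \
        -out "$1/site.csr" 2>/dev/null || return 1
    # Stand-in for the CA's reply; a real CA signs with its own key instead.
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 90 \
        -sha256 -out "$1/site.crt" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" || exit 1
same_key key "$demo_dir/site.key" cert "$demo_dir/site.crt" &&
    echo "site.key belongs to site.crt"
same_key key "$demo_dir/other.key" cert "$demo_dir/site.crt" ||
    echo "other.key does not belong to site.crt"
```

Running the same comparison against the certificate a CA sends back, before installing it, catches the case where the wrong key file was kept.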

Appearance of an SSL protected website

Instead of the default prefix http, the prefix ‘https’ will appear at the start of the URL. Moreover, the green padlock displayed in the browser’s address field also indicates an SSL protected site. However, if a site has purchased an extended validation SSL Certificate, the address bar will turn entirely green OR will show the name of the company (with a green background, appearing before the URL). Typically, an extended validation certificate offers additional security. This certificate is issued once the company undergoes and passes a much more detailed application process. On top of the standard requirements, the company is further asked to provide proof of its legal operation and physical address.

Using SSL with Your WordPress based website

The ready SSL Certificate can also be used with a WordPress site. However, before you make any further changes, you must back up the entire site so that you do not lose everything in case you make a wrong move.

The steps discussed below apply to both single and multi-site installations. First, add the following line to your wp-config.php file. It forces both logins and access to the WordPress admin area to use SSL.
define('FORCE_SSL_ADMIN', true);
Ensure it is placed just above the line that says:
/* That's all, stop editing! Happy blogging. */

The next step is to set up a 301 redirect, so that website visitors are automatically redirected to your SSL secured site using https rather than http. If the .htaccess file does not exist already, create a new one; if it does, edit the existing one and place the code above everything that is already there.
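<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Permanent (301) redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L]
</IfModule>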

When you place the code, don’t forget to edit the domain and server port correctly. Now it is time to test your efforts: visit the URL of your site, and if you see a green padlock next to the URL, you have successfully set up the SSL Certificate.

When does your SSL stop working?

If an SSL Certificate becomes invalid, is self-signed or has expired, the padlock either turns red or sometimes gets a line through it. To renew the encryption, the site owner must get the SSL certificate renewed through the authority once it has expired. To keep security seamless throughout, your best choice is not to let the certificate expire and to renew it in time.

Self-signed certificates

If you are using a self-signed certificate, it means you have applied for one and have issued the certificate yourself. You did not go through a Certificate Authority, and the authority did not validate you or the certificate. To keep the distinction, many browsers only trust SSL Certificates that are issued by a trusted authority, and otherwise the browser displays a warning on every site that is using a self-signed certificate. Therefore, it is important that you only go for a high-ranking Certificate Authority. Otherwise, your site might still be recognized as using a self-signed certificate. However, your SSL Certificate may become invalid for many other reasons as well, such as outdated SHA encryption.

Another reason for an SSL certificate to become invalid is when the browser fails to verify the certificate of authority. This usually happens when the certificate’s domain name does not match the actual site that uses it. The best way to go about these issues is to update the certificate with the authority and to follow its instructions.
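
As an added example (not from the original article), this shell function checks a certificate file for the problems described above: expiry, self-signing and a domain name mismatch, plus a SHA-1 signature. The sample certificates, host names and the 30-day renewal window are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: host names, file names and the 30-day window are assumptions.

# Print one line per problem found in certificate file $1 when used for host $2.
cert_problems() {
    cert=$1 host=$2 window=$((30 * 86400))
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "unreadable"; return 0; }
    # Expired already, or close enough that renewal is due?
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"
    elif ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "renew-within-30-days"
    fi
    # Issuer identical to subject: no Certificate Authority vouches for it.
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" != \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] || echo "self-signed"
    # The certificate must cover the domain the visitor actually requested.
    openssl x509 -in "$cert" -noout -checkhost "$host" |
        grep -q "does match" || echo "hostname-mismatch"
    # An outdated SHA-1 signature is another reason browsers reject it.
    openssl x509 -in "$cert" -noout -text |
        grep -qi "Signature Algorithm: sha1" && echo "sha1-signature"
    return 0
}

new_req() { openssl req -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }

# Constructed samples in directory $1: a self-signed 7-day certificate and a
# 365-day certificate issued by a throwaway test CA.
make_samples() {
    new_req -x509 -days 7 -subj "/CN=www.example.test" \
        -keyout "$1/self.key" -out "$1/self.crt" &&
    new_req -x509 -days 365 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" &&
    new_req -new -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/leaf.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir" || exit 1
echo "self.crt: $(cert_problems "$dir/self.crt" www.example.test | tr '\n' ' ')"
echo "leaf.crt: $(cert_problems "$dir/leaf.crt" shop.example.test | tr '\n' ' ')"
```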

Hashing

Hashing uses a set of mathematical rules to convert information written as characters into a key of a shorter size. To keep security high, you need more robust hashing as technology advances. Of the many versions of SHA, SHA0 is no longer usable, and SHA1 has already been phased out by the majority of browsers, including Internet Explorer. Google Chrome announced that it would issue warnings after January 1, 2016, for all sites that were still using SHA1 by that time. Later the encryption standard of SHA2 was also somewhat discontinued in favor of encryption standard SHA3.

The Yellow padlock

If you notice a mini yield sign with a padlock, it shows that the links of your site refer to some unsecured page. Therefore, make sure that the menu items, all the images, and links use ‘https’ in their URLs. If you would like to know the source of an invalid certificate, use the free tool Why No Padlock. It promptly informs you of the particular problem that may be present, including in scripts or images.
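
A quick way to find such references yourself, as an added example that is not part of the original article: the function below lists plain-http URLs in a saved copy of a page. The sample page and its example.test URLs are constructed, and the list of tags to flag is an assumption.

```shell
#!/bin/sh
# Added example: the sample page and the example.test URLs are constructed.

# Pull the plain-http URL out of src/href/action/poster attributes on stdin.
http_urls() {
    grep -oiE "(src|href|action|poster)=[\"']?http://[^\"' >]+" |
        sed -E "s/^[^=]+=[\"']?//"
}

# Report every plain-http reference in HTML file $1, one per line:
#   resource URL  - fetched while the page renders, so it affects the padlock
#   link URL      - an anchor such as a menu item that should move to https
# <link> tags that are not stylesheets are reported as resources too.
insecure_refs() {
    page=$(tr '\n' ' ' < "$1") || return 2
    embeds='img|script|iframe|link|source|video|audio|embed|form'
    printf '%s\n' "$page" | grep -oiE "<($embeds)[[:space:]][^>]*>" |
        http_urls | sed 's/^/resource /'
    # Inline CSS can pull in images too: url(http://...)
    printf '%s\n' "$page" | grep -oiE "url\([\"']?http://[^\"')]+" |
        sed -E "s/^[^(]*\([\"']?/resource /"
    printf '%s\n' "$page" | grep -oiE "<a[[:space:]][^>]*>" |
        http_urls | sed 's/^/link /'
}

sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.example.test/wp-content/themes/demo/style.css">
<script src="https://www.example.test/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://www.example.test/about/">About</a>
<img alt="logo"
     src="http://www.example.test/wp-content/uploads/logo.png">
<div style="background:url(http://cdn.example.test/bg.jpg)"></div>
</body></html>
EOF
insecure_refs "$sample"
```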

What's more...

Obtaining an SSL certificate to protect user information on your site is an essential step and necessary to earn the confidence of your visitors. But that is not the only security solution you can get. To further ensure the integrity and security of your site, you may choose to go with premium WordPress security plugins such as iThemes Security Pro or Wordfence. For more pointers about using SSL with WordPress, including specific requirements, you can also refer to the WordPress Codex page section ‘Administration Over SSL’.

