Security Archives | WordPress Support & Optimization Specialists
https://sitecarereset.wpenginepowered.com/category/security/
SiteCare is the complete site health solution for WordPress offering maintenance, support, and optimization services. Feed last built Thu, 22 Feb 2024 14:41:37 +0000.

Sending Secure Email with WordPress
https://sitecare.com/sending-secure-email-with-wordpress/
Published Mon, 01 Jul 2019 12:10:00 +0000

Learn the steps to take to ensure you can send email with WordPress securely and safely.

The post Sending Secure Email with WordPress appeared first on WordPress Support & Optimization Specialists.

When working on client websites that are sending sensitive information via email, we want to make sure that everything that could be done to ensure the security of this information is in place and working as expected. However, sending secure email with WordPress can be more complicated than it seems on the surface.

While we urge WordPress site owners to use WordPress support and maintenance services when conducting more complicated work, we also know that it’s important that users understand the lay of the land. So, we’ll walk you through the steps that can help ensure you maintain WordPress email security as best as possible.

Doesn’t WordPress Send Secure Emails by Default?

The answer is no. WordPress isn’t concerned with sending secure email. That’s not to say it doesn’t matter to WordPress. WordPress support and maintenance providers, the WordPress community and developers push for best practices and standards all the time, but WordPress doesn’t actually send your website emails itself.

If you’ve done any custom coding or plugin development for WordPress, you’ve probably come across the wp_mail function. It’s a simple function that takes a couple of parameters for basic usage and has some more advanced options if you need them. WordPress itself doesn’t actually send email. It hands the responsibility off to whatever mail transfer agent (MTA) your system is configured to use.

How web operating systems send mail

On most Unix and Linux systems, this is sendmail, but it could be any number of applications. WordPress has no real knowledge of this and doesn’t need to know. Instead, it packages up the email into a standard format and hands it off to the system to be sent or queued for sending. This is all perfectly normal. This is how it works in most applications because sending email is the responsibility of the underlying system and not PHP or WordPress itself.

So, the question is raised: Is this method secure for sending emails with WordPress? Unfortunately, no matter whether your website is with WP Engine, WPMaintain, or another provider, the answer is that it depends on how the system is set up, and it can be hard to figure out without sending some test emails or checking with the host.

The bottom line is that if the underlying MTA is not set up to use Secure Sockets Layer (SSL)—that is, an encrypted connection backed by an SSL certificate—then it’s not secure. The email will be sent as plain text, in the clear. This is not ideal for sensitive information.

Here are some steps for sending secure WordPress emails.

1. Add SMTP

A stock image of someone working on a laptop keyboard, overlaid with illustrated security icons.

If you have sufficient access and are a little familiar with Unix/Linux (or Windows if that’s your server), then you can go in and change sendmail or whatever MTA is set up to use SSL for sending secure email. But WordPress has another option: Simple Mail Transfer Protocol (SMTP).

SMTP is a better option for several reasons. For one, you have better tools to diagnose potential issues if the mail is not being delivered as expected. It’s a more robust system. But, like sendmail or other MTAs, it may not be configured to be secure either. You need to make sure that even if you switch to SMTP, you are using SSL. WordPress can easily be configured to use SMTP via wp-config with some constants, through a custom function in your functions.php file, or the easy way with one of the many SMTP plugins.
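The "constants in wp-config plus a custom function" route looks like this in practice. This is an added example, not code from the SiteCare post or from any plugin: it uses the real `phpmailer_init` hook that WordPress fires before every `wp_mail()` send, and the `EXAMPLE_SMTP_*` constant names and their values are hypothetical placeholders you would define in wp-config.php.

```php
<?php
/**
 * Added example (not from the original post): route wp_mail() through an
 * authenticated SMTP server over an encrypted connection using the
 * phpmailer_init hook. Save as a small mu-plugin and keep the credentials in
 * wp-config.php. All EXAMPLE_SMTP_* names below are hypothetical.
 */

// In wp-config.php (constructed sample values, not real credentials):
// define( 'EXAMPLE_SMTP_HOST', 'smtp.example.com' );
// define( 'EXAMPLE_SMTP_PORT', 587 );
// define( 'EXAMPLE_SMTP_USER', 'wordpress@example.com' );
// define( 'EXAMPLE_SMTP_PASS', 'app-specific-password' );
// define( 'EXAMPLE_SMTP_FROM', 'noreply@example.com' );

add_action( 'phpmailer_init', function ( $phpmailer ) {
	// Configure nothing unless every setting is present. Silently falling
	// back to the system MTA would send mail unauthenticated and unencrypted,
	// which is exactly the situation this hook is meant to prevent.
	foreach ( array( 'EXAMPLE_SMTP_HOST', 'EXAMPLE_SMTP_PORT', 'EXAMPLE_SMTP_USER', 'EXAMPLE_SMTP_PASS' ) as $const ) {
		if ( ! defined( $const ) ) {
			return;
		}
	}

	$port = (int) EXAMPLE_SMTP_PORT;

	$phpmailer->isSMTP();
	$phpmailer->Host     = EXAMPLE_SMTP_HOST;
	$phpmailer->Port     = $port;
	$phpmailer->SMTPAuth = true;
	$phpmailer->Username = EXAMPLE_SMTP_USER;
	$phpmailer->Password = EXAMPLE_SMTP_PASS;

	// Port 465 expects an implicit TLS ("ssl") connection; 587 expects a
	// plain connection upgraded with STARTTLS ("tls").
	$phpmailer->SMTPSecure  = ( 465 === $port ) ? 'ssl' : 'tls';
	$phpmailer->SMTPAutoTLS = true;

	// Leave PHPMailer's certificate verification at its default (on). Setting
	// SMTPOptions with verify_peer => false makes the encrypted hop easy to
	// intercept, so never do that to "fix" a certificate error.

	if ( defined( 'EXAMPLE_SMTP_FROM' ) ) {
		// Third argument false: do not also overwrite the Sender header.
		$phpmailer->setFrom( EXAMPLE_SMTP_FROM, get_bloginfo( 'name' ), false );
	}
} );
```

Once this is in place, a test `wp_mail()` to an address you control, combined with the SMTP provider's delivery log, confirms that mail is actually leaving over the encrypted port rather than through the local sendmail path. Keep `SMTPDebug` off in production; its output includes the authentication exchange.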

A word of caution for SMTP Plugins: many of them enable message logging by default. Depending on the nature of your emails, you may not want to store this information. For some clients, storing the emails would be another vector for a potential hack to get their hands on sensitive data, so we only enabled logging while we were testing.

Does Using SSL Mean That Emails are 100% Secure?

Absolutely not. Email, by nature, is a plain text medium. The SSL will help with sending secure emails with WordPress, but the emails themselves are not encrypted in any way and are vulnerable to other types of attacks.

Think of SSL as an armored USPS mail truck with guards. No one is going to get your mail while it’s in transit. But once it’s delivered, all they have to do is find a way to sneak into your mailbox, and they can read the message just fine.

So, using SSL will let WordPress hand the email off securely, but SSL only protects one hop at a time. Every relay between the sending server and the recipient’s mailbox handles the message in the clear, so if any node or hop in the delivery chain is insecure, the SSL on the first hop doesn’t end up helping much, and that node could be exploited. So, how do you protect the data and not just the transmission? That’s where encrypting the message itself comes in.

2. Now add PGP

A stock image of a closed laptop resting on a man's fingertips, with an illustration of a security shield hovering above it.

Pretty Good Privacy (PGP) is an encryption format that allows you to use a public and private key so that only the sender and receiver can view the mail. Thankfully, there are a number of PGP plugins for WordPress that will let you send completely encrypted emails. Combined with SSL, this is about as secure as it’s going to get. Technically speaking, any encryption can be broken. But the reason we still use it is in cases like this, breaking PGP would take hundreds of computers many, many decades to decrypt.

This blog is by no means a comprehensive guide for sending secure emails with WordPress. But we ran across the issue, had some discussions, ran some tests, and we wanted to share what we learned. By default, WordPress does not send secure emails. No encryption is used, and no SSL is enforced when handing it off to the system to be mailed. You need to look at the needs of your project and decide if you need more security. At a minimum, we recommend making sure the system is using SSL when sending. If you are sending especially sensitive information, you should take the extra steps and use SMTP with PGP encryption or something similar. As with most advanced areas of running a WordPress site, we recommend turning to a WP maintenance services provider to ensure your sensitive information is properly protected.

If, after reading this blog, you find that you’re still having issues sending secure emails with WordPress, contact us for assistance. Our WordPress maintenance support team can get you and your WordPress site set up with a secure email sending process. And if your website is in need of expert WordPress hosting and maintenance services, speak to one of our team today.

15 Reasons Why Your WordPress Site Was Hacked
https://sitecare.com/15-reasons-why-your-wordpress-site-was-hacked/
Published Thu, 28 Feb 2019 20:27:44 +0000

Three things in life are certain: death, taxes, and WordPress websites getting hacked. The good news is that insecure websites can be controlled — even so, websites are still getting hacked and we've identified 15 reasons why. Read more to find out how to avoid every single one of them.

Death, taxes, and WordPress websites getting hacked. All three seem to be inevitable, but the good news is that insecure websites are one thing we do have control over. Even so, a lot of us are still allowing ourselves to get hacked. In 2019!

We can’t stand for our websites being taken advantage of any longer so I’m going to share my list of 15 reasons your WordPress website was hacked and how to prevent every single one.

What’s the big deal with getting hacked anyway?

Getting hacked is the online equivalent of having broccoli stuck between your two front teeth. Except that broccoli has the ability to serve users spam, steal sensitive private information, and turn your company blog into a soldier in a botnet used to mine Bitcoin. Hackers can also deface your website and cause serious damage to your brand as well.

OK, so it’s a little more serious than broccoli in your teeth. It’s not just a little bit of embarrassment and writing a quick check to Sucuri. There are real stakes here.

Last year hackers caused billions of dollars in damage and caused irreparable harm for many brands and companies. Studies have shown that 60 percent of small businesses that suffer a cyber attack are completely out of business six months later!

I’m not a bank. I’m a restaurant owner.

The reality is that most WordPress websites likely aren’t storing the type of data that can put a company out of business if they get hacked, but some certainly are. Especially with the rise of WooCommerce and tighter enforcement of regulations like GDPR, protecting yourself from getting hacked is more important than it’s ever been.

A screen grab of a line graph showing much higher WooCommerce usage numbers versus other e-commerce platforms between 2011 and 2018.
WooCommerce usage compared to other eCommerce platforms according to BuiltWith

Even if breached data isn’t a concern, dealing with a hacked website is a hassle for everyone involved and will certainly end up costing you at least some money to resolve should hackers gain access to your site.

Is WordPress Insecure?

This is the question. The short answer is no, WordPress isn’t insecure.

That said, because of the modularity of the platform and the fact that literally anyone can create code to run on WordPress, security vulnerabilities happen. Whenever WordPress core itself has a security issue, the team is right on top of it and releases updates in a very timely fashion compared to other major open source content management systems.

If a plugin or theme ends up with a security vulnerability, we’re at the mercy of the software author to release a patch in a timely fashion. For the really ugly security bugs, we’ve seen the WordPress team take control and force updates out to everyone automatically to prevent mass-infiltration.

The other reason WordPress is often painted as insecure is that it is a giant target for hackers. It makes up over 32 percent of the top 1,000,000 websites on the internet, which makes it a real darling in the eyes of attackers. Some call it the Microsoft of the web.

Most hackers are lazy. And finding a security hole in a popular theme or plugin gives them the ability to infiltrate thousands of websites at once, rather than wasting time trying to hack one website at a time. It’s more efficient and a lot more interesting.

For now let’s turn our attention to prevention and how to keep our websites from getting hacked in the first place. Sound good? Good.

1. You’re practicing bad password hygiene

I know I’m not talking to you, dear reader. But maybe you know someone who still uses the same password for every single website they visit? Or with the recent emphasis on password strength they’ve begun appending exclamation points or octothorpes to the end of their cat’s name for “enhanced security”?

Well, it’s time for an intervention. Not with you, of course. But with that “friend” of yours. In 2019, using secure unique passwords for all of your websites and services is non-negotiable. Going forward, consider it mandatory!

Shaming isn’t my game, but I’ll never forget the time a friend pulled their phone out of their pocket to find a password. I wrongly assumed they had a password manager app, but they proceeded to open Photos and navigated to their “Passwords” album. 300 screenshots of every password they’ve ever used!

The security implications alone nearly had me committed, but the “system” also seemed incredibly painful to use. Please stop storing credentials in Google Sheets too. Yes, I know you. It’s not a secret anymore.

The Password Protected Journal should never ever be used!

Let me be the first to congratulate you on your new subscription to 1Password. You need this app. Here’s why. Please go buy it now.

In the context of WordPress, you can set password rules across your entire user base using the Force Strong Passwords plugin. Now Darryl in accounting won’t be using RoXyGirl88 for his password anymore.

2. Two-factor authentication still isn’t set up on your website

I know I’m asking a lot today, but it’s because I care. I’m going to take this password stuff one step further and ask that you turn on Two Factor authentication for your website too. If you’re not familiar with 2FA, here’s a great overview.

The idea is that every time you go to login to your website, you authenticate with another device. This is incredibly difficult for hackers to spoof (though, full disclosure, it’s not impossible), so it adds one more layer of security to prevent unauthorized access to your website.

Combination lock on chain link fence
This Masterlock only has one-factor.

WordPress has many different solutions for Two Factor, from more commercial implementations like Duo Security that’s very fully featured, or something more straightforward like Two Factor from George Stephanis. Other popular plugins have 2FA built in as an additional feature like Jetpack and iThemes Security.

3. Brute force and dictionary attacks aren’t being blocked

One of the more popular ways to attack a WordPress website is to automate trying to guess user passwords. If Darryl still hasn’t updated his password, a dictionary attack won’t have to run for very long before it has access to your website.

The good news is that these are relatively easy attacks to thwart. Lots of firewalls like Sucuri and Cloudflare have built-in brute force prevention, and Jetpack uses a tool called Protect to prevent the same types of automated attacks.

Additionally, I’d recommend Limit Login Attempts. This handy plugin does exactly what it says on the tin. You can set a number of login attempts to allow, and once that number is exceeded with incorrect credentials, the user is locked out for a pre-configured amount of time.
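To make the "count failures, then lock out" idea concrete, here is a minimal throttle of the kind the plugins above implement. It is an added example and not the code of Limit Login Attempts, Jetpack Protect or any other plugin; it uses the real WordPress hooks `wp_login_failed`, `authenticate` and `wp_login` together with transients, and the thresholds, transient names and the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example (not from the original post or any plugin): a small login
 * throttle. After EXAMPLE_LOGIN_MAX_ATTEMPTS failed logins from one client
 * address inside EXAMPLE_LOGIN_WINDOW seconds, further attempts from that
 * address are rejected for EXAMPLE_LOGIN_LOCKOUT seconds. Thresholds and all
 * example_* names are hypothetical.
 */

define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LOGIN_LOCKOUT', 30 * MINUTE_IN_SECONDS );

/**
 * Transient key prefix for the current client. REMOTE_ADDR is used because
 * it is set by the web server, not by the client; behind a proxy or CDN you
 * would read that proxy's trusted forwarded-for header here instead, never a
 * header an anonymous client can supply directly.
 */
function example_login_client_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'example_login_' . md5( $ip );
}

// Count each failure. The transient expires on its own after the window, so
// the counter resets without any cron job.
add_action( 'wp_login_failed', function () {
	$key      = example_login_client_key();
	$attempts = (int) get_transient( $key . '_fails' ) + 1;
	set_transient( $key . '_fails', $attempts, EXAMPLE_LOGIN_WINDOW );

	if ( $attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		set_transient( $key . '_lock', time() + EXAMPLE_LOGIN_LOCKOUT, EXAMPLE_LOGIN_LOCKOUT );
		// Write to the PHP error log so the lockout is visible to whoever
		// reviews logs, without exposing the raw address in the message.
		error_log( sprintf( 'login throttle: lockout after %d failures for client %s', $attempts, $key ) );
	}
} );

// Reject the attempt while a lockout is active. Priority 30 runs AFTER
// WordPress's own username/password check (priority 20); an error returned
// earlier would be overwritten by a successful password check, so the
// lockout must have the last word.
add_filter( 'authenticate', function ( $user ) {
	$key   = example_login_client_key();
	$until = (int) get_transient( $key . '_lock' );
	if ( $until > time() ) {
		$minutes = (int) ceil( ( $until - time() ) / 60 );
		return new WP_Error(
			'example_login_locked',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
		);
	}
	return $user;
}, 30 );

// A successful login clears the failure counter for that client.
add_action( 'wp_login', function () {
	delete_transient( example_login_client_key() . '_fails' );
} );
```

Two caveats a practitioner should weigh before deploying something like this: transients live in the object cache or the options table, so on a site without a persistent object cache the counters cost a database write per failed login; and keying on the client address means an office or carrier NAT can lock out many legitimate users at once, which is why the hosted firewalls mentioned above combine address reputation with per-account limits.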

4. In 2019 you still have a WordPress user with username ‘admin’

This is very closely related to the last 3 items but includes some interesting history. For the longest time, WordPress shipped out of the box with a pre-configured user named ‘admin’. The problem that this creates is that because a username and password are supposed to be a secret key combination, this default username essentially gives away half of the secret code! Not so secret anymore.

We’ve since learned our ways and WordPress no longer has a default user. However, since WordPress doesn’t make it very easy to change or edit usernames, there are still many many WordPress sites using this default username. If that’s you, or cough “someone that you know,” follow these steps and get yourself a unique username as soon as you can.

5. Way too many people have Admin privileges

I really hate to keep picking on Darryl but the only time he ever logged into WordPress was when Brad from IT created users for everyone in the organization. Darryl peeked in and looked around, found nothing of interest, and never logged in again.

Unfortunately Brad made two big mistakes here. First, he allowed known-security-threat Darryl to have his own account, even though he didn’t need access to the website at all. And second, he gave Darryl admin privileges!

Darryl is never going to touch the website, so it’s unlikely he’ll mess anything up. But his weak password will eventually get cracked, and then the hacker has full access to change or disrupt absolutely anything on the website.

Most organizations don’t need more than one or two administrative accounts. Audit your WordPress user list today and make sure people only have access to exactly what they need to get their work done. This is a nice overview of common WordPress roles and what they’re capable of.

6. You stopped updating WordPress core

This one seems obvious, but it’s more common than you might think. We still see websites every single day that are several versions behind in WordPress.

Most website owners have probably encountered a situation where they couldn’t update WordPress because it had a bad interaction with a plugin or their theme. Or maybe people are afraid of what might happen because of a big new change in WordPress. Sound familiar? Any time we’re faced with an obstacle we don’t know how to climb or some kind of technical issue, the temptation is to make it go away.

We’re busy people so we stop automatic WordPress updates so we can move on with our lives and avoid technical issues. We need our website to “just work,” so if that requires stopping updates until we “can get back to fixing it,” then that’s what we do.

But we never get back to fixing it. The website ends up going months or years without any WordPress security patches being applied, and suddenly we’re in really bad shape. If WordPress updates are causing you grief, get in touch with our team so we can help you get things back on track before it’s too late.

7. You stopped updating themes and plugins

The root cause of not updating themes and plugins is likely similar to why WordPress core updates were stopped. Something broke, so you rolled it back to its last working state and moved on.

Even so, there’s another element that’s introduced when themes and plugins come into play. Because this software is built by third parties and not supported by the WordPress community, it’s possible that plugins or themes become totally abandoned and stop receiving updates altogether.

WordPress dashboard displaying Update notifications, confirming the site is running on the latest version of WordPress.
Not necessarily an up-to-date website

So while you don’t see any update notifications in your dashboard, it’s entirely possible that your software is still slowly dying without you even knowing about it.

Set a monthly calendar reminder to review your plugins and theme to make sure the authors are posting regular updates and that the projects haven’t fallen by the wayside.

8. Cheap and insecure web hosting

You should pay or more per year for web hosting, even if it’s for “a small website.” If it’s a website you care about and that represents you or your business, a solid hosting partner is essential.

While there isn’t a perfect correlation between price and quality of hosting, hosts who charge more have the ability to hire more people or more expert people. This means that critical issues like security aren’t ignored or put off for another day. They’re at the forefront of every team meeting and conversation, and this benefits you in a myriad of ways.

Find a quality hosting provider and ask the right questions to make sure you’re getting great value for your costs. What seems like a bargain today might not feel that way when hack remediation and website recovery ends up costing a thousand bucks in one fell swoop.

9. You’re still using FTP to upload or edit files

This falls right in line with security-conscious web hosting, but you can’t use FTP anymore. It’s an outdated protocol and transfers your username and password IN PLAINTEXT to the server. This is an article from 2011 that’s encouraging people to stop using FTP. It’s time to move on! FTP traffic can easily be sniffed and once a hacker has file level access to your server, it’s game over. It’s way worse than a user even having Admin access to your WordPress site.

Screengrab showing an encrypted and secure connection using secure file transfer protocol (SFTP).
We love SFTP!

You should use SFTP or SSH for secure transfer instead. This ensures that there’s an encrypted connection between you and the server, so you can do your work discreetly and out of the path of hackers. And frankly, if you’re with a host that still supports plain old FTP, it’s time to move. It’s a high-level sign of other potential underlying security issues.

10. Someone bought software from a very sketchy vendor

We’ve all been in a situation where we need our website to do one very specific (and likely very niche) thing. We search high and low and find one little corner of the internet selling exactly what we need. Eureka!

But not so fast.

Does that little website have an “About” page? Can you even tell who it is that’s selling you this solution? Before you click the “buy” button, look to make sure the vendor has a solid reputation, has been around for some time, and ideally has at least a few other products that they support. Seeing regular updates in forums and on social media are other good indicators that the vendor is someone you can trust.

If you can’t find what you need from a reputable vendor, you might be better off deciding you don’t need it at all.

11. WordPress salts aren’t being used

We’re not talking about the seasoning here. Sorry.

WP Salts are a built-in cryptography feature that can help with the encryption of your passwords. It also helps with securely signing your website’s cookies. (Again, not a food reference. Sorry.)

Screengrab showing the strings of numbers, letters, and symbols that make up a WordPress salt key.
You can generate WP Salt keys here.

Without getting too far into the technical weeds, WordPress salt keys are an important and often overlooked piece of the security pie (I really need to stop with the food puns). Salt keys are quick to implement and work seamlessly in the background, protecting you day and night.

Here’s a guide for checking to see if you have salt keys, and adding them if you don’t.
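A quick way to perform that check from inside WordPress follows. It is an added example, not from the SiteCare post or the guide it links to: WordPress reads these eight constants through `wp_salt()` to key the HMACs on login cookies and nonces, and when one is missing or still reads the install-time placeholder it quietly falls back to a random salt stored in the database, where anyone with database access can read it. The function name `example_check_salts` is hypothetical.

```php
<?php
/**
 * Added example (not from the original post): verify that the eight WordPress
 * security keys and salts in wp-config.php are defined, unique, long, and not
 * the install-time placeholder. Surfaces problems as an admin notice that
 * only administrators can see. example_check_salts() is a hypothetical name.
 */

/**
 * Returns a list of human-readable problems; an empty array means all good.
 */
function example_check_salts() {
	$names = array(
		'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
		'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
	);
	$problems = array();
	$seen     = array(); // value => first constant that used it

	foreach ( $names as $name ) {
		if ( ! defined( $name ) ) {
			$problems[] = "$name is not defined in wp-config.php";
			continue;
		}
		$value = constant( $name );

		// This exact string is what WordPress itself treats as "unset".
		if ( '' === $value || 'put your unique phrase here' === $value ) {
			$problems[] = "$name still has the placeholder value";
			continue;
		}
		// Generated keys from api.wordpress.org are 64 characters; anything
		// much shorter was probably typed by hand.
		if ( strlen( $value ) < 32 ) {
			$problems[] = "$name is shorter than 32 characters";
		}
		// Each constant keys a different token type; reuse collapses them.
		if ( isset( $seen[ $value ] ) ) {
			$problems[] = "$name reuses the same value as {$seen[ $value ]}";
		} else {
			$seen[ $value ] = $name;
		}
	}
	return $problems;
}

add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$problems = example_check_salts();
	if ( empty( $problems ) ) {
		return;
	}
	echo '<div class="notice notice-error"><p><strong>WordPress security keys need attention:</strong></p><ul>';
	foreach ( $problems as $problem ) {
		echo '<li>' . esc_html( $problem ) . '</li>';
	}
	echo '</ul></div>';
} );
```

Rotating the keys is itself a useful response after a suspected compromise: because every login cookie is signed with them, replacing all eight values invalidates every existing session at once.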

12. WordPress hasn’t been hardened

Hardening WordPress is something that’s rarely done and can protect you from all sorts of unnecessary grief. It can mean a myriad of different things, but some of the key components are:

Want to go the extra mile? Change the WordPress admin URL, or add additional password protection to your login pages.

Some security folks are critical of WordPress’ default file permissions, and it’s not uncommon for us to see file permissions even more lax than what WordPress ships.

I’ll never forget the day I reviewed a site with fully public file permissions for the entire website. Literally any part of their website, public facing or not, could be accessible by every single person on the planet.

If you’re interested in doing more website hardening, refer to the links above or reach out to our team for assistance.

13. Your domain and hosting aren’t kept separate

We like to recommend that people don’t buy their domains and their web hosting from the same company. This article points out some great reasons why.

Among the reasons: it’s easier to move to a new hosting provider if domains and hosting are separate, and even if your website gets hacked, at least you’ll still have control over your domain and can restore a backup on another provider if necessary. If you lose the power to control the flow of traffic, you’ll be in really bad shape and may lose control over your website completely.

Have a clear understanding of your domain and hosting ownerships and who owns both types of accounts. Ownership is a critical piece of security and the business owner should have control of both hosting and domains.

14. Your website isn’t using SSL/TLS

Much has been said about the importance of serving websites over a secure connection. It’s no less important today than it was two years ago when we started to bring it up.

We’ve made some great progress as a whole and it’s encouraging to see more and more hosting companies direct their customers to SSL-enabled websites. But there are still some stragglers. If you’re one, that’s okay. Now is the time to make your move to https. Our team would love to help you make that change. It usually only takes a day to complete.

15. You’re logging everything, and may not even know it

Web servers and some WordPress software have logs enabled — sometimes by default. Depending on the plugin or the web service that’s doing the logging, it’s entirely possible that information about the internal workings of your website is available in publicly accessible directories.

A screen grab of a site's Log files, showing dates and times of different activities on a website.

Years ago, I worked with an individual who had logging enabled for their payment gateway and was recording the name, email, and transaction amount for every single purchase in their shopping cart into a publicly accessible log file.

It ended up being a truly silent killer. No one had any idea that the logging had been enabled until hackers accessed the log files and began emailing the customers as part of a fear campaign.

If you’re unsure what types of logs are being collected behind the scenes, contact your hosting provider or get in touch with us — we’ll be happy to chat that out for you, too!

Wrapping Up

As you can see there are already so many things to be aware of to protect your site. The great news is that while we haven’t uncovered immortality yet, and tax evasion probably isn’t a good idea, securing our WordPress websites is something we can all work on together starting now.

Today is the first day of our fully protected website lives! 🎉

What WordPress Users Must Know About Moving to HTTPS
https://sitecare.com/wordpress-https/
Published Mon, 27 Aug 2018 17:34:25 +0000

This is the kind of transition we help our clients with regularly, so hopefully, we can help you avoid a few of the roadblocks we've encountered along the way through this post. Have your questions handy, and let's get into it.

In this post, I won’t be going into quite as much detail as Zack did at his workshop, but I will show you how to avoid or fix certain issues that sometimes come up when moving your WordPress site to HTTPS.

We do this type of transition for clients all the time, so hopefully we can help you avoid some of the roadblocks we’ve encountered along the way.

P.S. I’m sure you’ve heard this by now, but you need to move your website to HTTPS if you haven’t already. Not only is it a potential security risk, but you’re also actively losing visitor trust and slowing down your website, plus browsers are cracking down on HTTP sites more than ever. Even if you don’t have a shopping cart or member area on your website: PLEASE 👏 SECURE 👏 YOUR 👏 WEBSITE 👏 WITH 👏 HTTPS!

Is it easy to move to HTTPS?

First things first: How easy is it to change a WordPress website from HTTP to HTTPS?

It depends. Nobody ever wants to hear that answer, but it’s the truth.

Changing a WordPress site could take anywhere from 15 minutes to a year. And if you think I’m being facetious about a year, let’s go back to my friend Zack and his adventures in HTTPS.

In 2016, Zack was tasked with moving wired.com — one of the oldest tech publications on the web — to HTTPS. In all, it took their team about 160 human hours to complete the transition. 160 incredibly intelligent human hours. In normal human hours, that’s easily a calendar year.

And sure, most of us aren’t making the transition for a site like WIRED, but it does help illustrate the point that the amount of time it takes to move your site to HTTPS depends on the type of content on your website, how long your site has been around, where your website is hosted, and a myriad of other factors.

I highly recommend you watch Zack’s talk on how they successfully made the move to HTTPS for WIRED. It’s a fantastic opportunity to learn:

Let’s talk SSL/TLS certificates

Now that we’ve got the “how long will this take?” question out of the way, it’s now time to talk about the different types of SSL/TLS certificates that are available. Short for “Secure Sockets Layer” and “Transport Layer Security,” SSL and TLS are the security protocols that encrypt connections between your site and your users, and the certificate is what lets a browser verify it is talking to your server. You need an SSL or a TLS certificate to make HTTPS happen.

Not all SSL/TLS offerings are created equal

Before getting a certificate, it’s important you understand that not all certificates are created equal. There are varying levels of validation for different purposes. This post does a great job of describing the different levels and what their purposes are without overcomplicating the issue. Here’s a quick rundown:

  • DV – DV is a standard Domain Validation certificate. These certificates are what most people have on their websites.
  • OV – OV is known as Organizational Validation, and requires some additional validation to make sure the website and business are real entities.
  • EV – EV is an Extended Validation certificate and is the most thorough of all. This is the criminal background check equivalent of SSL/TLS certificate issuance. These are very popular among bigger corporations because they not only help with consumer trust, they also typically come with some type of financial protection from fraud. You can tell a site has an EV certificate very easily — you will see their company name next to their URL in the address bar, next to the secure lock icon.
That name right in the browser bar is a beautiful thing.

Can I get a free SSL/TLS certificate?

If you’ve never had to deal with this stuff in the past, figuring out these certificates can be a headache as well as an unexpected expense for your business. Luckily, there is a free option out there — LetsEncrypt. This fantastic initiative offers free SSL/TLS certificates and automates the exhausting process of creating, validating, signing, installing, and renewing certificates. As a result of their affordable, streamlined process, LetsEncrypt has played a huge role in building a more secure web over the past several years.

“Free” doesn’t come without some hidden costs

Okay, yes, LetsEncrypt is fantastic! However, there are a few things you should know before you start heavily drinking that LetsEncrypt Kool-Aid:

  1. LetsEncrypt has no validation options beyond Domain Validation. And they have no plans to implement OV or EV certificates in the future. So if your website requires a more extensive certificate, LetsEncrypt may not be a suitable option for your site.
  2. LetsEncrypt certificates need to be renewed every three months. I totally understand why this is the case from a technical standpoint. Since they’re providing free certificates, they need to make sure they’re regularly reused and recycled. Makes sense.
  3. LetsEncrypt certificate renewals sometimes have issues. Even with automatic renewals in place, I’ve seen a number of instances where auto-renewals fail for one reason or another. I don’t believe it’s the fault of LetsEncrypt. It’s more than likely an issue with whoever built the auto-renewal process, but nonetheless, it is a problem we’ve seen on more than one occasion.
  4. Your web host may not fully support LetsEncrypt. To expand on point #3 above, a failed certificate renewal likely means downtime for your website until you can manually renew it. SiteGround is still battling a months-long issue with auto-renewals. LetsEncrypt also doesn’t offer support beyond their documentation. If you’re trying to use a LetsEncrypt certificate on your own, you’re gonna need some System Administration skills. LetsEncrypt maintains a list of all of the hosting providers that have LetsEncrypt support.

If your host fully supports Let’s Encrypt and its auto-renewal system, and you don’t need anything beyond Domain Validation, Let’s Encrypt is definitely a strong way to go. If you’d rather purchase a certificate, or simply need an OV or EV cert, we can help with that! As with our web development and digital marketing services, you can order an SSL certificate through our parent company, Southern Web.
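The independent expiry check that point 3 calls for, as an added Python example (this is not code from the original post, and not part of Let’s Encrypt or any host’s tooling). It completes a verified TLS handshake to your hostname, then classifies the live certificate as OK, past the point where the renewal job should already have fired, expired, or issued for some other name (typically the host’s default certificate). The 30-day threshold is an assumption that mirrors certbot’s default renewal point; the pure functions work on the dictionary format that Python’s `getpeercert()` returns, so they can be exercised offline with a constructed certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: certbot renews at 30 days remaining, so a live certificate with
# less time left than this means the renewal job has already failed at least once.
RENEWAL_THRESHOLD_DAYS = 30


def days_until_expiry(cert, now=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    'notAfter' looks like 'Jan 01 00:00:00 2030 GMT'; ssl.cert_time_to_seconds
    turns it into a POSIX timestamp (UTC).
    """
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return (expires_at - now.timestamp()) / 86400


def covers_hostname(cert, hostname):
    """True if the certificate's SAN list matches hostname (exact or one-label wildcard)."""
    hostname = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == hostname:
            return True
        # '*.example.com' matches 'cdn.example.com' but not 'a.b.example.com'
        if value.startswith("*.") and hostname.endswith(value[1:]) \
                and hostname.count(".") == value.count("."):
            return True
    return False


def classify(cert, hostname, now=None):
    """Reduce a certificate to one of the four states a renewal monitor alerts on."""
    if not covers_hostname(cert, hostname):
        return "WRONG_HOST"       # e.g. the host's default certificate, not yours
    left = days_until_expiry(cert, now)
    if left <= 0:
        return "EXPIRED"          # visitors are already seeing a full-page warning
    if left < RENEWAL_THRESHOLD_DAYS:
        return "RENEWAL_OVERDUE"  # auto-renewal should have fired by now: investigate
    return "OK"


def check_host(hostname, port=443, timeout=5.0):
    """Live check: complete a verified TLS handshake and classify the leaf certificate.

    create_default_context() validates the chain and the hostname, so an incomplete
    chain or an already-expired certificate raises ssl.SSLCertVerificationError before
    classify() is reached; treat that exception as a failed check too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return classify(tls.getpeercert(), hostname)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.com"]:
        try:
            print(host, check_host(host))
        except (ssl.SSLError, OSError) as exc:
            print(host, "HANDSHAKE_FAILED", exc)
```

Run it daily from a cron job on a machine that is not the web server (so a broken server can’t also break the check) and alert on anything other than OK. Because the default context verifies the chain, it also catches the common “renewed the leaf but forgot to install the intermediate” mistake, which browsers tolerate more often than mobile apps and API clients do.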

SSL offerings from the most popular hosting companies

I’ve put together a master chart of all the most popular hosting companies and what their SSL offering looks like. Use this data to your advantage next time you’re choosing a new web host.

CDNs and firewalls produce some fun challenges

If you’re using a content delivery network like MaxCDN or KeyCDN, or a firewall service like Cloudflare or the Sucuri WAF, you’re going to want to pay attention here.

All of these services terminate TLS at their own edge, so they need their own certificate for the hostname they serve, separate from the one installed on the server where your website lives. I repeat: even if you already have a certificate set up on your origin, you will more than likely need to make some extra configuration changes when you put a CDN or firewall in front of it. Two things matter. First, the edge certificate must cover the hostname visitors actually request (for a CDN, that’s the CDN hostname). Second, make sure the connection from the edge back to your origin is encrypted and verified as well. Cloudflare’s “Flexible” mode, for example, serves HTTPS to visitors while talking plain HTTP to your server: the browser shows a lock, but the edge-to-origin leg is unprotected. Use “Full (strict)”, or your provider’s equivalent, so the origin certificate is validated too.

A common scenario we’ve seen: a client on a host like WP Engine wants their CDN to serve assets from a hostname like cdn.domain.com. Even when they’re using the CDN WP Engine provides, that hostname needs its own certificate, which really trips people up.

If you’re going down this path alone, please read the owner’s manual. You don’t want your website to end up like a sad IKEA furniture fail.

CDN and firewall resources for popular web hosts

Mixed content: Are your third party scripts secure?

[Screenshot: partially secure browser icon. Identities have been hidden to protect the website owner. No need for partially secure website shaming.]

The last thing I want to address before we go our separate ways is mixed content. Mixed content is where we see the most HTTPS conversion snafus.

When moving a site to HTTPS, mixed content is that evil little nuisance that keeps browsers from displaying that satisfying lock. Browsers split it into two kinds. Active mixed content (scripts, stylesheets, iframes, and XHR/fetch requests loaded over plain http) is blocked outright, because an attacker on the network could rewrite it and take over the whole page, so whatever depended on it simply breaks. Passive mixed content (images, audio, video) is either upgraded to https automatically or displayed with the lock downgraded, depending on the browser. Either way, visitors won’t necessarily get a scary interstitial, but they will get some indication that part of the page isn’t secure, and in the active case part of your site stops working.

There are WordPress plugins that try to correct mixed content errors by rewriting URLs in the page output on the fly, but they can only do so much: a rewritten URL is useless if the third party on the other end doesn’t serve HTTPS at all.

Primary mixed content culprits

There are three places that typically contribute to mixed content issues:

  1. Incomplete database URL replacement. When moving to HTTPS, we recommend replacing every instance of http:// for your own domain in the database with https://. Use a serialization-aware search-and-replace tool rather than a raw SQL UPDATE: WordPress stores many option and meta values as serialized PHP, where each string carries its byte length, and because https:// is one character longer than http:// a naive replace corrupts those values. The folks at Delicious Brains have a great guide to follow for this, but sometimes things get missed and will cause mixed content issues.
  2. Ads and other third party scripts. The most common mixed content errors come from third parties. Occasionally (thankfully it’s happening less and less) third-party ad providers, library providers, or other service providers won’t have support for HTTPS at all. This is becoming much less common as HTTPS becomes more prevalent, but there was a long stretch where third party scripts would consistently cause mixed content issues.
  3. Legacy embeds. Legacy embeds are tricky because you don’t know they’re a problem until you manually review your content. Perhaps you have an old embed for a defunct slideshow provider, or an old video service that’s still sticking around from the good ol’ days of the internet. Forcing HTTPS in these instances will break the video or audio embed, so sometimes manual review and moving content can be required. Screaming Frog is a fantastic tool that has an Insecure Content finder. It reviews all of your site URLs and identifies any mixed content.

Dealing with mixed content issues can be extremely time-consuming depending on the size and age of your website. Don’t let it get you down. Now you have the tools you need to be basking in the warm glow of that padlock.
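Screaming Frog does this check across a whole site; for a single page, here is an added Python example of the same check (not the post’s own code, and not code from any plugin or tool it mentions). It parses the page with the standard-library HTML parser, resolves every sub-resource reference against the page URL, which is what makes it correct for relative and protocol-relative (`//host/...`) references, and reports the ones that are explicitly http://, split into active (blocked by browsers) and passive (displayed, lock downgraded). The sample page at the bottom is constructed for the example and contains all three culprits from the list above; `fetch_and_scan` is the live variant.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.request

# Tag -> (attribute that loads a sub-resource, how browsers treat an http:// load there).
# Active content is blocked outright; passive content is shown but degrades the lock.
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only for rel values that actually fetch, see below
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}
LOADING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and not LOADING_RELS & set(attrs.get("rel", "").lower().split()):
            return  # rel="canonical" and friends are pointers, not fetches
        spec = RESOURCE_ATTRS.get(tag)
        if spec:
            attr, severity = spec
            if attrs.get(attr):
                self.record(severity, tag, attrs[attr])
        # srcset carries several candidates: "url 2x, other-url 800w"
        if tag in ("img", "source") and attrs.get("srcset"):
            for candidate in attrs["srcset"].split(","):
                parts = candidate.split()
                if parts:
                    self.record("passive", tag, parts[0])

    def record(self, severity, tag, url):
        # urljoin resolves relative paths and protocol-relative (//host/...) URLs against
        # the https page URL, so only references that are explicitly http:// survive.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan_html(html, page_url):
    """Return (severity, tag, url) findings for one page, active ones first."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: (f[0] != "active", f[2]))


def fetch_and_scan(page_url, timeout=10):
    """Live variant: download the page and scan it."""
    with urllib.request.urlopen(page_url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return scan_html(resp.read().decode(charset, "replace"), page_url)


# Constructed sample: a half-migrated WordPress post (not a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://www.example.com/post/">
<script src="//cdn.example.com/jquery.js"></script>
<script src="http://ads.example.net/tag.js"></script>
</head><body>
<img src="/wp-content/uploads/hero.jpg">
<img src="http://www.example.com/wp-content/uploads/old.jpg"
     srcset="http://www.example.com/wp-content/uploads/old-2x.jpg 2x">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<object data="http://legacy-slides.example.org/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_PAGE, "https://www.example.com/post/"):
        print(f"{severity:8} <{tag}> {url}")
```

On the sample page the scanner flags the stylesheet, the ad tag and the legacy object as active, and the two old image URLs as passive, while the canonical link, the protocol-relative jQuery and the root-relative hero image correctly pass. It does not look inside inline CSS (`url(http://...)` in style attributes or stylesheets) or inside scripts that build URLs at runtime, so treat it as a first pass, not a guarantee. A useful companion once the obvious fixes are in is the `Content-Security-Policy: upgrade-insecure-requests` header, which makes browsers rewrite remaining http:// sub-resource requests to https:// before sending them; it only helps when the third party actually answers on HTTPS, which is exactly why you still want the scan.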

Locking it down

Do you see what I did there?

We’ve covered the most common issues you’ll encounter when moving to HTTPS with WordPress. I’ve also included some additional resources below if you want to take the DIY route here. If you’d like to hire pros, we’d be happy to get you a quick estimate. You can get in touch with our team right here. We’d love to help!

Other HTTPS resources

Questions? Anything I missed?

If we can be of any help at all, hit us up in the comments. We love the discussion!

The post What WordPress Users Must Know About Moving to HTTPS appeared first on WordPress Support & Optimization Specialists.
