Ever since Google started taking HTTPS into consideration as a ranking factor in 2014, people have slowly been switching their sites over to use encrypted connections. This can be one reason to set up SSL to secure WordPress – SEO. However, as of January 2017, Google made things a bit more serious by having Chrome indicate that sites which still use HTTP are insecure. When a site uses a form that gathers potentially private user data, such as login credentials, there’s an even more stringent notification showing that the site is not secure.
These notifications are still in a gray color, but it probably won’t take long before we start seeing the red notification messages for all of these situations. These red messages are already visible when there is, in fact, an SSL certificate in place, but it can’t be verified. And it isn’t just Chrome — browsers like Safari, Internet Explorer and Firefox all have similar ways of showing the security, or the lack of security, on a site.
An added benefit is having your site served over HTTPS is that you can make use of HTTP/2, for which SSL is a requirement.
So there’s no better time than now to make the switch. In this article I will show you three ways to get the green padlock:
- Using CloudFlare to secure your site with a generic SSL certificate the easy way.
- Using Let’s Encrypt to get domain level encryption.
- Getting an Extended Validation SSL to achieve the highest level of certificate, wíth your business name shown instead of just the “Secure” notice.
Securing WordPress the Easy Way: CloudFlare SSL
The process is very simple: Sign up for CloudFlare, change the DNS of your site to activate CloudFlare, and turn on “Flexible SSL” in the “Crypto” section.
To make it even easier, you can have CloudFlare overwrite links to non-secure URLs with the HTTPS version to prevent mixed content warnings. You do this by turning on “Automatic HTTPS Rewrites,” at the bottom of the “Crypto” section.
If you install the CloudFlare WordPress plugin you can specify some of the required settings from within the WP admin. Additionally it helps to overcome an infinite loop that’s triggered sometimes when changing the URL structure to HTTPS, by modifying the header. The plugin is also the easiest way to setup Server Push, which is one of the main benefits of HTTP/2.
It is really that simple! But there are two important points to acknowledge:
- Flexible SSL only encrypts traffic between the browser and CloudFlare. This means the traffic between CloudFlare and your site (on the origin server) is unencrypted, which still leaves room for a “Man-in-the-Middle” attack. This method also isn’t allowed when you’re using forms to sensitive information like credit card data or passwords. To be clear: You can’t use this method for e-commerce sites.
- CloudFlare is using a shared SSL certificate, which means that your visitors won’t be able to verify it’s really you behind the scenes. Even though most visitors won’t go through the effort of checking a certificate, it’s still something to keep in mind. Again, when it comes to becoming PCI compliant for e-commerce (maintaining an SSL certificate is one of the steps), this isn’t allowed.
CloudFlare also offers “Full” and “Full (Strict)” SSL protection. The latter also validates the certificate on the origin server, which at least mitigates the first point above. However, it is still a shared certificate. For $5 per month, you can order a dedicated certificate, but there are cheaper ways to do this; for example, using Let’s Encrypt, which is covered later in this post.
CloudFlare Flexible SSL is a simple way to get your site secure, but, as you’ve seen here, it gives a bit of a false sense of security. While this will prevent any punishment Google can come up with, it won’t always be the best way to actually secure your site and its visitors. But, for a basic informational site, this will do the trick.
Continue reading %How to Secure WordPress with SSL%