Every publicly reachable website is exposed to attack attempts. However, the sheer popularity of WordPress, combined with the relative inexperience of some owners and administrators in security best practices, often makes WordPress sites an easy target.
The developers behind the WordPress software itself go to great lengths to keep the platform secure, but attackers constantly develop new methods of attack.
This all sounds very serious, but with a little know-how there are a number of relatively simple measures you can take to protect your WordPress website:
- Choose a strong, unique password for every WordPress account, especially administrator accounts. Don’t be tempted to pick a weak password just because it is easy to remember.
- Apply all WordPress core, theme and plugin updates as soon as they are released. They often contain fixes for vulnerabilities that have been disclosed, and attackers actively scan for sites that have not applied them.
- Serve your website over HTTPS with an SSL/TLS certificate.
What is SSL?
Every time your website receives a visitor, your web server exchanges information with their browser. If the two communicate over plain HTTP, everything is transmitted in plaintext, so anyone on the network path (a shared Wi-Fi network, an ISP, a compromised router) can read it and can also modify it in transit. That means an attacker can intercept potentially sensitive data such as login credentials and card details, or inject content into the pages you serve. SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), which is what every modern browser actually negotiates, provides an encrypted and authenticated channel between browser and server; a site that uses it is served over HTTPS. The name “SSL certificate” has stuck even though the protocol in use today is TLS.
In January 2017 Google Chrome began marking HTTP pages that collect passwords or card payment details as “Not secure”. Google also uses HTTPS as a ranking signal, so it is now more important than ever to use HTTPS.
To use HTTPS you need a valid certificate issued by a Certificate Authority (CA) that browsers trust. Browser and operating-system vendors run root programs with detailed requirements a CA must meet before its root certificate is added to their trust stores; only certificates that chain to a trusted root make the browser display the familiar padlock in the address bar. The certificate binds your domain name to your server’s public key, which is what lets the browser verify it is talking to the genuine site rather than an impostor. Before issuing a certificate the CA performs checks on the applicant, at minimum proving that the applicant controls the domain (domain validation).
Until relatively recently certificates had to be purchased, but over the last few years CAs have appeared that issue them free of charge, with the aim of a web that is both more secure and more privacy-respecting. Let’s Encrypt, run by the non-profit Internet Security Research Group, is one such CA: it issues free domain-validated certificates through an automated protocol (ACME), which is also what makes automatic renewal possible.
Getting Let’s Encrypt on WordPress.
Many hosting providers already offer Let’s Encrypt integration through cPanel. A list of hosting providers with Let’s Encrypt support can be found here.
If you are building your site from scratch, installing the certificate is straightforward provided it is one of the first things you do. Adding a Let’s Encrypt certificate to an existing site requires a few more steps, because content already in the database refers to the old http:// URLs.
Before you make any important changes to your site, it’s always best to perform a backup.
Log in to cPanel for your website and look for the Let’s Encrypt logo (usually under Advanced or Security). Follow the instructions; if domain validation succeeds you will see a confirmation, and the free certificate is installed.
Let’s Encrypt certificates are valid for 90 days. cPanel’s integration, like other ACME clients, renews them automatically before they expire, but renewal can fail quietly (for example after a DNS change, or if a rule in .htaccess blocks requests to /.well-known/acme-challenge/, which the HTTP validation needs; a redirect from HTTP to HTTPS is fine, as Let’s Encrypt follows redirects). Check periodically that renewals are actually happening rather than assuming they are; you can also renew manually if you wish.
Next, update your WordPress URLs from HTTP to HTTPS. In the WordPress dashboard go to Settings, General and change both WordPress Address (URL) and Site Address (URL) so that they begin with https://. WordPress will log you out when you save; log back in over the new https:// address.
Database search and replace.
Adding a certificate to an existing website also requires the URLs stored in your WordPress database to be updated. Without this step your images, scripts and stylesheets still load from http:// URLs and your internal links still point to http:// pages. Browsers treat that as mixed content: a page that loads images over HTTP loses the padlock, and scripts and stylesheets loaded over HTTP are blocked outright, which can break the site.
To fix this you need to search and replace the http:// URLs with https:// ones across the database. A plain SQL REPLACE() is not enough, because WordPress stores many settings (theme options, widgets, plugin data) as PHP serialized strings that embed the length of each string; change the text without updating those lengths and WordPress can no longer read the value. Happily, there is a very useful open source script for this from Interconnect IT (Search Replace DB) that handles serialized data correctly and carries out the replacement across the whole database. It also offers a dry run so you can see what will change before executing it.
Make sure you have an up-to-date backup of your database before you run the script, use it with caution, and read its installation instructions carefully. Remove it from your server as soon as you are done: it runs with your database credentials, so anyone who finds its URL can use it to read or rewrite your entire database.
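To show concretely why a serialization-aware replace is needed, here is a small Python demonstration. It is an added example, not the Interconnect IT script and not code from this post: it parses the subset of PHP’s serialize() format that WordPress options normally use (null, bool, int, float, string and array; not objects), performs the replacement inside the parsed value, and re-serializes with the string lengths recomputed in bytes. The option names and example.com URLs in the sample rows are constructed for the demonstration.

```python
"""Serialization-aware search/replace for WordPress database values.
Added example, not the Interconnect IT script and not code from the post.
Sample rows and example.com URLs are constructed for the demonstration."""


def php_unserialize(data: bytes):
    """Parse PHP serialize() output for the types WordPress options use
    (N, b, i, d, s, a). Arrays come back as ordered (key, value) lists so
    PHP key order survives a round trip. Objects (O:) are not supported."""

    def parse(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                                    # N;
            return None, pos + 2
        if tag in (b"b", b"i", b"d"):                      # b:1;  i:42;  d:1.5;
            end = data.index(b";", pos)
            conv = {b"b": lambda v: v == b"1", b"i": int, b"d": float}[tag]
            return conv(data[pos + 2:end]), end + 1
        if tag == b"s":                                    # s:<byte length>:"...";
            colon = data.index(b":", pos + 2)
            start = colon + 2                              # skip ':"'
            end = start + int(data[pos + 2:colon])
            if data[end:end + 2] != b'";':                 # declared length is wrong
                raise ValueError(f"string length mismatch at offset {pos}")
            return data[start:end].decode("utf-8"), end + 2
        if tag == b"a":                                    # a:<count>:{k v k v ...}
            colon = data.index(b":", pos + 2)
            count, pos, pairs = int(data[pos + 2:colon]), colon + 2, []
            for _ in range(count):
                key, pos = parse(pos)
                val, pos = parse(pos)
                pairs.append((key, val))
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated array at offset {pos}")
            return pairs, pos + 1
        raise ValueError(f"not serialized data at offset {pos}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value

def php_serialize(value) -> bytes:
    """Inverse of php_unserialize; string lengths are recomputed in bytes."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):                            # before int: bool is an int
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value)
    return b"a:%d:{%s}" % (len(value), body)

def replace_in(value, old: str, new: str):
    """Apply the text replacement to every string inside a parsed value."""
    if isinstance(value, str):
        return value.replace(old, new)
    if isinstance(value, list):
        return [(replace_in(k, old, new), replace_in(v, old, new)) for k, v in value]
    return value

def is_valid_serialized(cell: str) -> bool:
    """True if PHP would be able to unserialize this cell."""
    try:
        php_unserialize(cell.encode("utf-8"))
        return True
    except ValueError:
        return False

def safe_replace(cell: str, old: str, new: str) -> str:
    """Parse -> replace -> re-serialize for serialized cells. A plain text
    replace (what SQL REPLACE() does) is used only for non-serialized cells."""
    try:
        parsed = php_unserialize(cell.encode("utf-8"))
    except ValueError:
        return cell.replace(old, new)
    return php_serialize(replace_in(parsed, old, new)).decode("utf-8")

# Constructed rows standing in for wp_options (option_name, option_value).
SAMPLE_ROWS = [
    ("siteurl", "http://example.com"),
    ("theme_mods_demo", 'a:2:{s:4:"logo";s:38:"http://example.com/wp-content/logo.png";'
                        's:5:"color";s:7:"#ffffff";}'),
]

if __name__ == "__main__":
    OLD, NEW = "http://example.com", "https://example.com"
    for name, value in SAMPLE_ROWS:
        naive = value.replace(OLD, NEW)                    # what REPLACE() would do
        print(f"{name}\n  naive: {naive}\n  safe:  {safe_replace(value, OLD, NEW)}")
        if is_valid_serialized(value):
            print(f"  naive result still unserializes: {is_valid_serialized(naive)}")
```

Running it shows the theme_mods_demo row keeping its `s:38:` prefix after a naive replace even though the URL is now 39 bytes long, so it no longer parses, while the safe version rewrites the prefix to `s:39:`. Two practical caveats when you run the real thing: search for the exact forms the database actually contains (http://example.com and http://www.example.com are different strings, and protocol-relative //example.com URLs need no change), and prefer the dry run first. WP-CLI’s `wp search-replace` command is another serialization-aware option if you have shell access to the server.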
Now that you have a working HTTPS connection, the next step is to make sure visitors no longer reach your site over HTTP. There are a couple of ways to achieve this. You can install a plugin that handles it for you (such as WordPress Force HTTPS), or you can edit the .htaccess file and add a redirect rule above your existing rewrite rules (the ones WordPress writes between its BEGIN WordPress and END WordPress markers), substituting in your site name.
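The following .htaccess fragment is an added example, not the snippet from the original post; www.example.com is a placeholder for your own canonical host name.

```apache
# Added example, not the original post's snippet. Replace www.example.com
# with your own canonical host name. Place this block above the
# "# BEGIN WordPress" rules so it runs before WordPress's own rewrites.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only rewrite requests that arrived over plain HTTP.
RewriteCond %{HTTPS} off
# Permanent redirect to the same path on HTTPS (the query string is carried
# over by default). Hard-coding the host instead of using %{HTTP_HOST} also
# canonicalises www/non-www and keeps a client-supplied Host header out of
# the Location response header.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]
</IfModule>
```

One caveat: if a CDN or reverse proxy terminates TLS in front of your server, the origin sees plain HTTP for every request, `%{HTTPS}` is always off, and this rule produces a redirect loop; in that setup test the `X-Forwarded-Proto` header instead (for example `RewriteCond %{HTTP:X-Forwarded-Proto} !https`). Once every page loads cleanly over HTTPS you can also add a Strict-Transport-Security header (via mod_headers) so returning browsers never attempt HTTP at all; start with a short max-age until you are confident nothing is still served over HTTP.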
You should now have a website secured by a free certificate, with the padlock icon visible in the address bar. If the padlock is missing, the usual cause is mixed content: run your site through Whynopadlock, or open the browser’s developer console, which lists every resource that was loaded or blocked over HTTP, and fix the URLs it reports.