You need HTTPS on your website. It encrypts all data sent to and from your web server, which is especially important if visitors are handing over contact details or payment information. But there’s more to website security than encryption. Here are some things to keep in mind while you’re getting your certificate sorted out.
Encryption Is a Good Thing
The word “encryption” comes to us from Greek, which makes me particularly partial to it. (I’m a recovering classicist.) The Greek word κρυπτος (kryptos) means “hidden.” Encryption, as Wikipedia explains, is “the process of encoding a message or information in such a way that only authorized parties can access it.”
There’s a reason that your operating system warns you about connecting to open Wi-Fi networks. Information you send across that network is not encrypted, so a clever hacker with a sniffer tool can see any passwords or other information you might send over it. As the FTC puts it:
If you use an unsecured network to log in to an unencrypted site — or a site that uses encryption only on the sign-in page — other users on the network can see what you see and what you send. They could hijack your session and log in as you. New hacking tools — available for free online — make this easy, even for users with limited technical know-how. Your personal information, private documents, contacts, family photos, and even your login credentials could be up for grabs.
Note that there are two criteria for danger here: an unsecured network and an unencrypted website. As a website owner, you can’t control the security of the network that your visitors use to log in, but you can make sure that any information they send to your website is encrypted.
You do this by installing a security certificate, popularly known as an SSL certificate, on your web server. The protocol that actually does the encrypting these days is no longer SSL (Secure Sockets Layer) but its successor TLS (Transport Layer Security); the certificate is the same kind of X.509 certificate either way, and the term “SSL certificate” has stuck.
A Little HTTPS History
A few years ago we all liked to believe that you only needed SSL if you were collecting financial information or other data protected by privacy laws. Your hosting company or ISP might provide SSL for your email as part of the package you were already getting, but merchant service providers required you to pay for a certificate that met their standards, and you had to cough up money for it every year. At the beginning of 2015, one of my clients paid GoDaddy $65 for an SSL certificate good for one year.
By the end of 2015, Google announced it would prioritize HTTPS over HTTP when indexing sites. Early in 2016 we had the launch of Let’s Encrypt and the push to make free security certificates available to everyone. Developers the world over celebrated, because we all want the web to be more secure. A paid SSL certificate is a reasonable expense for an ecommerce website where a single product costs more than the certificate does, but not for a personal blog that doesn’t even make money from ads.
Before long, hosting companies started to offer easy installation and automated renewal of Let’s Encrypt certificates. Several had jumped on the bandwagon by May 2016, and most of the rest have followed, especially since Google and other browser companies promised to start shaming sites without HTTPS. (Indeed, while I was in the process of writing this article, Chrome version 62 dropped, now with extra warnings.)
Get Your Security Certificate Now
I published some guidelines for setting up HTTPS on your website in January, for the East Bay WordPress Meetup. It includes condensed instructions for setting up HTTPS on SiteGround, DreamHost, WP Engine, Pressable, and BlueHost, but there are actually many more hosting companies that support Let’s Encrypt. Even GoDaddy has finally announced its new Pro WordPress hosting, which includes free SSL for every site. HostGator provides free SSL with its business plan; if you don’t want to upgrade your plan, you can pay $10 to have their support staff install a third-party certificate for you. (I used Cloudflare’s, because that’s good for 15 years. It only works if your site is connected to Cloudflare, though.)
Unless you’re dealing with HostGator, getting HTTPS set up should take about 30 minutes. You need to install the certificate, update your site URL so WordPress generates https:// links, redirect http:// requests to their https:// equivalents, update your analytics to track the HTTPS version of your site, and fix any insecure (“mixed”) content: images, scripts and stylesheets still referenced with http:// URLs, which browsers warn about or block on an HTTPS page. Do it now. Do not pass Go. Do not pay $200.
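If you want to find the insecure content before Chrome does, here is an added example (mine, not code from the original post or from any WordPress project) that scans an HTML document for sub-resources still referenced over http:// and rewrites the ones that point at your own host. The sample HTML and every hostname in it are constructed; www.example.com stands for the site being migrated.

```python
"""Mixed-content check after moving a WordPress site to HTTPS.

Added example, not code from the original post. Standard library only.
SAMPLE_HTML is constructed; www.example.com is the site being migrated and
the other hosts are third parties.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource. An http:// value in one
# of these on an https:// page is mixed content: passive content (images) gets a
# warning, active content (scripts, stylesheets, iframes) is blocked by browsers.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
# <link> only fetches something for these rel values; canonical, alternate etc.
# are metadata and are not mixed content.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHING_LINK_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, attr, url))


def find_mixed_content(html):
    """Return every (tag, attribute, url) that would load over plain HTTP."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_own_urls(html, site_host):
    """Switch http:// references to the site's own host over to https://.

    Third-party URLs are deliberately left alone: check that the provider
    actually serves the resource over HTTPS before changing those.
    """
    fixed = html
    for _tag, _attr, url in find_mixed_content(html):
        if urlsplit(url).hostname == site_host.lower():
            fixed = fixed.replace(url, "https://" + url[len("http://"):])
    return fixed


# Constructed page source: one stylesheet, two images and one iframe still on http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.com/post/">
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/photo.jpg"
     srcset="http://www.example.com/wp-content/uploads/photo-480.jpg 480w, https://www.example.com/wp-content/uploads/photo-800.jpg 800w">
<iframe src="http://widgets.thirdparty.example/embed"></iframe>
<a href="http://www.example.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", *finding)
    print("still insecure after rewrite:", find_mixed_content(rewrite_own_urls(SAMPLE_HTML, "www.example.com")))
```

Run it over saved page source from a few representative pages. In a WordPress site the http:// URLs usually live in post content and theme settings rather than in a static file, so treat the rewrite as a list of what to change in the database (with a serialization-aware search-and-replace tool), and treat anything third-party it reports as a manual check.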
All set? Read on to find out why HTTPS is not the cure for all website security woes.
The Problem with Google’s Word Choice
I’m all in favor of warning people when they’re about to send unencrypted data over the Internet. The problem I have is with Google’s choice of terminology. Describing a page served over HTTP as “not secure” is accurate. But describing a page served over HTTPS as “secure” rather than “encrypted” is misleading.
At present, Chrome is the only browser that actually shows the word “secure” in the address bar. Firefox shows a green lock and Edge just shows a lock. If you click on any of these locks, you see more information. Chrome and Firefox say “Secure Connection.” Edge, interestingly, first provides the identification and then says “Your connection to the server is encrypted,” which is what I call truth in advertising. But right now Edge provides no warning at all when a website’s login page loads over HTTP instead of HTTPS.
I am by no means the first person to object to Google’s word choice for identifying sites with HTTPS. What Wordfence, Tune the Web, and GlobalSign particularly object to is the fact that phishing sites can get SSL certificates, too. An ordinary (domain-validated) certificate proves only that whoever requested it controls that domain name; it says nothing about who they are. That means that you can’t count on the green padlock alone to guarantee that the site asking you for your financial details is the site you think it is.
This is why financial institutions and anyone else whose site is likely to be spoofed should get Extended Validation (EV) certificates that show the name of the company along with the green lock. These are expensive, because every application is reviewed by actual humans to make sure that the company buying the certificate is legitimate. Check to be sure that the PayPal site you are logging into actually says “PayPal, Inc.” in the address bar.
What HTTPS Won’t Prevent
If you’re reading this, you’ve probably been affected by a data breach, computer virus, website “hack”, or other attack at least once. Website defacement and most other attacks are carried out by bots that probe thousands of sites for known security vulnerabilities: outdated plugins, exposed configuration files, weak logins. These bots don’t seek to capture information submitted to your site, but rather to attack your website’s files or database. HTTPS protects data while it is in transit between the visitor and your server; it does nothing about a vulnerability in the software that receives that data, so having a security certificate won’t protect you from these attacks. The bot is perfectly happy to exploit your site over an encrypted connection.
So How Do You Protect Yourself?
The good and bad news about website security is that most of it is your hosting company’s responsibility. According to the owners of companies like Liquid Web and SiteDistrict, if your hosting company is any good, you shouldn’t have to worry about most of the things that the latest “Ultimate Guide to WordPress Security” talks about at all. (I’ve tested this in the case of SiteDistrict.) This is in great part because no amount of security that you apply directly to WordPress will help you if the attackers aren’t getting in via WordPress.
A good hosting company will take security measures that deter most attacks before they get anywhere near your WordPress installation. Most managed hosting companies also include security scans and many offer to fix your site for free if it gets hacked. Depending on your hosting company, a security plugin may be redundant. (Talk to them if you aren’t sure.)
Your Website Security Responsibilities
If you have a good hosting company, there are only a few things that you need to worry about in addition to HTTPS. (If you have a bad hosting company, now would be a good time to switch.)
Use Strong Passwords
I am constantly horrified at the terrible passwords my clients use. Using a weak password is like putting up a “Hack me now” sign. Brute-force attacks—where bots try thousands of username and password combinations in order to break into your site—are still very common. Password management apps are abundant and not expensive, so there’s no excuse for using your address or your pet’s name as a password, or using the same password everywhere. I’ve used both LastPass and Dashlane and can recommend them. (Note the EV security certificates.) You need the premium versions if you want to share passwords across devices.
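Bots leave a very recognizable trail in the web server’s access log, whether they are probing for vulnerable files (the bots from “What HTTPS Won’t Prevent” above) or hammering wp-login.php with guessed passwords. The following is an added example, not code from the original post or from any plugin or host named here, that runs two detections over combined-format log lines: a burst of failed logins from one address, and one address requesting many different paths that don’t exist. The log lines are constructed; the client addresses come from the documentation ranges.

```python
"""Spot brute-force logins and vulnerability probes in a web server access log.

Added example, not code from the original post or from any plugin or host it
names. Parses combined-format lines (the Apache and nginx default), then looks
for (1) bursts of failed POSTs to wp-login.php or xmlrpc.php from one address
and (2) one address requesting many distinct paths that do not exist.
SAMPLE_LOG is constructed; the client addresses are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def detect_login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """{ip: most failed attempts inside one window} for addresses at or over threshold.

    WordPress answers a wrong password on wp-login.php by re-rendering the form
    with status 200 and a right one with a 302 redirect, and xmlrpc.php answers
    a bad login with 200 plus a fault, so a 200 on a POST to these paths counts
    as a failure here.
    """
    attempts = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] in LOGIN_PATHS and e["status"] == 200:
            attempts[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_probing(lines, threshold=4):
    """{ip: sorted distinct 404 paths} for addresses that tried >= threshold of them."""
    misses = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["status"] == 404:
            misses[e["ip"]].add(e["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}


# Constructed log: a real visitor (198.51.100.23), a password-guessing bot
# (203.0.113.7) and a vulnerability prober (192.0.2.55).
SAMPLE_LOG = """\
198.51.100.23 - - [18/Oct/2017:14:00:02 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Oct/2017:14:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2017:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [18/Oct/2017:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [18/Oct/2017:14:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [18/Oct/2017:14:02:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.18"
203.0.113.7 - - [18/Oct/2017:14:02:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [18/Oct/2017:14:02:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
192.0.2.55 - - [18/Oct/2017:14:05:01 +0000] "GET /.env HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2017:14:05:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2017:14:05:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2017:14:05:02 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2017:14:05:03 +0000] "GET /wp-content/plugins/old-plugin/readme.txt?x=1 HTTP/1.1" 404 291 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print("brute force:", detect_login_bruteforce(SAMPLE_LOG))
    print("probing:", detect_probing(SAMPLE_LOG))
```

On a live site the second script in the log is already asking for a password manager: with 12 or more random characters the guessing bot gets nowhere, and the sliding-window count is exactly what a host’s rate limiter or a login-lockout plugin does for you before the requests ever reach PHP.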
Back Up and Update. Back Up Before You Update.
Between WordPress core and WordPress plugins, sites require continual updating. Rarely a day goes by when there is nothing to update on any of the sites I manage. Many of those updates fix security problems, and once the update has been released the vulnerability it fixes is effectively public: attackers compare the old and new code, and bots start scanning for sites that haven’t applied the patch, so the window between release and exploitation is short.
Because updates can sometimes break things, you do want to back your site up before updating, as well as on a regular schedule. I like Updraft Plus because it automatically backs up before any updates.
If you don’t want to do this daily maintenance yourself, there are many companies out there that can do it for you. I know good people at WP-Tonic, WP Site Care, and Maintainn. All of them handle updates, backups, security scans, and various other levels of support for a reasonable monthly fee.
Even if your hosting company provides backups, it’s important to make your own, just in case. WordPress backup plugins tend to be a bit resource-intensive, but if your host rules them out on performance grounds, there are still services like VaultPress and BlogVault.
Keep Your Computer Virus-Free
Most third-party anti-virus programs are awful. There’s nothing that will slow a fast computer down like Norton Antivirus. If you exercise sensible precautions and keep your operating system and software updated, you should be fine with Windows Defender or Apple’s XProtect. But you should know that malware on your computer can spread to your website: a common variety reads the FTP credentials saved in your FTP client, logs in to your server as you, and adds infected files to your site. It happened to me once.
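Both the backup advice above and the stolen-FTP-credentials story come down to the same question: do the files on the server (or in the backup) match what they should be? The block below is an added example, not code from the original post, UpdraftPlus or any other product named here, that answers it with a SHA-256 manifest: build one from a known-good tree, keep it with the backup or off the server, and compare later. The paths and file contents in run_demo() are constructed.

```python
"""SHA-256 manifest for a WordPress tree or a backup of one.

Added example, not code from the original post or any product it names. One
manifest serves both concerns above: stored with a backup it verifies that the
backup (or a restore from it) is complete and unaltered; taken from a known-clean
install it reveals files added or changed since, such as the infected files that
credential-stealing malware uploads. run_demo() uses constructed paths/contents.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip_dirs=("cache",)):
    """Map each file under root (POSIX-style relative path) to its SHA-256.
    Cache directories churn constantly and would drown the report, so skip them."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Diff two manifests: files that appeared, vanished, or changed content."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def php_in_uploads(diff):
    """PHP does not belong in wp-content/uploads; a new or changed .php file
    there is the classic footprint of an uploaded backdoor."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))


def run_demo():
    """Clean tree -> manifest saved elsewhere -> tampering -> diff. Returns the diff."""
    site = tempfile.mkdtemp()
    manifest_path = os.path.join(tempfile.mkdtemp(), "manifest.json")  # kept off the site

    def write(rel, text):
        full = os.path.join(site, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("wp-config.php", "<?php define('DB_NAME', 'wp'); // constructed")
    write("wp-content/themes/demo/style.css", "body { margin: 0 }")
    write("wp-content/uploads/2017/10/photo.jpg", "constructed image bytes")
    write("wp-content/cache/page.html", "cached output; ignored by the manifest")
    save_manifest(build_manifest(site), manifest_path)

    # Simulate what malware with stolen FTP credentials (or a botched restore) leaves behind.
    write("wp-content/uploads/2017/10/photo.jpg", "constructed image bytes, altered")
    write("wp-content/uploads/2017/10/wp-cache.php", "<?php // constructed stand-in for a dropped backdoor")
    os.remove(os.path.join(site, "wp-content/themes/demo/style.css"))

    return compare_manifests(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    diff = run_demo()
    print(json.dumps(diff, indent=2))
    print("suspicious:", php_in_uploads(diff))
```

Keep the manifest somewhere an attacker holding your FTP password cannot reach, otherwise it gets edited along with the files. For a restore test, compare the manifest shipped with the backup against the restored tree; a truncated or corrupt archive shows up as removed or modified files, which is what you want to learn before you need the backup rather than after.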
Use SFTP, FTPES or SSH to Transfer Files
Plain FTP, like plain HTTP, sends your username and password across the network in cleartext, so anyone who can see the traffic can steal your credentials (and read or alter the files you transfer). Your hosting company should give you access via SFTP (file transfer over SSH, a different protocol despite the name), FTPES (FTP with explicit TLS, negotiated with the AUTH TLS command before the login is sent), or an SSH shell. Even if it’s your developer who does all the editing and transferring of files, the host has to make the secure connection possible. If your host only allows plain FTP, it’s probably time to switch hosting companies.
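Two ways to see the difference in practice, as an added example that is not from the original post: ftpes_connect() is how you would open an explicit-TLS session with Python’s standard ftplib so that the password is only ever sent inside TLS, and find_cleartext_credentials() shows what an eavesdropper gets from a captured control channel in each case. The two transcripts are constructed; the host name and the alice/hunter2 login are placeholders. (SFTP needs a third-party SSH library, so it is not shown.)

```python
"""Plain FTP versus FTPES, from both ends of the wire.

Added example, not code from the original post. ftpes_connect() uses the
standard library's ftplib; the two transcripts below are constructed captures
of an FTP control channel, with 'C:' for client and 'S:' for server lines.
"""
import ssl
from ftplib import FTP_TLS


def ftpes_connect(host, user, password, port=21, timeout=30):
    """Open an explicit-TLS (FTPES) session and return the connected client.

    login() sends AUTH TLS and completes the handshake before USER/PASS go out,
    so the password never crosses the network in cleartext; prot_p() does the
    same for the data channel (listings, uploads). create_default_context()
    verifies the server certificate and hostname, so a man in the middle cannot
    substitute its own certificate and harvest the login.
    """
    ctx = ssl.create_default_context()
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)
    ftp.login(user, password)  # upgrades to TLS first because the socket is not yet TLS
    ftp.prot_p()               # encrypt data connections too, not just the commands
    return ftp


def find_cleartext_credentials(transcript):
    """Return (user, password) pairs that crossed the wire unencrypted.

    Scanning stops at the server's 234 reply (AUTH TLS accepted): everything
    after it is ciphertext. A client that falls back to plaintext after a
    rejected AUTH TLS never gets a 234, so its USER/PASS are still caught.
    """
    user, leaked = None, []
    for line in transcript:
        who, _, text = line.partition(": ")
        if who == "S" and text.startswith("234"):
            break
        if who == "C":
            cmd, _, arg = text.partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                leaked.append((user, arg))
    return leaked


# Constructed captures. Plain FTP: the login is readable by anyone on the path.
PLAIN_FTP_TRANSCRIPT = [
    "S: 220 FTP server ready.",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "S: 230 User alice logged in",
    "C: PWD",
]
# FTPES: after 234 the sniffer sees only the TLS handshake and encrypted records.
FTPES_TRANSCRIPT = [
    "S: 220 FTP server ready.",
    "C: AUTH TLS",
    "S: 234 AUTH TLS successful",
    "<TLS handshake, then encrypted USER/PASS and everything that follows>",
]

if __name__ == "__main__":
    print("plain FTP leaks:", find_cleartext_credentials(PLAIN_FTP_TRANSCRIPT))
    print("FTPES leaks:", find_cleartext_credentials(FTPES_TRANSCRIPT))
```

The first transcript is exactly what the FTP-credential-stealing malware mentioned in the previous section, or anyone on the coffee-shop Wi-Fi, gets to read; the second is why your host offering FTPES or SFTP is not optional.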
Back to HTTPS
You need HTTPS. You need it for security, for SEO, and for performance. (Browsers only speak the new, faster HTTP/2 protocol over HTTPS, so without a certificate you don’t get it.) If you don’t have it set up on your website yet, do it now. Just make sure you understand the difference between “encrypted” and “secure.”