10/05/2016

Installing SSL Security on Your Website

Starting in 2017, you will be hearing a lot about securing your website with something known as SSL. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and intact.

For example, when you type your credit card into a form, you want that information to be passed securely, without anyone being able to snoop on it while it is in transit. That is what SSL does. A visitor to a web page knows a website is secure when they see a little lock somewhere near the address bar.

If you manage a website, how do you obtain the necessary SSL certificate required? That's the question many will be asking, and there is a lot of confusion around this topic, unfortunately. In the past, SSL certificates were sold for anywhere between $20 and $100 and had to be renewed, like domain names, every year. This is presently still the case, but we think SSL prices will go down dramatically as more website owners start to purchase and install them. Obtaining an SSL certificate can be a complex exercise but many domain name registrars like GoDaddy and 1and1.com are making the process much easier and less expensive. Starter SSL certificates are now available for free from LetsEncrypt.org and from many hosts.

Zerossl.com is one such authority that can generate a free, domain-validated (i.e. DV) certificate using the Let's Encrypt system. Domain-validated certificates only need to confirm your ownership of the domain name. The confirmation process is very simple and there are two options to choose from: DNS verification and HTTP verification. The former requires creating a specific DNS record of type TXT for the domain. The latter requires creating a plain text file with specific content on your web server. Note that the text file you need to install does not have an extension, and some hosts block files without extensions as a security measure. This may change in the future. Choose the option you are most comfortable with: normally all registrars provide a way to edit DNS records, but you might like creating a text file better. DNS verification might also take a bit longer, depending on how quickly your registrar's servers publish the changes (usually within 15-20 minutes), while HTTP verification can be instant.

We have a Business Package from 1and1.com and recently were offered a free SSL Starter certificate that we enabled for www.newpathnetwork.org. The process was quite painless, as it is essentially a one-click install that creates a domain-validated SSL certificate. We had to spend about an hour eliminating references to non-secure code in our website to ensure full security was activated.
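One way to find the non-secure references mentioned above is to scan each page's HTML for subresources loaded over http://. This is an added example, not code from the original post; the tag/attribute list is an assumption and the sample page is constructed.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch or submit to a URL.
# Assumed list, not exhaustive; <link> is flagged whatever its rel value.
FETCHING_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"), ("form", "action"),
}


class MixedContentFinder(HTMLParser):
    """Collect (line, tag, attribute, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        for name, value in attrs:
            if (tag, name) not in FETCHING_ATTRS or not value:
                continue
            if value.strip().lower().startswith("http://"):
                line, _col = self.getpos()
                self.findings.append((line, tag, name, value.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.com/style.css">
<script src="https://www.yourdomain.com/app.js"></script>
</head><body>
<a href="http://example.org/">plain link, not a subresource</a>
<img src="HTTP://www.yourdomain.com/logo.png">
<img src="/images/photo.jpg">
<form action="http://www.yourdomain.com/contact" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Ordinary `<a href>` links and relative URLs are not reported, because they do not pull insecure content into the secure page.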

Finally, we had to create an .htaccess file to ensure plain HTTP (non-SSL) requests are redirected automatically to the secure version of the site. This also makes sure when Google searches bring up your site you will be found online. We are sharing our .htaccess file, stored in the root directory of our Linux-powered shared hosting environment over at 1and1.com. If you are running WordPress, SSL installation may be even simpler with your host.

Step 1. Create or edit a file called .htaccess in the root of your website.

Step 2. Add these lines (or edit if they already exist)

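# Turn on the rewrite engine
RewriteEngine On
# Match requests for yourdomain.com, with or without the www prefix
RewriteCond %{HTTP_HOST} ^(www\.)?yourdomain\.com$ [NC]
# Only act on requests that arrived on the plain HTTP port
RewriteCond %{SERVER_PORT} ^80$
# Permanently redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]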

Step 3. Save the file. You can upload via SFTP or use your favourite shell editor to edit the file.

Step 4. Test your website to make sure the SSL secure site is loading. Click the lock or the little circle with an i in it to check security details.

Essentially, these directives take an inbound HTTP request for www.yourdomain.com or yourdomain.com and redirect the visitor to the https://www.yourdomain.com equivalent. Any such URL will automatically redirect to the correct new, shiny and secure URL.
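The check in Step 4 can also be scripted: request a page over plain HTTP and confirm the answer is a 301 to the same path on https://www.yourdomain.com. This is an added example, not code from the original post; the function names and the sample responses are constructed, and yourdomain.com is the page's placeholder.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL_HOST = "www.yourdomain.com"  # placeholder host used on this page


def redirect_problems(status, location, path, canonical_host=CANONICAL_HOST):
    """Return the problems with one plain-HTTP response; an empty list means OK."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent redirect)")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirects to {target.scheme or 'no'} scheme, not https")
    if (target.hostname or "").lower() != canonical_host:
        problems.append(f"redirects to host {target.hostname!r}")
    if target.path != path:
        problems.append(f"path changed from {path!r} to {target.path!r}")
    return problems


def probe(host, path="/", timeout=10):
    """Send one HEAD request to port 80 (redirects are not followed) and check it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return redirect_problems(resp.status, resp.getheader("Location"), path)
    finally:
        conn.close()


# Constructed responses: (status, Location header, requested path)
SAMPLES = [
    (301, "https://www.yourdomain.com/about.html", "/about.html"),  # correct
    (302, "https://www.yourdomain.com/about.html", "/about.html"),  # temporary
    (301, "https://www.yourdomain.com/", "/about.html"),            # path lost
    (200, None, "/about.html"),                                     # no redirect
]

if __name__ == "__main__":
    for status, location, path in SAMPLES:
        print(status, location, "->", redirect_problems(status, location, path) or "OK")
    # Live check (needs network): print(probe("yourdomain.com", "/about.html"))
```

Run `probe` once for the www host and once for the bare domain, since each is matched separately by the host condition in the .htaccess file.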

NOTE: Adding SSL security to your site does not mean that you don't have to maintain the integrity of the software that runs the site. If you have a host that does the updates and maintenance, then great! But if you are worried about hackers getting into your website, get in touch with us. We can tell you more about how we can help you maintain security on your WordPress-powered website. We include SSL certificate installation with our Silver and Gold plans!

 

 
