Why and How to Secure your WordPress Blog using SSL
We hear about different forms of cyber attacks in our daily lives. We are under serious threat from every one of them, although most of the protection is usually taken care of by the large corporations that hold your data, like Facebook, Gmail (Google), Twitter, etc.
It doesn't take calculus to work out where you, the common tech-savvy guy, are exposed. Well, it's blogs. You may belong to the select breed of bloggers who happily pour their wisdom out for the good of everyone, but that may not be enough to secure yourself at this exposed, vulnerable point. You could be lucky if you are using Tumblr, Quora or WordPress Online, but there are hundreds of thousands of self-hosted blogs out there. There are also many commercialized blogs, and trust me, a lot of them haven't ever given this a thought. So what's the antidote?
A simple robust fix is SSL.
SSL is simple: if a website has SSL, then all the communications between the client (you and your computer) and the server (the site which you are viewing, which bears the SSL badge) are encrypted. That means no one can snoop on your communication, and snooping is the fundamental attack process for intrusion and theft.
So, who needs SSL?
You, the blog owner, need SSL on the blog, not the blog readers; it is you who has to provide it for your readers. This is in the best interest of both you and your readers.
You need to get an SSL certificate from a vendor. The cheapest ones come for as low as $8 a year, namely PositiveSSL if you buy it from namecheap.com, who provide one of the best and cheapest services there are. Upon purchasing one, you will be asked to get a CSR (Certificate Signing Request) from your hosting provider. You can also generate one yourself from the command prompt over ssh. Once you have the CSR, you provide it to the certificate vendor and they send a confirmation email to the address listed for the domain name owner, say firstname.lastname@example.org for the domain blog.asispanda.com.
Once you confirm the email, they reply with the certificate and keys in a zip file. The SSL certificate in text form is then emailed to the hosting provider, who does all the setting up, and you are good to go. Your site now runs on the HTTPS protocol; cool and savvy, isn't it?
Here’s a DIY Guide: http://www.wpbeginner.com/wp-tutorials/how-to-secure-your-wordpress-pages-with-ssl/ to assist you with the process.
Well, if it were that easy and solved every problem, then all blogs would have it. Here are some hurdles which most blogs face while protecting themselves with SSL.
Now, there are various SSL states like these:
To have 100% secure communication, there should be no use of externally linked files or external communication over unprotected links. This includes importing media such as an image directly from a link instead of uploading it to your site, which is a common practice among bloggers because it saves time.
Then there are advertisements. Advertisements nowadays are sourced from 3rd party networks, the most common one being Google Adsense. All you do is provide them with a size and a link to your blog, and they give you back a simple code which you embed in your site; they do all the heavy lifting of matching the advertisement with your blog's content and posts.
Using a 3rd party ad network instantly defeats the purpose of 100% security, leaving some chances open for snooping and theft. There have been numerous cases where this has been exploited.
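A quick way to audit a post for the externally linked files and ad scripts described above, as an added example that is not part of the original post: it flags subresources fetched over plain http:// and those served by another host. The function names and the sample HTML are illustrative, and every host other than blog.asispanda.com is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}

class MixedContentScanner(HTMLParser):
    """Collect subresources that weaken an HTTPS page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.insecure = []     # fetched over plain http://
        self.third_party = []  # https:// or //host/..., but on another host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheets are fetched and applied
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        parts = urlparse(url.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme == "http":
            self.insecure.append((tag, url))
        elif host and host != self.site_host:
            self.third_party.append((tag, url))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    return scanner.insecure, scanner.third_party

# Constructed sample post; every host except blog.asispanda.com is made up.
SAMPLE = """
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<img src="http://images.example.net/photo.jpg">
<img src="https://blog.asispanda.com/wp-content/uploads/cat.png">
<script src="https://ads.example.com/show.js"></script>
<a href="http://example.org/article">an ordinary link</a>
"""

if __name__ == "__main__":
    for label, found in zip(("insecure", "third-party"), scan(SAMPLE, "blog.asispanda.com")):
        for tag, url in found:
            print(label, tag, url)
```

Ordinary `<a>` links are ignored because the browser does not fetch them while rendering the page; only embedded resources affect the security state of the page itself.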
At the very minimum, SSL protects all your user accounts and their communication. The blog authors go to the administration page of WordPress to write and post articles. They stay there for a fairly long time, doing different types of work. This work is often sensitive, for example, checking out links to PayPal donations/social networks/Apps OAuth keys/API health.
These communications do not include any 3rd party resources and hence are protected with a 100% secure SSL connection, so you can sign in and check your referral earnings stress-free.
SSL also gives you consistent secure communication between page flows if there is some kind of payment involved in your blog, be it in the form of donations, subscriptions or purchases. The page swaps between your blog page, payment gateway and banks are all consistently protected by SSL. This makes it difficult for even the most sophisticated hackers to find a weak entry point in your blog's communication flow.
I personally feel the advantages outweigh the cost and effort of getting an SSL connection. It is always better to be safe than sorry. In the light of the recent brute force attacks on WordPress accounts, SSL would be an industry standard protection for your blog, and would fare well against a good number of miscreants.