The Official InMotion Hosting Blog

Breathe New Security Features into your Website with SSL


Almost every day I hear the term ‘SSL Certificate’ strewn about in conversation with customers.  Most people inquiring about whether we provide SSL certificates are generally interested in some sort of eCommerce solution.  I hesitate to delve deeper into the true powers of SSL encryption oftentimes, but the advantages of being a proud owner of an SSL are overly abundant!

To understand exactly why an SSL certificate is beneficial, it’s important to understand the basics.  Have you ever noticed that when you go to facebook.com, google.com, or twitter.com, your browser automatically displays a lock in the top bar?  If you have, you might have also noticed that the URL in the address bar changed from what you typed, and now displays https:// at the beginning of the URL. This means that the site is secured with an SSL certificate, and is forcing you to use that path.  Most SSL certificates contain the domain name, company, address, city, state, and country.  The Certificate Authority, which is the company that issued the certificate, is also in there.  Basically, when a browser attempts to establish a connection to the website through SSL, it checks that the certificate is not expired, is from a trusted Certificate Authority, and is being used on the correct website.  If any of these criteria are not met, your browser will warn you, and let you know this site is not a trusted source, and is not being encrypted through SSL.

What exactly can an SSL certificate do for you?

So let’s get down to it.  What are some cool things I can do with an SSL certificate?

Secure Your E-Mail

So many clients come to InMotion Hosting because they want a more secure e-mail platform.  Sure, not using a free public e-mail service will do wonders in your control over spam and viruses, and even having your account compromised, but why not take that extra step?  The extra layer of security that can be provided with just a few clicks will allow you to sleep better at night just knowing you’re more secure in your daily messages.

There’s an excellent article available that will walk you through the steps of having your e-mail send and receive over SSL here: http://www.inmotionhosting.com/support/email/email-client-setup/email-client-configuration-email-over-ssl

Connect to FTP over TLS

If you’re in a shared hosting environment, you won’t have SSH access, which is required to use sFTP (Secure FTP).  This is for security reasons, but you can easily implement an SSL certificate to securely connect via FTP.  In fact, you can use the server’s free shared SSL certificate to accomplish this by following this guide: http://www.inmotionhosting.com/support/website/ftp/securely-connecting-your-website-using-ftp

Website Security

As mentioned earlier in this article, we typically think about the things that NEED to be encrypted to successfully conduct online business.  Of course credit card information would need to be handled with an SSL certificate, but what else on your site could benefit from this extra security?  Well, one thing that comes to my mind is your password.  If I’m using WordPress, Joomla!, or any other CMS – SSL can help protect my website from being compromised.  When I log in to make a post, or when my users log in to browse their accounts, I always implement SSL.  Think about it.  You type your username and password combination into a webpage. It’s traveling over the internet, leaving your browser, going through a wireless network, going to a router, and an ISP.  At any point this information could be easily intercepted.  If you ever travel and write new content for your websites, or work on a site while you’re on vacation – then DEFINITELY get yourself an SSL to protect this information.  You never know who might be sitting at the same Starbucks or airport as you – so why just throw your password out there without having it be secure?

You can follow these simple steps to provide SSL encryption to your WordPress or Joomla! site very easily.

WordPress:

You can easily implement SSL over the WordPress admin login, and registration pages by dropping in some code to your WordPress config file (wp-config.php):

define('FORCE_SSL_LOGIN', true);

Alternatively you can force SSL encryption over the entire WordPress admin area:

define('FORCE_SSL_ADMIN', true);

Typically the second option is the way to go, as this will force it over the entire administration area, giving you added security for your administrative duties.

Joomla!:

Joomla! makes SSL encryption very simple.  You just need to log in to your admin area, navigate to your Joomla! Login module, and select ‘Yes’ for the Encrypt Login Form. This option will encrypt your login data for you and your users. You may want to go the extra mile and ensure SSL encryption is set across the entire site as well.

Session cookies are vulnerable as well, and they can also be encrypted.  This typically isn’t going to make or break a site as cookies are set to expire anyways, but leaving session cookies unencrypted will make your site susceptible to Man-In-The-Middle attacks, which can pose a threat and compromise your site.  Luckily Joomla! makes preventing this a simple task as well. Go into the Joomla! Global Configuration area, and then go down to the ‘Force SSL’ area.  Selecting Administrator Only will provide encryption for your administrative section, and admin cookie sessions. You can also select Entire Site, which will provide SSL encryption for everything on your website, including the administration area. This will protect all session cookies for all users as well, so if you’re worried that a MITM attack would be targeted to your user base, then enable the Entire Site option.

While there are many other CMS platforms available and different ways to enable SSL for each, it would be impossible to cover all of them.  If you custom coded your page, you can always force SSL through your .htaccess file as well, so that a user who types in http://yourname.com is automatically redirected to https://yourname.com.  To achieve this, we rewrite the request based on the incoming host and request URI.  The following code can be used in your .htaccess file to accomplish this:

# Redirect any request that arrived over plain HTTP to the same host and path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

When forcing SSL across your entire site, make sure you’re not linking to anything protocol specific. Instead of linking to your style sheet http://yourdomain.com/style.css, leave it open as //yourdomain.com/style.css.  It’s good practice to be doing this anyways.
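One way to find the protocol-specific links described above before you turn on the redirect. This is an added example, not code from the original post; the sample page and the names find_insecure_refs and to_protocol_relative are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch something while rendering.
# Plain <a href> links are navigation, not page resources, so they are skipped.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src",
               "iframe": "src", "source": "src", "form": "action"}

class InsecureRefFinder(HTMLParser):
    """Collects (line, tag, url) for resources hard-coded to http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and urlsplit(value).scheme == "http":
                line, _col = self.getpos()
                self.findings.append((line, tag, value))

def find_insecure_refs(html):
    """Return every resource reference that would load over plain HTTP."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def to_protocol_relative(url):
    """Rewrite http://host/path to //host/path; leave other URLs untouched."""
    if urlsplit(url).scheme != "http":
        return url
    return "//" + url.split("://", 1)[1]

# Constructed sample page (hypothetical content, not from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/style.css">
<script src="//yourdomain.com/app.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="http://yourdomain.com/logo.png" />
<img src="/images/banner.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {to_protocol_relative(url)}")
```

Run it over your templates or saved pages; each reported line is a resource the browser would request over plain HTTP from a page served over HTTPS.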

So now that we’ve discussed some of the benefits that you can experience with adding an SSL certificate, what are you waiting for? You can easily obtain a dedicated IP address and dedicated SSL certificate issued by Comodo, one of the most trusted certificate authorities, directly through AMP!

http://www.inmotionhosting.com/support/website/ssl/how-do-i-obtain-an-ssl-certificate
