How secure is your website?
Perhaps not as secure as you think.
In WhiteHat Security’s 2015 Website Security Statistics Report, they report that 86% of websites have at least one significant security vulnerability and they indicate that in 2014 there was a 70% likelihood that these vulnerabilities are due to insufficient SSL security protection. Keep in mind that this likelihood was 0% in 2010. That is a significant increase.
What about the security of WordPress sites specifically?
Sucuri reports that in the first quarter of 2016, 78% of the websites for which they provided security were WordPress sites. That is a staggering statistic and one that all WordPress site owners need to take seriously. However, the issue of security can be addressed more easily than you think because the use of SSL security protection is the next logical step in protecting your WordPress site.
What Is SSL?
SSL stands for Secure Socket Layer and it is responsible for the HTTPS (instead of HTTP) you often see at the beginning of a web address when you are on a website. Technically, SSL is now called TLS, for Transport Layer Security, changed by the Internet Engineering Task Force (IETF) in 1999, but most people still refer to it as SSL.
SSL provides protection for a website by providing an encrypted link between a website and a browser. In this way, when someone is visiting a website and that website is communicating with the user’s browser, all information passed between the browser and the website is encrypted and secure. Anyone who might be trying to intercept any sensitive information or data being transmitted between the browser and the website will not succeed.
Why You Need SSL
At this point you might be wondering why you need SSL for your WordPress site. The truth is if you have a simple blog, then perhaps security isn’t your top priority. However, even when you just post to your blog once a week and have a few dozen or a few hundred followers, it is still wise to have an SSL certificate. Here are the reasons you need an SSL certificate:
- Security: Many people have monetized their WordPress sites. Either they run an ecommerce site, have affiliate links, or have a donation site. Many people also run membership sites. Any and all of these sites require the input and transfer of sensitive personal information, such as name, address, and credit card information. And if your WordPress site isn’t monetized, that doesn’t mean it never will be.
- Website Ranking: Google is beginning to give more weight to websites that have SSL certificates. Their goal is to make the Internet a safer place for everyone so they are encouraging websites to get their SSL certificates by giving the HTTPS designation more weight in the search engine rankings. Google has started small, with only a 1% presence in global queries so that website owners have time to switch over, but they are considering giving SSL certifications more weight in the future.
- Professional Appearance: People who visit your website can feel confident that you are legitimate and professional and that any information they provide you is safe and secure.
- Data Integrity: With SSL, every word you post and every link on your site is safe and secure. If you have a link to an affiliate website, no hacker can go into your secure site and replace that link with a phishing link, sending your visitor to a site of their choosing.
- Changes at WordPress: Last week WordPress announced that they will be moving towards SSL in 2017. “2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available.” WordPress plans to begin assessing which features, such as API authentication, would benefit the most from SSL and make these features only enabled when SSL is installed.
Adding Your SSL Certificate to Your WordPress Site
If you want to use SSL on your WordPress site, it is a matter of purchasing an SSL certificate. If you are hosting via a third-party, then check with them as they might provide you with an SSL certificate for free. If they do not provide a free SSL certificate, then they might sell third-party certificates. Once you have your certificate, your web-host will usually install it for you.
Easier Option for Non-DIYers
WordPress Managed hosting companies like Flywheel are now offering FREE SSL certificates through Let’s Encrypt. While the hosting is a bit more expensive, the value of the services they offer (like a FREE SSL Certificate) beyond a standard shared hosting environment is tremendous, so well worth the extra cost.
Instructions for installing a SSL certificate on Flywheel are at How do I add Simple SSL to my site.
Ensuring You’re Secure
You should check and make sure the pages that should be secure are secure. All you need to do is visit each page and look at the URL for those pages. If they are secure, there will be a closed lock symbol beside the https (rather than http).
If there is a yellow triangle in front of the lock symbol, then Google Chrome has found content on the page that is not secure. If there is a red X over the lock symbol and a red line through the “https,” then there is either a problem with the SSL certificate for the site or Google Chrome has found a significant amount of content on the page that is not secure.
Just remember that it is incredibly important to use an SSL certificate if you collect personal data from any visitors or customers or transmit any sensitive data. This is the only way you can ensure that data is fully protected and this is particularly important on WordPress sites. Even if you include affiliate links or links to other websites or social media accounts you own, you need to ensure those links are secure and cannot become compromised. In the end, the choice to get an SSL certificate is yours to make, but getting one just makes good sense.