How to Make your WordPress Site Fully Secured

secure-wordpress-site

WordPress has been around for more than 15 years. And no other Content Management System (CMS) has been as simple and powerful as WordPress at the same time. Moreover, for the same reason, WordPress is the leader in the CMS market.

When you want to put up a site or blog, the obvious choice is WordPress. Because it requires almost no coding/programming knowledge to start with. But the problem is, you have to configure the site to make it secure. Otherwise, Google Chrome shows the site visitors that your site is not secure. Same goes with Mozilla Firefox. Firefox displays a dark padlock with a red slash.

Even if you do not handle any sensitive information like payments, collecting personal information, and so on, there are significant issues that make the visitor leave your site. One such problem is that leakage of the user visiting history and malicious content injection by a hacker sitting between the server and the visitor.

Keeping that apart, the visitors’ minds are wired in a way that when a website is not secured, it is better to navigate away. Thanks to internet security awareness campaigns.

Two things are required to make a WordPress site secure.

  1. An SSL certificate
  2. HTTPS is enabled for your WordPress site.

Worry not, we will walk you through all the necessary steps.

HTTPS, what is it?

Simply put, HTTPS is a secured version of HTTP.

HTTP stands for HyperText Transfer Protocol. Through this protocol web pages, and any underlying data, are transferred between a web server and a browser. The browser reads these pages—which contain code in the form of HTML, CSS, JavaScript—and decodes them for displaying on the screen.

HTTPS stands for HTTP over SSL (or HTTP over TLS). Secure Sockets Layer (SSL) is an additional element that ensures everything traveling between the web server and browser is adequately encrypted. And that anyone who is able to see the data between server and browser cannot understand it. Hence, no one can steal any information, like credit card details, login credentials, etc.

What is an SSL Certificate?

Basically the encryption happens using Public Key Cryptography.

In Public Key Cryptography (PKC), two keys will be available, which are called a key pair: a Public Key and a Private Key. The data encrypted with the Public Key can only be decrypted using the relevant Private Key. Public Key is available for everyone so that sending information securely is possible. Hence it is called Public Key. And the Private Key is a secret.

In reality, whenever you enter some info on a secured website, the information is encrypted using the Public Key. After the encrypted info reached the web server, the server decrypts and understands the information using Private Key.

In general, the encryption process happens behind the scenes in the web browser.

But, how can you be one hundred percent confident that you are using the correct Public Key? Maybe a hacker in between is manipulating the traffic and is making you use the wrong Public Key so that he can decrypt it.

That is why you need an SSL certificate.

A Certificate Authority (CA), which is a trusted third-party, issues an SSL certificate. The CA certifies that the user/visitor is using the correct Public Key. Web browsers recognize these certificates, and they would display a green padlock along with HTTPS protocol to notify the visitor that he is on a secure connection.

So, you have to use HTTPS along with an SSL certificate to make your WordPress site fully secured.

How to set up HTTPS on your WordPress site?

You can setup HTTPS using multiple ways. Here we explain some easy ways to do it.

Using a Plugin

In the WordPress ecosystem, for almost everything, there is a plugin that can do the job for you. And setting up HTTPS is no exception to do with a plugin.

Really Simple SSL is the plugin of our choice. Because it not only makes your website fully HTTPS and makes sure that anything that loads on the background of a webpage is also secure.

Follow these steps to install the plugin:

  1. Log on to the WordPress admin panel.
  2. On the left side, Click on Plugins
  3. Then, Click on Add New
  4. Search for Really Simple SSL
  5. Click on Install

Now the plugin is installed, and you should activate it. Then you can proceed to configure the site with HTTPS. The plugin interface is straightforward. And you can do the necessary steps required without much effort.

Alternatively, another plugin called WordPress HTTPS can also help you out with enabling HTTPS on your WordPress site.

Using Settings

You can also enable HTTPS using the Settings page.

  1. On the Admin panel, click on Settings
  2. General Settings page is displayed.
  3. Modify both the WordPress Address and Site Adress from HTTP to HTTPS.
  4. Scroll down and click on Save Changes.

Sometimes, you will not be able to modify these fields. In that case, use a plugin mentioned in the above section.

Install the SSL certificate

You have to install the SSL certificate on the web server before make your website https where you have hosted your WordPress site. Only after installing the SSL certificate you will see the secure green padlock on the address bar of a web browser.

You have to buy an SSL certificate from a Certificate Authority (CA) like Comodo or you can get from SSL2Buy

Now you have bought SSL Certificate for your website. And it is time to install the certificate on your web server.

A WordPress installation in general uses an Apache HTTPD server or a Nginx server in the backend.

Installing SSL on Apache Server

  1. Save the certificate and key in a folder. Sometimes depending where you have purchased SSL certificate you will also have a certificate chain file.
  2. Open the Apache configuration file. It is usually available in /etc/httpd folder.
  3. In the configuration file, go to SSL Engine section
  4. Ensure the following lines in the section:

SSLEngine on

SSLCertificateFile [add the path to certificate file here]

SSLCertificateKeyFile [add the path to key file here]

SSLCertificateChainFile [add the path to certificate chain file here]

Save the Apache server configuration file. And restart the Apache server.

You can use the following commands:

/usr/local/apache/bin/apachectl startssl

/usr/local/apache/bin/apachectl restart

Installing SSL on Nginx server

  1. If you have both the certificate file and chain file, you have to combine them into a single file.
  2. You may use the cat command to combine both the files. Ensure that main certificate info is place first and then the chain/intermediate certificate file.

You can use the following command:

cat main.crt intermediate.crt >> single.crt

The above command adds the contents of main and intermediate certificate into the Single certificate.

Now, place the combined certificate file and key file in a folder on the host machine.

Then, locate the Nginx configuration file.

Locate the server section in the configuration file.

Ensure the following lines of code in the section:

server {

listen 443 default ssl;

ssl_certificate  [add the path to combined certificate file here];

ssl_certificate_key  [add the path to key file here];

}

 

Save the Nginx configuration file.

Then, restart the Nginx server.

The following command helps you to restart the Nginx server:

/etc/init.d/nginx restart

Check the WordPress Site

Now browse your WordPress site using a web browser like Chrome or Firefox, and you will see HTTPS sign with a green padlock in the address bar.

Sometimes, the browser displays an error that says Mixed content warning. This warning occurs when some content on the page is loading through HTTP instead of HTTPS. You can address these issues using the Really Simple SSL plugin. Or by manually replacing the HTTP links in your code with the relevance HTTPS URLs.

Conclusion

WordPress can also be installed on a Windows server using Microsoft IIS. However, that is not popular, and it is out of the scope of this article.

If you have run into any issues, usually the error messages will give necessary clues to identify and address the issues. And if you are not technically sound, it is better to take expert assistance. Otherwise, you will quickly run into problems. And, sometimes, even end up taking down the entire site without knowing what you had done wrong.

What if you don’t have the necessary skill or time/money to hire someone to address your problem?

You should better host your website with providers like WpEngine, HostGator, or GoDaddy. These providers offer you free technical support along with your subscription plan. And some of these plans include an SSL certificate. In this case, you do not have to worry about making your WordPress site secure. The service provider will make the site secure for you.

Alternatively, if you have bought an SSL form SSL2BUY, the technical team from these service providers will help you out.

About Navneet Singh

Navneet Singh is a young enthusiast who Loves Internet Marketing and is always eager to share useful and authentic content to help others. A Software Engineer By Chance and Working as a Digital Marketing Consultant in an IT MNC by Choice. A Basket Ball Player and a Budding Entrepreneur. Inbound Marketing and Customer Acquisition Certified, and a Conversion Optimization Expert. As Seen on MarketingLand.Com and Forbes.Com You may reach Navneet Singh at navneet.emarketing@gmail.com

Navneet Singh

Navneet Singh is a young enthusiast who Loves Internet Marketing and is always eager to share useful and authentic content to help others. A Software Engineer By Chance and Working as a Digital Marketing Consultant in an IT MNC by Choice. A Basket Ball Player and a Budding Entrepreneur. Inbound Marketing and Customer Acquisition Certified, and a Conversion Optimization Expert. As Seen on MarketingLand.Com and Forbes.Com You may reach Navneet Singh at navneet.emarketing@gmail.com