Best Free Security Tools and Tips

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a server and a client, usually a web server and a browser, but it can also be a mail server and a mail client.

Without encryption, information is sent in plain text. If someone is able to intercept the data, they can read and use it. So entering a credit card number or login information on an unsecured site is dangerous and must be avoided. A secured site’s address starts with “https”, as on my site. Browsers also show the “padlock” icon.

To enable an SSL connection, a website requires an SSL certificate (CRT). The CRT contains information about the domain, company, address, city, state, and country. It also stores the expiration date and details of the Certification Authority (CA) responsible for issuing the certificate.

When a browser connects to a secure site, it retrieves the site’s CRT and checks that it has not expired, that it has been issued by a CA the browser trusts, and that it is being used by the website for which it was issued. If any one of these checks fails, the browser displays a warning to the end user that the site is not secure.
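The three checks just described, as an added Python example written for this page (not code from the post): it runs them over a constructed certificate dictionary in the shape that `ssl.SSLSocket.getpeercert()` returns. The issuer name, validity dates, host names and the trusted-CA set are all assumed sample values, and the trusted set stands in for the browser’s root store.

```python
import ssl
import time

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns (all values assumed)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Stands in for the browser's root store (assumed value)
TRUSTED_CA_NAMES = {"Example Trust CA"}


def name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(pattern, hostname):
    """Match one certificate DNS name against the host being visited.

    Exact match, or a wildcard covering exactly one leftmost label, so
    *.example.com matches www.example.com but not a.b.example.com or example.com.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = hostname.split(".")
    # The suffix must itself contain a dot so that "*.com" never matches anything.
    return len(labels) > 1 and ".".join(labels[1:]) == suffix and "." in suffix


def check_certificate(cert, hostname, trusted_cas, now=None):
    """Return a list of problems; an empty list means the browser would show the padlock."""
    now = time.time() if now is None else now
    problems = []

    # 1. Validity period (ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")

    # 2. Issued by a CA we trust
    issuer = name_field(cert["issuer"], "organizationName")
    if issuer not in trusted_cas:
        problems.append(f"untrusted issuer: {issuer}")

    # 3. Issued for the site being visited (subjectAltName first, commonName as fallback)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = name_field(cert["subject"], "commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"hostname mismatch: {hostname} not in {names}")

    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "evil.example.net"):
        print(host, check_certificate(SAMPLE_CERT, host, TRUSTED_CA_NAMES) or "OK")
```

Real browsers do more (chain building, revocation, key usage), but these three checks are the ones whose failure produces the warning the paragraph describes.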

Let’s Encrypt is a free, automated, and open CA. However, demonstrating ownership of a domain requires running software that uses the ACME protocol on the server, which in turn requires shell access. For the non-techies, SSL For Free, FreeSSLCertificate, and ZeroSSL are sites that make the entire process much easier. These services have one issue: the Let’s Encrypt certificate, for all its good intentions, expires after only 3 months, after which it has to be renewed. CloudFlare offers free SSL if you use their service, and renewal is automatic.

Here’s how to generate the CSR using cPanel. ZeroSSL’s CSR Generator can also be used. It has an option to create a 4096- or 2048-bit encryption key. The 2048-bit key works like a charm.

If you are technically knowledgeable, a CSR can be produced using OpenSSL on the local PC.

Creating the CSR also generates a cryptographic key pair: a private key and a public key. Anything encrypted with the public key can only be decrypted using the private key, and vice versa. The private key must be kept secret at all times; not even the CA gets to see it.

The resulting downloadable CSR data file, which also contains the public key, is then submitted to the CA, who in turn validates it and issues the CRT. To validate the domain, the file-based option is easier, as one only needs to upload a text file. After the CRT is generated, download it as a “Server Certificate” with the .pem extension.

When installing the CRT on the site, the server will match it with the private key. If they match, the website will be able to establish encrypted and secure communication with the visitor’s browser. Here are instructions for installing a CRT in cPanel. It’s possible to just supply the CRT and private key and skip the CA Bundle entry.

To check that SSL was installed properly, use SSL Shopper’s SSL Checker. SSL Labs has an SSL Server Test tool that provides comprehensive information that other tools don’t show.

Safari is quite strict when it comes to security certificates; in case of an “untrusted” error, just disable the TLS 1.0 and 1.1 protocols.

To spare yourself the hassle of the entire process, most web hosts with cPanel or WHM offer AutoSSL with Let’s Encrypt support. If there’s an issue with SSL, such as an expired certificate, just remove the existing cert via SSL/TLS, then Manage SSL Sites, in cPanel. After removing the defective cert, go to SSL/TLS Status, select the domain and run AutoSSL.

Now that the site is secured, all HTTP traffic should be redirected to HTTPS. Do this by adding the following as the first rewrite rule in the .htaccess file found in the “public_html” directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If using WordPress, force users to use HTTPS with Easy HTTPS Redirection. Most web hosting control panels nowadays have an option to do this.

To fix the mixed content issue, add this tag in the head section:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

To resolve Shopify Ajax cross-domain restriction, use an app proxy. When creating an app, take note to always use the full pair when defining scopes and I use this PHP code for generating tokens.

If the website hosts resources shared with the public, such as a CSS or JavaScript library, there’s a need to ensure that these files haven’t been tampered with or compromised. One way to implement this is Subresource Integrity (SRI). SRIHash and ReportURI generate the hash and the tag code from the resource URL provided.

Before using SRI, enable Cross-Origin Resource Sharing (CORS) on the server by adding this line to .htaccess:

Header set Access-Control-Allow-Origin "*"

More snippets specific to different web servers are available at Enable-CORS.
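What the SRI generators above compute, as an added Python example written for this page (not code from the post or from the tools it names): it derives the `integrity` value from a resource’s bytes, emits the tag with the `crossorigin` attribute that the CORS header above makes possible, and checks a resource against an integrity string the way a browser does (unknown algorithms are ignored and only the strongest listed algorithm counts). The script bytes and URL are constructed samples.

```python
import base64
import hashlib
import hmac

# Algorithms SRI allows, ordered by strength; the browser ignores anything else
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample resource and URL
SAMPLE_URL = "https://cdn.example.net/lib/app.js"
SAMPLE_JS = b"window.greet = function () { return 'hello'; };\n"


def sri_hash(data, algo="sha384"):
    """Return the integrity token for data, e.g. 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url, data, algo="sha384"):
    """Build the <script> tag; crossorigin="anonymous" is what requires the CORS header."""
    return (f'<script src="{url}" integrity="{sri_hash(data, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_verify(data, integrity):
    """Decide whether a browser would execute data given the integrity attribute.

    Tokens are space separated; unknown algorithms are dropped; of the remaining
    tokens only those using the strongest algorithm are considered, and any one
    match is enough. With no usable token the browser loads the resource unchecked.
    """
    tokens = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # strip any option suffix
        if algo in STRENGTH:
            tokens.append((algo, b64))
    if not tokens:
        return True
    best = max(STRENGTH[a] for a, _ in tokens)
    return any(
        hmac.compare_digest(sri_hash(data, algo), f"{algo}-{b64}")
        for algo, b64 in tokens if STRENGTH[algo] == best
    )


if __name__ == "__main__":
    print(script_tag(SAMPLE_URL, SAMPLE_JS))
    print("intact:", sri_verify(SAMPLE_JS, sri_hash(SAMPLE_JS)))
    print("modified:", sri_verify(SAMPLE_JS + b"/* modified */\n", sri_hash(SAMPLE_JS)))
```

Note that a single changed byte in the served file flips the verdict, which is exactly why the hash has to be regenerated (and the tag updated) every time the library is legitimately upgraded.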

To put authentication in place for a protected resource, use JSON Web Tokens (JWT). The site provides a list of libraries to use. Here’s a simple tutorial using PHP and jQuery.
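How a JWT actually protects a resource, as an added Python example written for this page (not the tutorial’s PHP code or any library from the jwt.io list): it issues an HS256 token with only the standard library, then verifies it the way the protected endpoint must, pinning the algorithm, comparing the signature in constant time and enforcing `exp`. The secret, claims and timestamps are assumed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed sample secret; in practice load it from configuration, never from the token
SECRET = b"change-me-to-a-long-random-secret"


class InvalidToken(Exception):
    pass


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims, secret, ttl_seconds=900, now=None):
    """Issue an HS256 token carrying claims plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_verify(token, secret, now=None):
    """Return the claims if the token is authentic and unexpired, else raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken("malformed")
    # Pin the algorithm the server issues; never let the token choose (this blocks alg=none)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        payload = json.loads(b64url_decode(p64))
    except ValueError:
        raise InvalidToken("malformed")
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidToken("expired")
    return payload


def why_invalid(token, secret, now=None):
    """Helper for callers that prefer a reason string over an exception (None means valid)."""
    try:
        jwt_verify(token, secret, now)
        return None
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    token = jwt_sign({"sub": "alice", "role": "editor"}, SECRET)
    print(token)
    print("valid:", jwt_verify(token, SECRET))
    head, body, sig = token.split(".")
    edited = head + "." + b64url_encode(b'{"sub":"alice","role":"admin","exp":9999999999}') + "." + sig
    print("edited payload:", why_invalid(edited, SECRET))
```

The signature covers the header and payload exactly as encoded, so the client can read the claims (they are only base64url, not encrypted) but cannot change them, and the server must still reject the token on its own clock once `exp` passes.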

If you use Mautic and can’t log in because you forgot the password and it isn’t able to send email, you may use this bcrypt generator to generate your new password hash and store it in your database. Works like magic.

Password problems? Have you already decided on what password to use? If not yet, no worries. A password is no small thing. Choose an easy one and your account might be compromised in a few minutes. To help secure your online accounts, check out the resources below.

Read guides on how to create the “perfect” password here, here and here.

RandomKeyGen is a password and key generator, useful when a secret key is needed. It can generate Fort Knox quality keys.

So now that you have a password in mind, how would you know that it is really “strong”? Kaspersky has a password strength checker that’s fun to use. You enter the password and it gives you an estimate of how long it can withstand a brute force attack. Mine will take more than 3 centuries, haha.

If you are lazy like me and don’t want to sweat over passwords, LastPass is an easy-to-use password manager that also has a password generator. There is no need to download software; just use their browser extension or add-on. Your passwords are stored on their cloud server. They have a free but limited account, which is still good enough. If you organize your passwords properly by folders, you can even use it as a personal landing page with all your online account links and open them in just one click. LastPass is now limited to only one device. A multi-device alternative is Bitwarden; the downside is that the personal free account can’t share passwords.

Another option is Norton Identity Safe.

As a rule of thumb, passwords for accounts that are very important, like your primary email and online banking or financial services, are never stored online. You need to remember them. For anything else, there’s LastPass.

Check out these username generators from NordPass and LastPass. For further security, enable the 2FA (two-factor authentication) feature in your online accounts; most services have it.

What if you were hacked? How would you know? In light of all the news about big company sites being compromised, it’s good to be vigilant and find out whether you were a victim. Have I Been Pwned lets you know. Just supply your username or email and it will search through records of website breaches that have been made public.

To remain anonymous while browsing the web, use Chrome’s Incognito or Firefox’s Private window. Tor is a network of virtual tunnels that prevents websites or apps from tracking or storing information about your surfing habits and whereabouts. It is robust software; in fact, it was developed by the US Navy itself.

PreyProject is a device protection service that keeps track of your mobile, laptop and tablet and protects the data on them. It even helps you find a device in case you lose it.

If you have a WordPress site, take note of these facts:
In 2017, 83% of all CMS-based websites that were hacked were running WP.
39% of hacked WP websites were using an outdated version of the software.
Almost 50% of WP sites are affected by a security vulnerability caused by an outdated or poorly coded plugin or theme.
Only 8% of WP sites were hacked due to a weak password.
As of 2016, only 11.45% of WP sites used SSL encryption.

To prevent your site from ending up as another one of the statistics above, try the plugins below:

Implement HTTP security headers using HTTP Headers. Be careful though; learn about them first. Analyze your security headers with Security Headers.

To confuse would-be hackers, use WPS Hide Login. It “hides” the login URL, wp-login.php, by changing it to something else. Make sure the new URL is hard to guess but easy for you to remember.

Salt keys are used by WP to encrypt your passwords, and it is suggested to change them periodically. The keys are generated here. Replace the existing keys with the new ones in the wp-config.php file. Spare yourself the hard labor and do this automatically with Salt Shaker.

To make your login more robust, enable two-factor authentication by installing 2FAS Light – Google Authenticator. Just set it to remember the device so you don’t have to authenticate every time.

Install Wordfence Security; it also offers 2FA. If your site is hacked, you can use it to scan and fix infected files. It has a built-in firewall that’s very effective, but it is good practice to use a server-level firewall rather than an application-level one. Most web hosting providers offer a firewall as part of their service. Sucuri offers its firewall feature as a premium; it runs on their servers, and they also offer an offsite scan. The CloudFlare plugin offers free DDoS protection among other services.

Now that you have secured your WP site, you need to back it up regularly. For backups, I use the reliable WPVivid or UpdraftPlus.

If you get hacked, don’t panic. If you have a backup, simply restore it. If you don’t, still remain calm. Here’s how to fix a hacked site.

The first thing to do is regain control of your site. That means you have to hack your way back inside. Remember, you still have cPanel and FTP access. Use phpMyAdmin in cPanel to change the admin password. Change the admin username, email and password, saving the new password as MD5. Also delete any suspicious users. While you’re in cPanel, change the database password. In File Manager or FTP, edit the wp-config.php file, update the DB password and replace the salt keys. Don’t forget to clean the file of any malicious code.

In FTP, check the permissions of the files; hackers may have modified them so you can’t edit. I use this script to chmod all files and directories. Next, download the latest WP version. In FTP, remove the infected WP core files by deleting the wp-admin and wp-includes folders. Don’t delete wp-content. Then upload the fresh wp-admin and wp-includes directories.
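A permission reset of the kind the script mentioned above performs, as an added Python example written for this page (not the author’s script): it walks the WordPress root, reports every file or directory whose mode differs from the conventional 755 for directories and 644 for files, and optionally fixes them. Tightening wp-config.php to 600 is an assumption added here, as is the temporary sample tree the demo builds.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
# Assumed extra hardening for the file holding the DB credentials and salts
SENSITIVE_FILES = {"wp-config.php": 0o600}


def target_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return SENSITIVE_FILES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root, fix=False):
    """List (relative path, current mode, wanted mode) for every entry that is off.

    With fix=True the mode is also corrected. Symlinks are skipped so a planted
    link can never redirect the chmod elsewhere on the server.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            current = stat.S_IMODE(os.lstat(path).st_mode)
            wanted = target_mode(path, is_dir)
            if current != wanted:
                findings.append((os.path.relpath(path, root), oct(current), oct(wanted)))
                if fix:
                    os.chmod(path, wanted)
    return findings


def demo_on_temp_tree():
    """Build a constructed mini site with loosened modes, audit it, fix it, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        config = os.path.join(root, "wp-config.php")
        stray = os.path.join(uploads, "stray.php")
        for p in (config, stray):
            open(p, "w").close()
        os.chmod(root, DIR_MODE)
        os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
        os.chmod(uploads, 0o777)   # world-writable directory
        os.chmod(stray, 0o777)     # world-writable, executable file
        os.chmod(config, 0o644)    # readable by every account on the host
        before = audit_permissions(root, fix=False)
        audit_permissions(root, fix=True)
        after = audit_permissions(root, fix=False)
        return {
            "before": sorted(f[0] for f in before),
            "after": after,
            "stray_mode": stat.S_IMODE(os.stat(stray).st_mode),
            "config_mode": stat.S_IMODE(os.stat(config).st_mode),
        }


if __name__ == "__main__":
    # Report-only run over the current directory; pass fix=True to apply
    for path, current, wanted in audit_permissions(".", fix=False):
        print(f"{path}: {current} -> {wanted}")
```

Run it report-only first: the list of entries that are off is itself a useful indicator of where the intruder worked, since a world-writable directory or an executable file inside uploads is rarely something the site owner set up.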

From here, you should now be able to log in. Take a screenshot of the active plugins. Download the latest versions of the plugins and, in FTP, upload and overwrite the existing ones. Using Wordfence, scan your site. Wordfence is capable of fixing infected files, but in case it can’t, download the entire wp-content directory. Using Notepad++, open the infected file and copy the malicious code, then do a search and replace across all the files in the folder. Repeat this process until no malicious code remains and upload the cleaned files back. Repeat the Wordfence scan and do an offsite scan to confirm.
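The search-and-replace pass described above, as an added Python example written for this page (not the author’s Notepad++ procedure and not Wordfence): given the exact snippet copied out of one infected file, it finds every PHP file under wp-content that contains it, keeps an untouched copy of each file before editing, strips the snippet, and reports what it touched so the pass can be repeated until nothing is found. The injected snippet and the sample tree are constructed and harmless.

```python
import os
import shutil
import tempfile

# Constructed stand-in for the code copied out of an infected file; the payload decodes to "hello"
SAMPLE_SIGNATURE = b'<?php /*constructed-sample*/ eval(base64_decode("aGVsbG8=")); ?>'


def find_infected(root, signature, extensions=(".php",)):
    """Return sorted relative paths of files under root whose bytes contain signature."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                if signature in fh.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def strip_signature(root, signature, quarantine):
    """Remove signature from every infected file after copying the original to quarantine.

    Returns {relative path: number of occurrences removed}.
    """
    os.makedirs(quarantine, exist_ok=True)
    removed = {}
    for rel in find_infected(root, signature):
        path = os.path.join(root, rel)
        backup = os.path.join(quarantine, rel.replace(os.sep, "__"))
        shutil.copy2(path, backup)  # keep the evidence before altering the file
        with open(path, "rb") as fh:
            data = fh.read()
        count = data.count(signature)
        with open(path, "wb") as fh:
            fh.write(data.replace(signature, b""))
        removed[rel] = count
    return removed


def demo_cleanup():
    """Constructed wp-content with two infected theme files and one clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        content = os.path.join(tmp, "wp-content")
        os.makedirs(os.path.join(content, "themes", "demo"))
        files = {
            "themes/demo/header.php": SAMPLE_SIGNATURE + b"\n<?php get_header(); ?>\n",
            "themes/demo/footer.php": b"<?php wp_footer(); ?>\n",
            "themes/demo/functions.php": b"<?php\n" + SAMPLE_SIGNATURE * 2
                                         + b"\nadd_action('init', 'demo_init');\n",
        }
        for rel, body in files.items():
            with open(os.path.join(content, rel), "wb") as fh:
                fh.write(body)
        quarantine = os.path.join(tmp, "quarantine")
        before = find_infected(content, SAMPLE_SIGNATURE)
        removed = strip_signature(content, SAMPLE_SIGNATURE, quarantine)
        after = find_infected(content, SAMPLE_SIGNATURE)
        with open(os.path.join(content, "themes/demo/header.php"), "rb") as fh:
            header_after = fh.read()
        return {"before": before, "removed": removed, "after": after,
                "header_after": header_after, "quarantined": sorted(os.listdir(quarantine))}


if __name__ == "__main__":
    print(demo_cleanup())
```

An exact byte match is deliberately narrow: it only removes what you copied, so a second variant of the injection shows up on the next scan rather than being silently half-removed, which is why the paragraph’s “repeat until nothing remains” loop matters.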

You know what’s a faster solution? Each web host usually runs its own daily offsite backups, although these are usually kept for only a few days. If you detected the hack early, you may be able to recover your site from their copy from several days back.

Affiliate Disclosure: Post may contain links to affiliate websites, and we may receive a commission for any purchases or actions made by you on the websites using such links. Thank You.
