Your website is a goldmine for cyber criminals. They are fast, invisible and always on the prowl, whether to steal sensitive customer account details or simply to destroy. If you’re a WordPress site owner, you are no doubt aware of the vulnerabilities WordPress sites have experienced in recent years. The good news is that Automattic recently took a much-anticipated security step by adding HTTPS encryption to all custom WordPress.com domains (more than 1 million WordPress sites).
You are probably familiar with web encryption as one of the most effective ways to keep data secure. Indeed, encryption is a hot topic right now. Apple recently made headlines after refusing to comply with a court order to assist the FBI to unlock the iPhone used by the San Bernardino shooter. Apple stated that it would need to write new software that would essentially be a master key to opening any iPhone. The main argument was that if the FBI could unlock that iPhone, they could unlock many others, putting everyone’s privacy and personal safety at risk.
For those reasons, among many others, web security should always be at the top of your mind in running your business. But what exactly is HTTPS and how is it beneficial to your business? Can HTTPS alone sufficiently protect your WordPress site? This article will answer those questions in the quest to help you bolster your site security.
What Exactly Is HTTPS?
HTTPS stands for Hyper Text Transport Protocol Secure – the secure connection protocol for HTTP. When you connect to HTTPS, you are using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect communications between your computer and a remote server. Both protocols use encryption to keep cyber criminals from intercepting communications.
The information you send across the web passes from computer to computer before it arrives at the end server. That means that all computers the information passes through could read the sensitive information: from usernames and passwords to credit card information and social security numbers. SSL or TLS encrypts the sensitive information throughout its journey to the intended recipient, so that only they can understand it.
How Is HTTPS Beneficial to Your Website?
HTTPS encryption is very important for both site security and SEO.
HTTPS keeps your business communications with your online customers safe and secure. When it is enabled, any information between the server and a client cannot be diverted, modified, or stolen. This kind of security is essential for any site that has a login and/or payment system – basically any ecommerce business. It not only protects your data but allows web visitors to view your site as credible. In that sense, HTTPS is essential for all businesses and new websites.
Google has also highlighted the importance of HTTPS encryption. In 2014, Google announced that it would start using HTTPS as a ranking signal. That’s right: Google is ranking sites with HTTPS encryption higher than those without it. That announcement pushed a lot of websites across the globe to obtain HTTPS.
Is HTTPS Encryption Enough to Keep Your Site Secure?
No. Although it helps protect your sensitive data, securing your websites is much more complex than HTTPS. The bottom line is that it does not protect your site, network or server from getting hacked. It also does not prevent hackers from abusing software vulnerabilities that may be present in WordPress. In fact, in general, we’ve seen quite a few major attacks on SSL and TLS protocols: POODLE, Heartbleed, Shellshock, Logjam to mention a few.
So what are your options? What can you do to fortify your site?
What More Can You Do to Protect Your Site?
Security is highly important and as such, there are quite a few things you need to do and stay on top of. We’ll go into this in more detail in another post. For now, here are a few things you need to do to fortify your WordPress site.
Know What the Threat Is
Stay on top of hacking threats. You need to know what is happening, what is possible, in order to protect your site against potential threats. Set up news alerts or follow hacking news sites. The information you receive will give you the ability to take precautionary measures.
Update, Update, Update
Update software as soon as an update is available. The reason behind a lot of updates is to protect against a security vulnerability, so delaying an update greatly exposes you to a potential attack. Hackers are constantly on the lookout for vulnerabilities. If you don’t move quickly to patch vulnerabilities, chances are you’ll become easy prey.
Secure Your Admin Dashboard
Access to information in the admin dashboard of your website is every hacker’s dream. Set usernames and passwords that cannot be easily guessed; greatly limit the number of login attempts within a specific time period; don’t send account details over email, etc. Your admin panel is a treasure trove, so keep it secured at all times.
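One way to implement the login-attempt limit described above, as an added example (not code from this article or from any plugin mentioned on the page). The thresholds, the `elt_` prefix and the function names are assumptions; the code relies on WordPress's `wp_login_failed`, `authenticate` and `wp_login` hooks and its transients API.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (illustrative, added example)
 */

// Assumed policy values; tune them for your own site.
const ELT_MAX_FAILURES = 5;    // failed logins allowed before a lockout
const ELT_WINDOW       = 900;  // seconds a failure count is remembered
const ELT_LOCKOUT      = 3600; // seconds a locked-out address must wait

// Build a per-client transient name. REMOTE_ADDR is the proxy's address
// when the site sits behind a reverse proxy or CDN.
function elt_key( $prefix ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return $prefix . md5( $ip );
}

// Count every failed login; lock the address once the limit is reached.
add_action( 'wp_login_failed', function () {
	$count = (int) get_transient( elt_key( 'elt_fail_' ) ) + 1;
	if ( $count >= ELT_MAX_FAILURES ) {
		set_transient( elt_key( 'elt_lock_' ), 1, ELT_LOCKOUT );
		delete_transient( elt_key( 'elt_fail_' ) );
		return;
	}
	// Each failure restarts the timer, so the window slides.
	set_transient( elt_key( 'elt_fail_' ), $count, ELT_WINDOW );
} );

// Runs after core's password checks (priority 20), so a lockout is
// enforced even when the submitted password is correct.
add_filter( 'authenticate', function ( $user, $username ) {
	if ( '' === (string) $username ) {
		return $user; // plain view of the login form, nothing submitted
	}
	if ( get_transient( elt_key( 'elt_lock_' ) ) ) {
		return new WP_Error( 'elt_locked', 'Too many failed logins. Try again later.' );
	}
	return $user;
}, 30, 2 );

// A successful login clears the failure count for that address.
add_action( 'wp_login', function () {
	delete_transient( elt_key( 'elt_fail_' ) );
} );
```

Because attempts made during a lockout also count as failures, a client that keeps hammering the form keeps renewing its own lockout.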
Keep Your Network Secure
An insecure network provides fairly easy access to your site servers. Take some precautionary measures such as frequently changing passwords, expiring logins after a certain period of inactivity, setting strong passwords, and scanning for malware on each and every device that connects to your network.
Back up everything, both on-site and off-site. Set up automatic backups several times a day, to various locations, so you don’t lose everything when the worst-case scenario happens.
HTTPS encryption is great for security, SEO and credibility. You most likely were quite overjoyed when Automattic made the announcement that all custom domains would automatically switch to HTTPS encryption. But that does not mean you’re in the clear when it comes to site security.
There is a whole lot more that needs to be done to keep any website safe from advanced, constantly evolving and persistent cyber threats. Some of the tips mentioned in this article will help to reinforce your site security and put your mind at ease so you can tackle the more fun business operations.
8 comments on “HTTPS: Is It Enough to Keep Your WordPress Site Secure?”
All of these comments could be applied to any website or CMS. I fail to see why it was so important to emphasize WordPress and only WordPress as a reference through the article? In fact WordPress is a sloppy and incompetent representation for a REAL website and it is mainly used by those that have no real skills in web development, at least more people that are clueless about web development use it and that includes those that claim they are webmasters and sell these services to unsuspecting businesses. Point being they likely could care less about security and 80% of them won’t even update.
The author of this article really eliminated the larger scope of people that are interested in this topic and made it sound like it was all about WordPress. Personally I am so sick of the WP hype and focus it gets. It is like WordPress is the go to source for websites and the fact is it is a blog platform hacked up to try and act like a content management system. Sure it can be used as a CMS but the reality is it was designed to write blogs and fails miserably at anything beyond that. So do yourself a favor Semper Plugins and stop ignoring the true giants in the CMS world and make better associations. As it is this article is only going to be read by those that use WordPress and those of us that demand better, more robust solutions for websites are more than likely not going to give this article a second look!
I appreciate your comments. However, it’s important to keep in mind that this is an exclusively WordPress-centric website, so the content of the articles will be focused on WordPress.
“True giants in the CMS world”… this is WordPress. No other CMS even comes close to the amount of sites powered by WordPress. It appears you may be missing the boat when it comes to what technology is being used to power the Internet.
Ben, the amount of powered sites isn’t really the only statement when it comes to talking about giants. WordPress is still a blog platform. But they do a great marketing on labeling it as the best CMS. Sorry but WordPress doesn’t come close even to Joomla when comparing speed (similar corporate sites and not just blog). Sure, WordPress is more friendly to users and developers but I’ve never seen powerful WordPress site without taking a lot of server resources. Big WordPress site needs more optimization than on other CMS. For me it is the worst “CMS” I used.
Kevin, I’m interested to know who the “true giants in the CMS world” are. Care to elaborate on that?
I’ve been using the Wordfence plugin (paid, upgraded version) for several months and have been very impressed with it. I have had no hacks; the price is very reasonable; and they keep me informed.
Well, I’m using the Wordfence plugin also and I’m very strict when it comes to lost passwords and people trying to login with the wrong credentials are blocked for the next 24 hours…
But I didn’t see that HTTPS is automatically enabled at all, in fact all my sites are still using HTTP only the payments are done via a secure connection and will never be done directly on my site… I don’t even want that responsibility.
So am I missing something then?
Please explain why I don’t see that HTTPS is being used on my WordPress sites and why I also don’t see any difference in my rankings? I’m still number one on the organic search results pages, I even rank higher than the big sites like Forbes…
If Google is really using HTTPS as a ranking factor I can tell you that it doesn’t look like a super important ranking factor to me since I’m still able to outperform even the big sites and for very competitive keywords or phrases like “SEO and ROI Optimization”
Ricardo Penders CEO
The Rapid List Building System and Wealthy Internet Marketing