General SSL Questions


#1

Background: Just got a hosting package, plan to install WordPress and create a fairly simple site for a small business, but haven’t started as yet. No rush.

With security in mind, I understand it’s best to connect to your WP Admin area through https.

What would be the optimal way to go about this?
Buy a certificate and implement it for the domain even before WP/plugins/themes are installed?
Future web site will not involve e-commerce, but will collect simple data (e.g. name, email, phone), so the entire site could operate under SSL.
Will implementing SSL also allow SFTP connections?

Thanks for all guidance here!

Chip


#2

The easiest implementation of setting up a certified https connection is to purchase an SSL certificate from the DH Panel.
“Domains” > “Secure Hosting”, then find the Secure Certificates section.

You can use a third-party SSL provider and install it on DH’s server, but you’ll want to provide the third-party SSL provider with a CSR and Private Key, which you can ask support to generate:


(or create one yourself following the guide)

If you go with a third-party provider and they ask what web server/ssl implementation: DH uses mod_ssl on Apache for shared servers.

It really doesn’t matter whether you implement this before or after content/themes/plugins have been installed. Implementing SSL will not affect your ability to form SFTP connections.

If you end up wanting to force https (make sure all http requests automatically turn into https requests) check this out:


#3

I believe the secured hosting is free? But there’s a charge for a site-specific signed SSL? The free secure hosting when using https is meant to give a certificate warning message.
You could run your web site over http so visitors are not affected by the https warnings from the free secure hosting, and then use htaccess to force https for the admin panel, which would mean only the admin(s) seeing the certificate warning messages.

It would seem slightly - but not extraordinarily - excessive to purchase SSL just for WP admin.


#4

StartSSL has a free certificate that you can use with Dreamhost: https://www.startssl.com/?app=1 I believe that there used to be a “how to” page in Dreamhost’s wiki; sadly, I’m not finding it right now.


#5

Thanks everyone! I’ll dig into this.


#6

But another question is “IS IT WORTH IT”?

[quote]This week, Google Chrome 56 and Mozilla Firefox 51 were both released. These updates bring a new warning about insecure login pages, which appear prominently in the address bar.

This is part of the industry-wide campaign to move away from HTTP, which is insecure, and leaves users’ online activity vulnerable to snooping, interception, modification, and much more.

Chrome 56 will show this warning for any password/credit card field loaded over HTTP.[/quote]
Here’s the news article: https://www.thesslstore.com/blog/firefox-chrome-warning-about-insecure-login-pages/

This is the beginning of shaming all web site administrators into moving from http and onto https.

From what I can make out, Dreamhost offers a Comodo verified SSL for $15/year. Well, that’s not exactly extravagant, is it? However, what really concerns me is that once you do that, there are many things that can result in ISSUES.

[quote]This website does not supply identity information

The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough

[/quote]

Error alerts such as the one above appear if links from your own site go to http images.

Sounds like a mountain of work to me.