In a post-Snowden world, it is clearer than ever that every website on the internet should be encrypted. With our own government and large organizations like Yahoo having gone through some very large and publicized security breaches, it is time to increase the security of our websites and web APIs.
You may be asking yourself why. The simplest answer is that it’s easier than ever to perform a man-in-the-middle (MitM) attack on an unsuspecting web user. With inexpensive devices like the WiFi Pineapple, even an inexperienced “hacker” can perform these types of attacks. A user could be shopping online in a coffee shop or airport, and one of these devices can broadcast an SSID that is exactly the same as the SSID the user connected to on a previous visit. If your device is set up to automatically reconnect to WiFi networks you have previously trusted, it will connect directly to the hacker’s WiFi Pineapple, allowing them to sniff all of your web traffic. If the websites you are connecting to are not using a valid SSL certificate to encrypt the traffic, it is that much easier for the hacker to intercept it and steal your session cookies, which could allow them to take over your accounts.
If you are a website owner, this is why it is very important to encrypt, at the very least, your login, registration, and credit card checkout forms, although we recommend fully encrypting your websites. Encryption no longer causes the performance hits that it did in the past. Additionally, in 2014, Google decided to help with this cause by changing its search ranking algorithms to push unencrypted websites lower in search results.
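The following added example (not part of the original post) shows why encrypting only the login form is not enough: a session cookie set without the `Secure` flag is still sent on any plain-HTTP request, where it can be sniffed as described above. The response headers are constructed sample data, and the 180-day HSTS threshold is an assumed policy value.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers for illustration (not from a real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "wordpress_logged_in=xyz789; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=300"),
]

MIN_HSTS_SECONDS = 180 * 24 * 3600  # assumed policy threshold, adjust as needed


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None


def audit_headers(headers):
    """Return findings about cookies and policy that allow plaintext exposure."""
    findings = []
    max_age = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without Secure, the browser also sends this cookie over http://
                if not morsel["secure"]:
                    findings.append(f"cookie {cookie_name}: no Secure flag")
        elif name.lower() == "strict-transport-security":
            max_age = hsts_max_age(value)
    if max_age is None:
        findings.append("no HSTS header: browsers may still try http:// first")
    elif max_age < MIN_HSTS_SECONDS:
        findings.append(f"HSTS max-age {max_age}s is below {MIN_HSTS_SECONDS}s")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```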
In the past, website owners would try to stay away from setting their site up with an SSL certificate because it was expensive, ranging anywhere from $30 a year to several hundred, and hard to set up. Nowadays it is cheaper and easier than ever. You officially have two free options for setting your site up with an SSL certificate: Cloudflare and Let’s Encrypt are two of the more popular options. Let’s Encrypt is a non-profit organization and newer Certificate Authority (CA) that offers free SSL certificates. Let’s Encrypt’s certificates expire every 90 days. The reason they do this is to push for more automation. They partner with web hosting companies to, as they put it, “install software on the web server that can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal”.
If you are looking to increase the security of your websites, the techs at Red Technologies recommend using WPEngine for hosting, as they are, in our opinion, one of the leading secure WordPress hosting companies today. WPEngine offers integration with Let’s Encrypt, making it easier than ever to configure your site with SSL and make it more secure.
If you have a WordPress website, we can help keep your site protected. To learn more about the WordPress Security & Maintenance Services that Red Technologies provides, visit http://redtechnologiesinc.com/what-we-do or give us a call at 612-310-7972.
Disclaimer: We are not certified security experts. We are giving a high-level overview about web security so that you can be more informed about some of the most common security vulnerabilities to look out for when developing or finding a developer. We will also be sharing some resources to help you continue your research on web security.