In a world where hacking attacks seemingly make the headlines weekly (almost daily if you follow tech circles!), it is more important than ever to take every step you can to protect your website. As this site has evolved into a place where we directly sell products, we knew it was equally important to protect our users when they make a purchase. To that end we have upgraded the security tools that we use for this site to include two closely related technologies: SSL and HSTS.
What do SSL and HSTS actually do?
SSL is a cryptographic protocol for the web that encrypts (scrambles) any data being transferred between a user and a website, utilising an encryption key generated when they connect, so that only those two parties can understand the information being sent. It's the reason why you see some sites like ours with an address starting “https://” rather than “http://”. SSL prevents malicious actors from stealing confidential data in transit, such as login details, payment information and more. Plus, if you're not already sold on using SSL just for its security benefits, it could also give your site a boost in the Google Search results.
HSTS, which stands for HTTP Strict Transport Security, is an additional layer of security: once your browser has visited a site with SSL enabled and seen its HSTS policy, it will only load that site over SSL from that point forward, which also protects against future attacks where someone tries to hijack the connection.
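To show what "from that point forward" means in practice, here is an added example (not code from the original post) that parses the Strict-Transport-Security header and models the store a browser keeps, including the two cases defenders most often get wrong: a header sent over plain HTTP is ignored, and an expired or max-age=0 policy stops forcing HTTPS. All header values and hostnames in it are constructed.

```python
"""Parse Strict-Transport-Security and model a browser's HSTS store (constructed example)."""
import re
from typing import Dict, Optional, Tuple


def parse_hsts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Return (max_age, include_subdomains, preload), or None if invalid.
    max-age is mandatory (RFC 6797); directive names are case-insensitive."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m is None:
                return None              # e.g. max-age=forever is not a policy
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


class HstsStore:
    """host -> (expiry timestamp, include_subdomains), as a browser keeps it."""
    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[int, bool]] = {}

    def observe(self, host: str, over_https: bool, header: str, now: int) -> None:
        # Browsers ignore the header unless it arrived over a valid HTTPS
        # connection; otherwise a plain-HTTP response could plant a policy.
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return
        max_age, include_sub, _ = policy
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self.entries[host] = (now + max_age, include_sub)

    def upgrade(self, url: str, now: int) -> str:
        """Rewrite http:// to https:// when an unexpired policy covers the host."""
        if not url.startswith("http://"):
            return url
        host = url[len("http://"):].split("/", 1)[0].split(":")[0]
        for known, (expiry, include_sub) in self.entries.items():
            if now < expiry and (host == known or (include_sub and host.endswith("." + known))):
                return "https://" + url[len("http://"):]
        return url
```

Note that the policy only takes effect after a first successful HTTPS visit, which is why the max-age should be long (a year is common) and why preloading exists for sites that want protection even on the very first visit.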
The Different Types of SSL
There are two main types of certificate that you can get: Standard Validation, which verifies the domain and places a secure green padlock in the address bar (as seen on our site and in the image below), and Extended Validation, which verifies both the domain and the company behind it and gives you the green bar seen in the PayPal example below. There are also specific variations which allow Wildcard Validation, so you can use the certificate across multiple domains or subdomains.
How to Enable SSL & HSTS
The first step that you will need to take is purchasing an SSL certificate. I personally purchased the one for this site from Namecheap, but you can use any reputable company selling certificates from trusted certificate authorities (the companies that actually issue the certificates). The easiest way to get your certificate set up on your domain itself will likely be to ask your web host's support team, as each environment may differ. Once the domain itself is secured you may also want to read about how to enable SSL on a WordPress site and how you can enable HSTS with this simple WordPress plugin.
Once you have everything set up on your site you can check that it is configured correctly by entering your domain on the Qualys SSL test. This is worth using even if you're sure you got it right, because it can also suggest improvements that you can make to ensure your site is extra-secure.
So let us know; is your site on SSL yet?