website security

SSL – Eight Reasons to Implement SSL Encryption Now


Hannah West Design Now Secure!

Hannah West Design is now secured with a brand new SSL certificate! On January 14, we migrated www.hannahwestdesign.com to a new hosting service. This is NameCheap hosting, which we want to try out on behalf of our starving artist clients to find out if its hosting service compares well to other hosts who don’t have the same affordable pricing.

In addition, Google is now promoting sites that are protected with SSL encryption and demoting those without it by placing an “Unsecured Site” flag (similar to the “This site might be hacked” flag we sometimes see) next to any website which does not have SSL. This is part of a widespread movement to encrypt the web (learn more at LetsEncrypt.org). With that in mind, we decided to make the switch to SSL encryption at the same time. As a result, our updated address is https://www.hannahwestdesign.com. We’re proud of that beautiful green padlock displaying in the address bar now!

What is SSL?

SSL stands for Secure Sockets Layer. A correctly installed SSL certificate encrypts all information transmitted to and from your website. This protects your private information when visiting the site, from which pages you visit to sharing to submitting contact forms to purchasing online. Websites with contact forms, login pages, online shops, etc. can all benefit from the added security provided by this encryption. Visitors will feel more secure interacting with your site, which is a huge bonus. Importantly, each certificate comes with a guarantee, so if a malicious entity subjects you to liability for damage to a visitor, you will receive a settlement from the certificate issuer. This amount varies with the level of certificate used, but starts at $10,000.

There was a time when conventional wisdom said that applying SSL to an entire website would make its pages load more slowly. However, recent advice from numerous experts in the field assures us that the opposite is now true. And we are seeing our website load with a bit more spring in its step today…the ultimate proof.

Implementing SSL

The process of implementing SSL can be simple and painless, but it can also be rather harrowing. For me it was somewhere in between those extremes. I have been through this before on client sites as well. While some need extra attention for various reasons, most of the time it’s complete—including all the content tweaks needed for that lovely green padlock to display—in 2–4 hours.

To increase your standing with the search engines, additional tasks are necessary. Once the SSL is in place, we need to make adjustments in Google Webmaster Tools so they can direct traffic to the secure version of your site. We also need to adjust your Google Analytics account so traffic stats will continue to be collected accurately.

Pricing and Other Requirements

Many things related to SSL certificates have changed in the last couple of years. For one thing, they used to be very expensive. While prices for certificates to protect sites that don’t involve e-commerce have become quite affordable, there are now free certificates available from Let’s Encrypt. The catch is that not all hosts have a quick and easy way to install them and the process of doing it manually can take a good deal of time. Furthermore, some hosts—like Ipower—refuse to allow third-party certificates to be installed on their servers. While we could have used Cloudflare on our site, we opted for a Comodo Positive SSL certificate, which NameCheap offers for only $1.99 the first year. Renewals are a very reasonable $9.00/year with discounts for advance purchase up to three years. That’s a big discount from the same certificate on Ipower ($31.99) and Bluehost’s for $4.17/month. What’s the catch? You have to have your website hosted with NameCheap too. Also very inexpensive, so definitely worth considering.

Previously you had to have a dedicated IP address (the numerical equivalent of your web address) for an SSL certificate. This meant you had to have private hosting (expensive) or pay a monthly fee of $4.99-6.99 PER MONTH to have a dedicated IP added to your otherwise reasonably-priced shared hosting. Because unique IP addresses have become more and more rare, this prerequisite has been lifted by many certificate issuers and hosts. They now tie the certificate identity to the domain rather than the server IP. All this has made SSL encryption more affordable to the average website owner. The benefits are greater now too.

Benefits of SSL Encryption

Some hosts provide free SSL certificates, but most do not. These free certificates may have downsides you’d rather not deal with. We found that Bluehost’s free SSL, issued by Comodo, only covers the root domain (https://your-domain.com) and NOT the www version. Big problem for sites installed with www.your-domain.com addresses. We can avoid this with the use of Cloudflare. Though it’s a completely different setup, their free certificate will cover both the bare domain and the www version. Entry-level SSL certificates have become much more affordable than they once were, too.
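To see whether a certificate has the gap described above (bare domain covered, www not), compare the names listed in its subjectAltName field against every address your site answers on. The following is an added example, not code from this site or from any host mentioned here; the certificate samples are constructed in the format Python's `getpeercert()` returns, and `your-domain.com` is the placeholder used above.

```python
import socket
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
APEX_ONLY = {"subjectAltName": (("DNS", "your-domain.com"),)}
APEX_AND_WWW = {"subjectAltName": (("DNS", "your-domain.com"),
                                   ("DNS", "www.your-domain.com"))}
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.your-domain.com"),)}
HOSTS = ["your-domain.com", "www.your-domain.com"]


def san_dns_names(cert):
    """DNS entries from the certificate's subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """True if one SAN entry covers hostname (wildcard = whole left-most label only)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    # "*.your-domain.com" stands for exactly one extra label, so it covers
    # www.your-domain.com but NOT the bare your-domain.com.
    return p[0] == "*" and len(p) > 2 and len(p) == len(h) and p[1:] == h[1:]


def coverage(cert, hostnames):
    """Map each hostname to whether the certificate is valid for it."""
    names = san_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live site's certificate (needs network). Connect with a name the
    certificate is known to cover, otherwise verification fails before
    getpeercert() can return anything."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in [("apex only", APEX_ONLY), ("apex + www", APEX_AND_WWW),
                        ("wildcard only", WILDCARD_ONLY)]:
        print(label, coverage(cert, HOSTS))
```

Note the third sample: a wildcard-only certificate has the opposite gap, covering www but not the bare domain, so check both names whichever kind of certificate your host issues.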

I’m ready to begin helping others to make this important change as well. I’ve learned the ins and outs of what is possible and what is not on several hosts. I can inform you of your options and advise you on which is the best choice for the money.

If you’re not sure whether you even want to deal with this undertaking, please consider the benefits:

  1. Receive payments through your ecommerce website – Most payment gateways now require SSL, even PayPal
  2. Give your visitors greater confidence in the security of their transactions, interactions with your site, and personal information
  3. Limit liability for identity theft
  4. Boost page load times
  5. Greater protection from hackers
  6. Prevent unknown people snooping on activity to and from your website
  7. Boost your SEO
  8. Participate in the movement to encrypt the entire web

Are you ready to apply SSL to your own website and enjoy these benefits? Please contact me!

Bulletproof Security Pro + Donate to Security Plugin Developers for the Holidays

My clients know I’m always concerned about security for their websites. It’s an ongoing and fluid situation, with new threats being identified constantly. I have used the free version of the BulletProof Security plugin with great results, but it doesn’t cover everything, and a new threat to content management systems like WordPress, Drupal, and others that was identified late last year is on the upswing, with millions of attacks cloaking even more attempts to discover user names and passwords so they can log in to your website, install malware in the code, and then use it for malicious purposes. I’m recommending that all my clients and anyone else concerned about the security of their WordPress site now upgrade to the Pro version of Bulletproof Security. It’s only $69.95, and will save you more than that if your site is hacked even once! If you don’t know what to do after making a purchase, contact me and I will help you get it installed and configured properly. Learn more and buy Bulletproof Security Pro here:
BPS Pro Learn More

 

On a related note, I install at least two security plugins on every website I build and/or maintain. All plugin developers work incredibly hard to create plugins that will enhance the functionality of your website, and the developers of security plugins deserve much more than mere kudos for their work. You may not know how effective their work is, because I insulate you from the day to day security notifications that come from some of these plugins, but believe me, I get hundreds of security notifications, alerts and warnings every single day. Most of them have an optional Donate button or link in the plugin’s admin area. Some of their plugin users actually make a monthly donation to them to reward their work and make it possible for them to continue improving their code, which you should consider doing as well. Even if you don’t want to step up to the plate with a monthly donation, however, PLEASE…the holidays are coming, and these guys need to know how much you value their efforts to keep your website safe! If you can’t make a donation to the developers of all the free plugins in use on your website, please send a generous gift to those who have created the security plugins that protect your website night and day!

Looking forward to Free SSL!

Updates on Website Security and Free SSL

Securing your website is increasing in importance to the point that soon your site could be disregarded by Google and avoided by visitors if they don’t see the familiar “https://” with a tiny padlock icon at the beginning of your URL. Last year Google announced that websites secured with Secure Sockets Layer encryption, or SSL, are getting added favor from the search engine company, increasing their rankings in search result pages at google.com. A number of recent high-profile security breaches such as the one at Sony Pictures demonstrate the possibility that any site can be hacked and illustrate the business-halting disaster that the ensuing data loss can cause.

The little-understood hacker phenomenon, combined with our fascination with the idea of artificial intelligence, has inspired numerous movies on the subject since the birth of the internet, with The Girl with the Dragon Tattoo released in 2011, The Hacker Wars released last year and Blackhat (Chris Hemsworth) leading several new ones slated for release in 2015. Television writers have also explored the phenomenon in many shows, my own personal favorite being “Kill Switch,” one of the most thought-provoking episodes of The X-Files and possibly an inspiration for Transcendence (Johnny Depp). Such fascination reveals how little most of us actually know about what hackers do and how they do it, even the filmmakers, as most movies do not represent hacking with much accuracy. Nearly none of them show the ethical side of hacking — those we can thank for testing sites for vulnerabilities and helping design software to protect the rest of us from that shadowy threat we know nothing about aside from its existence. And of course there’s Anonymous, a group of hackers who seek social justice via computer-hacked threats.

Most of us — that is, those of us who do not operate ecommerce websites that conduct credit card transactions online — have been able to get away without SSL up until now, but clearly that era is ending.

As responsible citizens of the internet, we all need to step up to the plate and secure our websites to protect our investment in the site itself and any data it may contain, but also to give our visitors confidence by demonstrating our commitment to protecting them from “drive-by” malware infection. Taking these measures will help us retain (and hopefully boost) the search engine rankings we work so hard to gain.

My own website www.soartists.com (The Southern Oregon Artists Resource) was attacked by malware early in 2011. The entire site was taken down and its companion blog, Art Matters!, had to be reconstructed. Fortunately we did not receive any reports of massive spam attacks or anything else that indicated a loss of critical data for any of our listed artists or visitors to our site, but it was a painful wakeup call that directed my attention to the importance of internet security. As a result, all my clients with WordPress sites will see at least one and often three or more security plugins. I set these up to notify me when unauthorized attempts to gain access to the admin portion of their websites result in a “lockout.” This keeps my email inbox quite busy. For those clients who do not have WordPress sites, I recommend a security overhaul to install some basic code that will help protect their sites until they are able to purchase an SSL certificate that will encrypt all activity to, from and on their websites, making the “transactions” that include visitors’ activity invisible to hackers and ever-watchful malware bots looking for opportunities to inject malicious code on vulnerable websites.

So what has kept us all from investing in an SSL certificate that would protect our sites and their visitors? Most of us have a tendency toward complacency, clinging to naïve thoughts that justify inaction. One I hear often is “Why would hackers want anything from my website?” Trust me, it’s nothing personal. If you are not engaged in ecommerce, they probably do not want anything from your site itself, but like parasites they are always looking for “hosts” from which they can silently conduct their mischievous and often damaging activities. In early 2014, a client for whom I needed to create a website on a very restricted budget opted out of security measures “for now.” By Thanksgiving, her site had been blacklisted by Norton Safe Web and had to be cleaned of malware before it could be reinstated. I breathed a deep sigh of relief that we caught this before Google had blacklisted her, as their reinstatement procedure can be much more time-consuming. Still, the process wound up costing her an unexpected sum for cleaning and submitting her site for reconsideration as well as installing security measures that would prevent future infections—no fun for either of us, yet a relief once it was reinstated.

For those who chose to look into an SSL certificate for their website, the dealbreaker has most often been the price. SSL certificates have been expensive, and the lineups of less expensive to most expensive types of SSL were not only confusing, but discouraging, making us feel that if we invested in a “minimal” (cheap) SSL certificate, it might not be effective and therefore a waste of money.

But there is good news! A couple of days ago I received a little/big gift from one of the security companies whose plugins I use–a link to an article in my inbox with good news for 2015 – SSL will be free, and much easier to install, as of Q2 2015! Following is the source of the information reported in this excellent article. I strongly suggest you read both articles!!

Let’s Encrypt: Delivering SSL/TLS Everywhere

Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?

The challenge is server certificates. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”), a California public benefit corporation, to deliver this much-needed infrastructure in Q2 2015. The ISRG welcomes other organizations dedicated to the same ideal of ubiquitous, open Internet security.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

If your website needs attention to security or you want to get an SSL certificate and you’re not sure what to do, please contact me at webmistress@hannahwestdesign.com or call 541.899.2012 to discuss your needs and what I can do to help. One of the primary lines of defense is simply keeping your WordPress installation, theme and plugins updated, and backing up your website regularly so you can easily restore it if a disaster does happen. I know you’re busy and have other priorities on your mind and your schedule, so let’s talk about an inexpensive annual contract that will allow me to do that for you so you won’t have to!