Dan
asked on
What is the best way to secure a WordPress site where SSL is not supported on the server?
We have a WordPress (latest version) site I would like to secure. There is no personal data on there, no contact forms, no sales. However, I would like to lock down the login page and generally increase the security. I had wanted to put SSL on it, but I can't. Any suggestions?
You are not able to get any security certificates for your site?
SSL allows incoming traffic to your site to be encrypted, so that data cannot be "sniffed" and read. Hence, you can still have accounts and passwords; however, the user's credentials will be sent across the internet in "clear text". Anyone who has access to the traffic can just catch packets and look for the user name and password. This could be someone on the same LAN as the user's PC, or someone at the local ISP or data centre. Credit card details can similarly be located and read pretty easily in unencrypted traffic.
A lot of users (like myself) will therefore be wary about entering passwords on non SSL encrypted sites, but it still works.
ASKER
There is a shared certificate, but I'm not sure how it is possible for administrators to use that and the public use the true domain.
At the very least, you should use a self-signed certificate? Is this on some web domain service where you haven't paid for SSL? If yes, then you should switch the service immediately.
CloudFlare will allow you to put SSL in front of your server without having SSL on the server itself. It would look like below (CloudFlare call this Flexible SSL -- see their KB article for a more detailed explanation).
[Your Server:80]····· HTTP ·····[CloudFlare:443]····· HTTPS ·····[Client]
I have never set this up for a WordPress site, but there is this plugin here which will allow you to enable this.
Why can't you use SSL on your WordPress site? You really do want to do full end to end encryption on the connection. Not to mention that with HTTP2 HTTPS pages load faster than HTTP in modern browsers.
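Added example, not part of the original answer and not code from CloudFlare or any plugin: a `wp-config.php` fragment for the layout in the diagram above, where the origin only ever sees HTTP and has to learn from the proxy that the visitor used HTTPS. It assumes the proxy sends `X-Forwarded-Proto`; the helper `example_ipv4_in_cidr` and the address ranges are hypothetical placeholders (RFC 5737 documentation ranges) to be replaced with the proxy provider's published ranges.

```php
<?php
// Added example: place above the "That's all, stop editing!" line in wp-config.php.
// Assumption: the TLS-terminating proxy connects from these ranges. They are
// documentation placeholders, NOT real proxy addresses.
$trusted_proxies = array('192.0.2.0/24', '198.51.100.0/24');

// Hypothetical helper: true when IPv4 address $ip lies inside CIDR block $cidr.
// Non-IPv4 input (including IPv6) returns false, so it is treated as untrusted.
function example_ipv4_in_cidr($ip, $cidr) {
    list($subnet, $bits) = explode('/', $cidr);
    $ip_long     = ip2long($ip);
    $subnet_long = ip2long($subnet);
    if ($ip_long === false || $subnet_long === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = ($bits === 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Only honour the forwarded header when the TCP peer is the proxy itself.
// Anyone who can reach the origin directly can send this header too.
$remote     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$from_proxy = false;
foreach ($trusted_proxies as $cidr) {
    if (example_ipv4_in_cidr($remote, $cidr)) {
        $from_proxy = true;
        break;
    }
}

$proto = isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    ? strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'])
    : '';

if ($from_proxy && $proto === 'https') {
    // is_ssl() reads this value, so WordPress builds https:// URLs and
    // does not redirect in a loop behind the proxy.
    $_SERVER['HTTPS'] = 'on';
}

// Send wp-login.php and wp-admin to HTTPS. Requests that did not arrive
// through the proxy over HTTPS are redirected instead of served.
define('FORCE_SSL_ADMIN', true);
```

This only protects the client-to-proxy leg; as the diagram shows, traffic between the proxy and the origin is still plain HTTP in this layout.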
WordFence, like Shaun pointed out, is one good approach. Also, have you made sure to stay current with releases of WordPress, since they're finding flaws all the time?
Here is one of many WordPress security guides you could read and follow: https://yoast.com/wordpress-security/
Personally, I'd switch hosting.
https://LetsEncrypt.org has been providing free SSL certs for years now.
The idea that SSL is unsupported on a server is unacceptable.
Switch hosting + look for free SSL support.
For me personally, I SSL wrap all my client's sites, production or development.