Dan asked:

What is the best way to secure a WordPress site where SSL is not supported on the server

We have a WordPress (latest version) site I would like to secure. There is no personal data on there, no contact forms, no sales. However, I would like to lock down the login page and generally increase the security. I had wanted to put SSL on it, but I can't. Any suggestions?
Justin Carey

You are not able to get any security certificates for your site?
Mal Osborne

SSL allows incoming traffic to your site to be encrypted, so that data cannot be "sniffed" and read. Hence, you can still have accounts and passwords, however the user's credentials will be sent across the internet in "clear text". Anyone who has access to the traffic can just catch packets and look for the user name and password. This could be someone on the same LAN as the user's PC, or someone at the local ISP or data centre. Credit card details can similarly be located and read pretty easily in unencrypted traffic.

A lot of users (like myself) will therefore be wary about entering passwords on non-SSL-encrypted sites, but it still works.
Dan (ASKER)

There is a shared certificate, but I'm not sure how it is possible for administrators to use that and the public use the true domain.
At the very least, you should use a self-signed certificate? Is this on some web domain service where you haven't paid for SSL? If yes, then you should switch the service immediately.
CloudFlare will allow you to put SSL in front of your server without having SSL on the server itself. It would look like below (CloudFlare call this Flexible SSL -- see their KB article for a more detailed explanation).

[Your Server:80]····· HTTP ·····[CloudFlare:443]····· HTTPS ·····[Client]

I have never set this up for a WordPress site, but there is this plugin here which will allow you to enable this.

Why can't you use SSL on your WordPress site? You really do want to do full end to end encryption on the connection. Not to mention that with HTTP2, HTTPS pages load faster than HTTP in modern browsers.
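
For the proxy-terminated layout in the post above, WordPress only ever sees HTTP on port 80, so it has to be told when the visitor's side of the connection was HTTPS, and the hop from the proxy to the server stays unencrypted either way. The wp-config.php fragment below is an added example, not part of this thread or of the plugin mentioned in it. It assumes the proxy sets the X-Forwarded-Proto header; the address ranges are placeholders and the helper name is hypothetical.

```php
<?php
// Added example: goes in wp-config.php above the "That's all, stop editing!" line.
// Assumption: the origin serves plain HTTP and a TLS-terminating proxy sits in front.

// Placeholder ranges (RFC 5737 documentation addresses). Replace them with the
// address ranges your proxy provider publishes.
$trusted_proxies = array('192.0.2.0/24', '198.51.100.0/24');

// Hypothetical helper: true when IPv4 address $ip lies inside CIDR block $cidr.
function ee_ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    if ($ip_long === false || $net_long === false) {
        return false; // not IPv4 (for example an IPv6 peer): treat as untrusted
    }
    $mask = ((int) $bits === 0) ? 0 : (-1 << (32 - (int) $bits));
    return ($ip_long & $mask) === ($net_long & $mask);
}

// REMOTE_ADDR is the TCP peer; it is unset under WP-CLI and cron.
$peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$from_proxy = false;
foreach ($trusted_proxies as $cidr) {
    if (ee_ip_in_cidr($peer, $cidr)) {
        $from_proxy = true;
        break;
    }
}

// Believe X-Forwarded-Proto only when the request really came from the proxy;
// a client that reaches the origin directly can send any header it likes.
if ($from_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on'; // is_ssl() now returns true, which avoids a redirect loop
}

// Send wp-login.php and /wp-admin requests to https:// URLs.
define('FORCE_SSL_ADMIN', true);
```

Restricting port 80 on the server's firewall to the same proxy ranges keeps visitors from bypassing the HTTPS front end and logging in over plain HTTP.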
ASKER CERTIFIED SOLUTION
Shaun Vermaak

This solution is only available to members.
WordFence, like Shaun pointed out, is one good approach. Also, have you made sure to stay current with releases of WordPress, since they're finding flaws all the time?

Here is one of many WordPress security guides you could read and follow: https://yoast.com/wordpress-security/
Personally, I'd switch hosting.

https://LetsEncrypt.org has been providing free SSL certs for years now.

The idea that SSL is unsupported on a server is unacceptable.

Switch hosting + look for free SSL support.

For me personally, I SSL wrap all my client's sites, production or development.