With the announcement of the recent security issues, namely Meltdown and Spectre, we at Denny Cherry & Associates Consulting have been focused on security awareness this entire week. To further underscore it, we are hosting a Security Webcast today, Friday January 19th, 2018 at 2:00PM EST (11:00 AM PST). Make sure to register now! It’s not too late! The entire team has also been publishing security related blog posts to further high-light for security awareness.
You can find the others blog posts here:
- Denny – Welcome to Security Week at DCAC
- Joey – Have You Patched For Spectre/Meltdown Yet? (And more on patches)
- Kerry – Let’s Talk About Group Managed Service Accounts
- Monica – How to get started with Always Encrypted for Beginners Part 3: One Two Punch
Here’s my contribution:
As a data professional, security should be one of the foremost priorities for us. Some will probably argue that data recovery is more important but personally I believe they are both equally important.
For some time, I’ve wanted to ensure that connections to my blog are secured via a secure socket layer, or SSL. While my blog doesn’t contain sensitive information like social security numbers, people can create accounts and leave comments. In the past this was somewhat difficult to manage and more likely than not, you had to pay for the SSL certificate. However, if you host your blog on the WordPress platform, there are two plug-ins that make this easy and free to accomplish.
These two plug-ins along with this blog post allowed me to easily and effectively secure my blog traffic.
Here’s how to do it.
You will need to go install and activate the two plugins to start. Once installed, start with WP Encrypt. We have to obtain and install the security certificates before you can enable SSL on your site. You can find WP Encrypt under Settings –> WP Encrypt
4/21/2018: UPDATE: It turns out that this solution, while remaining secure, does not automatically update the certificate on GoDaddy (my hosting provider) when it renews. You have to manually up load the contents of the renewed certificate to GoDaddy. While not horribly difficult once you do it, it is still a manual process. Check with your hosting provider first to see if you can use these tools.
This plugin will use the free Let’s Encrypt service to obtain and manage an SSL certificate for your domain. The certificates from this service expire every 90 days. Previously you would have to manually renew the certificate which can be a pain to do. However, this plugin will automatically do this for you so that you do not have to worry about it.
First, we’ll need to adjust the account settings. I just used my name as the Organization Name however if you are running a fully-fledged company, I would suggest using that. In my case, I’m in the United States so the applicable country name and code was used.
Next, under the Additional Settings, make sure the “Auto-generate Certificate” is selected. This setting will make sure that the certificate is automatically renewed before it expires. You can also specify if you want a warning to be displayed before the certificate expires. I choose to do this just so that I can check on it to make sure it actually renewed. If something goes wrong, I’ll have to manually intervene, and I’d like to do that prior to the certificate expiring.
Now you’ll have to register your account. There wasn’t any user name or password provided so I suspect it just used the account settings from above. I did notice that the time stamp on the account is incorrect however I’m not sure why.
Once the account has been registered, you can generate your certificate for your domain. You also have the ability to revoke the certificate if needed. Once the certificate is generated, all appropriate files will be placed into a folder structure on you hosting site. You’ll need to know these paths later on in the process so take a screen shot or just make note of the directory they are in.
We now have an SSL certificate for the domain!
But wait. I’m not done yet. In my case, the file paths for the certificates is wrong. I had to go manually install them via my cPanel on GoDaddy.com. Your hosting provider might have a different process so your mileage vary. Some providers do offer an easier process to install your SSL certificate. Note that you will need to download/open the following files in order to get them installed.
These files will just have a block of jumbled text. You will copy the contents of these files into the appropriate place when you install SSL via cPanel.
Once I’m logged into the cPanel on GoDaddy.com, I went to the SSL/TLS under Security.
The following screen I went to “Manage SSL Sites”
Next is where the real meat of the work is done. Make sure to select the appropriate domain for the certificate. Mine reflects https://www.sqlrus.com.
- The file cert.pem content goes into the Certificate (CRT)
- The file private.pem content goes into the Private Key (KEY)
- The file chain.pem content goes into the Certificate Authority Bundle (CABUNDLE) (the screen shot doesn’t show this text block but it is there)
Once the file contents have been placed in the appropriate places, just click Install Certificate. This will place the certificate files into the right places for your domain.
Next, we will use Really Simple SSL to configure your blog to force everything to a secure connection.
Really Simple SSL
This is a simple plugin to use. You can find it under Settings –> SSL.
Don’t change any of the defaults and just click the button to “Enable SSL”. Once it has been enabled, you should see something similar to what is shown below.
Also, this is a free version, if you want some of the advanced features, you can get the Premium version.
Now, go to your website and check to make sure that the connection is now secure!
You can also use https://www.whynopadlock.com/ to verify that everything looks good.
As with anything, before doing this to your blog, make sure you know of ways to regain access to your blog in case something goes sideways. Hopefully, this won’t happen, but it does and having a backup plan is a good thing.
While it may seem daunting to get SSL installed for your blog, once I had it figured out it was less than 10 minutes to accomplish. Security should be one of your top priorities and you’ll feel better knowing that your blog traffic is now secured.
© 2018, John Morehouse. All rights reserved.