Adding SSL to website

He should have been able to add SSL to your site within 10 mins even less than that if they understood it properly. If you move it to a cpanel host, some hosts will even do it for you for free to help you migrate it fully over including SSL cert.
 
Pho said:
You can't generate certificates for non-public URLs.
Click to expand...

That's note quite right. If you use DNS challenge then the host doesn't have to be publicly accessible plus you can create wildcard certificates this way. I'm using this method for a couple of test systems at work, all the systems are only accessible on the internal network but they have perfecly valid Lets Encrypt SSL certificates.
 
damodude said:
The connection strings to the database will change
Click to expand...
Is that all there is? Rewrite connection strings and be done. Why do you make it sound like end of the world.

Vince said:
After heartbleed id be looking at an ssl cert from a credible provider
Click to expand...
Lets Encrypt is the most credible out there. There is no hidden agenda except to promote 100% sites to have traffic encrypted.
After heartbleed I would be making sure that software in my server is always upgradedwith latest security patches. Which concerns OP with WordPress as well.
 
the-evaluator said:
That's note quite right. If you use DNS challenge then the host doesn't have to be publicly accessible plus you can create wildcard certificates this way. I'm using this method for a couple of test systems at work, all the systems are only accessible on the internal network but they have perfecly valid Lets Encrypt SSL certificates.
Click to expand...

Oh I didn't know that, thanks for pointing that out. Could be quite handy :)
 
In theory I agree but that would require a degree of DNS knowledge that's likely beyond your average person running a Wordpress site. There are a number or DNS providers that provide an API but even that's not overly trivial.
 
mrbell1984 said:
On another note SSL isn't going to stop wordpress from being hacked.
Click to expand...

I agree with this. SSL would have made no difference at all to your site getting hacked.

There's only 1 connection string in WordPress. It's in /wp-config.php and takes 30 seconds to update.

Looks like your developer might have been struggling with the URL when trying to setup SSL? There's some images (including one in the footer) which dont load because the URL is wrong: http://kennankay..co.uk (extra .)
It should be an easy process to set up SSL on a WordPress site. Some hosts don't allow using your own certificate and may require that you buy one from them but there's no way it should take 10 hours.
 
Last edited:
Thanks again to all for your comments and advise, can anyone suggest a good trusted website for hiring freelance web developers? A google search throws up a few websites but would rather trust the advise of the helpful peeps here :)
 
Bit late to the party here but firstly, Heartbleed was an SSL library issue (openssl) and *not* related to the type of SSL certificate being served. And the site redirect would've been a dodgy plugin, there have been so many exploits like this in the past year - at one point I think I was fixing 5 a day at Fixed.net.

Let's Encrypt are doing great work in making security affordable for all.

Yes, at my old company we made a decent bit of money from selling SSLs, but we also had the cost of the dedicated IPs and the staff time to manage it all, and dealing with inevitable issues/complaints etc. So actual profit I couldn't tell you.

Nowadays a dedicated IP isn't a requirement like it was before thanks to various improvements.

So now I run cPanel AutoSSL (configured with either Sectigo or LE) on all my servers at my new company and I can count how many certs I've bought in the last year...none! It all just works, saves me time, saves my clients money, life is great.

OV and EV SSLs can still be bought but I see these only rarely.

A huge number of people also use Cloudflare who include free automatic SSL. Modern life is good!

But....some large legacy hosts have old tech and/or shareholders to please!

visibleman said:
Find out who the host is and contact them directly regarding adding a SSL certificate - how it's done etc.
Click to expand...
Looks like the site is now with Godaddy (I didn't see the thread at creation time so maybe it always was) and has a Godaddy SSL installed, probably at some expense :(

And even with a web panel backed host (cPanel, Plesk etc), some require the host to intervene to add/modify certificates - certainly the case with our VPS's from Tsohost, as we don't have root access to the cPanel for the AutoSSL module.
Click to expand...
Indeed, however root access isn't a requirement for AutoSSL, so there's little reason any provider who is offering cPanel/WHM systems can't enable AutoSSL unless for some reason they explicitly don't want to. I would ask them. Maybe it's running an older Centos version in which case account copies to a new install would be a good idea.


One of the companies who don't support LE is Godaddy (who now own Tsohost!) who run cPanel but don't offer it, as per the LE website:

https://letsencrypt.org/docs/godaddy/ said:
We get a lot of questions about how to use Let’s Encrypt on GoDaddy. If you use GoDaddy shared web hosting, it’s currently very difficult to install a Let’s Encrypt certificate, so we don’t currently recommend using our certificates with GoDaddy.
....
We don’t recommend using Let’s Encrypt certificates on hosting providers that don’t directly implement the ACME protocol, because it means you can’t fully automate renewals.
Click to expand...
Nothing to do with their SSLs which are available from an ongoing price of £59.99/year, I'm sure. Or £149.99/year for a service where they'll install it for you.

Finally in case the original dev reads this thread, the steps to install an SSL on wordpress are:

1. Install an SSL on hosting (move hosting if not possible - so let's give him that point - slight pain to do that)
2. Install the Really Simple SSL plugin
3. Activate plugin, tweak settings if needed depending on environment
4. That's it! (99% of the time)
 
rxodium said:
Because you're a mug that's content to waste money on certs? I don't know. What validation do your "credible" certs go through that make them any better than open or locally generated certs? I'm really interested to know what your credible certificates offer over Let's Encrypt aside from support...
Click to expand...

What was I saying about credible providers... https://www.thesslstore.com/blog/lets-encrypt-to-revoke-3-million-ssl-certificates-on-march-4/

Thats a fairly massive problem right there.
 
Last edited:
Vince said:
What was I saying about credible providers... https://www.thesslstore.com/blog/lets-encrypt-to-revoke-3-million-ssl-certificates-on-march-4/

Thats a fairly massive problem right there.
Click to expand...
Owning up to a bug and sticking to the agreed deadlines to sort it out? Not ideal, but this is life....and it's free!

It's as if you think the other CA's are all perfect for some unknown reason. Lol. Let's see....

https://www.thesslstore.com/blog/sy...-ssl-certificates-will-be-distrusted-tuesday/
 
Beansprout said:
Owning up to a bug and sticking to the agreed deadlines to sort it out? Not ideal, but this is life....and it's free!

It's as if you think the other CA's are all perfect for some unknown reason. Lol. Let's see....

https://www.thesslstore.com/blog/sy...-ssl-certificates-will-be-distrusted-tuesday/
Click to expand...

No at all dude we all get it wrong, we are human. I guess the difference is simply time. One gave 24 hours notice the other had quite a bit more. I wouldn't have had any issue at all and wouldnt have posted but remembered that im a mug and an idiot as I was reading the article. :D
 
You must log in or register to reply here.
Back
Top Bottom