Serving WordPress sites securely

[First off, this is not an invitation to hack my websites. I don’t claim perfect security. This is about fixing one particular vulnerability across my 5 WordPress websites.]

Over 60 million websites run WordPress. Most people don’t think about the need to publish WordPress sites securely. After all, most don’t collect personal data, save a few contact forms. So why is having that little 🔒 important on websites that just serve information?

INTEGRITY

Websites served over HTTP can be altered by any intermediary in the path, such as an ISP or VPN. For instance, Verizon did this to their mobile customers, allowing Verizon to better track where customers were surfing. But it’s not just for advertising purposes. Hackers can inject malware into websites over insecure links. Governments can also piggyback on insecure links to track individuals. To counter this, there is a movement afoot to secure the entire web with HTTPS, with many of the big internet companies squarely behind it.

This blog post is about my journey to secure my little corner of the Internet, in particular 5 WordPress blogs that I host. Here are the steps I took:

1 First I needed digital certificates for my domains. That used to be an expensive and laborious process: purchasing certificates from one of the certificate authorities, supplying registration information, and then downloading and installing those certificates. However, thanks to Let’s Encrypt, the process is much less painful and expensive. “Let’s Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.” – Wikipedia. Great! So I contacted my WordPress host and inquired about using Let’s Encrypt. “We don’t support it at this time.” 🙁 I then contacted DreamHost, one of the supporting hosting companies listed on the Let’s Encrypt website. [Note: DreamHost was also recently in the news for refusing to turn over log data to the Justice Department fishing for information on protestors.] After moving one blog for testing, I moved my additional blogs over to DreamHost and installed Let’s Encrypt. The installation process couldn’t have been easier. All I had to do was check a box in my DreamHost management panel for each domain.

2 Securing the domains with digital certificates was only the first step. There are a number of additional steps to ensure my web pages were being served securely. First, I had to change the settings in WordPress so that the site URL uses the HTTPS scheme for any links it generates. Next, I had to include appropriate security headers in the response to any HTTP requests. Luckily someone has a WordPress plugin for that: HTTP headers to improve web site security.

Here are the security headers that plugin provides:

  • HSTS – Strict Transport Security, to ensure browsers use HTTPS instead of HTTP on every later visit
  • CSP – Content Security Policy, to guard against cross-site scripting (XSS) by restricting where scripts and other resources may load from
  • XFRAME – X-Frame-Options, to disallow the site being loaded in iframes on another site (clickjacking)
  • MIME sniffing – X-Content-Type-Options: nosniff, to prevent IE from executing images with embedded JavaScript
  • Remove PHP and WP version – to reduce the risk of exploits for known-vulnerable versions being found

After all was said and done, I ran the domains through securityheaders.io for a grade report. A+ across the board!
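If you would rather check those headers yourself than trust a third-party grade, the following audit script reproduces the checks behind that report. This is an added example, not code from this post or from the headers plugin; the two header sets are constructed to look like a stock WordPress response before the plugin and a hardened response after it.

```python
"""Audit an HTTP response's headers for the protections listed above.

Added example, not part of the original post or the plugin it mentions.
The BEFORE and AFTER header sets are constructed samples.
"""
from __future__ import annotations

# Headers the plugin adds, with a short note on what each one buys you.
EXPECTED = {
    "strict-transport-security": "HSTS: browser refuses plain HTTP on repeat visits",
    "content-security-policy": "CSP: restrict script/resource origins (XSS defence)",
    "x-frame-options": "XFRAME: stop other sites framing this one (clickjacking)",
    "x-content-type-options": "MIME sniffing: browser must not second-guess Content-Type",
}

# Headers that commonly leak software versions and should be stripped.
VERSION_LEAKS = ("server", "x-powered-by")


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    for name, why in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name} ({why})")

    # Presence is not enough: the values have to be the ones that actually protect.
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options is present but not 'nosniff'")
    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options must be DENY or SAMEORIGIN")

    # A bare product name ("Apache") is fine; a version string ("Apache/2.4.25") is a hint to attackers.
    for name in VERSION_LEAKS:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name} discloses a version: {h[name]!r}")

    return findings


# Constructed sample: roughly what a default WordPress install on Apache/PHP sends.
BEFORE = {
    "Server": "Apache/2.4.25",
    "X-Powered-By": "PHP/7.0.33",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same site after HTTPS and the headers plugin are in place.
AFTER = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        problems = audit_headers(sample)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To run it against a live site, feed `audit_headers` the headers from an actual HTTPS response (for example `dict(urllib.request.urlopen(url).headers)` from the standard library); the script itself stays offline so the two samples show the before/after difference without touching anything.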

3 The final steps. I’m submitting the domains to HSTS Preload, which hard-codes the domains in the Chrome browser (and others that support the list) so that even the first visit is forced over HTTPS. I also noticed while submitting the domains to the SSL Labs Server Test that I need to add support in my domain zone files for DNS CAA, which as of September 2017 is adopted as part of the Certificate Authorities’ Baseline Requirements.
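Both of those final steps have rules that are easy to get slightly wrong, so here is an added example (not from the post, and not the preload list's or any CA's own code) that checks them: first whether a Strict-Transport-Security header meets the preload submission requirements, then whether a given CA is authorised by a zone's CAA records, following the RFC 8659 lookup (climb toward the root, first name with CAA records wins; no records anywhere means any CA may issue). The zone data is a constructed sample, and the one-year minimum max-age is the requirement stated on hstspreload.org at the time of writing.

```python
"""HSTS preload readiness and DNS CAA authorisation checks.

Added example, not code from the original post. ZONE is a constructed sample
and the preload thresholds are an assumption based on hstspreload.org's
published requirements.
"""
from __future__ import annotations
import re

ONE_YEAR = 31536000  # preload list requires max-age of at least one year (assumption: current rule)


def hsts_preload_ready(header: str) -> tuple[bool, list[str]]:
    """Parse an HSTS header value and list every preload requirement it fails."""
    directives: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')

    problems: list[str] = []
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR:
        problems.append(f"max-age must be at least {ONE_YEAR} seconds (got {max_age})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive is required")
    if "preload" not in directives:
        problems.append("preload directive is required")
    return (not problems, problems)


# CAA presentation format: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def parse_caa(record: str) -> tuple[int, str, str]:
    m = CAA_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def relevant_caa(zone: dict[str, list[str]], name: str) -> list[tuple[int, str, str]]:
    """RFC 8659 section 3: walk from the name toward the root, return the first RRset found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return [parse_caa(r) for r in zone[candidate]]
    return []


def ca_may_issue(zone: dict[str, list[str]], name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    records = relevant_caa(zone, name)
    if not records:
        return True  # no CAA anywhere in the chain: CAA imposes no restriction
    rules = [r for r in records if r[1] == ("issuewild" if wildcard else "issue")]
    if wildcard and not rules:
        rules = [r for r in records if r[1] == "issue"]  # no issuewild: issue records apply
    if not rules:
        return True  # only iodef records present: reporting address, not a restriction
    # The value may carry parameters after ';' (e.g. validationmethods); ';' alone means "nobody".
    allowed = {value.split(";", 1)[0].strip().lower() for _, _, value in rules}
    return ca_domain.lower() in allowed


# Constructed sample zone: Let's Encrypt only at the apex, issuance locked on one subdomain.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 iodef "mailto:hostmaster@example.com"'],
    "locked.example.com": ['0 issue ";"'],
}

if __name__ == "__main__":
    print(hsts_preload_ready("max-age=31536000; includeSubDomains; preload"))
    print(hsts_preload_ready("max-age=10886400"))
    print(ca_may_issue(ZONE, "www.example.com", "letsencrypt.org"))
    print(ca_may_issue(ZONE, "locked.example.com", "letsencrypt.org"))
```

The header check only covers the header itself; the preload list additionally expects a valid certificate and an HTTP-to-HTTPS redirect on the same host, which you verify at submission time. For CAA, the point of the apex-level `issue` record is that every subdomain inherits it unless it publishes its own RRset, which is exactly how the `locked` example shuts issuance off for one name without touching the rest.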

My hope is that this post encourages others to secure their WordPress installations as well as other information-only websites. Let’s secure the web together!