How to secure your WordPress Multisite instance using SSL.
What is SSL/TLS?
Simply put, SSL stands for Secure Sockets Layer; its successor standard is called Transport Layer Security (TLS). So, what is it and why do you need or want to use it?
SSL/TLS is a method used to encrypt the content your website sends. In other words, the content on your site is encrypted on its way to a user so that it cannot be changed in transit.
What is HTTPS?
This leads us into the next piece, which is HTTPS. So, what is HTTPS and why should you care? HTTPS stands for Hypertext Transfer Protocol Secure. It is a means to transport encrypted data to its destination and back again.
So, it takes the encrypted data created by SSL/TLS and puts it on a bus, then drives that bus of encrypted data back and forth between your WordPress site and the user's browser. If the data is intercepted it cannot be read by anyone and therefore remains private.
How do I secure the communication on my WordPress Multisite instance?
First, you need an SSL certificate. You can purchase an SSL certificate, or on most hosting plans you can use Let's Encrypt to generate a free one.
An SSL certificate is like the key you would use for your house. Just as you use the key for your front door to lock it, you use a certificate to lock the door and protect the data: only someone with a "key" can access the content you create. The certificate is the key, but instead of locking your front door it locks (encrypts) the data on your website before it is sent to someone who wants to access it.
What you don't see under the hood is that any user who wants to access your website securely gets a key. This authenticates your site and proves they are communicating with the intended website; it also authorizes them and allows them to access the content.
It also provides encryption of the data as well as integrity of the data. In other words, the data cannot be viewed by someone who is unauthorized, and the data cannot be modified without being detected.
This type of key is a public key, which means that anyone who is authorized can access the content. The content is delivered securely so that no one can alter it, and everyone who is authorized can view it.
A WordPress Multisite can mean different things but in this article it means:
- A multisite set up as subdirectories
- A multisite set up as sub-domains
- A multisite set up as multiple domains
Let's go over each one briefly.
Multisite | Subdirectories
Think of a subdirectory as a folder within a filing cabinet. The filing cabinet is your website and the folder is a different page, post, or category on your website.
Here are some examples:
Once you install SSL on the URL [wphostinggeeks.com], all the other subdirectories "aboutus", "contactus" and "home" will inherit the SSL. There is no need to configure them individually.
Multisite | Sub-Domains
Sub-domains are just that: a sub-section or tertiary domain name you can use to point to different sections of your website's content.
Here are some examples:
If your site consists of multiple sub-domains, you should use a wildcard SSL certificate. This means that when you create the certificate you would use "*.wphostinggeeks.com" as the name.
The asterisk in front of the main domain is critical, because any sub-domain you set up will inherit the SSL certificate and provide the needed security.
Multisite | Multiple Domains
If you have different domains on a single hosting account or set up under a multisite tenant, you will need a certificate for each one. However, there are options available to create what is called a multi-domain SSL certificate, which will cover all domains hosted on a single server.
Here are some examples:
As you can see each site is independent in its own way. However, using a multi-domain SSL certificate is one option to streamline your security and provide a high level of trust for your website patrons.
Securing your site does not have to be scary. There are a few different ways to build trust with your website users.
To help streamline the actual process, here is a quick step-by-step guide to setting up SSL and securing your website.
- Disable any caching and minifying plugins
- Make sure all your external assets are loaded over https (scripts, CSS files, images etc.)
- Create an SSL certificate (most hosting companies allow you to do this with the click of a mouse, thanks to https://letsencrypt.org/)
- Change all hardcoded URLs of your site that begin with http to https. You'll need to dive into the database to do this. I use this search and replace script, but you can also use Adminer or phpMyAdmin. WPEngine has a list of where to look. Don't forget to delete the script from your server when you're done!
- If your site doesn't redirect automatically from http to https, add Apache redirects.
- Make sure everything works as expected.
- Change the URL in external services like analytics and monitoring sites.
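The database step above is where a plain search and replace most often goes wrong: many WordPress options and post meta are stored as PHP-serialized strings whose `s:N:"...";` prefix records the byte length of the string, so replacing `http://` with `https://` makes every affected prefix one byte short and PHP's `unserialize()` then rejects the whole value. The following is an added example (not the page's script or WordPress's own code) of a serialization-aware replacement, run over a few constructed rows for the page's sample domain wphostinggeeks.com; the option names are assumed.

```python
import re

OLD_URL = "http://wphostinggeeks.com"
NEW_URL = "https://wphostinggeeks.com"

# Matches one PHP-serialized string, e.g. s:4:"logo"; (length prefix, then the text).
# Assumes the serialized text itself does not contain the sequence "; which is
# true for URLs and typical option values.
SERIALIZED_STR = re.compile(r's:(\d+):"(.*?)";', re.DOTALL)


def fix_serialized_lengths(value: str) -> str:
    """Recompute every s:N prefix so it matches the string it wraps.

    PHP counts bytes, not characters, so the length is taken from the
    UTF-8 encoding of the text.
    """
    def repair(match: re.Match) -> str:
        text = match.group(2)
        return 's:%d:"%s";' % (len(text.encode("utf-8")), text)
    return SERIALIZED_STR.sub(repair, value)


def migrate_value(value: str, old: str = OLD_URL, new: str = NEW_URL) -> str:
    """Replace old with new, then repair any serialized length prefixes."""
    if old not in value:
        return value
    return fix_serialized_lengths(value.replace(old, new))


def migrate_rows(rows):
    """Return (option_name, new_value, changed) for each (option_name, value) row."""
    out = []
    for name, value in rows:
        new_value = migrate_value(value)
        out.append((name, new_value, new_value != value))
    return out


# Constructed sample rows in the shape of wp_options (option_name, option_value).
SAMPLE_ROWS = [
    ("siteurl", "http://wphostinggeeks.com"),
    ("widget_text", 'a:1:{s:4:"logo";s:38:"http://wphostinggeeks.com/img/logo.png";}'),
    ("unrelated", "http://other.example/x"),
]

if __name__ == "__main__":
    for name, value, changed in migrate_rows(SAMPLE_ROWS):
        print(("UPDATED " if changed else "kept    ") + name + ": " + value)
```

Run the replacement against a backup first and compare the `changed` flags with the rows you expected to touch; the widget row shows the length prefix moving from 38 to 39 while the unrelated domain is left alone.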
Please comment or email us if you have any questions!