Since the big names in tech like Google now require SSLs for all websites – or else present you with a warning – it’s easy to think that if you have an SSL certificate, your website is magically secure against everything. It is not.
We get messages all the time from customers who had their website hacked and couldn’t understand why, simply because they had an SSL certificate installed. They thought they were protected.
Let’s be very clear here, having an SSL certificate is the bare minimum a website should be taking for security, and doing it properly is the first step in making sure your website is secure. They only work when they’re implemented with proper security measures for your website and server environment.
The SSL is the START!
First, what is an SSL certificate?
It stands for secure socket layer, and at the most basic level, an SSL certificate creates a secure tunnel between your web browser and the website you’re connecting with. It encrypts the data so that the connection cannot be eavesdropped on. SSL is actually a deprecated term; they’re now called TLSs (Transport Layer Security), even though colloquially, most people still just call them SSLs (and to make it easier – that’s how we refer to them in this article).
You can tell if a website has an SSL certificate installed by looking at the address in your browser – there should be a tiny little lock next to it. This means your connection to the server is secure. If you click the little lock, you get details on the certificate itself.
The actual SSL is a piece of code signed by an authority that is installed on the server. This signature means that the SSL is installed and valid. They’re usually renewed on a yearly basis now. Longer-term SSLs are now not approved by Google as they can be spoofed. Getting an SSL certificate requires buying one from your web host, who will likely use a third party to ‘sign’ them. Then it needs to be installed on your server (we can help you with this).
What an SSL certificate isn’t
It is not a magic piece of software that makes your website completely secure. An SSL certificate simply encrypts the temporary connection between your website and the end user’s browser. It doesn’t secure the website itself or your backend processes. It simply secures the tunnel to the customer. So, just buying an SSL certificate and thinking “my websites can’t get hacked” is simply not good enough.
SSLs are good for many things
SSLs aren’t just good for establishing trust with a user of your website; they’re also good for SEO as the search engines will rank you better than if you don’t have one. Browsers like Chrome will also now show secure connection errors when a user visits your site, warning them that your site is not secure if you don’t have one. They establish trust. Any website without an SSL certificate installed is a red flag. If you got, say, a phishing email and you clicked the link, it does not likely have an SSL. A legitimate link to say PayPal would have an SSL.
‘Old’ SSLs can be a problem
If an SSL certificate is of a vintage standard like SSLv2 or SSLv3, it is not actually secure anymore, as they have been superseded by newer standards – the most recent of which is TLSv1.2. SSLs need to be maintained, updated every year. Old ones will just not do. You can see the type of SSL you have by visiting your website and then clicking the lock. You should find all the info you need there. And, of course, Blacknight can help you install a new, updated one!
They’re not just for eCommerce anymore!
In the past, you only needed to think about having an SSL certificate if you processed data like credit cards – as they were required by credit card processors. But now, every website, even if there is no eCommerce element, needs to have an SSL certificate installed. Why? Because Google says so – something, we’ve written about before here. But basically, if you don’t have an SSL certificate, Google will warn visitors to your website that it’s not secure. You definitely do not want that!
So, what else should you be doing for basic website security?
Other than an SSL certificate, here are few best practices to help keep your website secure. And I feel I should be clear; no website is really 100% secure.
- Keep software updated – This is the most important aspect. Keep the software running your website updated. New vulnerabilities are found all the time in old software. These can be exploited by bad actors. For example, if you install WordPress, then forget about it for a few years, the software – which is updated regularly by WordPress will be very insecure. The same goes for WordPress plugins, which can create their own vulnerabilities. WordPress now has auto-updates turned on by default, which helps. A good web host, like Blacknight, will keep the server software hosting your website updated and secure, but we are generally not responsible for your website itself. That’s on you.
- Keep passwords complicated – Any user with access to your website should have a complicated password – password1234 will just not cut it. The most secure passwords are randomly generated by a password manager. It’s also a good idea to generate a random username as well. Common user names like ‘admin’ or ‘editor’ will be easy for a bad actor to try and hack. This also applies to things like access to your server and the database. If someone tries to hack into your server itself or the database – they can do way more damage than just getting in your CMS. You should also have a policy of regularly changing the password every few months.
- Limit user access – Only a select few trusted people should have root or admin access to your server or hosting environment. And those that do – make sure they set secure complicated passwords (that you can reset if you have to).
- Brute force protection – Bad actors will send scripts at your website that will repeatedly try to log in with common usernames and passwords. Not only does this affect your site performance, but it can actually work. Try to install software to block this kind of thing – there are many good WordPress plugins that do this (like Wordfence). They will automatically block anyone that tries to log in too many times.
- Use two-factor authentication where you can – This is a very good way to keep your web environment very secure – require two-factor authentication on any logins that have access to admin areas. As a web host, we support two-factor for your logins to our control panels, but you can also install it on WordPress and many other web hosting software. It’s simple; in order to log in, you need the regular login information but also a unique code generated by an app on your phone like Google Authenticator, Authy, Microsoft Authenticator, etc.
- Restrict file uploads – If you run a type of website that allows users to upload files – restrict the file types they can upload, and crucially don’t give them any kinds of permissions that would allow files to be executed – like scripts or programs. That way, no one can upload a simple script to your server and run it indiscriminately – that’s how botnets are formed.
SSLs are important to the security of the web, but just having one isn’t the end of the process – it’s the beginning. With the above tips, you’ll be on the way to having a more secure website for you and your customers. Need an SSL certificate for your website? Then head on over to our main site to order one.