SSL for WP Multisites & Website Security tips

By Kurt Vonnegut:

“When I was 15, I spent a month working on an archeological dig. I was talking to one of the archeologists one day during our lunch break and he asked those kinds of “getting to know you” questions you ask young people: Do you play sports? What’s your favorite subject? And I told him, no I don’t play any sports. I do theater, I’m in choir, I play the violin and piano, I used to take art classes.

And he went WOW. That’s amazing! And I said, “Oh no, but I’m not any good at ANY of them.”

And he said something then that I will never forget and which absolutely blew my mind because no one had ever said anything like it to me before: “I don’t think being good at things is the point of doing them. I think you’ve got all these wonderful experiences with different skills, and that all teaches you things and makes you an interesting person, no matter how well you do them.”

And that honestly changed my life. Because I went from a failure, someone who hadn’t been talented enough at anything to excel, to someone who did things because I enjoyed them. I had been raised in such an achievement-oriented environment, so inundated with the myth of Talent, that I thought it was only worth doing things if you could “Win” at them.”

– Kurt Vonnegut

Turning on a word

It’s called “Turning on a Word.”

Hopefully, we can have such positive experiences in the business world!

Today’s Bulletpoints

A brief refresher on what is SSL & Why it is important
SSL for WP vs SSL for WP Multisite
Free vs Paid
Subjects: https://www.Zapmap.com; https://www.Scriptsteps.com; https://www.SpecialGigs.com (Doug’s site on Siteground now a Multsite but 2 subdomain sites, although have padlock, can’t access the dashboard. Fyi, Siteground is not really setup for Multisite support, although we did stumble getting padlocks set up.
Two Support threads that can explain the process of adding SSL to Multisites:
- https://www.epiphanydigest.com/2020/11/17/setting-up-wordpress-multisite-with-subdomains-and-a-wildcard-lets-encrypt-certificate-on-nginx/
- https://premium.wpmudev.xn--5ca/forums/topic/ssl-for-subdomains-on-a-multisite/
Resources: Youtube: Tony Teaches Tech – 10 tips for website security & will look at doing video on SSL for WP Multi-site https://youtu.be/s3WGgmj4bxE
SSL Resources: https://www.SSLTrust.com.au –Paid SSL for WordPress Multisite domain & wildcard domains; https://www.SSLShopper.com; https://www.Jitbit.com/SSLCheck; https://www.whynopadlock.com. (Let’s visit these sites and test out Zapmap.)
Stumbled Upon: Elementor Plugin Divider (utilizes external pen via tablet, WP Theme Socrates 5–fast load times, author has interesting background, https://www.Kibi.one –Incubator: Code-less websites using WP and other platform for non-technical entrepreneurs

What is SSL ?

Secure Socket Layer (SSL) provide security to the data that is transferred between web browser and server. SSL encrypt the link between a web server and a browser which ensures that all data passed between them remain private and free from attack.

Why is SSL important ?

Every website on the Internet should be served over HTTPS. Here’s why:

Performance: Modern SSL can actually improve page load times.
Search Ranking Boost: Search engines favor HTTPS websites.
Security: Encrypting traffic with SSL ensures nobody can snoop on your users’ data.
Trust: By displaying a green lock in the browser’s address bar, SSL increases visitor’s trust.
Regulatory Compliance: SSL is a key component in PCI compliance.

You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps.

SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world’s computer networks. SSL is essential for protecting your website, even if it doesn’t handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.

SSL Encrypts Sensitive Information

The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.

Free vs Paid

SSL Trust –paid. (email exchange)

Do you require wildcards?
A wildcard will secure unlimited sub-domains for each root domain.
So if you don’t need that, best not to select wildcards, as they are more expensive.
If you just want the domain.com and www.domain.com, you can select the standard additional domains.

https://www.ssltrust.com.au/comodo-ssl/positivessl-ucc-sanhttps://www.ssltrust.com.au/comodo-ssl/positivessl-ucc-san

ZapMap

Gary, any luck with the 1st resource below?

Good summary from WPMUDEV

Hi Adam, sorry what I meant by “improvements” is, is there a streamlined all-in-one solution for example Let’s Encrypt, as opposed to a standalone wildcard cert for the domain and then cloudflare for mapped domains. My site is hosted on DigitalOcean with ServerPilot web server, which unfortunately doesn’t support SSL for wildcard domains yet through their platform, so I am disabling their native SSL and trying to manually install LetsEncrypt using this bash script: https://github.com/lesaff/serverpilot-letsencrypt so I was curious if there is a one-stop-shop to cover my main domain, wildcard subdomain, and mapped domains. Thanks Adam!

I’m not sure how that works with Digital Ocean but regardless of that, I’d say that there’s no “one stop shop”. You do need a wild-card cert for your original domain and its sub-domains and you do need separate certs for you mapped domains so one way or another, it’s a hassle anyway.
There is a a way to overcome it but it’s got its downsides: it’s a multi-domain certificate. That means that there’s “one cert to rule them all” :slight_smile: But the difficulty with it is that you need to know all your domain (to be covered by the cert) upfront, at the time of certificate generation and if you add up any domain in future you need to re-generate certificate manually (which – depending on a provider might be free up to some number of domain and/or re-generations – or might need additional payments each time) and also usually those certs are pretty costly.
As for Let’s Encrypt wild-car, you might need to actually ask DigitalOcean about that to make sure this will work. Let’s Encrypt requires renewal every 3 months so you’d need to make sure that nothing will “block” that.

Force HTTPs

Forcing the use of HTTPS:// on your site will ensure that visitors to your site are always using https://www.zapmap.com and aren’t able to access an insecure http://www.zapmap.com URL. This is recommended since if a visitor does access your site as http://www.zapmap.com everything will be marked as “Not Secure”.

Below code is for forcing HTTPs on an Apache webserver. If you are using another webserver such as lighttpd, nginx, etc you will need to contact your web hosting provider for assistance.

Add the following code to the .htaccess file in your webhosting account:

RewriteEngine On
RewriteCond %{HTTP_HOST} zapmap\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.zapmap.com/$1 [R,L]

Once this change is made your site will no longer be accessible on the insecure “http://www.zapmap.com” URLs and all visitors will be redirected to “https://www.zapmap.com” instead.

How to force multisite to use subdirectories/

My site SpecialGigs.com is at least temporarily a multisite. I added a couple sub-domains but couldn’t get access to the dashboard. Just read this post and added code to the wp-config folder as well as the .htaccess folder. Now, I can add subdirectories. Follow the link below for the code. The ssl was automatically added, too.