Adding SSL to website

damodude · 28 Jan 2020 at 20:18

Thanks all for your comments and advice, as suspected you have confirmed the web dev is a div will start looking for alternatives.

Deleted member 77746 · 28 Jan 2020 at 20:23

damodude said:
the web dev is a div

He might not be a div or a mug as to what someone else got called in here, however they might just not know certain aspects of web development. At the end of the day I highly doubt it was SSL to blame for the issue that you have encountered.

Shoeyuk · 28 Jan 2020 at 20:33

Do you keep Wordpress install up to date as well as the plugins as that’s usually the most common reason sites end up with issues

Deleted member 77746 · 28 Jan 2020 at 20:39

He should have been able to add SSL to your site within 10 mins even less than that if they understood it properly. If you move it to a cpanel host, some hosts will even do it for you for free to help you migrate it fully over including SSL cert.

the-evaluator · 29 Jan 2020 at 08:35

Pho said:
You can't generate certificates for non-public URLs.

That's note quite right. If you use DNS challenge then the host doesn't have to be publicly accessible plus you can create wildcard certificates this way. I'm using this method for a couple of test systems at work, all the systems are only accessible on the internal network but they have perfecly valid Lets Encrypt SSL certificates.

alec · 29 Jan 2020 at 08:57

damodude said:
The connection strings to the database will change

Is that all there is? Rewrite connection strings and be done. Why do you make it sound like end of the world.

Vince said:
After heartbleed id be looking at an ssl cert from a credible provider

Lets Encrypt is the most credible out there. There is no hidden agenda except to promote 100% sites to have traffic encrypted.
After heartbleed I would be making sure that software in my server is always upgradedwith latest security patches. Which concerns OP with WordPress as well.

Pho · 29 Jan 2020 at 09:38

the-evaluator said:
That's note quite right. If you use DNS challenge then the host doesn't have to be publicly accessible plus you can create wildcard certificates this way. I'm using this method for a couple of test systems at work, all the systems are only accessible on the internal network but they have perfecly valid Lets Encrypt SSL certificates.

Oh I didn't know that, thanks for pointing that out. Could be quite handy

Deleted member 77746 · 29 Jan 2020 at 09:49

DNS challenge should be the only way an SSL can be generated.

makes it a little bit more secure to say that you actually own the domain!

that’s of course a hacker hasn’t got into your cPanel and got access to your whole dns lol

the-evaluator · 29 Jan 2020 at 10:01

In theory I agree but that would require a degree of DNS knowledge that's likely beyond your average person running a Wordpress site. There are a number or DNS providers that provide an API but even that's not overly trivial.

touch · 29 Jan 2020 at 10:15

mrbell1984 said:
On another note SSL isn't going to stop wordpress from being hacked.

I agree with this. SSL would have made no difference at all to your site getting hacked.

There's only 1 connection string in WordPress. It's in /wp-config.php and takes 30 seconds to update.

Looks like your developer might have been struggling with the URL when trying to setup SSL? There's some images (including one in the footer) which dont load because the URL is wrong: http://kennankay..co.uk (extra .)
It should be an easy process to set up SSL on a WordPress site. Some hosts don't allow using your own certificate and may require that you buy one from them but there's no way it should take 10 hours.

Deleted member 77746 · 29 Jan 2020 at 10:19

I would say get it moved to a brand new host. Ask the host if they could assist with you migrating + SSL setup. Tell them it’s a wordpress site.

Then let someone else manage it!

damodude · 30 Jan 2020 at 10:36

Thanks again to all for your comments and advise, can anyone suggest a good trusted website for hiring freelance web developers? A google search throws up a few websites but would rather trust the advise of the helpful peeps here

Deleted member 77746 · 30 Jan 2020 at 13:20

damodude said:
Thanks again to all for your comments and advise, can anyone suggest a good trusted website for hiring freelance web developers? A google search throws up a few websites but would rather trust the advise of the helpful peeps here

Post 8
https://forums.overclockers.co.uk/posts/33316011/

damodude · 31 Jan 2020 at 14:00

mrbell1984 said:
Post 8
https://forums.overclockers.co.uk/posts/33316011/

Cheers but isn't that referring to hosting sites and not actual developers?

Deleted member 77746 · 31 Jan 2020 at 14:49

damodude said:
Cheers but isn't that referring to hosting sites and not actual developers?

Yeh sorry it’s for hosting not developers. There’s people on here that are into websites. Someone might be able to help.

I still would get it moved to a proper host.

The host will be able to help you migrate and make it secure for you.

Beansprout · 31 Jan 2020 at 19:55

Bit late to the party here but firstly, Heartbleed was an SSL library issue (openssl) and *not* related to the type of SSL certificate being served. And the site redirect would've been a dodgy plugin, there have been so many exploits like this in the past year - at one point I think I was fixing 5 a day at Fixed.net.

Let's Encrypt are doing great work in making security affordable for all.

Yes, at my old company we made a decent bit of money from selling SSLs, but we also had the cost of the dedicated IPs and the staff time to manage it all, and dealing with inevitable issues/complaints etc. So actual profit I couldn't tell you.

Nowadays a dedicated IP isn't a requirement like it was before thanks to various improvements.

So now I run cPanel AutoSSL (configured with either Sectigo or LE) on all my servers at my new company and I can count how many certs I've bought in the last year...none! It all just works, saves me time, saves my clients money, life is great.

OV and EV SSLs can still be bought but I see these only rarely.

A huge number of people also use Cloudflare who include free automatic SSL. Modern life is good!

But....some large legacy hosts have old tech and/or shareholders to please!

visibleman said:
Find out who the host is and contact them directly regarding adding a SSL certificate - how it's done etc.

Looks like the site is now with Godaddy (I didn't see the thread at creation time so maybe it always was) and has a Godaddy SSL installed, probably at some expense

And even with a web panel backed host (cPanel, Plesk etc), some require the host to intervene to add/modify certificates - certainly the case with our VPS's from Tsohost, as we don't have root access to the cPanel for the AutoSSL module.

Indeed, however root access isn't a requirement for AutoSSL, so there's little reason any provider who is offering cPanel/WHM systems can't enable AutoSSL unless for some reason they explicitly don't want to. I would ask them. Maybe it's running an older Centos version in which case account copies to a new install would be a good idea.

One of the companies who don't support LE is Godaddy (who now own Tsohost!) who run cPanel but don't offer it, as per the LE website:

https://letsencrypt.org/docs/godaddy/ said:
We get a lot of questions about how to use Let’s Encrypt on GoDaddy. If you use GoDaddy shared web hosting, it’s currently very difficult to install a Let’s Encrypt certificate, so we don’t currently recommend using our certificates with GoDaddy.
....
We don’t recommend using Let’s Encrypt certificates on hosting providers that don’t directly implement the ACME protocol, because it means you can’t fully automate renewals.

Nothing to do with their SSLs which are available from an ongoing price of £59.99/year, I'm sure. Or £149.99/year for a service where they'll install it for you.

Finally in case the original dev reads this thread, the steps to install an SSL on wordpress are:

1. Install an SSL on hosting (move hosting if not possible - so let's give him that point - slight pain to do that)
2. Install the Really Simple SSL plugin
3. Activate plugin, tweak settings if needed depending on environment
4. That's it! (99% of the time)

Deleted member 77746 · 4 Feb 2020 at 13:41

Glad to see you got this resolved.

Vince · 3 Mar 2020 at 22:37

rxodium said:
Because you're a mug that's content to waste money on certs? I don't know. What validation do your "credible" certs go through that make them any better than open or locally generated certs? I'm really interested to know what your credible certificates offer over Let's Encrypt aside from support...

What was I saying about credible providers... https://www.thesslstore.com/blog/lets-encrypt-to-revoke-3-million-ssl-certificates-on-march-4/

Thats a fairly massive problem right there.

Beansprout · 4 Mar 2020 at 01:10

Vince said:
What was I saying about credible providers... https://www.thesslstore.com/blog/lets-encrypt-to-revoke-3-million-ssl-certificates-on-march-4/

Thats a fairly massive problem right there.

Owning up to a bug and sticking to the agreed deadlines to sort it out? Not ideal, but this is life....and it's free!

It's as if you think the other CA's are all perfect for some unknown reason. Lol. Let's see....

https://www.thesslstore.com/blog/sy...-ssl-certificates-will-be-distrusted-tuesday/

Vince · 4 Mar 2020 at 08:03

Beansprout said:
Owning up to a bug and sticking to the agreed deadlines to sort it out? Not ideal, but this is life....and it's free!

It's as if you think the other CA's are all perfect for some unknown reason. Lol. Let's see....

https://www.thesslstore.com/blog/sy...-ssl-certificates-will-be-distrusted-tuesday/

No at all dude we all get it wrong, we are human. I guess the difference is simply time. One gave 24 hours notice the other had quite a bit more. I wouldn't have had any issue at all and wouldnt have posted but remembered that im a mug and an idiot as I was reading the article.