October
Posted by: Michele Pariani
How I made my website more secure

In this post, I will describe how I made my website more secure by integrating a free SSL[1] certificate into my WordPress website with the Really Simple SSL plugin. Before doing that, I will give a brief introduction about how data is transferred over the Internet, and why encrypting and signing that data is very important.

Data over the World Wide Web is transferred with the HTTP (Hypertext Transfer Protocol) protocol[2]. HTTP messages can be categorized in two main groups: requests and responses. I will now briefly describe what HTTP requests and responses are.

An HTTP request is generated when a user interacts with their web browser (e.g., Firefox). For example, when a user enters info.cern.ch in the URL bar and presses Enter, the browser sends a series of HTTP GET requests to fetch the resources needed to render that page.

The screenshot below, which I took while monitoring my WiFi traffic with Wireshark[3], shows what such a request looks like:

Example of an HTTP GET request

HTTP requests go to a server[4], and that server generates an HTTP response, which looks similar in form to an HTTP request. As you can see, HTTP requests and responses are sent across the Internet as plain text. This means that any data, sensitive data included, that users send or receive can be read by anyone who is monitoring the session. Another problem with HTTP is that the recipient of a message cannot be confident that it was sent by the legitimate sender, or that it hasn't been altered in transit.

The solution to these problems is HTTPS, where the S stands for secure. HTTPS uses TLS/SSL[5] to encrypt HTTP requests and responses, so anyone monitoring your traffic sees only gibberish. Moreover, TLS/SSL signs your data, so the recipient can verify who sent it and that it was not altered in transit. Both results are achieved by using public and private keys[6].

This is what a TLS/SSL-encrypted HTTP request sent to my own website looks like when monitored with Wireshark:

Example of an HTTP over TLS request
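As an added illustration of the two captures above (example code written for this post, not the author's capture or code), the Python below parses a constructed plaintext HTTP request and a constructed TLS record and reports what a passive observer learns from each: with HTTP the request line and every header, cookies included, are readable; with TLS only the record type, version and length are visible and the payload is opaque. The host name, cookie and payload bytes are made up for the example.

```python
"""Added example: what a passive observer can read from captured bytes.

The request and the TLS record below are constructed for this example
(hypothetical host and cookie); they are not the author's Wireshark captures.
"""

PLAIN_HTTP_REQUEST = (
    b"GET /wp-login.php HTTP/1.1\r\n"
    b"Host: example-blog.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: wordpress_logged_in=alice%7Cdeadbeef\r\n"
    b"\r\n"
)

# Constructed TLS record: content type 23 (application data), record-layer
# version 0x0303, 2-byte big-endian length, then 16 bytes standing in for
# ciphertext. The payload bytes are arbitrary placeholders.
TLS_APP_DATA_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(16))

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_plain_http(raw: bytes) -> dict:
    """Split a plaintext HTTP/1.1 request into request line, headers and body.

    Everything returned here is exactly what an on-path observer sees.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def sensitive_headers_exposed(parsed_http: dict) -> list:
    """Defender view: which credential-bearing headers a plaintext capture leaks."""
    risky = ("cookie", "authorization", "proxy-authorization")
    return [h for h in risky if h in parsed_http["headers"]]


def parse_tls_record(raw: bytes) -> dict:
    """Parse the 5-byte TLS record header; the payload stays opaque."""
    if len(raw) < 5:
        raise ValueError("not a complete TLS record header")
    content_type = raw[0]
    major, minor = raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    payload = raw[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return {"content_type": TLS_CONTENT_TYPES.get(content_type, f"unknown({content_type})"),
            "version": f"{major}.{minor}", "length": length,
            "payload_readable": False}


if __name__ == "__main__":
    req = parse_plain_http(PLAIN_HTTP_REQUEST)
    print("HTTP observer sees:", req["method"], req["target"], req["headers"])
    print("leaked credential headers:", sensitive_headers_exposed(req))
    print("TLS observer sees:", parse_tls_record(TLS_APP_DATA_RECORD))
```

The contrast is the whole point of the post: a captured HTTP session gives an observer the login path and the session cookie outright, while the TLS record reveals only metadata about the encrypted payload.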

My website didn't have HTTPS when I launched it. To secure communication to and from my web server, I first obtained an SSL certificate and then integrated it into my WordPress website using the Really Simple SSL plugin.

An SSL certificate is a data file hosted on a website's origin server. It is what enables websites to move from HTTP to HTTPS[7]. It is possible to obtain an SSL certificate from Let's Encrypt[8] for free. Let's Encrypt certificates need to be renewed every 90 days.

In order to request a Let's Encrypt SSL certificate, I first had to connect to my server via SSH[9]. After updating the packages on my instance, I installed Certbot, a client used to request a certificate from Let's Encrypt and deploy it to a web server.

The next step was to request a Let's Encrypt SSL wildcard certificate[10]. In order to do so, I had to prove that I owned the domain for which I requested the certificate. I did this by adding TXT records to my domain's DNS records. Once the TXT records had propagated through DNS, I completed the Let's Encrypt certificate request.

As Certbot saved my SSL certificate, chain, and key files into /etc/letsencrypt/live/michelepariani.com/, I created links to these files in the Apache directory[11] on my server.

Finally, I installed the Really Simple SSL plugin on my WordPress website and used it to integrate the SSL certificate with a few clicks on the website admin page.

A detailed tutorial about the steps described above can be found here: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

  1. SSL (Secure Sockets Layer) is an encryption-based Internet security protocol.
  2. A protocol is a set of rules for formatting and processing data. HTTP is an application layer protocol. According to the OSI model, the application layer is that layer where human-computer interaction takes place: https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi
  3. Wireshark is an open-source packet analyzer.
  4. They go either to the origin server or to a CDN edge server: https://www.cloudflare.com/learning/cdn/glossary/origin-server
  5. Transport Layer Security / Secure Sockets Layer. TLS evolved from SSL.
  6. For more information read: http://www.steves-internet-guide.com/ssl-certificates-explained/
  7. You can read more about SSL certificates here: https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
  8. Let’s Encrypt is a non-profit certificate authority.
  9. Using the Secure Shell (SSH) protocol I can access the terminal on my Linux instance as if I were sitting in front of it.
  10. A wildcard certificate lets one use a single certificate for a domain and its subdomains.
  11. For background information read: https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html
