Why your Website Needs an SSL Certificate

  • Jan 2017
  • Read Time: 8 Mins

In previous years an SSL Certificate was only required for e-commerce websites. In 2017 it is now an essential requirement for every site. Don’t know the difference between packet-sniffing and phishing exploits? Never fear! In this post, we will explore what exactly SSL is, benefits for your website and how you can get one.


What is SSL?

If you are a website owner or manager you have undoubtedly heard the term SSL thrown around over the past few years. If you have found yourself nodding approvingly while secretly wondering if it’s a new Mercedes-Benz model, you’re not alone. SSL is short for Secure Sockets Layer. To confuse matters further, SSL is actually the predecessor to what is now known as TLS or Transport Layer Security, but everyone still calls it SSL. For the sake of our sanity, we’ll keep calling it SSL too.

So now that we can impress everyone by explaining what SSL stands for, let’s find out what it actually does.

Data Encryption

If your website includes a method of gathering information from a user, then that data can potentially be intercepted without proper security. An SSL Certificate will establish an encrypted link between a user’s web browser and a web server so that data is unreadable to anyone watching. This is the reason that all payment gateways require SSL to be active when processing payments directly on your website.

Why SSL is Important

Aside from the security of data that SSL provides, it can also improve other factors related to your website performance.

Google Rankings

Back in 2014, Google announced that they would begin to use SSL as a ranking signal. What this means is that sites that run over the https protocol will be given a higher page rank than sites running on standard http.

Then in 2016, Google announced that it would be updating their Google Chrome browser to clearly indicate sites that do not have an SSL Certificate in place.

Credit: Google Online Security Blog

Site Performance via HTTP/2 Support

In the past, encrypting data at both ends of the transfer would slow a website down, but these days SSL will actually improve your site performance if you have a good hosting provider. Almost all recent versions of web browsers support the new http/2 protocol. This protocol is an updated version of the http protocol, which has been the backbone of the internet since its inception. One of the major benefits of http/2 is that it supports something called multiplexing. This allows browsers to download multiple resources concurrently, rather than the standard method of waiting for a file to download before starting the next one.

While the official documentation does not state that SSL is a requirement for http/2, at present browsers only support it if the site has an SSL Certificate in place. So.. no SSL Cert, no multiplexing!

Authentication

Having an SSL Certificate associated with your domain is a way of proving ownership over that domain name. There are many fraudsters out there who can accurately replicate your website and pose as a legitimate business in order to gather sensitive data. When an SSL Certificate is set up, the server hosting your website will also have a server certificate in place. This allows your SSL Cert and the server to ensure that data input through the browser cannot be intercepted and prevent phishing attacks.

How can I Tell if a Site is using SSL

Most browsers will make it clear that a website is using SSL by displaying a padlock symbol near the website address bar. If you are unsure whether a web page is using SSL, you can be sure by checking that the website URL begins with https://.

Google Chrome SSL

How to get an SSL Certificate

There are hundreds of companies that provide SSL Certificates as a paid service and a few newer ones that offer them for free. Here are two that I have had a positive experience with in recent times.

Let’s Encrypt

These are the guys who are leading the charge for a more secure internet. Let’s Encrypt offer free SSL/TLS for everyone and are quickly becoming industry leaders in this space.

Trustwave

Trustwave is a cyber security company who offer a multitude of security solutions for online and offline requirements. They offer extended validation certificates, which provide that bit of extra authority by including your company name as part of the certificate. Some browsers will display this in the address bar along with the padlock symbol.

Host with us!

If your site is running on WordPress and you want an SSL Cert as standard, then you should consider one of our Website Care Plans. As part of all of our plans we provide an SSL Certificate as standard. We’ll migrate your site over to our WordPress-optimised environment and have your site fully secure and performing at its best.

Tristan Fagan

As our Director of Development, Tristan’s primary role is to oversee the completion of every new project embarked upon at Big Dog. With his extensive experience and knowledge in the fields of Web Development and Internet-based Software, Tristan provides the team here at Big Dog with the tools and expertise to ensure the success of every new project, whether big or small. When away from his desk, Tristan can generally be found training for a marathon or hiking deep in the Dublin mountains with his beloved bulldog, Turbo.

Dublin, Ireland https://www.bigdog.ie

How to Clean a Hacked WordPress Website

  • Jan 2017
  • Read Time: 10 Mins

WordPress is the most widely used content management system on the internet. The most recent figures suggest that it now powers over 27% of websites globally. While this is great news for the WordPress community and for companies like Big Dog, who develop and support WordPress websites for a living, it also means that WordPress is one of the biggest targets for hackers worldwide.

If you have had your site hacked and want to know how you can get your website back online, the following tutorial will show you how.

Signs that your WordPress site has been hacked

Before we dive into the steps you need to take to clean your website of an infection, it is important to identify whether your site has actually been hacked or infected with malware. Here are a few things to look out for:

  • Your site has been blacklisted by Google, Bing, etc
  • Unusual images or content appearing on your site
  • Pop-up windows suddenly appearing
  • Pages displaying a blank white screen (500 error)
  • Analytics data displaying unusual traffic/SEO content
  • Your host has suspended your site due to hacking or malware

If you suspect that your site has been hacked you can run a free scan using the following tools: 

Sucuri Website Scan

How did my site get hacked?

In order to be able to prevent your site from getting hacked in future, it is important to understand how a WordPress website is usually hacked. The following are considered to be the top reasons a site will be hacked or infected with a virus.

1. Incorrect File Permissions

Setting the correct file permissions on your WordPress website is vitally important for the security of your website. If you have not set up your file permissions correctly, you could be vulnerable to attackers modifying your code.

As a rule of thumb your site permissions should be set up as follows:

Item            Permission
Directories     755
Files           644
wp-config.php   600

Check out this tutorial to learn more about setting WordPress file permissions correctly.
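The audit below is an added example, not code from the original article: it walks a WordPress directory and reports every entry whose mode differs from the table above. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Expected modes, taken from the table in the article.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600

def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE

def audit_permissions(root):
    """Return sorted (relative_path, actual, expected) for each mismatch below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode says nothing about its target
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(full, is_dir)
            if actual != want:
                findings.append((os.path.relpath(full, root), oct(actual), oct(want)))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree with two deliberate mistakes (hypothetical layout)."""
    layout = [  # (relative path, is_dir, mode to apply)
        ("wp-content", True, 0o755),
        (os.path.join("wp-content", "uploads"), True, 0o777),  # world-writable
        ("index.php", False, 0o644),
        ("wp-config.php", False, 0o644),                       # readable by all
    ]
    for rel, is_dir, mode in layout:
        full = os.path.join(root, rel)
        if is_dir:
            os.makedirs(full, exist_ok=True)
        else:
            with open(full, "w") as fh:
                fh.write("<?php // constructed sample\n")
        os.chmod(full, mode)  # explicit chmod so the umask does not interfere

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, actual, want in audit_permissions(site):
            print(f"{path}: mode {actual}, expected {want}")
```

Point `audit_permissions` at a downloaded copy or the live document root; some hosts require different modes, so treat each finding as something to check rather than fix blindly.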

2. Out of date WordPress, plugin or theme files

A common mistake that website owners make after launching their site is not keeping WordPress, their plugins and their themes up to date. It is considered best practice to have your WordPress version updated automatically and to frequently check your site for plugin and theme updates.

WordPress

When a new version of WordPress is released, it is often due to a security patch being added after a potential exploit has been identified.

Example of new version of WordPress available

To update your version of WordPress you can follow these steps:

  1. Back up your site so that you can roll it back if any errors occur as a result of the update
  2. Login to your WordPress admin area
  3. Select Dashboard > Updates
  4. If a new version is available: select Update Now

Check out this article for a more in-depth look at updating WordPress.

Plugins

Updating your plugins is just as important as updating WordPress itself. An out of date plugin can have potential security holes within the codebase. When a new version of WordPress is released it is common for plugin developers to release an update for their plugin to fix any issues related to the update.

Example of available plugin updates

The steps required for updating your plugins are very similar to updating the version of WordPress:

  1. Back up your site in case of issues caused by the plugin update
  2. Login to the admin area
  3. Select Dashboard > Updates
  4. If updates are available: select the plugin(s) you wish to update
  5. Select Update Plugins

Note: It is recommended that you update each plugin individually so that you can test your site for errors before moving on to update the next plugin.

3. Insecure hosting environment

If your site is hosted within a hosting environment that does not employ strict security measures and frequent file scanning, it is possible that your site can become infected from another site within your shared hosting environment or that your file permissions will leave your site vulnerable to an exploit. Not all hosting providers are focused solely on WordPress hosting.

While WordPress is extremely easy to set up and use, implementing the best security protocols within the server environment can be quite difficult and requires considerable knowledge and technical expertise in the field of WordPress hosting. For example, our hosting partners at WP Engine provide automated security scans, daily backups, firewall protection and automated file permissions so that we can provide total security to our clients’ website hosting environments.

4. Insecure admin or FTP/SFTP password

While it may seem obvious, there are still a lot of websites hacked due to users not having secure passwords for their admin and SFTP logins. If a hacker can guess your admin password they can potentially modify all of your theme files, add/remove plugins and make changes to your site content at will.

If a hacker can gain access to your codebase via FTP/SFTP they will be able to take your site offline completely, edit your website code, access your database and download all of your site files.

Check out last year’s list of worst passwords for an indication of what not to use!

Here are some handy tools for generating strong passwords:

How to clean your infected WordPress website

Now that you have confirmed that your site has been hacked or infected with a virus it’s time to remove the corrupted files and restore your site to its original state.

1. Install anti-virus

Before you start working on removing malicious code from your site, it is important that your computer is protected against any potential virus or malware contained in your site code before you download it. If you have not already got some form of anti-virus running on your computer, there are a lot of free versions out there for you to choose from.

Here are two examples:

2. Backup your site

If your hosting provider gives you the ability to back up your site code and database, that is the best way to take a backup before getting started. Many hosting providers do not provide this facility as standard, but a backup can also be created with the help of a plugin or manually.

Backup option 1: Using a Plugin

There are lots of website backup plugins available in the official WordPress plugin directory to choose from. Here are some popular choices:

  • Updraft – A free plugin that allows you to back up your site to a multitude of 3rd party storage providers (eg: Amazon S3, Dropbox, Google Drive, etc)
  • Snapshot – A premium service provided as part of the WPMU Dev suite of plugins
  • BackupBuddy – Another popular premium plugin

It is important that you also back up your WordPress database along with your site codebase.

Backup option 2: Doing it manually

In the event that you are unable to access your website admin area, or you prefer to do things yourself, you can create a backup of your site by downloading the source code using SFTP and creating a backup of your database via phpMyAdmin.

Check out these detailed instructions on how to create a backup of your website manually.

3. Cleaning your site

Now that all of the necessary steps have been taken to prepare for your website to be cleaned, there are two methods that can be used for cleaning.

Cleaning option 1: Using a Plugin

Using a plugin to detect and clean infected files within your WordPress website is by far the easiest method of virus removal. Here are some great plugins for cleaning up your site:

  • WordFence – This security plugin will detect which files have been modified and allow you to remove or restore them as needed. There are free and premium versions available
  • VaultPress – This plugin provides both backup and security for WordPress sites. It will also help you to remove your infected files if your site is compromised
  • iThemes Security – Much like the previous plugin, this is both a backup and security solution that will allow you to clean your infected files (premium version only)

Cleaning option 2: Doing it manually

If you are unable to install a plugin then you will have to identify and clean out the infected files manually. The following are things to look out for when searching for compromised files within a WordPress install:

HTML Files

A WordPress website will typically have no HTML files within the codebase. If you run a search on your site files and find HTML files, they may have been put there by a 3rd party. Removing these files and running a scan on your site again using the security scanning tools listed above will help to identify if these files are related to the hack.

Recently Modified Files

Another indication of a compromised file is a more recently modified date than other files within the codebase. There are some files which are updated regularly, such as log files and files within a cache folder so the date modified might not always indicate that a file has been infected, but analysing newly updated files can be a good way to find the source of infection.

Search for text from hacked pages

If you see content on your website that was added by a hacker such as “hacked by” or “buy cheap..” you can search your codebase for that text. If the content has been added to the site code rather than the database, then you can identify the files that have potentially been hacked.

Search for commonly used hacking code

There are a number of methods that hackers will use to execute their code after compromising a WordPress site. By searching your code for the following strings you can identify potentially infected files:

  • iframe
  • exe
  • base64
  • base64_decode
  • eval
  • isadmin
  • inurl
  • gzip_uncompress
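The manual checks described above (stray HTML files, recently modified files, and the string list) can be combined into one triage pass. This is an added example, not code from the original article; the function names, reason labels, seven-day window and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import time

# Strings the article lists. Plain substring matching is noisy ("exe" also
# matches "execute"), so every hit is a lead for manual review, not a verdict.
SUSPICIOUS = ["iframe", "exe", "base64", "base64_decode", "eval",
              "isadmin", "inurl", "gzip_uncompress"]

def triage(root, recent_days=7, now=None):
    """Map relative path -> reasons the file deserves a closer look."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        in_cache = "cache" in os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if name.lower().endswith((".html", ".htm")):
                reasons.append("html-file")
            # Logs and cache files change constantly, so skip their date check.
            noisy = in_cache or name.endswith(".log")
            if os.path.getmtime(full) >= cutoff and not noisy:
                reasons.append("recently-modified")
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", "replace").lower()
            reasons += ["string:" + s for s in SUSPICIOUS if s in text]
            if reasons:
                report[os.path.relpath(full, root)] = reasons
    return report

def build_sample(root, now):
    """Constructed sample tree (hypothetical paths): two files should be flagged."""
    theme = os.path.join("wp-content", "themes", "demo", "functions.php")
    samples = {  # relative path -> (contents, age in days)
        "index.php": ("<?php require __DIR__ . '/wp-blog-header.php';", 400),
        "promo.html": ("<html><body>buy cheap..</body></html>", 1),
        # Inert stand-in for injected code: the base64 decodes to "echo 1;".
        theme: ('<?php eval(base64_decode("ZWNobyAxOw==")); ?>', 1),
        os.path.join("wp-content", "cache", "page.tmp"): ("cached page", 0),
    }
    for rel, (body, age_days) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.utime(full, (now - age_days * 86400,) * 2)  # backdate the mtime

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site, time.time())
        for path, reasons in sorted(triage(site).items()):
            print(path, "->", ", ".join(reasons))
```

Run it against a downloaded copy of the site rather than the live server, and review each flagged file by hand, since legitimate plugins also use several of these strings.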

Compare site backup to the hacked version

If you have a backup of your website you can compare the contents of files from the backup to the files within your hacked website to identify which files have been altered. This can be a very time-consuming process and should only be considered when all else fails.

How to test files for infection

If you identify any files that are potentially infected you can upload them to the VirusTotal website for free and they will automatically scan them and return the results.

  • VirusTotal – Test potentially infected files for free

WordPress support and hosting from the experts

As you can see it takes a lot of experience, work and technical skill to clean a hacked WordPress site. At Big Dog, we specialise in WordPress hosting and support. If your site has been hacked or if you just don’t want to have to worry about your WordPress site’s security, then please contact us to discuss our WordPress Business Support plan.

We will migrate your site, clean any virus infection and provide you with super-fast hosting and bullet-proof security so that you can get back to growing your business.

 


Tapping into the Irish E-Commerce Market

  • Nov 2015
  • Read Time: 3 Mins

According to a recent study into the consumer habits of Irish online shoppers, €4.1bn was spent on online shopping in Ireland in 2012. According to this study, however, almost 75% of this total revenue went to e-commerce stores outside of Ireland. One of the primary reasons for these numbers – experts agree – is that very few Irish businesses have attempted to design online stores that are both easy-to-use and appealing for Irish customers.

In order to reverse this trend, the Department of Communications, Energy & Natural Resources (DCENR) recently launched the Online Trading Voucher Programme, run through the Local Enterprise Offices. The Online Trading Voucher offers funds to Irish businesses to help set-up or improve their e-commerce capabilities.

Want to find out how you can take advantage of this new programme? Take a look here

If you need advice about setting up or upgrading your e-commerce website, don’t hesitate to get in touch with us here at Big Dog Digital. Here at Big Dog, we specialise in designing and developing successful, user-friendly e-commerce sites for a wide range of businesses and services.