There are changes ahead for WordPress users as the platform evolves to promote aspects of security including moving towards SSL.
WordPress plan to only promote hosting partners that provide an SSL certificate to their accounts by default. This will happen in early 2017.
Later, WordPress will consider making features available only if SSL is present. Such features would be those that benefit from SSL encryption, like API authentication.
From my own experience working with WordPress, I am always really pleased to see changes like this, in a direction that will help improve the security of my WordPress websites and the reputation of WordPress overall. For all the flexibility and wealth of resources available, it can sometimes be a struggle or inconvenience to keep on top of attacks on some of the most popular websites I look after.
I would say this is probably one of the most frustrating aspects of being a WordPress user.
It will certainly be interesting to see how much of an impact this change will make and how well received it is by the development community.
So what is SSL and why is it worth considering?
SSL is a way for sensitive information, like credit card details, to be transmitted in a secure way between server and client. This is typically between the web server and the browser.
A website with SSL encryption is a website that uses the SSL protocol and has an SSL certificate applied, which makes this encryption possible.
Aside from being necessary if you want to take payments on your website, SSL does have several benefits. One of these is that it provides authentication and also helps guard against phishing. Another is an improvement in customer trust. The green padlock has long been a hallmark of a secure website in the e-commerce world, even among the less than IT literate.
I know from experience in the PHP community that some WordPress users have even felt that WordPress continue to make them jump through hoops to maintain their website in an acceptable order. Adopting SSL encryption can feel this way but I feel it’s worth the benefit overall.
It’s now easier than ever to introduce SSL, and it can be done at no cost at all.
What do you need to do?
For your website to have SSL encryption in place, you will need an SSL certificate. There are several ways to get an SSL certificate on your website. I covered these in a past article.
The simplest of these is to use a service like Let’s Encrypt, who handle the process for you, and for free. WordPress themselves have mentioned this service on their own blog as a means to meet the requirement of having SSL enabled.
Alternative methods include setting up the certificate yourself and requesting one from your hosting provider.
Will this have any effect on my website’s Google ranking?
If you are concerned with your website’s Google ranking, then SSL is worth putting into practice for this reason alone, as Google do consider SSL as a ranking factor.
Google have an idea called ‘HTTPS Everywhere’. It is designed to raise awareness and encourage developers to turn websites into safe spaces that offer the maximum amount of privacy for their users. This started out with treating HTTP encryption with SSL as a lightweight signal. More recently Google has given a boost to those websites that use encryption and started allowing search engines to crawl HTTP pages by default.
So as the ‘HTTPS Everywhere’ idea gains momentum, SSL encryption will undoubtedly become a bigger factor in your ranking. In fact, Google plan to start flagging unencrypted websites next year in Chrome.
It would seem that WordPress are heading down a similar path with regard to the importance of SSL.
Are there any more improvements in store?
In addition to security, the WordPress Foundation are keeping a close eye on advances in web technology. WordPress runs on PHP, so naturally PHP 7 and its performance improvements, which are pretty substantial, have been noted.
The co-founding developer of the open source WordPress software and WordPress Foundation board member Matt Mullenweg has said “The performance improvements in PHP7 are particularly impressive, and major kudos to everyone who worked on that. We will consider whether hosts use PHP7 by default for new accounts next year as well.”
It may therefore be possible that we will see WordPress take a similar road to promote having the most up-to-date PHP version installed on the web server that runs WordPress.
I’m actually a big advocate of upgrading to PHP 7 myself. So I can’t resist the opportunity to say why.
High load capacity – PHP is simply now more efficient and can, therefore, do more while saving on memory
More suited for mobile – It’s a mobile world so PHP 7’s reduced memory storage makes it especially suited to mobile
Higher performance – Tests on WordPress 4.1.1 show that PHP can execute twice as many requests
My recommendation to other developers is that if your host allows this then definitely do consider upgrading or finding a host that supports PHP 7.
How else can I improve my WordPress website security?
Aside from basic tips like changing your username from Admin and disabling the login hints, the best way to improve your security, in my opinion, is to enable 2-factor authentication for your login. This combines your login with a code, generated as required, sent by email or text or even, in the case of one WordPress plugin, authenticated by using the camera on your phone. The downside is that it can be irritating to make quick edits this way.
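
The basic tips above, sketched as a WordPress must-use plugin (an added example, not code from the original post or from WordPress). The file name and location are assumptions; `login_errors` and `illegal_user_logins` are WordPress core filters, `is_ssl()` is a core function, and `FORCE_SSL_ADMIN` is the core constant normally set in wp-config.php.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 * Assumed location: wp-content/mu-plugins/login-hardening.php
 *
 * Pair this with the following line in wp-config.php once the site has a
 * working certificate, so the login form and dashboard are HTTPS-only:
 *     define( 'FORCE_SSL_ADMIN', true );
 */

// Disable the login hints: the default messages say whether the username or
// the password was wrong. Return one generic message for every failure.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your details and try again.';
} );

// Refuse the default-style usernames for accounts.
// Rename any existing "admin" account first so this rule cannot block saving it.
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( (array) $logins, array( 'admin', 'administrator' ) );
} );

// Warn administrators when the dashboard itself was loaded without HTTPS.
// Behind a TLS-terminating proxy is_ssl() can report false unless the
// server passes the original scheme through to PHP.
add_action( 'admin_notices', function () {
    if ( ! is_ssl() && current_user_can( 'manage_options' ) ) {
        echo '<div class="notice notice-warning"><p>'
            . esc_html( 'This dashboard was loaded without HTTPS.' )
            . '</p></div>';
    }
} );
```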