Free certificates from Letsencrypt.org
Here at Presslabs we’re continuously looking to improve performance and maximize security for our customers’ sites, so we are glad to let you know that we are enabling HTTPS on all sites using Let’s Encrypt. Every site hosted at Presslabs will automatically get a certificate from letsencrypt.org. Of course, it’s possible to use a custom certificate, purchased from any other certificate provider, for example Namecheap or CertSimple.
Let’s Encrypt is a free certificate authority that allows everyone to get free SSL certificates to encrypt their sites. It is an initiative started by Mozilla and is backed by many major Internet companies and non-profit organizations – Akamai, Cisco, the Electronic Frontier Foundation (EFF), Facebook and others.
This means you’ll have at hand as a site owner the added security and privacy for your readers for which Google promises to reward with better ranking in its searches. We’ve written about this previously.
This means that besides saving money on HTTPS certificates, you will also be saving time, as this service will be on auto-pilot with no need for you to deal with renewals, funky command lines or SSL terminology.
These changes come together with the change of our approach for securing the wp-admin. Since the beginning, we have enabled secured wp-admin on our secured domain, plssl.com. The reason behind this is to keep your communication with the backend encrypted at all times, so for example logging in your admin from a public wi-fi would not expose in clear text passwords and data you add on your site. The pitfall for this approach was that a lot of WordPress plugins do not respect the Codex specifications (here to our initial surprise, has been included Jetpack, as well…) and needed either local patches or public contributions to make them work properly on our platform.
The new approach means dropping the common domain in favor of your site domain, but with https enabled by default for logged in users. This is the best way we’ve found to ensure security and flexibility for the already written plugins.
Uniquely flexible HTTPS set-up
By default sites will work in http mode but you can email firstname.lastname@example.org to pick from a few combinations:
- dual – both HTTP and HTTPS versions of an URL work, and do not do any kind of redirects. Due to the fact that having both versions enabled, some SEO issue might arise, this mode is recommended only if you have pages where users must enter some sensitive informations (like checkout pages). With this mode we recommend that you redirect from non-sensitive pages to their HTTP counterparts.
- http – The HTTPS urls are redirected to their HTTP counterparts for non logged-in users. This will be the default mode.
- https – The HTTP urls are redirected to their HTTPS counterparts for all visitors.
- https with HSTS – this is the same as https mode, redirecting everything to HTTPS links, but also enables the Strict-Transport-Security header. We currently recommend enabling the https mode first then, after some testing (1-2 months), enabling the Strict-Transport-Security header.
The very important bit: maintenance and time of deployment
We are scheduling the maintenance for next Tuesday (June 21st) (subscribe on status.presslabs.com). When it completes, you will probably need to reconnect some plugins (JetPack and Vaultpress being the most notable ones). On top of that, you need to set your preference for serving the content as described in the previous paragraph.