As we wrote in September, Google announced SSL would be mandatory in January 2017. Chrome 56 is now here, which means, sites without SSL will now see a “not secure” warning when logging into your website. This includes self-hosted WordPress sites.
Today, Chrome updated to version 56. Immediately we decided to confirm the “not secure” warning for when visiting self-hosted WordPress login pages. We were able to confirm the “not secure” warning on both /wp-admin/ and /wp-login.php pages. Because we don’t want to expose any live vulnerable sites, below is a screenshot of how the warning looks for a staging build:
As per the original Google SSL announcement, this is just the first step. This first step includes the above “not secure” warning not only on login pages or any other page that requires a password, but also on pages that capture credit card information. The next step will most likely be on pages that capture email addresses, such as comment boxes. The final step will be a warning in red on all pages that do not have an SSL certificate.
How To Get An SSL Certificate
The first thing you should do is talk to your website host. Let’s Encrypt has free SSL certificates that can be used on shared IP address. You no longer need a dedicated IP address for SSL certificates! Do not let your website host tell you otherwise. Let’s Encrypt is trusted by WordPress, Mozilla, Google, and more.
If you host uses cPanel and they are not running cPanel 62, demand that they update to cPanel 62 and turn on autoSSL. autoSSL is a WHM setting that automatically installs SSL certificates issued by Comodo — 200 certificates per server — to domains. There is also a Let’s Encrypt plugin for WHM/cPanel that allows for an additional 100 certificates, for a total of 300 certificates per server. There is no reason for you hosting provider to not provide free SSL if they are running WHM/cPanel. If they refuse to do so, then it’s time for you to look for a new host.
Skookum Monkey Provides Free SSL Certificates
All of Skookum Monkey’s hosting packages come with free SSL. We have provided this service for a year, free of charge, as we anticipated this move by Google. We have done this in three phases.
When we first implemented free SSL, customers had to email us to install the certificate for them because, at that time, Let’s Encrypt didn’t have a cPanel plugin. Then, Let’s Encrypt created a plugin for WHM/cPanel and we wrote a tutorial about how to install your own Let’s Encrypt SSL certificates via cPanel. Then, to make it even more convenient to our customers after Google made the mandatory SSL announcement, we turned on autoSSL. This translates to: Existing domains on our servers got an SSL certificate installed automatically and all future domains have the SSL certificate installed when the domain is added to the server. Then, we updated our Let’s Encrypt SSL certificate installation tutorial to reflect these changes.
And we’ve made it clear to customers following our Softaculaous WordPress installation tutorial to always choose SSL installation.
Aside from following Google’s SSL guidelines, we also follow WordPress’ hosting guidelines, which are PHP version 7.x and MariaDB 10.x. Below you’ll see full details of Skookum Monkey’s hosting environment:
If you have any questions about what these changes to Google Chrome mean to you, how to talk with your existing host about turning on autoSSL, or would like more information about Skookum Monkey’s hosting packages, do not hesitate to contact us.