I know, it sucks.

There are a ton of people out there with nothing better to do with their time than snoop around on the Internet watching for people who send login information, such as Usernames and Passwords, unsecured through the webs of the Internet.

Then when they capture someone’s login credentials, they take it upon themselves to easily log into the person’s account and fill it up with spam links and viruses.

Like I said, it sucks.

Unfortunately, it’s true and unless you take steps to protect what you’ve spend so many hours away from your family building, someone some day may take great pleasure in destroying. Even worse, they don’t even care that your website is what helps put food in your children’s mouths or collect donations to help fight cancer.

The worst part is many times they don’t even know who you are.

They use automated scripts/bots/spiders or whatever your choice term is for automated programs designed to sniff you, the unprotected WordPress users, out.

Where They Find Your Username & Password

As a web host, we have to deal with protecting customer Usernames and Passwords when they connect to their web hosting control panel, but when it comes to 3rd party programs like WordPress, it is up to the user to secure their program.

But that’s why I’m here, right?

When it comes to WordPress, there are 3 primary ways your Username and Password will be sent to your web hosting server unprotected:

1. When logging into WordPress
2. When changing passwords and/or adding new users to WordPress
3. Through your FTP connection (independent of WordPress)

In this article, we’ll discuss how to protect your Username and Password through SSL when logging into WordPress and doing things like adding new WordPress users and changing passwords.

In a follow-up article, we’ll discuss our FTP problem.

Encrypting Your WordPress Session

I know, no body wants to spend more money on something that doesn’t immediately get them a return on their investment.

But what does a business owner of a brick and mortar store think when she purchases a security system for their shop? That’s how you should think about your WordPress blog’s security.

The best way to encrypt your WordPress session is through SSL.

SSL stands for Secure Sockets Layer and basically what it does is allow for transfers of information over the Internet, such as your Username and Password, to be done in an encrypted manner.

You can buy one from our company by visiting our SSL Certificate page.

If you’ve ever purchased something online where you had to enter in a credit card number, chances are the web page you were on was encrypted with SSL. You can easily spot if this is so by looking up into the address bar and seeing if the web address starts with https:// as opposed to the standard http://.

The https:// means that when you fill in your name, address, credit card information, etc., it’ll all be transmitted over the Internet encrypted.

We can use this same method e-commerce sites use to encrypt our credit card information to encrypt our WordPress login information.

Setting Up SSL

To set up WordPress to work under SSL, you’ll need the following:

1. Your own domain name
2. Web hosting with WordPress installed
3. A dedicated IP address for your web hosting (purchased through your web hosting provider)
4. An SSL Certificate ($30/yr. if purchased from us)

Assuming you have your own domain name and WordPress blog already set up, the next thing you’ll need to do from the list above is purchase a dedicated IP address for your web hosting. To do that, you’ll need to contact your web hosting provider or visit their products page and purchase one.

Setting this up is easy. For the most part all you need to do is purchase it and tell it which domain name you want it applied to.

Once that is done, you’ll need to purchase an SSL Certificate. Some web hosts sell them while others do not. You can also find other companies that sell them, such as VeriSign; but in my experience, those companies are usually more expensive. Notice how they don’t even advertise the price on their landing page, you have to contact them for a quote.

How to install an SSL Certificate on your web hosting server is beyond what I want to get into in this article, but after you purchase one what happens is you will download the certificate and need to upload and install it on your web hosting account.

The process typically isn’t fun for those of you who think SSL was some kind of Saturday Night Live skit, but your web hosting company should help you get it installed. If not, tell them “Hey . . . thanks, buddy!”

The good news for WP Blog Host hosting customers is that we make this process very easy for you!

What else would you expect from a company whose target customers are newbie bloggers?

If you are a hosting customer of WP Blog Host, we will include free with your SSL Certificate (when purchased from us) a dedicated IP address and best of all, we’ll even install everything for you so your website is SSL ready.

All you’d need to do is wait for an email informing you everything is set up.

From that point, once you have managed to get your website SSL ready, you can move on to the next step and actually apply it to your WordPress admin area.

Setting Up WordPress To Use SSL

Now that you got SSL set up to work on your website (i.e. https:// is available), you can move on to the simple step of telling WordPress it can use SSL to log you into WordPress securely and encrypt the stuff you do from within your Dashboard (write posts, create users, change passwords, etc.).

Log into your web hosting control panel and head over to your File Manager.

From there, locate your wp-config.php file and open it up using your control panel’s file editor.

Once opened, paste this code anywhere inside it:

/* Force Login and Admin SSL */
define(‘FORCE_SSL_LOGIN’, true);
define(‘FORCE_SSL_ADMIN’, true);

Source: WordPress.org SSL

I know adding security to your blog is not fun, but it really is a necessity.

I think $29.99 a year for an SSL Certificate is money well spent. I know it might suck getting it set up (unless you’re a hosting customer of WP Blog Host), but once it’s done, it’s done – and you’ll be logging into your blog over an encrypted channel from now on.

You can see that I’m using SSL for this blog, just go up to the address bar and add a “s” to the http (i.e. https://wpbloghost.com/blog).

I don’t run my frontend encrypted because many of the images I have linked to are not https and would cause Internet Explorer to pop up a warning box to users which I feel might scare some of them away. It just tells them there are some items which are secure and some which aren’t (like pictures).

Questions:

Do you think your blog’s security is worth $30 a year?

How many of your are convinced this is something you really should do but in reality you probably will never get around to it?

UPDATE: I forgot to mention WP Blog Host is running a few promotional codes you can use when purchasing products. If you purchase an SSL Certificate, you can save 5% or more by using the promo codes below. Codes are good through Thanksgiving.

Promo Code Description Start Date End Date 100CN15 15% discount off any order $100 or more 11/2/2009 11/27/2009 50CN10 10% discount off any order $50 or more 11/2/2009 11/27/2009 5NC25 5% discounts on orders $25 and over 11/2/2009 11/27/2009 Visit our Product Catalog to view all our hosting and domain products.

Related posts:

1. WP Blog Host Domain, Blog Security, & Hosting Promotions – Get'em While Their Hot
2. 2 Killer WordPress Security Plugins You Probably Don’t Know About
3. Start A Blog: Free or Paid? WordPress or Blogger?
4. WordPress Defender: 30 Ways to Secure Your Blog from Attack Anyone Can Do
5. WordPress Security: The First Thing You Should Understand