Be Devious

Friendly, helpful, personal web services. Seriously.

LetsEncrypt – Securing the internet, for free!

July 4, 2016 by Dominic Vermeulen-Smith

I was surprised recently when speaking with a friend about the Be Devious WordPress Hosting services I’ve just launched, when I told him that I’ll be including SSL for free for all the websites I sell. He didn’t know what SSL was, but that wasn’t what surprised me, he’s far less geeky than I.

But when I went on to say “you know, when you get the little green padlock at the top? That one you’re supposed to check for before entering your card details online?“. Nope, he had no idea. I thought that message had gotten through!

So turns out some people still don’t know what this is. But if you have a website you need to, and it is becoming more and more the consensus that you should have it.

What is SSL / TLS / HTTPS?

Secure Socket Layer / Transport Layer Security / Hypertext Transfer Protocol Secure.

That cleared it up for you?

No?

OK, I’m not going to go into detail about how this works right now, as it’s not specifically required for this article. In general, without SSL, any information that is sent from your browser to a web server is sent “as is”, i.e. it’s just sent as text. So if I log in to a site with myusername and mypassword, anyone clever enough and with a mind to intercept or log that message can pretty much just pick out my login details.

When SSL is in place, before your browser sends anything out it encrypts it. That is, it turns it into a meaningless mess of letters, numbers and special characters. The only way it is possible to translate this back to what it was in the first place is to pass it to the web server which has the key to unlock the code.

That’s it in a nutshell.

SSL can be considered relatively expensive, especially for small businesses, blogs or non-profits. Many consider that making the decision of whether or not to secure users’ personal information a financial one isn’t a good thing. Enter LetsEncrypt…

What is LetsEncrypt?

SSL certificates are issued by bodies called Certificate Authorities. Those who are trusted to issue SSL certificates work with those who make browsers so that if a website attempts to use a certificate that isn’t trusted, your browser can warn you of this.

LetsEncrypt is a new Certificate Authority backed by some big players including Automattic (WordPress) and Google (Google). Their advisory board has also got some big boys sat on it including folks from Mozilla, Akamai and Cisco, so you know it is the real deal.

These guys are committed to six key principles – Free, Automatic, Secure, Transparent, Open, Collaborative. I think we can all get on board so far yes?

What you can take away from this is that they want to take the financial angle out of security and make the internet a safer place for all.

Another important point to note is that HTTP2, a new technology that is a major upgrade in how websites work and will have a large impact on website speed, only works with SSL. It’s therefore in everyone’s interest to secure their sites to be ready for their servers to be upgraded to use HTTP2.

Ways to use LetsEncrypt

So first off there are a couple of ways to get a certificate from these guys that do require some technical knowledge. And by that I mean you need to know how to use the command line. If this doesn’t sound like you, or you’ve never heard of SSH or Shell access, I suggest you don’t attempt this.

If you think this is for you, I’m not going to reinvent the wheel, there’s a couple of really decent run throughs of this provided on the WPMU blog:

  • Via the Command Line
  • Using Certbot

Personally I’ve found that it is considerably easier to pass the “heavy lifting” of this process to someone else. Fortunately Plesk has provided an add-on to not only install certificates but manage the renewals for you, and for a small price you can purchase one for cPanel.

  • Plesk LetsEncrypt Extension
  • LetsEncrypt for cPanel

Did I mention that all Be Devious WordPress Hosting comes with a LetsEncrypt certificate set up for you on your domain? And that all Be Devious Web Hosting uses Plesk and has the LetsEncrypt extension available for you to install certificates to your heart’s content?

Maybe I did, oh well, you definitely know now!

Limitations

Of course there have to be some limitations. I’d be interested in hearing from people if there are more that need to go onto this list…

Wildcards

When you set up an SSL certificate, you need to specify the domains that you want to include. Normally you’d want at least mydomain.com and www.mydomain.com covered. You may also wish to cover all of your sub-domains as well, i.e. subdomain.mydomain.com – in the general SSL market, you can get something called a wildcard certificate. This means all your subdomains are included automatically, often written as *.mydomain.com ( * = all ).

LetsEncrypt have stated that they don’t support wildcards and don’t plan to.

Via the command line and Certbot methods you can list multiple domains for one certificate and so you could include numerous sub-domains, however you’d need to update this every time you created a new sub-domain.

The Plesk extension currently only supports the www. and non-www. versions of a domain and there are no further options.

I’ll come on to how to work around this shortly.

Browser Compatibility

During the Beta stage of testing there were a number of issues raised with compatibility of certain browsers on certain operating systems. Google Chrome on Windows XP and Windows Vista to name a couple. These were resolved, but it is possible that older browsers and operating systems could in future throw security warnings for valid LetsEncrypt certificates.

It’s something to be aware of. Personally I have opted for the more affordable, higher level of security and at every opportunity recommend people stop using outdated and unsupported browsers and operating systems.

Renewals

Depending on the method of set up, you may need to manually manage certificate renewals. LetsEncrypt certificates are only valid for 90 days. This is to enforce faster and more frequent updates, which is especially handy if security vulnerabilities are discovered, i.e. if someone figures out how to hack LetsEncrypt, you are a maximum of 90 days away from getting a new certificate. If you’re smart and engaged you will renew sooner.

The extensions offered for Plesk and cPanel handle all the renewal processes for you, and the Plesk extension even revokes certificates automatically when a domain is deleted from the control panel.

Rate Limits

There are limits on how many certificates can be registered per week, per domain and per IP address. If you’re requesting enough for this to affect you, I’m assuming you’re technical enough to read about the limits directly from the source.

WordPress

LetsEncrypt works just fine with WordPress. Here’s a few handy tips to look at.

.htaccess

.htaccess is an Apache file that essentially is the last point that your server might interject on a request being made by a visitor’s browser before it hands off to the WordPress PHP files to generate a webpage. It is commonly used for enforcing redirects and can be handy for managing requests and forcing them to head to the https version of your site.

A quick Googling of the topic will show you numerous options of what to use here, but through my experimentation, here’s what works best:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This is my preferred method because it captures every request not using SSL and dynamically redirects to the host AND the URL. It is assumed a lot of the time that your website only makes use of one domain. If you are using WordPress multisite with multiple domains, sub-domains, sub-directory sites and mapped domains, this should have you covered.

Updating everything to HTTPS

An important point to note is that when using SSL, all resources on a website must also be requested over SSL. If they are not, they will either not be downloaded, which would cause the page to look terrible or malfunction in the case of images, style sheets and JavaScript files, or they will throw a security warning.

My recommendation is to use the Really Simple SSL plugin – this adds another few rules to your .htaccess as well as making some updates to the database to ensure that requests for resources are updated.

If you are using a CDN, you’ll also need to make sure that they offer SSL access to your pull zones.
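To check a page for resources that are still requested over plain http after the switch, the following added example (not from the original post) scans a saved copy of the page's HTML. The function names, the sample markup and the example.com URLs are constructed for illustration, and the matching assumes each tag sits on a single line.

```shell
#!/bin/sh
# Added example: list the subresources a saved page still loads over http://.

# find_mixed_content FILE: print each insecure subresource URL once, sorted.
find_mixed_content() {
    q="[\"']"    # accept either quote style around attribute values
    {
        # Tags whose src= is always fetched as part of rendering the page.
        # The whitespace before "src" keeps lazy-load data-src= out of it.
        grep -Eio "<(img|script|iframe|embed|audio|video|source)[^>]*[[:space:]]src=${q}http://[^\"'>]+" "$1"
        # <link> is only a subresource for stylesheets; canonical or
        # alternate links are never fetched, so they are skipped.
        grep -Eio "<link[^>]*>" "$1" |
            grep -Ei "rel=${q}?stylesheet" |
            grep -Eio "href=${q}http://[^\"'>]+"
    } | sed -E "s/.*=[\"']//" | sort -u
}

# write_sample FILE: constructed page with three insecure subresources.
write_sample() {
    cat > "$1" <<'EOF'
<link rel="canonical" href="http://example.com/">
<link rel='stylesheet' href='http://example.com/wp-content/themes/t/style.css'>
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://example.com/wp-content/plugins/p/app.js"></script>
<a href="http://example.org/">an ordinary link, not a subresource</a>
<img class="logo" src="http://example.com/wp-content/uploads/logo.png">
<img src="//cdn.example.net/a.png">
<img data-src="http://example.com/lazy.png" src="https://example.com/ph.png">
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
find_mixed_content "$tmp"
rm -f "$tmp"
```

Ordinary `<a href>` links and protocol-relative URLs are deliberately not reported, since neither forces an insecure download on an https page.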

Are you using SSL? What’s your experience?

Setting up SSL can be easy, but it can also cause some headaches. Share your experiences and tips in the comments below.

Filed Under: Hosting, Security, SEO

Website backups – do you KNOW how?

July 4, 2016 by Dominic Vermeulen-Smith

You gotta love a good backup. A few months ago I found that I didn’t love backups enough. Or at least I hadn’t been paying my backup processes nearly enough love. We won’t even talk about whether or not I’d ever fire drilled a recovery. A simple mis-typed command into a Linux terminal while necessarily logged in as the root user started me on a path of learning that a neglected relationship with your backups leads only to pain.

Since this horrific ordeal I’ve come to be considerably more of an expert in backups than I was previously. Here’s a run down of the various backup methods I’ve tried and/or now employ to ensure I’ve got things covered, including their pros and cons when it comes to attempting to restore.

First off I’ll give you some food for thought on what your situation might be, then I’ll give you some tips on how to improve things.

If you are a web hosting customer of whoever, know what is being backed up

Shared hosting

Shared hosting, not normally called shared hosting, but if you’re paying a few quid a month on hosting, you’re on shared hosting. These services are pretty much always backed up, to an extent.

Shared hosting essentially means your websites, the files and databases are on a server with other people’s websites, their files and databases. As you share an operating system and the hardware (memory, processors, hard disks – at least in a virtual sense), all this will be managed by your hosting company. If they make a mistake, they better hope they’ve got their customer’s data backed up and are able to restore it quick smart but they will likely not take any responsibility for the impact to you or your business for downtime during a restoration.

It’s worth checking your shared hosting Ts&Cs to see what the deal is on your hosting package.

VPS & Dedicated Server

So contrary to shared hosting, here it’s unlikely that your hosting provider has your back when it comes to securing your stuff. Here’s a list I find useful when it comes to backups to make sure I have everything covered. Ask yourself, if your server disappeared tomorrow, how quickly could you restore:

  • Your server software, including – operating system, php, apache, nginx, apache MySQL files and updates
  • Your server control panel, including – domain settings, DNS settings, account settings for resellers
  • Your websites files
  • Your website databases

These tend to come in a couple of different flavours – managed and not managed. If managed, you may find that they take care of the first couple but it’s worth checking. It’s rare that backups for the second two are included as part of a standard package. Even though they might sell them as extras, just consider whether you want your backups stored in the same place as your server, ehem, 123-reg…

Cloud Servers

Here I’m really talking about those who have their own servers and VMs spun up on services like the Google or Microsoft Clouds. These services should be pretty solid, you hope, but you can still back up an entire server image in one, perhaps not the best for a regular backup, but before and after any major updates it could be a good way to keep hold of stable versions of your systems.

Hosted / Managed Website Services

Now here is somewhere you definitely want to check what your provider is doing to look after your site(s). It’s common that you won’t have any access to files or databases, and with a CMS like WordPress you probably won’t have the ability to install any backup plugins. If you want an extra layer, you can always look at regularly exporting your content and storing it somewhere.

OK, so make sure you know what’s being backed up, now, how can you go the extra mile here?

Via Control Panel

For those using a popular server control panel such as cPanel, Plesk or Direct Admin, you’ve got a few easy options at your disposal.

In the Tools & Settings look for “Backups” or “Backup Manager“. These tools will normally allow you to schedule backups of your control panel configuration – your settings, domain settings and customer settings for resellers – as well as your files and databases.

You should also get options to store these backups in a remote location via FTP. Use this option. What? Your hosting costs just went up from needing another server to store this stuff on? A necessary cost.

Another handy setting is incremental backups. Setting these every hour or so will mean only files that have been added, removed or changed will be added, removed or changed in the backup location. This can be great for going easy on your server’s resources. While a daily snapshot / total backup can give you something to roll back to if you need to, in case of a hack, for example.

Resources:

  • Plesk Backup and Restore
  • cPanel Backup and Restore
  • Direct Admin Backup and Restore

CMS

I’m really only an expert in WordPress here, so let me tell you about a few good options.

I mentioned using the WordPress export functionality already (under tools). Though not ideal as you can’t automate, plus this actually only generates an XML file, i.e. text only. Obtaining your images later via this method actually relies on them still being in place on your server.

Here’s some other plugins that might make your life a bit easier:

iThemes Security

A classic for securing WordPress, and one I recommend every time, especially given that the free version is actually pretty damn good. A feature of the free version is automated daily database backups that can be sent to you by email. Make sure this is sent to an email that IS NOT hosted on the same server as your website…

Resources:

  • iThemes Security

Backup Buddy

Also from iThemes, a well renowned backup plugin that can backup your files and databases at regular intervals and automatically send them to remote locations. Backup Buddy also makes it very easy to restore from backup files which can be used to recover from a rogue plugin or user error.

Resources:

  • Backup Buddy

WPMU’s Snapshot Pro

My favourite plugin for backups in WordPress, mainly because it’s great for WordPress Multisite Networks. You can set the plugin to back up a specific site’s files and/or its database tables. I’ve been able to use it in the past to restore a site to a version backed up an hour ago whilst not touching or impacting any other sites on the network. A missing feature is the ability to back up the entire network in one, but word on the street is that this is in the pipeline, along with remote storage for WPMU members to go alongside its current FTP, GDrive, OneDrive and DropBox options.

Resources:

  • WPMU’s Snapshot Pro

Some others that may interest you

Mover.io

Got to give a shout out to Mover.io. This service can be used not only for backups but also migrating files between numerous other services including OneDrive, GDrive, DropBox (for free I might add) as well as “Premium Connectors” like FTP and sFTP for $20 / month. This can be used to effectively create a mirror of your website’s files on another web server, FTP storage server or cloud storage service like the ones mentioned above.

As with other methods mentioned here, the incremental option is a powerful one, enabling an hourly update of files that have changed since the last run.

Something to watch for – if you delete files from your website, they are not deleted from the mirror which adds an extra thing to think about if using it for restoration.

Something else to watch for – an hourly process like this requires Mover.io to login via FTP every hour and check through the created and modified time stamps for every file, this can be a little intensive on server resources.

Databases

A clear shortfall of using a service like Mover.io to back up via FTP is that it won’t include your databases. Not to worry, dumping your database into your website directory on a regular basis will include it in one of your regular incremental backups. Just be sure to update the dump file’s permissions so that it isn’t publicly accessible.

Here’s some methods you can use for this:

  • MySQL Export – via phpMyAdmin, click the export tab and export an SQL file.
  • Cron MySQL Dump – set up a cron or scheduled task containing the mysqldump command to save a copy of the database
  • WP CLI DB Export – If you are using WordPress, installing the WP CLI utility and using the wp db export command will pretty much do the same as mysqldump but will take care of the username and passwords for you
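One way to script the cron dump so the file is never publicly accessible, as an added example that is not from the original post. It assumes Apache 2.4, database credentials stored in ~/.my.cnf, and hypothetical paths; `backup_db`, `DUMP_CMD` and `BACKUP_DIR` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: cron-friendly dump that stays private even though it lives
# under the website directory, where a file-level mirror will pick it up.

# Command that writes the SQL dump to stdout. Credentials come from
# ~/.my.cnf, so they never appear in the crontab or the process list.
DUMP_CMD=${DUMP_CMD:-"mysqldump --single-transaction --all-databases"}

# backup_db DIR [KEEP]: write DIR/db-<timestamp>.sql, keep the newest KEEP
# dumps (default 7) and print the path of the new dump.
backup_db() (
    dir=$1
    keep=${2:-7}
    umask 077                        # new files 600, new directories 700
    mkdir -p "$dir" || exit 1
    chmod 700 "$dir"                 # also tighten a pre-existing directory
    # Second layer: refuse HTTP access even on hosts where the web server
    # runs as the file owner and could read the dump.
    printf 'Require all denied\n' > "$dir/.htaccess"

    out="$dir/db-$(date +%Y%m%d-%H%M%S).sql"
    # Dump to a temporary name so a failed run never looks like a good backup.
    if ! $DUMP_CMD > "$out.part" || [ ! -s "$out.part" ]; then
        rm -f "$out.part"
        echo "backup_db: dump failed or was empty" >&2
        exit 1
    fi
    mv "$out.part" "$out"

    # Timestamped names sort chronologically; delete everything past KEEP.
    ls -1 "$dir"/db-*.sql | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$old"; done
    echo "$out"
)

# Example crontab entry (hypothetical paths), hourly at minute 5:
# 5 * * * * BACKUP_DIR=/path/to/httpdocs/.dbdumps /usr/local/bin/db-backup.sh
if [ -n "${BACKUP_DIR:-}" ]; then
    backup_db "$BACKUP_DIR"
fi
```

Setting the umask before the file is created means the dump is never world-readable, not even for the moment between writing it and a later chmod.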

So there you have it

Some food for thought for many I’m sure. I’m not sure that I ever would have focused on my backup processes so closely if I hadn’t had to experience a disaster first hand, so perhaps a blessing in disguise.

Of course having backups is only one half of the game, ensuring their integrity and knowing how to restore, and restore quickly, is the other half. I’ll come to that soon.

Please use the comments board to share your preferred methods of backing up!

Filed Under: Hosting

Copyright © 2025 BDEVIOUS LTD. Registered in England and Wales 10124924