While chatting with some colleagues this past week, I realized that I was running this WordPress blog completely over HTTP, including the login page. Ugh, security fail. A quick Google search revealed that GoDaddy managed WordPress sites do not enable any SSL/TLS by default, even with a self-signed or shared certificate. This is important because anyone capturing network traffic will be able to view the login information to your site in cleartext. This means an attacker is able to log in to your WordPress site as you and do whatever they please. Today I went on a search to see how I could add SSL to the site without any additional cost.
I found a post from SeedProd discussing how to add SSL to a WordPress site via CloudFlare for $20/mo. and for free in the future. I had no idea that CloudFlare had a free plan but they do, and today it includes SSL. The free plan includes many features that enhance the security and performance of the site, SSL among them, so this is a real no-brainer for anyone. Take a look at CloudFlare’s plan comparison chart to get a quick idea of other features available for free.
Following the instructions outlined at SeedProd, I was able to get all of my domains registered and running with CloudFlare in just a few minutes. Thus, we have a quick how-to on adding HTTPS to GoDaddy WordPress via CloudFlare. It was as simple as:
Done. Now my WP is 100% SSL/TLS to site visitors. This discovery was a good validation of why 2-factor authentication is important. Even though this site was using cleartext passwords and exposing my credentials to anyone with visibility, having 2-factor authentication set up with Duo Security gives me a warm fuzzy that no one could have successfully logged into the site.
I still need to go back and set up SSL/TLS between CloudFlare and my WP server (Full SSL), but this is a good start for today.
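One way to confirm the switch took effect is to audit how `wp-login.php` is served. The following is an added example, not code from this post or from SeedProd; `example.com`, the function names and the sample responses are constructed placeholders, and `fetch()` can be pointed at your own site to get live input for `audit()`.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of silently following it

def fetch(url):
    """Fetch one URL without following redirects: (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx arrives here
        resp, status = err, err.code
    return status, dict(resp.headers), resp.read().decode("utf-8", "replace")

def audit(url, status, headers, body=""):
    """Return a list of findings for one response to a wp-login.php request."""
    findings = []
    headers = {k.lower(): v for k, v in headers.items()}
    if urlparse(url).scheme == "http":
        # Plain HTTP is acceptable only if it immediately redirects to HTTPS.
        target = urlparse(urljoin(url, headers.get("location", "")))
        if not (300 <= status < 400 and target.scheme == "https"):
            findings.append("login page is served over plain HTTP")
        return findings
    # HTTPS response: the form must not post credentials back to http://
    for action in re.findall(r'<form[^>]*\baction=["\']([^"\']+)', body, re.I):
        if urlparse(urljoin(url, action)).scheme != "https":
            findings.append("login form posts to " + action)
    if "strict-transport-security" not in headers:
        findings.append("no HSTS header; a first visit can still start over HTTP")
    return findings

# Constructed sample responses (example.com is a placeholder).
FORM = '<form name="loginform" action="%s://example.com/wp-login.php" method="post">'
SAMPLES = [
    ("http://example.com/wp-login.php", 200, {}, FORM % "http"),
    ("http://example.com/wp-login.php", 301,
     {"Location": "https://example.com/wp-login.php"}, ""),
    ("https://example.com/wp-login.php", 200,
     {"Strict-Transport-Security": "max-age=31536000"}, FORM % "https"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], audit(*sample) or "ok")
```

This only covers the visitor-to-CloudFlare leg; it cannot tell whether the connection from CloudFlare to the WordPress server is encrypted.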