Yes, suffering, not surfing. One of the ever-present dangers for those running a blog, or any website for that matter, is that it can become compromised due to a hack or a Man-In-The-Middle (MITM) or other attacks. A hack is usually a direct attack on your PC or the server where your website is hosted and an MITM basically involves someone ‘listening’ in to your web traffic, notably when you’re logging on to your site and intercepting your username and password (amongst other things), taking over your connections, and using that to their advantage. A hack can occur at any time, but can be avoided (to a large extent) using appropriate procedures, security software (depending on your website) and ensuring that all of your software is up to date, amongst other things. To that end, this story is about my trials and tribulations of setting up security for my blog (avoiding the gory – highly technical – bits), as getting clear help for someone that’s not experienced in coding was like the Labours of Hercules and most of the time it felt like I was working in the Augean Stables with a brush and dust pan.
Finding useful assistance was the most difficult aspect, especially with the enabling of an SSL Certificate on my blog. Purchasing a personal certificate was one option but, given that I don’t run an e-commerce site (not yet anyway), I thought that might be somewhat of an overkill. So some suggested that I use a product called Let’s Encrypt, a free SSL Certificate that must be renewed every 60-90 days, except that my host won’t allow the installation of third-party certificates. I was then advised to change host, which is like advising someone to buy a different brand of car because there’s no dealer servicing in your area for the brand that you own. Another suggestion was to use Cloudflare, which provides free SSL certificates through their servers, but this means all of your traffic must be routed through the Cloudflare servers, which creates other issues leading to potential security problems. Then I discovered that I could get a shared SSL Certificate from my host and use that; all I had to do was enable it, which is where the fun began and led me to undertake a steep learning curve, which had no end of hits and misses (lots of misses).
Initially, all that I wanted to achieve was to make the login and administration dashboard of WordPress secure but not the entire site, but as I fumbled around with trying to understand this foreign language that I was learning, I somehow managed to get the entire site delivering securely. However, it’s the login and administration sections that are the most vital to secure in the first instance, as this is what gives access to your entire site and everything behind it. Now when you go onto a website there are two forms of access, http and https: the former means that any traffic travelling between the requesting computer and the site server is not encrypted (it can be intercepted) and the latter means that it is encrypted (it can’t be intercepted, except perhaps by certain government entities). That doesn’t mean that the former sites are unsafe to visit, because in most cases all that you’re doing is downloading text and images, as you do with this blog; but it is possible that a site could be hacked and you could be redirected to an unsafe site (which can even happen with some loosely issued certificates – it’s happened with Let’s Encrypt). Sites where you conduct financial transactions, etc., must be secure and must be https (it will show a lock somewhere on the address bar).
As I said, I just wanted to make the login and administration side of my blog secure and that meant making any such connection https. In my initial endeavour, something went wrong and I couldn’t log in for days. I found a solution, and then other things went wrong and thus the wheels on the bus kept going round and round. A week later, I had fixed everything, found a way to install the shared SSL Certificate without needing a plugin (one that would no longer install properly and would break things, and which probably broke things in the first place) and understood, more or less, what was going on. And just when I thought things were rolling along smoothly, I did something and again things were broken. Once again, trying to find solutions on the internet was the most frustrating thing ever, as no one wrote in clear and concise English.
Now the internet is a cornucopia of information on just about anything and whatever you type into Google, it will return pages and pages (often millions) of articles related to your search query. But, as I found, 99.9% (or more) of coding articles are simply rehashes of previously written articles (often copied word for word and just given a different appearance) with no value adding and little to no recognition that those looking for such information are doing so because they are effectively lost. Time and again I came across potential solutions to my overall problems, but all too often they were incomplete and assumed too much. Most respondents in forums and the like always seem to assume too much of the person asking questions and just leave many obvious things hanging. These obvious things are usually the basics of coding, simple things like where to actually place some code. Usually those experienced in programming or coding try to be helpful, but they speak a foreign language and simply don’t realise that they aren’t communicating effectively.
So, after much effort and anguish, I finally managed to get this blog working fully under https and thought that my work was done. Not so. My blog had disappeared from Google search and when I had a look at Google image search, where many of the photographs from my blog show up, I found that the links weren’t taking viewers to the actual site/photographs, but were returning a 404 error (page not found). Thus started another round of research and pain, trying to find a solution to this issue and, once again, I came across the same issues as I had with implementing https. Nothing seemed to work and then my photographs started disappearing from Google Images entirely. And I did update my Google account details, analytics, custom search engine, etc., so I hoped that things would return to normal in a reasonably short timeframe.
However, after going through all of this and things still looking bleaker every day, I decided to purchase an SSL certificate. Why? Despite getting things working, there were all manner of ongoing issues with a shared SSL Certificate, including redirections, pages/images not found, etc., and my Google rankings and image links, etc., were going the way of the Dodo. In the end, the easiest way was to start afresh with just an http site, buy the SSL certificate, let the host install it and then just change all of the references to https (in WordPress and Google). But in doing this, I still had to be careful with my WordPress changes, for if they weren’t done properly, I could get locked out of my site, as I found out the hard way earlier on (again something rarely mentioned).
If the internet, read Google etc, really does start imposing tighter security on websites, then this is something that everyone that has a website that requires some form of login or comments sign-in may well have to endure at one point or another, as Google and browsers begin to clamp down on insecure sites. Avoid the shared SSL certificate route if that’s available, and save yourself a lot of hassles, but note the options that I mentioned, especially Cloudflare, which are so often recommended. Browsers have already started warning users of insecure sites and won’t open them unless specifically told to do so (giving scary warnings), and this will only become more common as time goes on. And it doesn’t matter whether your site is quite basic, it appears that everyone will be affected by these changes sooner or later. Moves are also afoot to help people use https websites whenever possible.
As a final note, when I finished this story, made all the necessary redirects, notified Google Webmaster, etc., I wondered how long it would be before my blog was back on the first page of Google, where it’s been for several years now, instead of page four and dropping. So I was gobsmacked to discover that only a few days after I enabled https, my blog was back on page one of Google. My images also began reappearing and everything is now as it was before and even one of my photographs appears on the Google search page (the 4WD), so that too is amazing. All in all, while I eventually reverted to a paid method for obtaining https, the prior drama wasn’t completely a waste, as it provided a lot of knowledge about coding. Sometimes doing things the hard way, making mistakes and learning from them has its own rewards as, in this instance, I learned a lot about the tools that I’m using, notably WordPress.
Addendum: Prior to posting this story I also wanted to include a Google custom search box on the site (I had this earlier), but the plugin I used wouldn’t work for some reason (possibly due to incompatibility with the newer version of WordPress I was using), so I went about trying to install this manually via code. The code itself and where to place it appeared to be relatively simple; however, every guide I used, including Google’s, left me with an invisible search box and search page. It was only after scouring Google for days that I finally found a clear and concise explanation and it worked the first time. Everyone, except for this one person, kept repeating the same information and leaving out one small, but vital, detail that prevented things from working. Computer games indeed.