# SSL



## KandCfamilyfarm (Nov 4, 2017)

Don't let me fool you with anything I say; I don't know nothing about computers.

OK, so let's get to the question. I had someone start a site for me on sitebuilder and I am trying to get SSL certification for free that works properly. When I say SSL I mean the little security lock thing in the address bar that makes my site secure.


----------



## KandCfamilyfarm (Nov 4, 2017)

They call it SiteLock.


----------



## Nevada (Sep 9, 2004)

I'm not sure what you're doing that requires SSL (Secure Sockets Layer), but SSL certificates are not expensive and easy to find. People use SSL to do two things.

1. SSL encrypts communications. That prevents anyone from using a packet sniffer to see sensitive information, such as passwords or credit card data. A packet sniffer can still see the communications, but the communications will be encrypted so it won't do them any good.
2. To ensure that your website isn't being spoofed by a scammer. That's accomplished by checking your website's encrypted key against a recognized certificate vendor. That prevents a scammer from misdirecting your visitors to another website to steal their credit card data.

You can use SSL encryption without a certificate but your visitors will get a warning that your site might not be secure. If potential customers see that warning then they might not have confidence to use a credit card at your website.

There's a lot more competition in SSL certificates than there used to be, so certificates have become inexpensive. Look at your domain registrar to see if they offer them. The last I looked at Godaddy.com they offered SSL certificates for about $10/year. Your web host should be able to help you get the information you'll need to apply for a certificate.

Why do you believe that you need a certificate? Since most hosting is done today as "shared" IP address hosting, you'll have to make sure that your hosting includes a dedicated IP address, since a unique IP address is necessary for an SSL certificate. That will probably increase your hosting cost by a few dollars per month.


----------



## KandCfamilyfarm (Nov 4, 2017)

Nevada said:


> I'm not sure what you're doing that requires SSL (Secure Sockets Layer), but SSL certificates are not expensive and easy to find. People use SSL to do two things.
> 
> 1. SSL encrypts communications. That prevents anyone from using a packet sniffer to see sensitive information, such as passwords or credit card data. A packet sniffer can still see the communications, but the communications will be encrypted so it won't do them any good.
> 2. To ensure that your website isn't being spoofed by a scammer. That's accomplished by checking your website's encrypted key against a recognized certificate vendor. That prevents a scammer from misdirecting your visitors to another website to steal their credit card data.
> ...


Thank you! In a month or so we plan on accepting credit/debit and PayPal transactions. Again, thank you!


----------



## Nevada (Sep 9, 2004)

KandCfamilyfarm said:


> Thank you! In a month or so we plan on accepting credit/debit and PayPal transactions. Again, thank you!


You won't need a certificate for PayPal, since you simply direct customers to PayPal and they have their own certificate. Note that PayPal now offers customers the option to use a credit card for a purchase without joining PayPal. That could be good enough for your needs without getting a merchant account or a certificate.

If you'll have a merchant account and accept credit cards online then you'll need a certificate.

1. Host your site with a dedicated IP address. You won't be able to use a certificate without your own unique IP address.
2. Generate a key request (Certificate Signing Request, or CSR). Your web host will help you with that.
3. Buy your key from a recognized vendor. When accepting credit cards don't use a free key.
4. If you plan to store credit card information then make sure your processing application uses a database. Information stored in a database is protected with strong encryption.

If your hosting service comes with control panel access then you can generate your SSL key information yourself. If you're new to this then you need a web host with good technical support.

Notice that this domain (HT) forces https with a certificate of authority. You can see that in the address bar. They're doing that so when we log in our passwords are encrypted, which avoids a hacker getting access to the forum. HT is using Thawte for their certificate vendor.


----------



## KandCfamilyfarm (Nov 4, 2017)

Nevada said:


> You won't need a certificate for PayPal, since you simply direct customers to PayPal and they have their own certificate. Note that PayPal now offers customers the option to use a credit card for a purchase without joining PayPal. That could be good enough for your needs without getting a merchant account or a certificate.
> 
> If you'll have a merchant account and accept credit cards online then you'll need a certificate.
> 
> ...


WOW!!! There are other reasons also I want my site to have SSL, but people ordering and entering personal information at the site need to be protected. Also, when you go to the site people don't know if it is safe or not because their browser tells them there is no SSL, and that messes up my bounce rate. Right now it's at 52%; before that it was at 100%.


----------



## Nevada (Sep 9, 2004)

KandCfamilyfarm said:


> WOW!!! There are other reasons also I want my site to have SSL, but people ordering and entering personal information at the site need to be protected. Also, when you go to the site people don't know if it is safe or not because their browser tells them there is no SSL, and that messes up my bounce rate. Right now it's at 52%; before that it was at 100%.


Yes, a message that your website is unsafe is a real wet blanket for business.


----------



## KandCfamilyfarm (Nov 4, 2017)

Do you know anything about WordPress and sitebuilder?


----------



## Nevada (Sep 9, 2004)

KandCfamilyfarm said:


> Do you know anything about WordPress and sitebuilder?


I install WordPress for clients regularly, but I don't use it myself. Hopefully someone will come along who can provide advice for you.


----------



## royB (Dec 15, 2004)

You may want to check with your merchant account/payment gate on their requirements for PCI compliance for website processing. Anyone that accepts credit cards is required to meet some level of compliance, some simple, some not so much.

A word of caution on WordPress: it's a great tool and has many options, but with them come security risks. If you go with WordPress you will NEED to keep all plugins and WordPress updated. Lots of scanning done targeting WordPress sites because of it. If it's not a huge site you might be better off using a shopping cart site like Sparkpay or one of the others.


----------



## KandCfamilyfarm (Nov 4, 2017)

royB said:


> You may want to check with your merchant account/payment gate on their requirements for PCI compliance for website processing. Anyone that accepts credit cards is required to meet some level of compliance, some simple, some not so much.
> 
> A word of caution on WordPress: it's a great tool and has many options, but with them come security risks. If you go with WordPress you will NEED to keep all plugins and WordPress updated. Lots of scanning done targeting WordPress sites because of it. If it's not a huge site you might be better off using a shopping cart site like Sparkpay or one of the others.


Thank you for the information!


----------



## Nevada (Sep 9, 2004)

royB said:


> You may want to check with your merchant account/payment gate on their requirements for PCI compliance for website processing. Anyone that accepts credit cards is required to meet some level of compliance, some simple, some not so much.


Just make sure that at least one of the payment gateways supported by your merchant account provider is also supported by your website shopping cart. The authorize.net gateway has the widest support base. Pretty much everyone is compatible with authorize.net.



royB said:


> A word of caution on WordPress: it's a great tool and has many options, but with them come security risks. If you go with WordPress you will NEED to keep all plugins and WordPress updated. Lots of scanning done targeting WordPress sites because of it. If it's not a huge site you might be better off using a shopping cart site like Sparkpay or one of the others.


That's probably the most frustrating security problem I have to deal with. A client installs a web application and 5 years later it's never been updated. I hate that!

But for WordPress security, follow these guidelines.

1. Whenever you log in as administrator, look in the upper left corner to see if there are any updates available. If so, click on the update notices to automatically update your installation. Update everything, including themes, since there can also be vulnerabilities in themes.
2. Don't use "Admin" for the administrator login name. Since "Admin" is created by default it gives away half the username/password puzzle.
3. Install WordPress from an install utility (usually part of your hosting control panel). That will preserve the optimum file permissions for the best security. If you upload the files by FTP then all files will have the default permission set, which would be less secure.
4. Make sure that your hosting provider is using Apache. WordPress uses .htaccess files for access permissions. Other html servers, such as nginx, don't support .htaccess.


----------



## KandCfamilyfarm (Nov 4, 2017)

Nevada said:


> Just make sure that at least one of the payment gateways supported by your merchant account provider is also supported by your website shopping cart. The authorize.net gateway has the widest support base. Pretty much everyone is compatible with authorize.net.
> 
> 
> 
> ...


Honestly I tried WordPress and couldn't get it to extract the file properly. Probably has something to do with my operating system. I have had to recover and rebuild the Windows 7 on my laptop a few times and it still don't run right, but it runs, and I think that is not bad considering this is my third hard drive.


----------



## Nevada (Sep 9, 2004)

KandCfamilyfarm said:


> Honestly I tried WordPress and couldn't get it to extract the file properly. Probably has something to do with my operating system. I have had to recover and rebuild the Windows 7 on my laptop a few times and it still don't run right, but it runs, and I think that is not bad considering this is my third hard drive.


I have a utility that installs any of about 150 of the most common open source web applications, including WordPress. It's extracted and installed automatically. Clients love it.


----------



## CajunSunshine (Apr 24, 2007)

What utility do you use?


.


----------



## KandCfamilyfarm (Nov 4, 2017)

CajunSunshine said:


> What utility do you use?
> 
> 
> .


Mostly freeware WinZip, 7-Zip. I get most of my downloads from CNET. Unless I am messing around trying to stress test, then I use things like LOIC, HOIC, but then I have to go outside my personal network, which I don't like to do. I prefer to use Notepad++, joke lol. But seriously, LOIC and HOIC could probably be a big contributor to some of my fried hard drives of the past and the reason I need new thermal compound for my CPU. Honestly not trying to download anything shady; this is my only PC right now. But if it is on the up and up and free I will give it a spin.


----------



## Nevada (Sep 9, 2004)

CajunSunshine said:


> What utility do you use?


It's called the APS Installer. It comes as part of ISPConfig 3, a web hosting control panel.



KandCfamilyfarm said:


> Mostly freeware WinZip, 7-Zip. I get most of my downloads from CNET.


The application catalog is limited to website applications. Things like e-commerce shopping carts, image galleries, web traffic analytics, content management, as well as website/blog applications like WordPress and Joomla. About 150 applications in all.

It's nice because it creates required databases and sets file security permissions for you. Just install, login as administrator and begin configuration.


----------



## royB (Dec 15, 2004)

Nevada said:


> That's probably the most frustrating security problem I have to deal with. A client installs a web application and 5 years later it's never been updated. I hate that!


Yeah, I've had the pleasure of fixing sites for clients that their "web guy" didn't bother to update and they were hacked.

All great advice for WordPress security changes, Nevada.


----------



## Nevada (Sep 9, 2004)

royB said:


> Yeah, I've had the pleasure of fixing sites for clients that their "web guy" didn't bother to update and they were hacked.


The problem is actually worse than that. While it's never happened to me, when a hacker gains access to a WordPress installation it's possible to create other mischief in the server. Unfortunately, clients working with WordPress and Joomla is the hosting reality today.


----------



## KandCfamilyfarm (Nov 4, 2017)

Nevada said:


> It's called the APS Installer. It comes as part of ISPConfig 3, a web hosting control panel.
> 
> 
> 
> ...


Just wondering, have you ever had to break into your own system? I been trying to brute force my router to gain access to my inverter's network and my ISP won't come off how to get in to it. I used to have my own router I did use, but lightning fried it and I had to go with my ISP equipment for my ADSL.


----------



## Nevada (Sep 9, 2004)

KandCfamilyfarm said:


> Just wondering, have you ever had to break into your own system? I been trying to brute force my router to gain access to my inverter's network and my ISP won't come off how to get in to it. I used to have my own router I did use, but lightning fried it and I had to go with my ISP equipment for my ADSL.


Fortunately I've never bricked my system (knock on wood).

If you can't get into your router then reset the router to factory settings. Using a straightened paperclip, press and hold the reset for 30 seconds.


----------



## KandCfamilyfarm (Nov 4, 2017)

Nevada said:


> Fortunately I've never bricked my system (knock on wood).
> 
> If you can't get into your router then reset the router to factory settings. Using a straightened paperclip, press and hold the reset for 30 seconds.


Tried the paper clip thing and checked for information on the sticker. It's cool.


----------



## CajunSunshine (Apr 24, 2007)

Don't forget to change the name, password and security settings on it ASAP (like right now). If you leave your router on factory settings, you are leaving yourself wide open for hackers to access your network.


.


----------



## KandCfamilyfarm (Nov 4, 2017)

CajunSunshine said:


> Don't forget to change the name, password and security settings on it ASAP (like right now). If you leave your router on factory settings, you are leaving yourself wide open for hackers to access your network.


I don't think they would get anything. My system couldn't take the extra strain; it would just crash.


----------



## KandCfamilyfarm (Nov 4, 2017)

My installer is broke. I am running sfc /scannow in admin mode to try and fix it. I need to just replace my CD drive so I can use my recovery CD.


----------

