Moving to a more secure web protocol

When you visit most websites you will see in the address bar the protocol that the site uses to deliver content across the Internet. For most websites this will be http, which stands for "Hypertext transfer protocol". The exceptions are sites such as Internet shopping and banking, where (often just during the checkout process) the protocol will be https, which stands for "Hypertext transfer protocol secure".

Https uses encryption which means that when you are communicating with a website using https you can be fairly certain that you are dealing directly with that website and the traffic you are sending and receiving is not being diverted or eavesdropped on. More about https here. Https has become the standard for all websites dealing in financial and other sensitive transactions.

Google to mark websites with http as "Not Secure"

Deploying https comes at a cost, and for most websites, where there is no sensitive traffic, the additional support overhead exceeds the benefit gained. However, Google recently announced that the Chrome browser will display websites that do not use https as being "Not Secure" in the address bar. This will look something like the image below:

In time, Google say the circle with the i in it will be replaced by a red warning triangle.

It is important to note that we have not changed anything with regard to the way we handle security on our servers. Your website is still fully protected by our Wordfence anti-hack and anti-malware scanning system and by the firewalls on our servers.

Your site is no more or less secure than it was before.

Here is what our security software provider, Wordfence, has to say on this issue.

We have decided that, since other browsers have either already announced that they will follow Google Chrome's lead or are considering doing so, moving our blogs on to the https protocol is a sensible upgrade to the security that we already offer. To that end we have started to trial https using the open source certificate authority, Let's Encrypt, on some of our sites. Once this has been done you will see the protocol change in the browser and the "Not Secure" message in Chrome will disappear. For example:

What you need to do

At this stage you need to do nothing. We will roll out https across our network quietly with minimal disruption. However, for some of our older customers rolling out https will present more of a challenge for us. This is because WordPress Multisites can be set up to use either sub folders or subdomains. If your blogs use sub folders then we can use a single Let's Encrypt certificate. However, in the case of blogs with subdomains it is much more complex as each directory requires a separate Let's Encrypt certificate. So, every time you add a new blog to your system you would require a new certificate. Automating this process is likely to be extremely challenging.

How do I know which type of installation I have?

It's easy to tell the difference between a sub folder and a subdomain structure. For sites with subdomains, web addresses (URLs) for class blogs will look like: (subdomains)

In a sub folder structure the URL will look like: (sub folders)

Any site purchased from us in the last two years will be in a sub folder structure.

What happens next?

Assuming the trial of Let's Encrypt proceeds satisfactorily on the sites upon which we have installed https, then we will begin a program of rolling out https on all sites with sub folders. We do not have a timescale as to when this might be completed at present. We do not foresee any reason that this process will disrupt our service and we won't notify you that this is happening. You'll simply notice the change in the address bar of your browser when the switch to https has been made.

At the same time we will be considering and testing possible solutions for older sites with a subdomain structure and we will make announcements about our intended strategy once we have arrived at a satisfactory solution. We would stress that your site will remain protected by our firewalls and security software at all times.

Will this affect the cost of the service?

While the installation of https gives us a significant challenge in terms of additional support overhead, at this time of extremely challenging school budgets we will be absorbing the cost of the transfer in house and will not be passing this on to our customers. Your annual hosting fee will not change. Should this position change we will provide plenty of notice before implementing any price rise.

We believe that upgrading to https represents a significant step forward in the level of security our customers can expect to receive from Creative Blogs.

Update 15/11/17

All sites with a sub folder structure as described above have now been running with SSL for several months. However, we have not found a cost-effective way of providing SSL certificates to sites with a sub domain structure. Recently, our SSL certificate provider, Let's Encrypt, announced that wildcard SSL certificates suitable for use in WordPress multisites with a sub domain structure will start to be issued in January 2018. At this point we will test their function on a few sites prior to rolling out across the remaining domains in the early part of 2018.
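The certificate coverage difference behind both the sub folder/subdomain section and this update, as an added example that is not Creative Blogs' own code: it checks which blog hostnames a certificate's names cover, using the usual rule that a wildcard stands for exactly one left-most label. All hostnames under example.org are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname.

    A '*' is honoured only as the entire left-most label and
    covers exactly one label, never zero and never several.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def uncovered_hosts(blog_urls, cert_names):
    """Return the sorted hostnames in blog_urls that no certificate name covers."""
    hosts = {urlsplit(u).hostname for u in blog_urls}
    return sorted(h for h in hosts
                  if not any(name_matches(n, h) for n in cert_names))

# Constructed sample URLs (assumptions, not real customer sites).
SUBFOLDER_BLOGS = ["https://school.example.org/class1/",
                   "https://school.example.org/class2/"]
SUBDOMAIN_BLOGS = ["https://class1.school.example.org/",
                   "https://class2.school.example.org/"]

def demo():
    single = ["school.example.org"]                            # one ordinary certificate
    wildcard = ["school.example.org", "*.school.example.org"]  # wildcard certificate
    return {
        # Sub folders share one hostname, so one name covers every blog.
        "subfolder_single": uncovered_hosts(SUBFOLDER_BLOGS, single),
        # Each subdomain is its own hostname; a single-name certificate covers none.
        "subdomain_single": uncovered_hosts(SUBDOMAIN_BLOGS, single),
        # A wildcard covers every current and future first-level subdomain.
        "subdomain_wildcard": uncovered_hosts(SUBDOMAIN_BLOGS, wildcard),
        # Edge case: a wildcard does not reach two levels down.
        "nested_wildcard": uncovered_hosts(
            ["https://a.class1.school.example.org/"], wildcard),
    }

if __name__ == "__main__":
    for case, missing in demo().items():
        print(f"{case}: uncovered = {missing}")
```
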
