Administration security guide
Protect against eavesdropping by using a free TLS certificate from LetsEncrypt.org for HTTPS browsing
Unless you take additional precautions, everything anyone does on your site, including sending and responding to Buoy alerts, will be visible to anyone who cares to look, even if they are not signed in to your site. This is a clear and present danger to the privacy of your Buoy's users. To prevent this, you must secure your site's Web browsing connections.
Adding a TLS (sometimes called an "SSL") certificate to your website is a good way to make it more difficult for attackers to snoop on the site's transactions. Adding a TLS certificate changes the way your website and a user's web browser communicate from HTTP (the regular, insecure hypertext transfer protocol) to HTTPS (the private, secure hypertext transfer protocol). We encourage Buoy admins to always enforce secure (HTTPS) connections and to automatically redirect any insecure (HTTP) connections over to the secure channel for all users, all the time.
This security technology (TLS, which stands for "Transport Layer Security") is the same technology used by banks and other e-commerce sites to, for example, protect credit card information, passwords, and other sensitive details from being observed during an online sale, login operation, or other page load. Although you have to take extra steps to make sure your site and its users are protected in this way, the good news is that for most popular hosting setups, it is completely free of charge if you obtain your certificate from the LetsEncrypt certificate authority.
Setting up your site for private Web browsing is usually a matter of pressing a few buttons on the management interface provided by your Web hosting company. The following is a non-exhaustive list of Web hosting companies where you can enable TLS with a LetsEncrypt certificate for free with a few clicks, and links to their instructions on how to do so:
For a complete list of Web hosting companies that allow you to use a free LetsEncrypt certificate, see LetsEncrypt's Web Hosting Supporting LE wiki page.
Once you have added a LetsEncrypt security certificate to your site, you should ensure that all insecure connections a user might make to your site are redirected to secure connections. The easiest way to do this is to install either the Easy HTTPS Redirection or the Really Simple SSL plugin for WordPress. You install either plugin in the same way you installed Buoy itself. Once installed, turn the plugin on from its settings page as shown in its screenshots.
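After turning the redirect plugin on, it is worth confirming that plain-HTTP requests really are sent to HTTPS rather than answered directly. The check below is an added example, not part of Buoy or of either plugin; `example.org` is a placeholder for your own domain, and the path list assumes WordPress is installed at the site root.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify_redirect(request_host, status, location):
    """Judge the response a site gave to one plain-HTTP request."""
    if status not in REDIRECTS:
        return f"FAIL: no redirect (status {status}); content served over HTTP"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return f"FAIL: redirect target is not https ({location!r})"
    if target.hostname != request_host.lower():
        return f"WARN: redirects to a different host ({target.hostname})"
    if status not in (301, 308):
        return f"WARN: temporary redirect ({status}); a permanent 301/308 is preferable"
    return "OK"

def check_site(host, port=80, paths=("/", "/wp-login.php", "/wp-admin/")):
    """Request each path over plain HTTP without following redirects."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.request("GET", path)  # http.client never follows redirects
            resp = conn.getresponse()
            results[path] = classify_redirect(
                host, resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    # Constructed sample responses (status, Location), so this runs offline.
    samples = [
        (301, "https://example.org/wp-login.php"),  # what you want to see
        (200, None),                                # login page served in clear
        (301, "http://example.org/wp-login.php"),   # redirect stays on HTTP
        (302, "https://example.org/wp-login.php"),  # works, but not permanent
    ]
    for status, location in samples:
        print(status, location, "->",
              classify_redirect("example.org", status, location))
    # Against a live site (placeholder domain): print(check_site("example.org"))
```

Any `FAIL` line means login details or Buoy alerts sent to that path over HTTP can still be observed in transit.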
TK-TODO
Use the WP PGP Encrypted Emails plugin.
Questions? Double-check the Frequently Asked Questions. Otherwise, if you want help from other users, try the Buoy Support Forum. To contact the developers, open a new issue.