Developer for MainWP

We’re always excited to discover new WordPress plugins that we can work with. It’s one of the benefits of providing services across a wide range of industries and to clients with a variety of websites, from elearning to ecommerce. Recently we were hired to work on a MainWP project. If you’re not familiar with it already, MainWP is a dashboard for managing multiple websites within the WP admin. It provides many of the same features found in SaaS (software as a service) dashboards available for WordPress. The advantage over those external systems is that MainWP is a WordPress plugin, and it runs in your own website. That means you own it! And yes, it’s free. Both the MainWP Dashboard plugin and the MainWP Child plugin (which is installed on all the child sites) are available for free in the WordPress directory. There are also numerous MainWP extensions; some are free, and others premium.

MainWP can clearly save time and help create a more systematic approach to content development and distribution across a network of websites. It also simplifies management of sites and updates, saving development time and cost. Are you sold yet? We were immediately sold on the idea of using MainWP, and added it here to GoldHat.ca.

The project we worked on with MainWP involved a custom integration of the MainWP Spinner plugin. The client had hired a previous developer to build a custom approach to creating posts that would be published across their network of over 200 websites. The MainWP Spinner extension integrates with online article spinner services such as The Best Spinner, Chimp Rewriter and many more. It is, however, limited in the content it can spin: only posts and pages. In this case the client had a customization with a custom post type, and fields were set up for images, headlines and various body text sections. After the article was “spun”, all these fields would be aggregated together as post content and published using the MainWP bulkpost feature. At this point the one article would be published to 5 sites, 10 sites or more, and would be sufficiently different on each site to qualify as unique content.

The problem with the implementation our client faced was a typical case of offshore development gone wrong. The previous developer “hacked” MainWP (the core plugin), hacked the MainWP Spinner extension, and put only about 10% of the functionality into the actual custom plugin he built! Best practices be damned, I imagine the developer saying! Well, the result is the client updated MainWP, and voila, the custom functionality broke. Fortunately it did not take down his website, which is not uncommon in these cases. Reversing the damage done by the previous developer was a painstaking process of moving code from MainWP and MainWP Spinner into the custom plugin, which we named MainWP Spinner Upload.

If you’re a site owner contemplating hopping on Upwork and hiring an offshore developer for customizations or plugin development, just remember that it is very common to have this situation where work has to be redone later by a qualified WordPress developer. Mistakes made can be very costly in terms of downtime, cost to debug errors, and finally the obvious cost of having to eventually rebuild the features that you’ve had added. This is not to suggest that all Upwork developers are problematic; we still sell on Upwork to this day! There are also offshore developers, particularly in places such as Russia and Eastern Europe, who do quality work. However, the most common “help me my website is broken” situation we find is from “Built in India” or “Built in Pakistan” websites. While there are probably many great developers in these countries, unfortunately there are thousands of developers and firms that violate the most basic principles of WordPress development, such as don’t edit the plugins (extend them) and don’t edit base themes (use child themes). Edits to plugins and base themes render your site unable to receive updates, and because the entire ecosystem of WordPress is constantly evolving, it’s only a matter of time until something breaks, or a security flaw opens up that hackers can exploit.

Now that we have experience with MainWP and MainWP Spinner, we’re looking at opportunities to build custom MainWP extensions. We already have one new project with MainWP underway: an integration with MainWP Spinner called MainWP Spintax Templates. It solves the problem that sometimes when spinning content you may want to embed a link, video or other content that is very lengthy when pasted into a text editor. Organizing that content is also time consuming. With our MainWP Spintax Templates plugin, content managers can set up these spintax templates, which then generate a shortcode. The shortcode is then copied into the editor and processed when the content is published.

We welcome our readers to comment on their experiences with MainWP and other topics in this blog post. Thanks for reading!

Installing SSL certificates for WordPress sites

Welcome to the GoldHat guide for installing SSL certificates. Here at GoldHat.ca we started serving the entire site in HTTPS recently. Up until a few years ago serving a site in SSL meant some loss in performance, but not anymore. There are two main benefits to having HTTPS throughout the entire site. The first is it’s more secure for our users. We’re less likely to have various types of attacks on user information. We all know the importance of this when it comes to credit card data, checkout forms, but we should care about personal information and even the possibility of malware installation as well. The second benefit is that we may see a small boost in search engine rankings. It’s considered a positive factor for SEO to serve a page in HTTPS. And rumor has it, this benefit may increase in future search algorithm updates.

Overview for Installing SSL certificates

Now whether your goal is to secure part of your site, or all of it, you need to start by purchasing and installing an SSL certificate. In this guide we look at the generic steps involved in the process. Like other process guides we’ve created, the goal here isn’t to outline every detail of a specific certificate install on a specific server. There are many different certificate vendors, many different certificate types, and of course a lot of different servers and hosts. And then there is your actual website, in this case we’re focused on WP sites. But each site can have a different configuration of plugins and different theme. The challenge of solving insecure content warnings and other problems can be as much or more significant in terms of time and cost than the actual install. For the purpose of this guide, we will be focused on getting the certificate installed and working, and debugging the most common errors (mixed content) that you might find in your WordPress site after switching to SSL.

Step 1 – Purchase from SSL Vendor


You’ll need to open an account at an SSL vendor. This can be the issuer of SSL certificates, most sell directly, or it can be a reseller. There is no real advantage to buying directly from issuers, often the resellers have better prices than the issuers. We recommend GoGetSSL, and are authorized resellers for them. Another notable option is TheSSLStore.com. If you’re an agency or developer, you might also want to check out the GoGetSSL.com reseller program for yourself. Buying from either of these reputable vendors is a simple and reliable process, all have full integration with the CA (Certificate Authorities) that issue the SSL certificates. Once you have an account, you select the type of certificate you want and place your order. The initial order information (address/phone etc.) is not used to determine the SSL certificate, that’s handled later. So it’s fine to use your business or personal information, even if the certificate is for another party such as your client or a different business.

Step 2 – Generate a CSR (Certificate Signing Request)

The purpose of the CSR (Certificate Signing Request) is to identify the server you plan to install the certificate on. The steps to generate a CSR vary based on the type of server. A common server is Apache, and a manual generation of a CSR involves logging into the server with SSH, running server commands via command line and entering the information for your domain. A CSR will be generated, along with a Private Key File. The private key file is the mechanism that the server will use to decrypt the certificate, and it has to be stored in the correct place on the server. Clearly the manual generation of a CSR is not suitable for most site owners, and even many website developers find these steps difficult. It’s really a process best suited to experienced server managers. Nonetheless there are numerous guides for various server types, which you can find by searching for something like “generate csr apache”, replacing Apache with your server type if you’re running something else. Many hosts also have guides to SSL install, and searching “digital ocean generate csr” for instance will bring those up.

If you have cPanel, you may be able to use the SSL management features inside the control panel to generate a CSR. At GoldHat we buy our hosting from Digital Ocean, and we manage the servers using ServerPilot. We especially like this combination because the ServerPilot system makes SSL certificate installation very easy. Every app (domain) that we add to ServerPilot has an SSL tab, and getting the CSR is a one-click process. Note that this feature is only available with ServerPilot’s Coach (paid) license that is $10/month. Their free service does not have this feature. Also, to manage a server with ServerPilot, you have to set it up when you create your droplet or server, before you set up your domains. So this option will only help you with an existing site if you are willing to set up a new droplet, install ServerPilot on it and then configure the site as an app. Having done all this for our sites, we can say it’s worth it not only for SSL install but also for the many other time saving features of ServerPilot.

Step 3 – Request the SSL Certificate

We request the SSL certificate at the vendor where we made the purchase. The vendor will provide a form to complete with domain information and, of course, the CSR that you created in the previous step. After you pass any validation in their forms, you should see confirmation on screen and by email that your request has been received. This will initiate a domain ownership verification email that will go to the email you specified when requesting the certificate. You usually have a limited range of emails to choose from and they have to be at the domain, so for instance “admin@your-domain.com”. Make sure you have your email set up and working for the domain before doing this step, and make sure you have access to the email address you select to perform the verification.

Step 4 – Verification for SSL Certificate

You’ll receive a domain verification email from the CA (Certificate Authority) such as RapidSSL, Comodo. It will contain a link to verify the domain ownership, and a code that you need to enter. For basic SSL certificates, once you verify the domain ownership the CA will usually issue the certificate immediately and the files will be sent to you via email, and/or available for download from the vendor where you purchased the SSL certificate.

EV (Extended Validation) certificates, and other types of certificates that have various extra validation, will require further verification. These steps will be provided by the CA, and some will send you an email linked to a guide on their website. With EV certificates, the CA will attempt to automatically validate the existence of your business if you’re located in a region such as US/Canada or Europe, where they can find your business in a public registry. If this process fails, either because you didn’t provide an accurate business name, or because your company isn’t registered, or because of some other problem, they will email you asking you to prove your business information by sending in copies of registration documents.

Step 5 – Install the SSL Certificate

When your certificate is issued by the certificate authority, they’ll send you the package via email. This is often the first time we start celebrating in the process of installing SSL certificates. If you’ve purchased from a vendor, they’ll often have a download area for your certificates which helps when you need to get the files again. Manual install of a certificate using SSH is not a step suitable to most site owners. Even developers often are challenged by the process, but there are guides for nearly every available server that outline the process. An important step if you’re managing the server yourself is after the certificate files are in the right place, setting up the virtual host to serve traffic over the secured port (usually port 80).

As with the earlier step of issuing CSRs, we utilize ServerPilot to take care of this otherwise time consuming process. With ServerPilot we can paste the certificate into the correct app, and ServerPilot takes care of putting the files in the right place. We can also force SSL, rather than relying on the app (WordPress) to switch to SSL. Whether using the force SSL option or not, ServerPilot finalizes the install, and from this point forward the focus is on serving SSL pages or the entire site, and fixing any issues that are causing a problem on secured pages.
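Steps 2 and 5 as they look with the OpenSSL command-line tool, as an added example that is not part of the original guide: it creates the key and CSR, then checks that a certificate belongs to that key before it is installed. The domain `example.com`, the subject fields, the file names and the self-signed stand-in for the CA are assumptions made so the example runs offline.

```bash
# Added example: key + CSR (Step 2) and the key/certificate match check to run
# before install (Step 5). example.com, the subject fields and the file names
# are assumptions; requires the OpenSSL command-line tool.

# Step 2: new 2048-bit RSA key and a CSR for one domain, written to <dir>.
make_csr() {              # usage: make_csr <domain> <dir>
  local domain=$1 dir=$2
  ( umask 077             # the private key must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/C=CA/O=Example Inc/CN=$domain" 2>/dev/null )
}

# Subject line of a CSR, to confirm the domain before submitting it (Step 3).
csr_subject() { openssl req -in "$1" -noout -subject; }

# PEM public key held in a private key, a CSR or a certificate.
pubkey_of() {             # usage: pubkey_of key|csr|cert <file>
  case $1 in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# Step 5 pre-flight: the issued certificate must carry the same public key as
# the private key on the server; a certificate issued for another key is unusable.
cert_matches_key() {      # usage: cert_matches_key <cert> <key>
  local c k
  c=$(pubkey_of cert "$1") || return 1
  k=$(pubkey_of key  "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-in for the CA in Steps 3-4 so the example runs offline: self-signs the
# CSR. A real certificate comes from the vendor, never from this function.
issue_test_cert() {       # usage: issue_test_cert <csr> <key> <out-cert>
  openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null
}

# Constructed run in a throwaway directory.
demo() {
  local d; d=$(mktemp -d)
  make_csr example.com "$d"
  csr_subject "$d/example.com.csr"
  issue_test_cert "$d/example.com.csr" "$d/example.com.key" "$d/example.com.crt"
  cert_matches_key "$d/example.com.crt" "$d/example.com.key" && echo "certificate matches key"
  rm -rf "$d"
}
demo
```

Once the real certificate is installed, `openssl s_client -connect example.com:443 -servername example.com </dev/null` shows what the server presents; 443 is the default HTTPS port.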

Step 6 – Configuring & Debugging WordPress SSL

If you haven’t set up your server to force SSL throughout the site, you’ll need to configure WordPress to serve secured pages. If your site runs WooCommerce, you’ll want to activate the Force SSL option under the checkout settings in WooCommerce. See the WooCommerce docs page SSL and HTTPS for further details.

Other plugins that provide a checkout process usually contain support for SSL. You’ll want to find the documentation for that support by searching the plugin documentation. Once you activate SSL, be sure to test your checkout process to make sure it’s functioning correctly.

If you want to secure other parts of your site that don’t involve checkout, there are various WP plugins that can help. Search the WP directory for one that fits your implementation, or consult a qualified WP developer.

One of the most common and frustrating issues we face in securing WordPress sites is mixed content errors. These errors can be seen in the browser address bar as a warning, and aside from the actual security risk, the warning largely defeats the purpose of building trust with your users. These errors must be fixed in order for the browser to indicate the page is secured and confirm the connection is private. Mixed content errors show up when an asset served over unsecured HTTP, usually an image or script, is included in the page. When your WP site serves an SSL secured page in HTTPS, all content on the page must also be secured. If you’ve integrated scripts or images by defining “http://” in the URL, then this will cause the page to be flagged as serving mixed content. Developers can identify which assets are being served unsecured by HTTP by opening the developer console, where these errors will be listed.
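A command-line complement to the developer console check described above, added here as an example and not taken from the original guide: it reads a page's HTML and lists the `http://` URLs that the browser would fetch as part of the page. The function names and the sample URL are hypothetical, and CSS `url()` values and `srcset` attributes are not inspected.

```bash
# Added example: list plain-HTTP subresources in an HTML document on stdin.
# Typical use (URL is a placeholder):
#   curl -s https://example.com/ | mixed_content_urls
mixed_content_urls() {
  local q url html
  q="[\"']"                    # either quote character
  url="http://[^\"' >]+"       # an absolute plain-HTTP URL
  html=$(tr '\n' ' ')          # join lines so tags split across lines still match
  {
    # Elements whose src= the browser fetches while rendering the page.
    printf '%s\n' "$html" |
      grep -oiE "<(img|script|iframe|source|audio|video|embed)[[:space:]][^>]*>" |
      grep -oiE "[[:space:]]src=${q}?${url}" || true
    # Stylesheets only: <link rel="canonical"> and <a href> are never fetched
    # as page content, so an http:// URL there is not mixed content.
    printf '%s\n' "$html" |
      grep -oiE "<link[[:space:]][^>]*>" |
      grep -iE "rel=${q}?[^\"'>]*stylesheet" |
      grep -oiE "[[:space:]]href=${q}?${url}" || true
  } | grep -oiE "http://.*" | sort -u
}

# Exit status for scripting: 0 when nothing is listed, 1 otherwise.
page_is_clean() { [ -z "$(mixed_content_urls)" ]; }
```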

Fixing unsecured content that has been added to a page is relatively easy if it’s available via the WP admin, or in a widget. Where it becomes much more problematic is when the issue comes from a 3rd party theme or plugin. Developers may have to create filters, or take other steps to debug the error. In some cases it will not be possible to fix the problem without resorting to hacking the 3rd party plugin. And because that’s usually not a good idea, it may be better to contact the plugin/theme author and ask them about releasing a fix to better support SSL. Unfortunately many WordPress themes and plugins define assets in a way that causes these mixed content errors, and sometimes there is no practical way to work around it. As a site developer you may have to consider removing plugins or switching themes, or resort to editing the original plugin/theme and then managing it without the original author’s updates. These are difficult decisions to make, but are sometimes needed to fully resolve all mixed content errors.

Installing SSL certificates wrap-up

This concludes our guide on the processes of installing SSL certificates. Hope you found it helpful and have been successful in following the steps. If you discovered by reading this guide that the process is too technical or time consuming to do yourself, consider our SSL certificate install service which is just $35 for basic SSL installs. We can also perform more complex SSL certificate installations, such as EV certificates, multiple site domain certificates and wildcard certs. If you’re just setting up your site and don’t yet have a server or hosting, contact us about setting up a Digital Ocean droplet with ServerPilot account which is the combination of server/management that we use for this site and dozens of others.


Affiliate Disclaimer

GoldHat Group is an affiliate for ServerPilot and TheSSLStore.com. We’re also an Authorized Reseller for GoGetSSL.com. Some links contained in this article are from these affiliate programs, and some products listed on goldhat.ca are delivered via these affiliate programs or resellers.

 

 

 

Green bar SSL certificates, are they worth the high cost?

Green bar SSL certificates can cost up to 40x as much as regular SSL certs. Is it worth the added cost and effort to get the green bar?

Are green bar SSL certificates worth their high price tag? Like many site owners, have you ever wondered why some websites have a green security tab in the browser address bar? The short answer is buy and install an EV SSL certificate. First, if you’re not familiar with SSL, it’s the security protocol that is used to encrypt website traffic. Once reserved for ecommerce websites, today delivering content via HTTPS (Secured HTTP) is becoming more common. This is partly because so many sites now store private data, and need to keep this data secure. It’s also about satisfying users’ concerns about their information being visible to 3rd parties.

An EV SSL certificate offers the highest available levels of trust and authentication to your website.

  • Comodo sales site about their EV certificates

What is an EV SSL Certificate?

The EV stands for Extended Validation. And that’s in a nutshell what differentiates EV certificates from regular SSL certificates. There is more validation of the business behind the site, which is thus validated by the certificate. Regular SSL certificates can be purchased and installed by anybody, for virtually any domain. And even a shady operation without a real business presence can buy an SSL certificate and make it work on a domain. As a website user, SSL certificates only assure you of some level of privacy when browsing the site thanks to the HTTPS protocol; they don’t really guarantee much about the business you’re dealing with. EV certificates, thanks to additional screening, offer at least the perception of greater safety. But is the green bar SSL certificate worth the cost?

Green bar SSL certificates

How to get the green bar SSL certificate

Simply put, the type of SSL certificate and the process to install it are different from regular SSL certificates. Regular SSL certificates can be purchased for under $10/year from a number of resellers. And if you’re not after the green bar, users might not pay much attention to what brand of certificate you’ve purchased. A lot of site owners shop for SSL certs mainly on price. Developers also consider the ease of install, and the verification process involved. For green bar SSL certificates, the cost is higher, and the verification process relatively time consuming.

Examples of how green bar SSL certificates look in different browsers

DigiCert has a page that shows screenshots of how the green bar SSL certificate will look in each major browser. Note that the way the green bar SSL certificate is displayed varies but is quite similar across browsers. It also doesn’t matter that much which brand of EV certificate you choose, so long as it’s a true EV SSL certificate. Take a look at https://www.digicert.com/ssl-support/code-to-enable-green-bar.htm.