
We have just released a Lighthouse update, bringing the plugin into 2017. The plugin now recommends HTTPS by default, HTTP/2 by default and PHP 7.1 by default. They are all textual recommendations, though, and they do not block the plugin from functioning.

Here are the first steps you need to take in the first months of 2017 in order to secure your website and make it more performant.

Security

Get Lighthouse. Obviously.

Lighthouse will secure your website and make it run faster. Tests showed a loading speed increase of at least 30%. Combined with the latest server software and HTTP/2, your site should get blazing speed. Get it!

Get an SSL certificate. Obviously.

You have two options:

  1. Get a free SSL certificate from Let’s Encrypt.
  2. Get a certificate deal. A good one.

Depending on your hosting provider, you might get access to free SSL certificates from Let’s Encrypt. Let’s face it, this is the future. Let’s Encrypt is a free, automated, and open Certificate Authority. I use Dreamhost for some of my clients and I am very happy with their free SSL setup.

For paid certificates, I recommend SSLs.com. I got a great deal for 4.99/year for 2 years. I have moved to Let’s Encrypt since then, but if my hosting provider hadn’t offered me this option, I would have stayed with SSLs.

Note: SSLs.com is a Namecheap brand.

Upgrade your server software.

Start chatting, open a ticket or check your hosting control panel. You might be able to get your PHP version to the latest one, 7.1. I, personally, know at least 2 hosts here, in Ireland, who offer (but do not recommend) PHP 7.1. The idea behind not recommending it is that users might run into various issues by running outdated scripts, plugins, content management systems and so on.

Also, ask for HTTP/2. If you don’t have a VPS, you will need to ask your host if they support it. If not, you should consider moving to another host.

If a host will not support PHP 7, Let’s Encrypt and HTTP/2 in the next 3 to 6 months, it’s time to ditch them. Competition will be very fierce this year.

Secure your site with these small, but effective, changes.

In order to prevent XSS, framing (clickjacking) and content-sniffing injection, add the following lines to your configuration file, based on your server type (nginx.conf for nginx, .htaccess or the virtual host configuration for Apache; the Apache lines require mod_headers to be enabled):

X-Frame-Options

nginx: add_header X-Frame-Options "SAMEORIGIN" always;
Apache: Header always set X-Frame-Options "SAMEORIGIN"

Valid values include DENY, meaning your site can’t be framed at all; SAMEORIGIN, which allows you to frame your own site; or ALLOW-FROM https://example.com/, which lets you name a single site that is permitted to frame yours. Note that this directive will prevent your site from being embedded into another site. Also note that you cannot specify multiple allowed sites, and that ALLOW-FROM was never implemented by every browser (Chrome and Safari ignore it), so for a whitelist of framing origins the Content-Security-Policy frame-ancestors directive is the reliable choice.

X-Xss-Protection

nginx: add_header X-Xss-Protection "1; mode=block" always;
Apache: Header always set X-Xss-Protection "1; mode=block"

X-Content-Type-Options

nginx: add_header X-Content-Type-Options "nosniff" always;
Apache: Header always set X-Content-Type-Options "nosniff"
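Once the headers are in place, verify that the server really sends them. The script below is an added example, not part of the Lighthouse plugin or of getButterfly’s code: it audits a captured response header block for the three headers above and reports any that are missing or weak. The sample responses embedded in it are constructed; for a live site pass the output of curl -sI instead.

```shell
# Added example (not from the Lighthouse plugin): audit a captured HTTP
# response for the three security headers recommended in this guide.
# Live use:  check_headers "$(curl -sI https://example.com/)"

# check_headers HEADER_TEXT
# Prints one ok / MISSING / WEAK line per header and returns the number of
# problems found, so a return value of 0 means the site passes all checks.
check_headers() {
    # Normalise: strip CR from CRLF endings, lower-case names and values.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    problems=0

    # value_of NAME: the trimmed value of the first header called NAME.
    value_of() {
        printf '%s\n' "$hdrs" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1 \
            | sed 's/[[:space:]]*$//'
    }

    xfo=$(value_of x-frame-options)
    case "$xfo" in
        deny|sameorigin) echo "ok      X-Frame-Options: $xfo" ;;
        '') echo "MISSING X-Frame-Options"; problems=$((problems + 1)) ;;
        *)  echo "WEAK    X-Frame-Options: $xfo (not honoured by every browser)"
            problems=$((problems + 1)) ;;
    esac

    xxp=$(value_of x-xss-protection)
    case "$xxp" in
        '1; mode=block') echo "ok      X-XSS-Protection: $xxp" ;;
        '') echo "MISSING X-XSS-Protection"; problems=$((problems + 1)) ;;
        *)  echo "WEAK    X-XSS-Protection: $xxp (expected 1; mode=block)"
            problems=$((problems + 1)) ;;
    esac

    xcto=$(value_of x-content-type-options)
    case "$xcto" in
        nosniff) echo "ok      X-Content-Type-Options: $xcto" ;;
        '') echo "MISSING X-Content-Type-Options"; problems=$((problems + 1)) ;;
        *)  echo "WEAK    X-Content-Type-Options: $xcto (expected nosniff)"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample: nginx configured with the add_header lines above.
HARDENED='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff'
# Constructed sample: a stock response that sends none of the headers.
DEFAULT='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

check_headers "$HARDENED"
check_headers "$DEFAULT" || echo "problems found: $?"
```

Because the function returns the problem count, it can gate a deployment check or a cron job with a plain exit status.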

That’s it. This quick guide ends here and, if followed correctly, it will make your site 100% more secure and more performant.
