How to Secure WordPress with SSL


This article was peer reviewed by Adrian Sandu. Thanks to all of SitePoint’s peer reviewers for making SitePoint content the best it can be!




Ever since Google started taking HTTPS into consideration as a ranking factor in 2014, people have slowly been switching their sites over to use encrypted connections. SEO alone can be a reason to set up SSL to secure WordPress. However, as of January 2017, Google made things a bit more serious by having Chrome indicate that sites which still use HTTP are insecure. When a site uses a form that gathers potentially private user data, such as login credentials, there’s an even more stringent notification showing that the site is not secure.


These notifications are still in a gray color, but it probably won’t take long before we start seeing the red notification messages for all of these situations. These red messages are already visible when there is, in fact, an SSL certificate in place, but it can’t be verified. And it isn’t just Chrome — browsers like Safari, Internet Explorer and Firefox all have similar ways of showing the security, or the lack of security, on a site.



An added benefit of serving your site over HTTPS is that you can make use of HTTP/2, for which SSL is a requirement.


So there’s no better time than now to make the switch. In this article I will show you three ways to get the green padlock:


  1. Using CloudFlare to secure your site with a generic SSL certificate the easy way.
  2. Using Let’s Encrypt to get domain level encryption.
  3. Getting an Extended Validation SSL to achieve the highest level of certificate, with your business name shown instead of just the “Secure” notice.

Securing WordPress the Easy Way: CloudFlare SSL

Using CloudFlare to secure your site is the easiest way to do it, but it does have some caveats. Kray Mitchell did a great tutorial on how to install CloudFlare, along with its Universal SSL feature.


The process is very simple: Sign up for CloudFlare, change the DNS of your site to activate CloudFlare, and turn on “Flexible SSL” in the “Crypto” section.



To make it even easier, you can have CloudFlare overwrite links to non-secure URLs with the HTTPS version to prevent mixed content warnings. You do this by turning on “Automatic HTTPS Rewrites,” at the bottom of the “Crypto” section.



If you install the CloudFlare WordPress plugin you can specify some of the required settings from within the WP admin. Additionally, it helps to overcome the infinite redirect loop that is sometimes triggered when changing the URL structure to HTTPS, by modifying the header. The plugin is also the easiest way to set up Server Push, which is one of the main benefits of HTTP/2.


It is really that simple! But there are two important points to acknowledge:


  1. Flexible SSL only encrypts traffic between the browser and CloudFlare. This means the traffic between CloudFlare and your site (on the origin server) is unencrypted, which still leaves room for a “Man-in-the-Middle” attack. This method also isn’t allowed when you’re using forms to collect sensitive information like credit card data or passwords. To be clear: You can’t use this method for e-commerce sites.
  2. CloudFlare is using a shared SSL certificate, which means that your visitors won’t be able to verify it’s really you behind the scenes. Even though most visitors won’t go through the effort of checking a certificate, it’s still something to keep in mind. Again, when it comes to becoming PCI compliant for e-commerce (maintaining an SSL certificate is one of the steps), this isn’t allowed.

CloudFlare also offers “Full” and “Full (Strict)” SSL protection. The latter also validates the certificate on the origin server, which at least mitigates the first point above. However, it is still a shared certificate. For $5 per month, you can order a dedicated certificate, but there are cheaper ways to do this; for example, using Let’s Encrypt, which is covered later in this post.


CloudFlare Flexible SSL is a simple way to get your site secure, but, as you’ve seen here, it gives a bit of a false sense of security. While this will prevent any punishment Google can come up with, it won’t always be the best way to actually secure your site and its visitors. But, for a basic informational site, this will do the trick.


Domain Validation for Free: Let’s Encrypt

Let’s Encrypt is a non-profit certificate authority where you can get a free Domain Validation SSL certificate. This means you will be issued a certificate for your own domain name, instead of a shared SSL. And because support among large and medium-sized hosting providers keeps growing, implementing it to create a more secure WordPress site is becoming easier.


On a mission to make the web more secure, Let’s Encrypt has automated the process of issuing certificates at the domain level, which is the lowest level of protection. There’s a manual route to get the certificate yourself. Or you could ask your host to assist you. Most hosting providers are willing to provide an SSL certificate installation for free, or for just a nominal fee. The easiest way is to find a host which offers Let’s Encrypt support.


With Let’s Encrypt certificates, you have to keep in mind that they expire every 90 days. In their Why 90 Days post, the organization explains that the main reason they do this is because it limits damage from key compromise and mis-issuance. They also think it encourages automation, which many supported providers have in place.


While their reasons are valid, this means you must either ensure that your certificate is renewed automatically, whether by your hosting provider or by a process you have set up yourself, or renew it manually every 90 days. If you don’t, you’ll still end up with the dreaded “insecure” message.

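A missed renewal is easy to catch before visitors see the warning if you check the certificate’s expiry yourself. The script below is an added example, not code from the SitePoint article; it uses only the Python standard library, the 30-day threshold is an assumption matching the default renewal window of the Let’s Encrypt client (certbot), and the dates used to exercise it are constructed. Only fetch_not_after needs network access.

```python
"""Certificate expiry check for a certificate that must be renewed every 90 days.
Added example, not code from the SitePoint article; standard library only."""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: renew when 30 days or fewer remain, the window the Let's Encrypt
# client (certbot) uses by default.
RENEW_WITHIN_DAYS = 30

# Constructed "current time" so the pure functions can be exercised offline.
SAMPLE_NOW = datetime(2025, 5, 16, 12, 0, tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g.
    'Jun 15 12:00:00 2025 GMT'. Returns whole days remaining, negative once
    expired. `now` must be a UTC-aware datetime (defaults to the real clock)."""
    expires_at = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires_at - now_ts) // 86400)


def renewal_status(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """Classify a certificate as 'ok', 'renew-now' or 'expired'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired", days
    if days <= threshold:
        return "renew-now", days
    return "ok", days


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a verified TLS connection (chain and hostname checked, as a browser
    would do) and return the leaf certificate's notAfter string."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        state, days = renewal_status(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise unverifiable certificate fails here, which is
        # the same condition that makes browsers show the red warning.
        print(f"{host}: certificate does not verify: {exc.verify_message}")
    else:
        print(f"{host}: {state}, {days} days remaining")
```

Run it from cron against your own domain and alert on anything other than “ok”; because the connection is fully verified, it also catches a certificate that is present but not trusted, the red-warning case mentioned earlier.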

WordPress hosts like WPEngine, Dreamhost, and SiteGround either have this automation already in place, or have instructions on how to have their support handle it for you. Most decent hosts shouldn’t charge you for the Let’s Encrypt certificate or the installation.


Dealing with Mixed Content

There’s one caveat, though, which you will also experience with the EV certificates covered later in this post. Unlike with CloudFlare, you have to make sure yourself that all resources are loaded over HTTPS. If not, you will see the dreaded mixed content notification. This results in images and CSS scripts not being loaded, which means your layout will be messed up.


The most important thing to do is changing the WordPress address to the HTTPS version, as this will change most files and images to be loaded over HTTPS right away, if you use relative paths to call them.



You can’t always spot straight away that you’re serving mixed content. In some cases, the padlock just won’t turn green, where in other cases it does. This has mostly to do with your browser cache. Sometimes a site may display a secure notice, but the developer console in Chrome shows otherwise. Luckily, the security tab of the console is very helpful in tracing these issues.

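Because the padlock and the browser cache can disagree, it helps to check the page source directly for resources still requested over HTTP. The scanner below is an added example, not code from the SitePoint article; it uses only the Python standard library, and the sample WordPress page it runs over is constructed (example.com and the file paths are placeholders). Active content (scripts, stylesheets, frames, plugins) is what browsers block and what breaks the layout; passive content (images, media) still loads but downgrades the padlock.

```python
"""Mixed-content scanner: find sub-resources requested over http:// from a page
served over https://. Added example, not code from the SitePoint article."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element attributes that fetch a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve against the page URL: relative paths and protocol-relative
            # "//host/..." links inherit https and are fine; only an absolute
            # http:// URL is mixed content.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme != "http":
                continue
            if tag == "link":
                rel = (attrs.get("rel") or "").lower().split()
                kind = "active" if "stylesheet" in rel else "passive"
            else:
                kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return the list of http:// sub-resources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only arises on pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a WordPress page whose theme stylesheet and one upload
# are still referenced with absolute http:// URLs. Links (<a href>) are
# navigation, not sub-resources, so they are not mixed content.
SAMPLE_PAGE_URL = "https://example.com/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="//cdn.example.net/jquery.min.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2017/01/logo.png">
<img src="/wp-content/uploads/2017/01/hero.png">
<a href="http://example.com/about/">About</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Feed it the HTML of your own pages (fetched over HTTPS, with the cache out of the picture) and every finding is a URL that still needs to be rewritten to HTTPS or made relative.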


In this example, it was all a matter of changing the WordPress URL to the proper HTTPS version, after which it was all green. Another issue can be the use of absolute URLs for images, which might still be served over HTTP. There are various ways to solve this:


  1. Change the URLs in the database manually from HTTP to HTTPS or to relative URLs.
  2. Use a plugin to change the links, such as the SSL Insecure Content Fixer.
  3. Go through all of your images one by one, to make their paths relative.
  4. If you use a CDN, make sure to have that changed to SSL, or else you will still be serving insecure files.
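Changing the URLs in the database by hand (option 1) has a trap: many wp_options and wp_postmeta values are PHP-serialized, and a plain SQL REPLACE() turns s:18:"http://example.com" into a 19-byte string with the old length still in front of it, so PHP’s unserialize() fails and the option silently disappears. The rewrite below is an added example, not code from the SitePoint article or from WordPress; it re-serializes after replacing so the lengths stay correct. The sample rows are constructed, and the parser covers the scalar and array types WordPress stores while leaving objects (O:) untouched.

```python
"""Serialization-safe http:// -> https:// rewrite for WordPress database values.
Added example, not code from the SitePoint article or from WordPress."""


def _parse(data, i):
    """Parse one PHP-serialized value starting at byte offset i.
    Returns (node, next_offset); node is ("raw", bytes), ("str", bytes) or
    ("arr", [(key_node, value_node), ...]). Lengths are byte lengths, as in PHP."""
    t = data[i:i + 1]
    if t == b"N":
        return ("raw", b"N;"), i + 2
    if t in (b"b", b"i", b"d"):  # keep scalars verbatim; only strings change
        end = data.index(b";", i)
        return ("raw", data[i:end + 1]), end + 1
    if t == b"s":
        colon = data.index(b":", i + 2)
        length = int(data[i + 2:colon])
        start = colon + 2  # skip ':"'
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at offset {i}")
        return ("str", data[start:end]), end + 2
    if t == b"a":
        colon = data.index(b":", i + 2)
        count = int(data[i + 2:colon])
        j = colon + 2  # skip ':{'
        items = []
        for _ in range(count):
            key, j = _parse(data, j)
            value, j = _parse(data, j)
            items.append((key, value))
        if data[j:j + 1] != b"}":
            raise ValueError(f"unterminated array at offset {i}")
        return ("arr", items), j + 1
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")


def _dump(node):
    kind, payload = node
    if kind == "raw":
        return payload
    if kind == "str":
        return b's:%d:"%s";' % (len(payload), payload)  # length recomputed
    body = b"".join(_dump(k) + _dump(v) for k, v in payload)
    return b"a:%d:{%s}" % (len(payload), body)


def _rewrite(node, old, new):
    kind, payload = node
    if kind == "str":
        return ("str", payload.replace(old, new))
    if kind == "arr":
        return ("arr", [(_rewrite(k, old, new), _rewrite(v, old, new)) for k, v in payload])
    return node


def replace_in_value(value, old, new):
    """Replace old with new in one database cell (bytes). Serialized values are
    parsed and re-serialized so their lengths stay correct; values that look
    serialized but cannot be parsed (objects, truncated data) are returned
    unchanged rather than risk corrupting them; plain values get a plain replace."""
    if value[:2] in (b"a:", b"s:", b"O:"):
        try:
            node, end = _parse(value, 0)
        except (ValueError, IndexError):
            return value
        if end != len(value):
            return value
        return _dump(_rewrite(node, old, new))
    return value.replace(old, new)


# Constructed sample rows as they might appear in wp_options.option_value.
SAMPLE_ROWS = {
    "siteurl": b"http://example.com",
    "theme_mods_demo": b'a:2:{s:11:"header_logo";s:43:"http://example.com/wp-content/uploads/l.png";i:0;b:0;}',
}

if __name__ == "__main__":
    for name, value in SAMPLE_ROWS.items():
        print(name, "->", replace_in_value(value, b"http://example.com", b"https://example.com").decode())
```

Apply it row by row over option_value, meta_value and post_content, inside a transaction and after a backup. WP-CLI’s search-replace command performs the same serialization-aware rewrite, so on a host that provides WP-CLI that is the easier route.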

The Ultimate Solution: Extended Validation

Extended Validation (EV) certificates, rather than just showing “Secure”, display your business name, indicating that you’ve gone through a process to validate that your business is, in fact, what you say it is.


An EV certificate provides the highest level of security because both the domain used and the organization behind it are vetted. It’s also backed by a warranty which compensates the end user, should the site owner (you) have obtained the certificate on fraudulent pretenses, and something goes wrong. While this warranty won’t benefit you directly, it helps to assure your visitor that you are trustworthy.


In addition, the added vanity effect this certificate has is great. For example, on mobile Safari:



So how do you get an EV SSL certificate? Well, it certainly requires more effort and paperwork than with CloudFlare and Let’s Encrypt, as it isn’t called “extended validation” for nothing!


The following steps are involved:


  1. Ordering the certificate.
  2. Documents: this typically involves a signed agreement to request the certificate, identify the requester, and cover the legal warranties.
  3. Verification of business documents: the paperwork about the business.
  4. Verification behind the scenes: the CA will do research to verify information about your business, and about you.
  5. Verification by phone: both for the certificate requester and for the business contact.

My Experience With Extended Validation

I ordered an extended validation certificate for a website of mine, and the process went relatively smoothly. I’ve briefly documented the required steps here to give you an inside look into the process.


Step 1: Ordering the Certificate

Domain validation is part of the whole process, and NameCheap has a few steps in place to set this up, after which Comodo takes over. I ordered a Comodo EV SSL certificate, which you can get at most larger registrars, as well as directly from Comodo.


Step 2: Signed Documents

I first needed to sign a certificate request by hand, which was followed up by a more extensive certificate subscriber agreement. The first form was used to identify both my company and me, as well as the domain involved. This is also where I needed to fill in my Assumed Name (Let’s Grind Some Coffee), to be used instead of my business name.


Next up was an 8-page subscriber agreement, which is used to cover all the legal implications that come with a certificate. Both forms are used in step 4, where I had to verify myself, the application, and my business by phone.


While this document isn’t something to worry about, it is used to set the boundaries for certification fraud. All documents had to be printed, signed, scanned, and sent back.


Step 3: Verification of Business Documents

As my business was incorporated in the Netherlands, the Comodo verification team didn’t have access to the local Chamber of Commerce register. I had to send in an extract of my registration, which was a digitally signed document.


Important note about Assumed Names: If you intend to use an Assumed Name, it’s important that you have this name registered as a trade name prior to your EV application. If you don’t have a trade name registered, you can’t have an Assumed Name in your certificate.


Step 4: Verification Behind the Scenes

I don’t know all the actions which were performed as a part of their verification, of course. However, investigators can check social profiles, such as LinkedIn, use tools like Google Maps to check the physical location of your company, or potentially even send someone to the listed address to check it out.


As both I and my company were easy to find on the internet, this step didn’t cause any real delay, but depending on the circumstances, it could take longer than it did in my case.


Step 5: Verification by Phone

The final step was for them to call me to verify my request, business details and domain name, and actually speak to me. The call lasted a few minutes, where I had to answer a few verification questions like “Are you Jacco Blankenspoor?”, “For which domain name are you requesting this certificate?”.


The agent confirmed everything was correct, and that I would receive my certificate within a day. A few hours later, I received the mail containing both my certificate, as well as a Comodo Trust logo to display on my site.


The whole process requires quite a bit of paperwork. If you’re just interested in getting a regular SSL certificate, with just the green padlock and not your business name, any regular domain validated SSL certificate will do. In either case, once you have it, all you have to do then is get it uploaded to your hosting environment; check your host’s support pages for instructions on doing so.


Conclusion

Whether you get a basic Domain Validation certification or go full-on with an Extended Validation certification to have your business name displayed, it’s now easier than it ever was before to build a secure WordPress site, and make your users feel safe.


In the end, it comes down to this:


  • A CloudFlare certificate is the most convenient process of all. It will do, but given all of its downsides, this wouldn’t be my preferred choice.
  • If you’re looking for basic security, a free Let’s Encrypt certificate will do and shouldn’t be too much of a hassle to get up and running. Also, it will keep Google off your back about your site being insecure.
  • If maximum security and maximum customer peace of mind is what you’re after, an EV certificate is what you need.

If you have any questions, please let me know in the comments, where I am happy to help.


Translated from: https://www.sitepoint.com/secure-wordpress-with-ssl/
