No https on Wordpress login page?


#1

Hello,

Just bought a GrovePi and subscribed to this forum. I’m a system engineer with 10 years of experience in servers, storage and monitoring.

I wanted to let you guys know that http://www.dexterindustries.com/login/ is not ssl encrypted, which is a serious security issue. You guys should fix asap, as not setting https for Wordpress login page makes it very easy to steal logins and passwords. Also the webshop part of your website is not encrypted…
Noticed same problem for http://bazaar.seeedstudio.com/login.html Not sure if ‘Dexter Industries’ and ‘Seedstudio’ are the same company but seriously guys, you really can’t make a webshop which has no decent SSL configured… One of these days you or they will have a problem.

Please know that SSL certificates don’t have to cost anything this time. Consider reading through this: https://letsencrypt.org/ and https://outsideit.net/naf-letsencrypt-autorenew/

Also please note that the forum is very slow.

I hope you guys are not offended by my remarks and will be making an effort and fix this. Personally I would never buy a product on a webshop which has no decent SHA256 certificates configured. :slight_smile:

Willem


#2

I’ve ordered through Dexter’s website several times. You’ll notice that checkout is secured with HTTPS and if I select pay with Amazon, that’s over HTTPS as required by Amazon. The cost of using HTTPS for all web traffic is overkill in my biased opinion. HTTPS for the forum is also overkill, unless it’s using hardware SSL.

my biased 2/10 cent


#3

Hey willemdh, thanks so much for your input and advice on this. We weren’t aware that the WP login needed to be https, but we’ll get in touch with our website folks about it and report back.

As woolfel points out, we run HTTPS on checkout to protect folks there, as required by Amazon and Stripe. We may not expand it out to the entire site because as you point out, it’s already running slow.

We’re a different company than Seeed, based out of the U.S.

Any ideas on how we can speed up our website?

John


#4
> The cost of using HTTPS for all web traffic is overkill in my biased opinion. HTTPS for the forum is also overkill, unless it’s using hardware SSL.

I never said to use https for the whole website. Although I don’t see a reason why not if you got the resources. The difference in speed is not that big.

But at the very least the login parts and the webshop parts need to be protected. I could Google up for you a bunch of reasons why to do this, but I’m sure you know how to use Google yourself. :slight_smile: Check out the letsEncrypt links I sent you, as I said it doesn’t have to be that difficult and costs nothing.

About speeding up your website. In order to find out what the exact bottleneck is, you will need to monitor your server. If you have a VPS of course and not shared hosting. You should be using some kind of monitoring system to monitor your server such as Nagios, Icinga, Check_mk, Zabbix. The problem could be CPU Load, Memory Usage, Disk IO, network congestion… Too many factors for me to just guess what the issue could be.

As it is WordPress, you should check if your website uses compression; if not, you could use this plugin: GZip Ninja Speed Compression

You could use a caching plugin too, but that’s not really optimal for the forum…