Migrating my WordPress blog to SiteGround

I was looking around for a different web hosting company, and decided to give SiteGround a try, because they seem to have a good quality service at a reasonable price.

I signed up for their GrowBig hosting plan that allows you to host multiple domains/sites on one account, and also fully supports the Let's Encrypt free SSL service.

Google are keen for the whole of the web to be encrypted. They announced a few years ago that they started to boost web pages in their search results that are hosted on secure sites, and also that later this year the Chrome browser will highlight "Not Secure" web sites.

I had already played around with installing an SSL certificate for my richardbloomfield.com site, but SSL certs can be expensive to buy and maintain, and my old host would only allow me to install one cert on my shared hosting account – so I could only secure one of my domains.

To perform the migration of my WordPress blog between hosts, I followed the instructions on this page:

How to Move WordPress to a New Host or Server With No Downtime

It uses a plugin called Duplicator that does all the heavy lifting of creating a complete backup of your existing site – including the WordPress database (that stores all your posts, pages, comments, and settings), and all the WordPress files (the WordPress software itself plus any themes and plugins you've installed).

The blog installed without any problems on my new hosting account, and I was left with an exact copy of my old WordPress installation.

Then all that was left was to log into the SiteGround control panel and enable the Let's Encrypt SSL for that domain with a couple of clicks, and I was all set.

I also installed the SG Optimizer plugin that allows me to make use of the SiteGround dynamic web cache (which really speeds up my web site) and allows for a one-click option to force all blog traffic over the HTTPS secure connection.

Gmail two-factor authentication

It's interesting that Google had revealed that fewer than 10% of people using Gmail have two-factor authentication active on their account. Most people are relying on just their password to protect them!

So why should anyone be worried about their email getting hacked? A lot of people might say that their email doesn't contain anything of particular value to worry about – but they forget that your email is often the access key to every other service you use online.

Think about all the forgotten password reset forms you've ever filled in. Most of the time, all they require is for you to enter your email address, and then click on a link in the subsequent email they send you.

So, if I have access to your email account, I can start accessing all your accounts: all your social media accounts, all your online utility accounts, and maybe even some of your bank/financial accounts. I can certainly find out a lot of information about you that I could use for identity fraud.

I also have full access to all your contacts, and can approach them, pretending to be you, and try and scam them out of money or information.

So I'd certainly recommend that your email account should be the most secure account you have online – precisely because it's the gateway to all your other accounts.

So what is two-factor authentication then?

Two-factor authentication requires you to enter two pieces of information to access your account. The first authentication is your password, and the second is typically something like a 4 or 6 digit code sent via SMS to your phone.

With two-factor authentication enabled, you need to have access to both your password and a physical device (your mobile/cell phone) to access your account. And so it makes it a lot harder for someone to hack into your account.

Google makes it even easier to use, in that it offers alternatives to the typical SMS code sent to your phone. You can do your second authentication by using any of these methods:

  • clicking a button on your phone
  • running an authentication code app (useful if you don't have signal to receive an SMS)
  • receiving an automated voice call to your mobile or landline
  • storing a security code on a USB stick
  • having a printed list of codes

And once you have authenticated yourself on a particular computer or device you often don't need to re-authenticate yourself for a month or more – and so it's not that big a hassle.

And to enable it, all you have to do is visit the Google 2-Step Verification site and turn it on. It takes only a few minutes, and could go a long way to securing yourself online.

What about other services?

You can enable two-factor authentication on all major sites such as Facebook, Twitter, Instagram and LinkedIn. Your bank probably forces you to use it, or has some additional security steps to try and protect your account.

And you can visit the site Two Factor Auth to find out which of the online services you use have it available.

Playing around with SSL certs

Inspired by a blog post I was reading recently, I started having a play around with an SSL cert.

An SSL cert is what enables a website to encrypt the traffic to and from the end user. This improves security and trust, and I’ve read that it also improves your search rank in Google. The most notable difference to a web site visitor is that the URL of the site changes from http:// to https:// and a little padlock symbol is displayed next to the URL in the address bar.

Some SSL certs can be really expensive to buy. The ones from my own hosting provider range from €30 to €700 a year, depending on the type of cert you want. However, by shopping around a bit on the web, I came across SSLs.com who sell certs from as low as $5 a year!

Buying the cert is the easy bit. Configuring it and installing it is a bit more tricky, and I couldn’t find any easy instructions online.

  • First of all you need to generate a CSR (Certificate Signing Request). When generated it looks like a really long string of random letters and numbers. Often you need to ask your web host to create the CSR for you, but I found this tool from SSL Store to generate mine. Make sure you keep the CSR and Private Key safe!
  • Back at SSLS.com you then need to activate your SSL cert – and you will be prompted to enter the CSR. Copy and paste the full value into the box provided. The SSL cert will then be generated and emailed to you in a ZIP file.
  • I installed the supplied SSL cert myself using my web host’s control panel. Make sure you install all the certs provided, together with the Private Key you supplied earlier. In the ZIP file you’ll find your domain cert and three CA certs. Install them all.
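
Generating the key pair and CSR on your own machine means the private key never passes through a third-party web form. This added example (not from the original post) does that with the openssl command-line tool and then checks that a CSR or an issued certificate belongs to your private key before you paste it into a control panel. The domain example.test and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. example.test and the file
# names are placeholders (assumptions).

# Generate a 2048-bit RSA key and a CSR for it on your own machine.
# umask 077 makes the key file readable only by you.
make_csr() {  # usage: make_csr <domain> <key-out> <csr-out>
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null )
}

# Print the PEM public key contained in a private key, CSR or certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert <file>
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key. A parse failure
# on either side counts as a mismatch, never as a match.
same_pubkey() {  # usage: same_pubkey <type> <file> <type> <file>
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on constructed data: a self-signed cert stands in for the one the
# CA e-mails back, and a second key plays the part of the wrong key.
demo() {
    d=$(mktemp -d) || return 1
    make_csr example.test "$d/site.key" "$d/site.csr" || return 1
    make_csr example.test "$d/other.key" "$d/other.csr" || return 1
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" \
        -days 1 -out "$d/site.crt" 2>/dev/null || return 1
    same_pubkey csr "$d/site.csr" key "$d/site.key" && echo "CSR matches key"
    same_pubkey cert "$d/site.crt" key "$d/site.key" && echo "cert matches key"
    same_pubkey cert "$d/site.crt" key "$d/other.key" || echo "wrong key rejected"
    rm -rf "$d"
}

demo
```

Only the CSR goes to the certificate seller; the key file stays on your machine until you install it alongside the issued cert.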

The cert should now work for your domain, and you should be able to view your site securely using https at the start of the domain.

For my WordPress site, I also installed the WP Force SSL plugin to automatically redirect non-secure traffic to the secure domain.

Anyway, so it all works, and my richardbloomfield.com site is now encrypted and secure!