SSL and TLS are both cryptographic protocols, and TLS is an evolution of SSL. However, TLS is sometimes referred to colloquially as SSL, such as “SSL certificate”, even though all versions of the SSL protocol are disabled at VIP.
A VIP Go site must have a TLS certificate installed in order to be active. TLS is a requirement because every site uses a custom domain for both the front-end and admin area, and because we want to ensure each site has a secure admin area and login process.
Note that our TLS implementation is SNI based, which means some legacy browsers will not be fully supported in their access to pages served over TLS.
By default, the VIP team will handle the procurement, installation and renewal of TLS certificates for all VIP Go sites, beginning with the initial site setup process. We procure and install certificates from Let’s Encrypt.
If you would like to provide your own TLS certificate, please mention that during initial site planning conversations, and open a support ticket making note of it during the site setup process. From there:
- The VIP team will provide you with a CSR to use in obtaining a certificate.
- You can obtain the certificate from a certificate authority of your choosing. The certificate needs to include both “www” and the root version of a hostname, so a SAN or wildcard certificate is probably best.
- The maximum certificate validity period that VIP can accept is 398 days.
- Deliver the certificate to us via support ticket. If you want to also provide a private key, please contact us for notes on how to do so securely; please do not attach a private key to a support ticket or regular email message.
- The VIP team will install the TLS certificate and confirm that it is working as expected.
Whole-site HTTPS is enabled for all sites by default. This means all front-end and all admin traffic requesting the site over an insecure HTTP protocol will be redirected to HTTPS.
If another mode of HTTPS is required, please let VIP know as soon as possible. These modes are available:
- HTTPS Admin/Dual Frontend — Redirect all admin area traffic to HTTPS, but allow HTTP or HTTPS traffic for the front end. If you require certain URLs within your site to be HTTPS only (such as a checkout or donations page), then you can apply the appropriate redirections in WordPress theme or plugin code.
- HTTPS Admin/HTTP Frontend — Redirect all admin area traffic to HTTPS, and redirect all front end traffic to HTTP.
HTTP Strict Transport Security
VIP Go supports and strongly encourages the use of HTTP Strict Transport Security (HSTS) headers, which declare to supporting web browsers that a website is accessible only over an HTTPS connection. HSTS headers are an important security measure as they prevent person-in-the-middle attacks, protocol downgrade attacks, and cookie hijacking. When HSTS is activated, it adds the Strict-Transport-Security header with max-age=31536000 (or a lower number if needed). The includeSubDomains option is also available.
Please be aware that if you configure HSTS headers for your site and then revert the site to responding over HTTP only, any previous visitors will effectively be blocked from accessing your site as their browser will not allow HTTP requests to be made. This is not a bug; this is how HSTS is designed to work.
If you would like your site to be configured for HSTS, please open a support ticket.
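The following is an added example, not VIP's own tooling, that checks a certificate you intend to submit against the rules given above (validity of at most 398 days, coverage of both the root hostname and its "www" form) and checks a Strict-Transport-Security header value against the HSTS configuration described here. It also shows a caveat worth knowing when choosing a wildcard certificate: a wildcard name matches exactly one label, so `*.example.com` covers `www.example.com` but not `example.com` itself. The hostname, dates and header values are constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_CERT_DAYS = 398              # VIP's stated maximum certificate validity
DEFAULT_HSTS_MAX_AGE = 31536000  # the max-age VIP configures (one year)


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives.

    Valueless directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def hsts_problems(header_value: str) -> list:
    """List problems with an HSTS header relative to the policy described above."""
    problems = []
    max_age = parse_hsts(header_value).get("max-age")
    if max_age is None or max_age is True or not max_age.isdigit():
        problems.append("max-age directive missing or not an integer")
    elif int(max_age) > DEFAULT_HSTS_MAX_AGE:
        problems.append("max-age exceeds the default of one year")
    return problems


def _name_covered(name: str, sans: list) -> bool:
    """Exact SAN match, or a wildcard SAN that replaces exactly the first label."""
    if name in sans:
        return True
    _, _, parent = name.partition(".")
    return bool(parent) and ("*." + parent) in sans


def cert_problems(sans: list, not_before: datetime, not_after: datetime, hostname: str) -> list:
    """Check a certificate's names and lifetime against the acceptance rules above."""
    problems = []
    lifetime_days = (not_after - not_before).days
    if lifetime_days > MAX_CERT_DAYS:
        problems.append(f"validity of {lifetime_days} days exceeds {MAX_CERT_DAYS}")
    root = hostname[4:] if hostname.startswith("www.") else hostname
    for needed in (root, "www." + root):  # both forms must be covered
        if not _name_covered(needed, sans):
            problems.append(f"certificate does not cover {needed}")
    return problems


if __name__ == "__main__":
    issued = datetime(2024, 1, 1)  # constructed sample: wildcard-only cert
    print(cert_problems(["*.example.com"], issued, issued + timedelta(days=397), "www.example.com"))
    print(hsts_problems("max-age=31536000; includeSubDomains"))
```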
Non-production sites on VIP Go
Non-production sites on VIP Go can use a subdomain of the go-vip.co convenience subdomain, which is covered by a wildcard TLS certificate. All sites using this convenience subdomain are set to the whole-site HTTPS option described above, with all HTTP traffic being redirected to HTTPS; this cannot be changed.
Please note that sub-subdomains of the convenience domain are not currently supported.