SAVE 25% when you purchase our Theme Bundle and Make Plus together. View bundle deal.

SSL everywhere

By Zack Tollman on January 31, 2014

Graphical representation of the words https://

On Wednesday night we switched this website to a brand new server. If you look at the URL bar, you’ll see https at the beginning of the URL. That extra s after “http” means you’re browsing over an encrypted and secure connection. We’re now serving 100% of our web traffic over a secure, SSL connection. We have always protected the e-commerce portions of our website, but we’re excited to roll out SSL everywhere. This doesn’t yet include our theme demo sites, but we’ll be moving those over as well.

What is SSL and why does it matter?

An SSL connection encrypts all the data that is passed between your browser and our web server. This prevents someone from intercepting those communications. SSL is like two people talking in a private room. Unencrypted connections of the http variety are like talking in a crowded bar, where anyone on the network can listen in. As the web matures, and attacks get more sophisticated, SSL is becoming more and more important.

Did you know that Surf Office, Postmatic, Yeah Dave, and over 700,000 small businesses run their websites with Make, our free WordPress page builder. Discover the Make page builder now.

We take security seriously at The Theme Foundry and we are excited to offer this extra layer of privacy and security to our customers and visitors. We are constantly working hard to improve security, both in our theme products and our website.

New infrastructure

We’ve also invested time overhauling our infrastructure. Implementing SSL usually slows down your site. An SSL connection takes longer to establish because the browser and the server need to exchange additional information in order to secure the communications. We’ve always been proud of having a fast website, and wanted to preserve the site’s excellent performance. To help mitigate this performance hit, we implemented Nginx with SPDY 3.1, which speeds up HTTPS requests and makes up for the time lost with the initial SSL connection.

More details coming soon

You may not notice much of a difference with the site, but you should know it’s now much more secure and performant. We put the same care and effort into our website as we do our themes.

For the technical minded, we’ll be diving into some of the details around setting up our new infrastructure over the coming weeks.

10 Comments

  1. Zack Tollman

    Hi Pothi! We’ll have a cool article looking at the performance aspects of this change next week. We found some really cool things.

  2. Sami Keijonen

    Do you mind if I ask one question. In what way you serve only HTTPS urls? Meaning that when I go to HTTP url, it takes me automatically to HTTPS.

    I have searched everywhere but can’t seem to find decent way to do it.

  3. Zack Tollman

    Hi Sami!

    Great question! We have added a redirect at the Nginx level. Any request coming in on port 80 with “http” is automatically redirected to port 443 with “https”.

    The Nginx rule to handle this looks like:

    server {
    listen 80;
    server_name thethemefoundry.com;
    return 301 https://thethemefoundry.com$request_uri;
    }

    Alternatively, if you want to handle this at the WordPress level, you should checkout the WordPress HTTPS (SSL) plugin. It helps you configure these sorts of options. We chose to do it at the Nginx level because there is a lot of overhead in loading a PHP app just to redirect from http to https.

  4. Sami Keijonen

    Thanks Zack! I’ll talk to my host if there is something they can do.

    I have tried WordPress HTTPS Plugin but I had some issues with it. For example theme customizer was blank but I’ll take another look at it.

  5. Zack Tollman

    I had some issues with it too, primarily related to redirect loops. If you have access to your Apache or Nginx configs, I would highly recommend doing your redirect at that level. It’s much more straight forward and stable. It’s not too hard to set up either.

  6. Zack Tollman

    No problems, Sami! Good luck getting everything set up.

  7. Gita

    I use SSL for my Admin login, but not for blog posts.
    Was thinking about it, but SSL everwhere surely increase load for server. :(

  8. Zack Tollman

    Hi Gita!

    SSL does incur some extra processing cost, but on modern hardware, the cost is nominal. In fact, if coupled with SPDY, you can actually save extra processing as only a single TCP connection will need to be established to your server.

Comments are closed.