Really Simple SSL, a popular plugin used on more than five million sites for installing SSL certificates, handling website migrations, mixed content, redirects, and security headers, has added a new feature in its most recent major update.
Version 7.0.0 introduces vulnerability detection as part of a partnership with WP Vulnerability, an open source, free API created by Javier Casares with contributions from other open source, freely available databases. Once enabled, it notifies users if a vulnerability is found and suggests actions.
“Really Simple SSL mirrors the free database with its own instance to secure stability and deliverability, but of course provides the origin database with an API to enrich, or improve its current data,” Really Simple Plugins developer Aert Hulsebos said.
The new vulnerability detection feature is not enabled by default, so users will need to enable it in the settings. A modal will pop up where users can configure their notifications and run the first scan.
When emailed about a vulnerability users can manually respond with an action or set the plugin to automatically force an update (when available) after 24 hours of no response. There are other automated actions the plugin can take based on how users configure the Measures section of the settings.
For the past several years Really Simple SSL has been providing SSL certificate configuration and installation via Let’s Encrypt as a first pass at securing WordPress sites. To finance this for the free users, the plugin also has a Pro version that handles Security Headers, such as Content Security Policies, which are highly complex for most and not easily configured.
“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.
“The nature of our partnership with Javier and WP Vulnerability is sponsoring the efforts of WP Vulnerability and appointing a security consultant ourselves to this open-source effort to improve, and moderate the open-source database daily. WP Vulnerability does not compensate us, nor does it have a stake in Really Simple SSL. Vulnerability detection is available for everyone and always will be.”
Because Really Simple SSL started as a lightweight SSL plugin, Hulsebos said they have taken a modular approach to minimize impact on users who only want or need certain features. Following the launch of the new vulnerability detection feature, the plugin’s authors plan to add login security with 2FA to better secure authentication on WordPress sites.
I see it’s got very high ratings, nice. I wonder what’s the impact on performance though. Might test it out in some smaller project.