Really Simple SSL has rebranded to Really Simple Security as of version 9.0.
Rogier Lankhorst originally launched Really Simple SSL in 2015 as a simple and performant way to migrate WordPress sites to HTTPS/SSL. Back in 2015, getting a WordPress site up and running over HTTPS was often a headache: site owners had to set up a (performant) redirect from HTTP to HTTPS, get rid of mixed content and account for server-specific variables, adjusting their WordPress configuration accordingly before the site would work correctly over HTTPS.
The ability to simply enable a plugin that detects the changes needed for a site to function over HTTPS and applies them automatically made Really Simple SSL a popular choice for many WordPress users. Over the years, Really Simple SSL became the go-to solution for migrating WordPress sites to HTTPS, and the plugin is actively used on millions of WordPress sites worldwide.
As SSL has become the standard for every site, migrating legacy sites from HTTP to HTTPS (with all the issues that involves) is less of a concern these days, though correctly enforcing SSL/HTTPS remains essential for every website. For a site without a valid SSL certificate, or with an SSL configuration issue, browsers display an “insecure site” warning, and most visitors leave immediately.
Over time we optimized the plugin’s core SSL functionality and expanded on its original feature set with features that let users easily enable the recommended (and up-to-date) security headers with secure settings. This was a logical next step, as the HSTS header is a must-have for any solid SSL configuration. From there we went on to offer all of the relevant security headers, as we found there was no easy way to implement these headers and use their full security potential on WordPress websites.
While operating and securing our own WordPress websites over the years, we have used every major security plugin currently available for WordPress. We switched from time to time because we found that these plugins:
- Tend to have a noticeable impact on performance
- Are often packed with difficult to understand settings
- Regularly trigger false positives that you then have to ignore manually
- Contain features that should ideally not be delivered within a WordPress plugin (e.g., resource-intensive scanning or WAF functionality which is preferably handled through network-level protection)
As the security headers (our first step beyond SSL-only features) were positively received by millions of WordPress and Really Simple SSL users, we figured we were in a unique position to expand the Really Simple SSL plugin further by bringing essential security features to WordPress.
With the above experiences in mind, we felt there was room for an alternative that is more performant, lean and user-friendly, though we understood very well that this would not be an easy task. That is when we invited Peter Tak to join our team. Peter is a security researcher with over 20 years’ experience in enterprise-grade security.
We started a two-year development process to deliver a lean and powerful, yet simple to use, WordPress security plugin.
Features
WordPress Hardening (Basic)
- Disable 'Anyone can register'
- Disable the built-in file editors
- Prevent code execution in the uploads folder
- Hide WordPress version
- Prevent login feedback
- Disable directory browsing
- Disable user enumeration
- Block the username 'admin'
- Disable XML-RPC
- Prevent identical login and display names
- Disable HTTP methods
- Rename and randomize database prefix
- Change debug.log file location
- Disable application passwords
- Restrict creation of administrator roles
- XML-RPC Policy Generator
- File Permissions check
- Custom Login URL
- Two-Factor Authentication
  - E-mail verification
  - Authenticator apps (TOTP)
  - Enforce 2FA and enable methods per user role
  - Seamless integration with the standard WordPress login flow
- Passkey Login
  - User-friendly passwordless login
  - Resistance against phishing
  - Integrates with modern browsers/devices, in combination with biometrics such as fingerprint and Face ID
- Password Security
  - Enforce strong passwords
  - Enforce frequent password change
  - Compromised password check via Have I Been Pwned
- Limit Login Attempts
  - Temporarily block IP addresses and usernames
  - Restrict login attempts by geographic region
  - Allow legitimate users to unblock themselves with a CAPTCHA
  - Dedicated event log to track login attempts
- Recurring Vulnerability Scan
  - E-mail and WordPress dashboard warnings
  - Plugins, themes and WordPress core
  - Force-update or quarantine vulnerable components
- Region Restrictions
- IP or Username Blocking
- 404 Blocking
- User-Agent Blocking
- HSTS & HSTS Preload
- Frame Ancestors (X-Frame-Options)
- X-Content-Type-Options
- Content Security Policy
- Referrer Policy
- Permissions Policy
- Cross-Origin Isolation
- Enforce SSL
- SSL server health check
- Best-practice 301 redirect to HTTPS
- Automated Mixed Content Fixer
- Let's Encrypt SSL certificate generation
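The security headers and the HTTPS redirect in the list above only help when they are sent with secure settings. The following is an added example, not code from Really Simple Security, that audits a response's headers against those settings: a one-year HSTS max-age with includeSubDomains and preload, X-Content-Type-Options nosniff, a frame-ancestors directive (or X-Frame-Options as the legacy fallback), a Content-Security-Policy with a default-src fallback, Referrer-Policy, Permissions-Policy, and COOP/COEP for cross-origin isolation, plus a check that a plain-HTTP response is a 301 to an https:// URL. The thresholds and the sample responses are assumptions constructed for this example.

```python
"""Audit HTTP response headers against recommended security-header settings.

Added illustration, not code from the Really Simple Security plugin. The
thresholds (one-year HSTS max-age, COOP same-origin + COEP require-corp) are
the commonly recommended values and are assumptions of this example.
"""

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age for the preload list


def _parse_directives(value: str) -> dict[str, str]:
    """'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into directive -> list of sources."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(status: int, headers: dict[str, str], scheme: str = "https") -> list[str]:
    """Return a list of findings; an empty list means every recommended setting is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # A plain-HTTP request should get nothing but a permanent redirect to https://.
    if scheme == "http":
        loc = h.get("location", "")
        if status != 301 or not loc.lower().startswith("https://"):
            findings.append(f"http request not 301-redirected to https (status {status}, Location={loc!r})")
        return findings  # the header checks below apply to the HTTPS response

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS missing includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS missing preload")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking: frame-ancestors in CSP is authoritative; X-Frame-Options is the legacy fallback.
    csp = _csp_directives(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")

    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    # Cross-origin isolation needs both COOP same-origin and COEP require-corp (or credentialless).
    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    coep = h.get("cross-origin-embedder-policy", "").strip().lower()
    if coop != "same-origin" or coep not in ("require-corp", "credentialless"):
        findings.append("cross-origin isolation incomplete (need COOP same-origin and COEP require-corp)")

    return findings


# Constructed sample responses for the example; not captured from any real site.
WEAK_HTTPS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "script-src 'self'",
}
HARDENED_HTTPS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
TEMP_REDIRECT = {"Location": "https://example.com/"}

if __name__ == "__main__":
    for name, status, hdrs, scheme in [
        ("weak https", 200, WEAK_HTTPS, "https"),
        ("hardened https", 200, HARDENED_HTTPS, "https"),
        ("302 http", 302, TEMP_REDIRECT, "http"),
    ]:
        print(name, "->", audit_headers(status, hdrs, scheme) or "OK")
```

The audit deliberately treats a 302 from http:// as a finding: only a 301 (permanent) redirect lets browsers cache the upgrade, which is why the feature list calls for a 301. Likewise, HSTS with a short max-age or without includeSubDomains is reported even though the header is present, because the preload list requires both.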
What’s on the horizon?
- Further simplification of the onboarding and configuration process.
- Passkey login
- Extended Firewall capabilities and presets
- Extending the plugin’s Learning Mode capabilities (as currently available for features such as Content Security Policy and XML-RPC) to other areas of the plugin
Feedback and suggestions
We recognize that transitioning Really Simple SSL from a single-purpose SSL configuration plugin to a full-featured WordPress security tool represents a significant shift in the product’s scope and functionality. If you have any suggestions, questions or remarks about the transition to Really Simple Security, please reach out to our Support Team. Our plugins are co-created with the WordPress community, so user feedback is very important to us!