Are you looking for a Really Simple SSL review to see whether it’s the right security plugin for your WordPress website?
This popular plugin can add an SSL certificate to your site, and then secure your pages using HTTPS. It also comes with extra features that are designed to harden your WordPress security, including server health checks and vulnerability detection.
In this Really Simple SSL review, we’ll help you decide whether this popular Secure Sockets Layer plugin is right for you.
Really Simple SSL Review: Why Use It in WordPress?
Really Simple SSL is a security-focused plugin that helps you install an SSL certificate on your WordPress website.
Upon activation, this popular plugin will check your site’s settings and then create an SSL certificate using Let’s Encrypt. Depending on your server configuration, Really Simple SSL may even be able to install this SSL certificate for you.
With that done, Really Simple SSL will replace HTTP URLs with HTTPS, and attempt to fix any mixed content errors across your entire WordPress blog or website.
It can also notify you when your WordPress plugins, theme, or version of WordPress core contain known security vulnerabilities. This allows you to take action quickly, to keep your website and visitors safe.
If you’re just getting started or have a limited budget, then you can download a lite version of Really Simple SSL from WordPress.org.
This plugin can install a free SSL certificate on your site, and migrate it to HTTPS with ease. It will also display information about your server’s health, so you can analyze the server configuration and the impact it’s having on your site’s security.
However, if you upgrade to the premium Really Simple SSL plugin, then you’ll get access to more advanced features. This includes a mixed content fixer, and the option to either update or quarantine any insecure software automatically.
Really Simple SSL Review: Is It the Right SSL Plugin for You?
An SSL certificate encrypts the data exchanged between your website and visitors. This makes it more difficult for hackers to steal sensitive information. In fact, you’ll need an SSL certificate before you can accept any payments online, so it’s a must-have for online stores, marketplaces, and business sites.
With that said, let’s see if Really Simple SSL is the right Secure Sockets Layer plugin for you.
1. Easy to Set Up
It’s easy to get started with this popular SSL plugin. To begin, simply install and activate it, just like any other WordPress plugin.
Upon activation, Really Simple SSL will check your site for an active SSL certificate. If it doesn’t find one, then it will generate a certificate and may even install it automatically, depending on your server configuration.
After that, it will update your website to use HTTPs and attempt to fix any mixed content errors.
Although there are some settings and extra features to explore, this is all you need to instantly improve your WordPress security. With that said, this is a great security plugin for beginners.
2. Migrate From HTTP to HTTPS
HTTPS or Secure HTTP is an encryption method that secures the connection between the user’s browser and your server.
This makes it harder for hackers to steal data, so it’s particularly important if you collect sensitive information. For example, HTTPS is a must-have for online stores, digital product marketplaces, and any other site that collects payment information.
Really Simple SSL will update your website to use HTTPs, with a single click. It will also set up redirects from HTTP to HTTPs. By default, it will redirect all incoming requests to HTTPs using a 301 redirect, but you can configure it to use an .htaccess redirect instead.
3. Mixed Content Scanner and Fixer
Even after installing Really Simple SSL, your site may still get flagged as not secure. This often happens due to mixed content, which is caused by incorrect HTTPS/SSL settings.
Mixed content errors can have a big impact on your WordPress SEO, so it’s important to find and fix them. The good news is that Really Simply SSL has a built-in mixed content fixer that detects when files are requested over HTTP.
It will then display these issues, complete with a ‘Fix’ button. With that said, you may be able to remove all fixed content errors from your site, with just a few clicks.
If Really Simple SSL can’t fix an error for you, then it’ll display instructions on how to resolve the mixed content error manually.
4. Server Health Check
Really Simple SSL comes with a built-in health checker that will scan your server and check the deployment of your SSL certificate.
It will then display a score based on your server configuration, security headers, and how your SSL is leveraged. You can use this insight to fine-tune your site, and improve its overall security.
5. Vulnerability Detection
There are a ton of themes and plugins that can extend WordPress core. For example, you can turn WordPress into an eCommerce platform by installing plugins such as WooCommerce.
Themes and plugins are a core part of the WordPress experience, but they can also introduce security vulnerabilities. This is particularly true if you’re using outdated themes and plugins, rather than automatically updating to the latest version.
The good news is that Really Simple SSL will scan your site for known vulnerabilities in themes, plugins, and even WordPress core. It will then notify you about any vulnerabilities it discovers, so you can take action.
Alternatively, you can configure Really Simple SSL to check whether an update is available, and then install the latest release automatically. Typically, developers are quick to patch known vulnerabilities so simply updating to the latest version may be enough to keep your website safe.
If there’s no update available, then Really Simple SSL can deactivate the theme or WordPress plugin automatically.
This feature is optional, as disabling important software can lead to all sorts of WordPress errors and strange behavior that may affect the user experience. With that said, we recommend using this feature with caution.
The good news is that Really Simple SSL lets you set a risk level for each action. With that in mind, you might only quarantine a theme or plugin when the threat is considered critical.
In this way, Really Simple SSL can react differently, depending on the threat level.
6. Add Security Headers with Ease
HTTP security headers can protect your site against common threats such as clickjacking, cross-site-forgery attacks, and malware. They can also make it more difficult for hackers to steal your login information.
Really Simple SSL makes it easy to add a range of security headers to your website. This includes X-XSS Protection, X-Content-Type-Options, and X-Frame-Options.
7. Content Security Policy
In addition to the standard security headers, Really Simple SSL can help you create a custom Content Security Policy (CSP). This will tell the browser what content it’s allowed to load, which can prevent cross site scripting (XSS) and clickjacking attacks.
To make this process even easier, Really Simple SSL has a Learning Mode that will detect the resources your visitors use. You can then approve these resources, and create a CSP that’s perfectly suited to your WordPress blog or website.
8. Permissions Policy Generator
Really Simple SSL comes with a built-in Permissions Policy header generator.
This allows you to choose the browser features that your site can use, including external iFrames. For example, you might prevent your site from accessing the visitor’s microphone, or block it from using the Payment Request API.
With Really Simple SSL, you can apply a Permission Policy to your site with just a few clicks.
You can also mark a permission as allowed, disabled, or self. If you choose ‘self,’ then Really Simple SSL will allow the permission for content coming from your own domain name. However, it will block the feature for all external iFrames.
9. Monitor Admin Accounts
If a hacker manages to get admin privileges, then they’ll have unlimited access to your website and all its data. With that said, Really Simple SSL can check every new admin who gets added to your account, to see how they acquired those admin privileges.
If the person wasn’t assigned the admin user role via the WordPress dashboard, then Really Simple SSL will automatically change that person’s role to Subscriber, and send you an email notification. In this way, you can identify hackers who assign themselves admin privileges by exploiting a vulnerability or security loophole.
10. Custom Login URL
WordPress is the most popular CMS platform and powers over 40% of websites. However, due to its popularity it’s also a common target for hackers. Often, these hackers will try to break into your site using common login URLs such as wp-admin and wp-login.
With Really Simple SSL, you can choose a custom login URL instead. Immediately, this makes it more difficult for hackers to find your login page, and then target you using brute force attacks.
11. Hide Your WordPress Version
Hackers may target known security vulnerabilities in specific versions of WordPress. With that said, it’s a good idea to hide your WordPress version number, so hackers can’t immediately see which version you’re using.
The good news is that Really Simple SSL can make lots of small changes to your website’s files, so hackers cannot easily see your WordPress version number.
12. Custom Database Prefix
Really Simple SSL can help you avoid simple attacks by changing your database prefix from ‘wp_’ to a random value.
This will make it more difficult for hackers to find your database prefix and exploit vulnerabilities in your website. Just be aware that they can still find your database prefix programmatically, so this is unlikely to stop more sophisticated attacks.
13. Protect the Debug.log File
Your site’s debug.log file may contain sensitive information such as usernames, server paths, and even passwords. By default, all WordPress websites use the same path for their debug.log, which makes it easy for hackers to find and download it.
To improve your WordPress security, Really Simple SSL can add the debug.log to a folder with a randomized name, and change the path. This simple change adds another layer of security to your site.
For more on this topic, please see our guide on how to find and access WordPress error logs.
14. Disable Application Passwords
Sometimes, you may have a reason to use application passwords on your website rather than regular user passwords.
However, some hackers use application passwords to get around two factor authentication. With that said, if you don’t need to use application passwords, then you can disable them using Really Simple SSL.
15. Disable File Editors
WordPress comes with a built-in editor that allows you to edit your theme and plugin files directly in the WordPress dashboard. Although these editors are useful, hackers might use them to add malicious code to your website, or steal your data.
With that said, you can disable these editors in the Really Simple SSL settings.
16. Prevent Code Execution
By default, WordPress prevents users from uploading .php files to your site’s ‘uploads’ folder. However, if someone does manage to get around this restriction, then Really Simple SSL will prevent that PHP code from being executed.
Just be aware that this feature only works on Apache and Lightspeed servers.
17. Disable Directory Browsing
Directory browsing can put your site at risk by revealing important information to third-parties. If you’ve ever visited a site and seen a list of files and folders rather than a webpage, then you’ve seen directory browsing in action.
This allows hackers to see all the files that make up your website, including all your WordPress themes and plugins.
If any of these items have known vulnerabilities, then hackers might use this knowledge to take control of your site, steal your data, or perform other malicious actions.
Really Simple SSL can disable directory browsing by creating an index.html file in all your folders. With that done, hackers cannot use the directory to learn more about your website.
18. Rename ‘Admin’ Accounts
When you install WordPress, it typically creates an account with the name ‘admin.’ Since so many WordPress sites have an ‘admin’ account, hackers often use this as a starting point for their brute force attacks.
If someone is using the ‘admin’ username on your site, then it’s best practice to change it. The good news is that Really Simple SSL can find every account that has an ‘admin’ username, and replace it with another name of your choice.
Really Simple SSL will then notify this person via email.
With that done, you can configure the plugin to stop new people from registering with the username ‘admin.’
19. Disable User Enumeration
By default, people can look up the usernames of anyone who has published a WordPress page or post on your website. This information can help hackers launch successful brute force attacks, since they only need the password to access a person’s account.
Really Simple SSL has a ‘Disable user enumeration’ setting that prevents people and bots from compiling a list of valid usernames on your website.
For extra security, Really Simple SSL can also prevent people from creating an account where the display name and username are the same. Once again, this makes it more difficult for hackers to find valid usernames on your WordPress website.
20. Disable XML-RPC
XML-RPC is a core WordPress API that allows developers to interact with your website using XML and HTTPS protocols. For example, you might want to manage your site using a mobile app or connect to automation services such as Uncanny Automator.
However, some WordPress security experts recommend disabling XML-RPC if you’re not actively using it. For more on this topic, please see our guide on how to disable XML-RPC in WordPress.
With that said, Really Simple SSL has a unique Learning Mode that will detect how your site is using XML-RPC, and then selectively enable it for specific uses.
21. Disable HTTP Methods
Most WordPress websites don’t need to use methods such as PUT, DELETE and TRACE. With that said, Really Simple SSL can block these methods, which will prevent hackers from using them in their attacks.
22. WordPress Multisite Compatible
Do you run a WordPress multisite network? Really Simply SSL is compatible with multisite and even has a dedicated network settings page.
23. Community and Professional Support
Really Simple SSL is designed with ease of use in mind. Its various settings are divided into tabs, and you’ll find links to the plugin’s documentation throughout the user interface.
However, WordPress security is a huge topic, so at some point you may need extra help.
If you prefer to find answers yourself, then Really Simple SSL has a knowledge base that you can access 24/7.
If you upgrade to the premium plugin, then you’ll also get access to professional support. Just submit a ticket and a member of the Really Simple SSL team will get back to you.
Really Simple SSL Review: Pricing and Plans
If you’re just getting started or have a limited budget, then you can download Really Simple SSL for free from WordPress.org. This plugin can add an SSL certificate to your site, migrate your content to HTTPS, and scan your site for vulnerabilities.
However, if you want access to additional WordPress hardening features, then you’ll need to buy a premium license.
The premium plans all include the same advanced features and tools to help protect your site. That said, the right plan for you will vary depending on the number of sites you own, or manage:
- Personal. For $49 per year, you can use Really Simple SSL on a single website, blog, or online marketplace.
- Professional. Priced at $99, this plan allows you to use Really Simple SSL on up to 5 websites. With that said, Professional is a great choice if you own a few different sites, such as multiple blogs in an affiliate marketing network.
- Agency. For $199 per year, you can use Really Simple SSL on up to 25 websites. This makes the plan ideal for WordPress development agencies, WordPress developers, and anyone else who manages a portfolio of client sites. It also adds support for WordPress multisite, so we recommend this plan to anyone who runs a multisite network.
Really Simple SSL Review: Is It the Right SSL Plugin for You?
After looking at the features, support options, and pricing, we’re confident that Really Simple SSL is a great SSL plugin.
It uses Let’s Encrypt to create an SSL certificate, and ensure private communication between your website and visitors. It also fixes common SSL issues by redirecting all incoming requests to HTTPS and fixing any mixed content errors on your WordPress website.
Beyond that, Really Simple SSL has additional features that can fix miscellaneous vulnerabilities and security loopholes. For example, it can disable directory browsing, XML-RPC, and unnecessary HTTP methods. This makes it more difficult for people to hack your site, and potentially steal sensitive customer information.
The right plan for you, will vary depending on the number of sites where you want to use Really Simple SSL.
The Personal plan allows you to install Really Simple SSL on a single WordPress website. Meanwhile, Professional raises this limit to 5, and Agency allows you to use Really Simple SSL on up to 25 websites.
We hope this Really Simple SSL review helped you decide whether it’s the right SSL and security plugin for you. You can also check out our guide on how to install Google Analytics in WordPress, or see our expert pick of the best contact form plugins.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Syed Balkhi says
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!