VIP Go platform specific
This document is for sites running on VIP Go.
A VIP Go site must have an SSL certificate installed in order to be active. Because every site uses a custom domain for both the front-end and admin area, and because we want each site to have a secure admin area and login process at minimum, SSL is a requirement.
Note that our SSL implementation is SNI-based, which means some legacy browsers will not be fully supported when accessing pages served over SSL.
Setup Process
By default, the VIP team will handle the procurement, installation and renewal of SSL certificates for all VIP Go sites, beginning with the initial site setup process. We procure and install certificates from Let's Encrypt, which provides efficient and automated methods to do so.
If you would like to provide your own SSL certificate, please note this during the initial site planning conversations, and open a support ticket noting this during the site setup process. The steps from there include:
- The VIP team will provide you with a CSR to use in obtaining a certificate.
- You can obtain the certificate from a certificate authority of your choosing. The certificate needs to include both “www” and the root version of a hostname, so a SAN or wildcard certificate is probably best.
- Deliver the certificate to us via support ticket. If you want to also provide a private key, please contact us for notes on how to do this securely; please do not attach a private key to a support ticket or regular email message.
- The VIP team will install the SSL certificate and confirm that it is working as expected.
Options for redirection from HTTP to HTTPS (and vice versa)
We offer several modes for securing your site on VIP Go by redirection:
- “HTTPS Everywhere” – Redirect all traffic to HTTPS; all front-end and all admin traffic which requests the site over an insecure HTTP protocol will be redirected to HTTPS. This is our recommended option for all sites.
- “HTTPS Admin/Dual Frontend” – Redirect all admin area traffic to HTTPS, but allow HTTP or HTTPS traffic for the front end. If you require certain URLs within your site to be HTTPS only, for example a checkout or donations page, then you can apply the appropriate redirections in WordPress theme or plugin code.
- “HTTPS Admin/HTTP Frontend” – Redirect all admin area traffic to HTTPS, and redirect all front end traffic to HTTP.
HTTP Strict Transport Security
VIP Go supports HTTP Strict Transport Security (HSTS) headers, which will force modern web browsers to only initiate a request over HTTPS, converting it from HTTP if necessary. Please be aware that if you configure HSTS headers for your site and then revert the site back to responding over HTTP only, any previous visitors will effectively be blocked from accessing your site as their browser will not allow HTTP requests to be made; this is not a bug, this is how HSTS is designed to work.
HSTS headers are an important security measure as they prevent person-in-the-middle attacks, protocol downgrade attacks and cookie hijacking. We strongly recommend their use.
If you would like your site to be configured for HSTS, please let us know.
Non-production sites on VIP Go
Non-production sites on VIP Go can use a subdomain of the go-vip.co domain, which is covered by a wildcard SSL certificate. All sites using a go-vip.co subdomain are set to the “whole site” option described above, with all HTTP traffic being redirected to HTTPS; this cannot be changed.
Please note that sub-subdomains of the go-vip.co domain are not currently supported.
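A wildcard certificate name covers exactly one label, which matters both for the "www plus root" requirement in the setup steps and for sub-subdomains under a wildcard certificate. The check below is an added example, not VIP's code: the function names are hypothetical, and `example.com`, `mysite` and `preview` are constructed sample values.

```python
# Added example: SAN lists and hostnames below are constructed for illustration.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate dNSName against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, which is how browsers apply RFC 6125.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Reject patterns with fewer than two labels after the wildcard ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, required):
    """Return the required hostnames that no SAN entry covers."""
    return [n for n in required if not any(san_matches(s, n) for s in sans)]


def required_names(root: str):
    """Hostnames the page asks for: the root and its "www" variant."""
    return [root, "www." + root]


if __name__ == "__main__":
    candidates = {  # constructed SAN lists for a hypothetical example.com
        "wildcard only": ["*.example.com"],
        "wildcard + root": ["*.example.com", "example.com"],
        "two-name SAN": ["example.com", "www.example.com"],
        "www only": ["www.example.com"],
    }
    for label, sans in candidates.items():
        missing = uncovered(sans, required_names("example.com"))
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{label:16} -> {status}")

    # One wildcard label only: a sub-subdomain is not covered.
    for host in ("mysite.go-vip.co", "preview.mysite.go-vip.co"):
        print(host, san_matches("*.go-vip.co", host))
```

A wildcard-only certificate fails the check because `*.example.com` does not match the root `example.com`; the root has to be listed as its own SAN entry.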