Protocols are basically rulesets that tell certain types of traffic to behave in certain ways.
Rather than just hoping for the best, as developers, we must consider who needs to connect to where, why, and given those facts, what protocol to use in each situation.
| Who | Where | Why | Protocol |
|---|---|---|---|
| Regular visitor | Website | Shopping/client | HTTP + SSL = HTTPS |
| Editor | Dashboard | Post content | HTTP + SSL = HTTPS |
| Administrator | Dashboard | Maintenance | HTTP + SSL = HTTPS |
| Administrator | Control panel | Maintenance | HTTP + SSL = HTTPS |
| Administrator | Server directory | File management | SFTP |
| Administrator | Database | Maintenance | SSH or HTTPS |
Of course, the reality is that these ideal protocols tend not to be the ones we use.
A guide to web protocols
Secure Sockets Layer (SSL) is a means of verifying identity and encrypting data. When your device first requests to use SSL, the remote machine sends a certificate, an assurance that the service is genuine and not some spoof. Embedded within the certificate is a private key that must correlate to the server's public key in order for your device to decrypt the data, negating the risk of a man-in-the-middle attack. This secure tunnel does not hide the fact that data is flowing, but anything intercepted would take many years to decipher.
Heard of Transport Layer Security (or TLS)? It's very similar. Actually it's better, but that's not to denigrate SSL. This is a bit like comparing a Ferrari with a Lamborghini. Both protocols are top class, but SSL is more widely rolled out.
Secure Shell (SSH) is built on SSL and gives us an encrypted or tunneled connection between machines. We use it mainly for server administration and database work. You may have heard of Telnet, another way to access remote machines. Well, SSH is to Telnet what SFTP is to FTP: a distinctly more secure technology. Talking of which …
File Transfer Protocol (FTP), to be clear, is all too clear, because logon and transfer are done in plaintext. FTP is dangerous and unnecessary. Don't use it.
SSH File Transfer Protocol (SFTP, sometimes referred to as Secure FTP) is a means to transfer and maintain files using a file management utility much like an FTP client, except that logon and transfer are encrypted. Just the ticket! Use it.
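To make the FTP point concrete, here is an added example (not part of the original guide) that scans a captured FTP control-channel dialogue and reports every USER/PASS pair that crossed the wire in the clear. The sample sessions are constructed, the "C:"/"S:" prefixes are an assumed capture format, and only the password's length is reported, never the password itself; with SFTP the same logon is encrypted and there is nothing for this check to find.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel dialogues (not real captures).
# "C:" lines are what the client sent, "S:" lines are the server's replies.
SAMPLE_LOGIN_OK = """\
C: USER webadmin
S: 331 Password required for webadmin
C: PASS hunter2
S: 230 User webadmin logged in
C: CWD /var/www/html
S: 250 CWD command successful
C: QUIT
"""

SAMPLE_LOGIN_REJECTED = """\
C: USER editor
S: 331 Password required for editor
C: PASS wrong-pass
S: 530 Login incorrect.
C: QUIT
"""

@dataclass
class PlaintextLogon:
    username: str
    password_length: int   # length only: the password itself is never reported
    authenticated: bool

_LINE = re.compile(r"^(C|S): (.*)$")

def find_plaintext_logons(session: str) -> list[PlaintextLogon]:
    """Return one record per USER/PASS pair seen in the clear on the control channel."""
    logons: list[PlaintextLogon] = []
    username = None
    pending = None  # logon awaiting the server's verdict (230 = accepted, 530 = rejected)
    for raw in session.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                username = arg.strip()
            elif verb.upper() == "PASS" and username is not None:
                pending = PlaintextLogon(username, len(arg), False)
                logons.append(pending)
        elif pending is not None and text[:3] in ("230", "530"):
            pending.authenticated = text.startswith("230")
            pending = None
    return logons

def exposed_accounts(session: str) -> list[str]:
    """Usernames whose password crossed the wire unencrypted and was accepted."""
    return [l.username for l in find_plaintext_logons(session) if l.authenticated]
```

Any account this returns has had its credentials exposed to everyone on the network path and should be rotated, and the server's FTP service retired in favour of SFTP.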
With our heads-up on the dull stuff, we'll spend the rest of the Cop's Lock Down WP Connections guides implementing best use of these protocols, and where we can, bolster them with Apache's mod_access and mod_auth security modules.