This post follows the post Heroku & WordPress Website Deployment which details how to create and publish a website using WordPress and Heroku. This post details how to secure the connections between the website administrator, the website database, and the website application.
Securing Your Login Domain
Each application also has a free SSL endpoint for the applicationanme.herokuapp.com domain.The code below will protect your login credentials by setting the SSL domain in the configuration variables for all logged in sessions.
$ heroku config:set SSL_DOMAIN="<em>applicationanme</em>.herokuapp.com"
We can also update the “WordPress Address (URL)” setting which is the address where your WordPress core files reside. We will update it to include the https Herkou domain name. This can be updated in the WordPress settings page as shown below.
Alternatively, this can be set int he wp-config.php file by adding the following line of command and then pushing the updated file to Heroku. This also works if you accidentally set the variable to the wrong domain name through the WordPress settings page and got locked out of the dashboard.
Securing Your Database Connection
Additionally, WordPress connects to the database with the content over an unencrypted channel. This is an issue for cloud based installs like ours where the database and application servers could communicate via unsecure means. It is recommended to download the SSL keys and certificates for ClearDB and install them to secure the database connection.
- Go to your Heroku Dashboard and click on your heroku-wp app.
- Click on the “ClearDB MySQL Database” add-on.
- Scroll to the bottom of the page and download the “ClearDB CA Certificate”, “Client Certificate”, and “Client Private Key” in the “PEM Format”.
- Generate Heroku compatible RSA keys from the key file downloaded:
12$ openssl rsa -in cleardb_id-key.pem -out cleardb_id-key.rsa.pem
- Add the keys to the config vars of your app:
1234$ heroku config:set \CLEARDB_SSL_CA="$(cat /path/to/cleardb-ca.pem)" \CLEARDB_SSL_CERT="$(cat /path/to/cleardb_id-cert.pem)" \CLEARDB_SSL_KEY="$(cat /path/to/cleardb_id-key.rsa.pem)"
See the following posts for more information about securing and customizing your website: