13 November 2021

Adding a wildcard SSL certificate to your WordPress site

So this one threw me for a little bit of a loop when I was first trying to figure it out, even though it shouldn’t have. I was just overthinking it. There was plenty of documentation out there for adding a certificate to a single site, but there is not much when it comes to adding a wildcard certificate to a multi-site WordPress install. I guess that was where I had gotten confused. For reference, this was the specific KB article that helped me the most.

For folks that don’t know what I’m talking about, a multi-site install is one where you can host different WordPress sites on the same server. Meaning that site1.<yoursite>.com and site2 .<yoursite>.com could both reside on the same server even if they are about completely different content. Thus you would only have to cover the cost to host one server, instead of paying for two, one for each host. Yes, they do share some resources, so there are some possible drawbacks… But for most personal sites it should not really be an issue for a few sites to share the same host.

You will need OpenSSL installed on your machine before we continue. It’ll likely already be installed if you are using LInux. If it’s not installed please use your OS’s package manager to install it.

Generate a new private key:

sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

Use that key to create a certificate:
***IMPORTANT: Enter the server domain name when the below command asks for the “Common Name”.***

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

Send the cert.csr file to your Certificate Authority (CA). After they complete their validation checks, they will issue you your new certificate.

Download your certificates. You should have received two files, one was your new certificate and the other file is the CA’s certificate. Rename them as follows:

  • STAR_YourSite_com.crt –> server.crt
  • STAR_YourSite_com.ca-bundle –> server-ca.crt

Backup your private key after generating a password-protected version in the pem format.

sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem

Note: To regenerate the key and remove the password protection, you can use this command:

sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key

We’re almost done. Next you’ll open the Apache configuration file to verify it’s setup to use the certificates you just uploaded. The config file can be found at: /opt/bitnami/apache2/conf/bitnami/

Scroll down until you find “<VirtualHost _default_:443>” and verify that it is pointing to the correct certificate, key, and CA certificate bundle that you uploaded earlier. You should find the below lines, if you don’t, go ahead and add them.

SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"

Note: It’s easiest to use these default names and not a custom name for these files. If you use a custom name you might need to update that name in other spots of the Apache config file, and you’ll have to google that on your own. If your cert/key is using another name, I recommend just renaming them to the default names above that Apache uses.

After we have copied our files over and have verified that the Apache config file is correct, we are going to update the file persmissions on our certificate files. We will make them readable by the root user only with the following commands:

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

Open port 443 in the server firewall. If you’re using Bitnami you can reference this KB.

Restart your server.

Once it comes up, you should now be able to connect to your site using HTTPS.


  • If you are looking for where to purchase an SSL certificate, check out SSLs.com. I use them for my projects. I’ve shopped around, and they have the best deals that I have found anywhere on the Internet.
23 April 2021

WordPress tweaks

(Updated 12/6/2021) Here are a few tweaks that I have found and use on my WordPress installs to harden them and improve security. This post is mostly for my own benefit – for when I have to stand up a new server and can’t recollect what I did to my current server/site…. That said, I hope it helps you too.


Please note: While these work for me… I can not guarantee they will work for you.
Please make a backup of your site before you make any changes. I’m not responsible for any changes you make.


  1. Follow my post about adding a SSL certificate to your site.

2. The one comes from the ReallySimpleSSL plugin. It’s a great plugin to use to migrate your site to SSL. Anyways, in one of their articles (link) they go over some settings to add to your site’s htaccess file. Please read their article, before adding the following lines so you understand what each is doing. (Just for reference, here is an article describing how the htaccess file works). If you are running bitnami, try look in “/opt/bitnami/apps/wordpress/conf”.

Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"

Another header that now needs to get added to your htaccess file is a “permissions-policy”, more info can be found here.

Header always set Permissions-Policy "geolocation=(); midi=(); notifications=(); push=(); sync-xhr=(); accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=(); usb=(); xr=(); speaker=(self); vibrate=(); fullscreen=(self);"  

After updating your htaccess file, restart your apache service using the command below,

sudo /opt/bitnami/ctlscript.sh restart apache

Then scan your site’s headers using SecurityHeaders.com to verify that you pass with an A+.

3. A backup/restore solution for your site. I use and recommend the plugin called UpdraftPlus.

4. A solution like WPS Hide Login to hide the normal login page. This will help reduce login attempts done by bots.

5. A firewall and malware scanner solution like Wordfence.

6. Run your site’s URL thru the Qualys SSL Server Test, and address any SSL shortcoming the server might have.

That’s it for now. I’ll try to update this post with more tweaks and hardening suggestions as I implement things.

25 March 2020

WordPress – Set Timezone

I had originally thought that by setting the timezone on a Bitnami server that WordPress would then pull and use that time info. Oh, I was so wrong! It wasn’t a bad exercise, as at least I’ll be able to better read my logs in a more “timely” manner. LOL. But it turns out that setting the timezone info for WordPress is much simpler and doesn’t involve any need to console in or SSH to the server. Lets get started…

Log in with an account that has admin privileges to your WordPress dashboard. In the dashboard menu that is on the left side, navigate to “Settings” then click on “General”

The fifth item down from the top of this page is “Timezone”. Use the dropdown menu to select your desired timezone. Then click the “Save Changes” button at the very bottom of the page. I’m choosing “Honolulu” as my desired timezone.

That’s it! Your WordPress posts will now all reflect the local time you chose as your timezone. It couldn’t be any simpler than that!