[Important] Updates to Your Wordpress Installation

wordpress

#1

Due to upcoming PCI DSS requirement changes, and in order to meet GDPR compliance, we have to retire support for TLSv1.0 or TLSv1.1 protocols on May 1st, 2018. We will only support the TLSv1.2 protocol moving forward after May 1st.


Okay, so what does this mean?

If you’ve received an email or an in-app message from us within the last month notifying you about these changes it means that one or more of the domains currently being used within your Unbounce account is on an outdated version of TLS. If the server your Wordpress instance is hosted on is using outdated TLS protocols it will need to be updated to support TLS 1.2. If your protocols are not updated, traffic to your Unbounce landing pages won’t be properly secured over HTTPS, or could even fail to access your pages. Further, if you offer e-commerce functionality on your Unbounce landing pages, you will not be able to process credit card or PayPal payments.

How do I update my Wordpress Installation to support TLSv1.2?

If you’re managing the server Wordpress is hosted on, you will need to:

  • Upgrade OpenSSL library to version 1.0.1+
  • Upgrade cURL library to version 7.34.0+
  • If possible, upgrade to PHP 5.6+

If you are using a hosted service, you will need talk to the support team so that they can:

  • Upgrade openSSL to version 1.0.1+
  • Upgrade cURL to version 7.34.0+
  • If possible, upgrade to PHP 5.6+

If you’re unsure how to make these changes, we recommend the best place for further assistance would be to contact your hosting provider, IT team, or site administrator.

Why is Unbounce retiring support for Wordpress’ older TLS protocols?

In order to stay aligned with industry standards, we must ensure that all Unbounce customers are using TLSv1.2 or higher for their Wordpress installations by May 2018. This is because industry data protection standard PCI DSS will stop supporting earlier TLS protocols, and the General Data Protection Regulation (GDPR), which comes into force May 25, 2018, only supports TLSv1.2 or higher. Here’s some more information on PCI DSS, the GDPR and Unbounce’s efforts to become GDPR compliant.

We know this is not an easy update!

We understand this may not be an easy update, unfortunately we are only available to provide limited guidance. Due to the nature of the updates required, the process will vary depending on your hosting provider. Again, we recommend the best place to reach out for assistance would be to contact your hosting provider, IT team, or site administrator.

Where can I get more information?

Third party plugin, TLS 1.2 Compatibility Test, has been designed to check Wordpress installations’ compatibility with TLSv1.2, and may help you to determine whether you need to make any updates. Please keep in mind that this tool was not developed by Unbounce, therefore we do not have any means to support it nor guarantee its full accuracy.

You may also want to take a browse through these blog posts for further context on the TLSv1.2 update:


#2

Is this only for pages built in Wordpress? All of our pages are built using Unbounce templates.


#3

Hi @craig.ma ,
Any page that is being loaded on the Wordpress domain could potentially be impacted regardless of whether it was created in Unbounce or Wordpress. The version of TLS being used is determined on the server Wordpress is hosted on and not the page itself. Where the content was created won’t make a difference since that server will handle the request for both pages created in Unbounce as well as pages created in Wordpress.

if you’ve received a message from us that one of your domains is on an outdated version of TLS you will need to make the necessary updates on the server Wordpress is hosted on.

Hope that helps clarify things a bit for you!


#5

To clarify, are we needing to be on a server that ONLY supports TLS 1.2 ? Or would cause a conflict if our server supports 1.0, 1.1, and 1.2 ?


#6

Hi @jeremyp

As long as the requests for the pages are made over TLS 1.2 everything will continue to work as normal. So it’s ok to support other versions of TLS on your server as long as requests for your Unbounce pages are made over TLS 1.2.


#7

Hi Rob,

I received several emails regarding updates wwon Unbounce.

All our websites are on Drupal but of them is on Wordpress.

Could you please tell me if we are concerned by those updates?

Sorry for my mistakes, I am a French speaker.

Best regards,

Marguerite


#8

Hi @Magloly

If you received an email about these updates from Unbounce it means that you have a domain in Unbounce that has received traffic over one of the deprecated versions of TLS (1.0 or 1.1). You will need to ensure the server that site is hosted on is updated to support TLS 1.2 moving forward.

The specific domain that is impacted would have been listed in the email that went out to you. You will probably see an in-app message in your Unbounce account the next time you login as well. Just to clarify, the updates will need to be made on the server Wordpress is hosted on, and not within Unbounce.

Your English is quite good! I’ve included a French translation (via Google Translate) below for you as well. Sorry for MY mistakes :slight_smile:


Si vous avez reçu un courrier électronique à propos de ces mises à jour d’Unbounce, cela signifie que vous avez un domaine dans Unbounce qui a reçu du trafic sur l’une des versions obsolètes de TLS (1.0 ou 1.1). Vous devrez vous assurer que le serveur sur lequel le site est hébergé est mis à jour pour prendre en charge TLS 1.2.

Le domaine spécifique concerné a été répertorié dans l’e-mail qui vous a été envoyé. Vous verrez probablement un message intégré à votre compte Unbounce la prochaine fois que vous vous connecterez. Juste pour clarifier, les mises à jour devront être faites sur le serveur Wordpress est hébergé sur, et non dans Unbounce.

Ton anglais est plutôt bon! J’ai inclus une traduction française (via Google Translate) ci-dessous pour vous aussi. Désolé pour mes erreurs


#9

Hi Rob,

Many thanks for your feedbacks.

I will forward your email to our web team.

Best regards,

Marguerite


#10

According to this post - this email should have the domain names that are affected by this (have outdated TLS): https://community.unbounce.com/t/important-updates-to-your-wordpress-installation/10847/7

Can you please tell me which of my sites are affected? Thank you!


#11

Hi @samarah happy to have a look for you! Could you let me know the email associated with your Unbounce account (feel free to DM me)? I’ll need to cross reference the domains in your account with the list of domains that are still receiving traffic over TLS 1.0/1.1


#12

In case anyone was wondering whether or not this update affects sites that are still using HTTP, I reached out to Unbounce support for some clarification.

From Unbounce support:
“If you aren’t using or planning to use HTTPS on the domain, updating to TLS 1.2 isn’t 100% necessary and traffic over HTTP will still work.”


#13

Great point @mike22rtn thanks for pointing that out! This is correct, if the request for a page is not made over https these changes to our TLS support won’t have an impact.

That being said, Google is starting to actively encourage people us SSL to secure web traffic. Starting in July all traffic over http will be marked as “not secure” in Chrome https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

While serving content over http is certainly still acceptable there are a lot of benefits to encrypting pages with SSL. Every use case is different of course, but as a general practice serving pages over https is a good thing to be doing.

This is still an important clarification you’re making here though and it is much appreciated. Thanks again :slight_smile: