How to get an A+ Grade on ssllabs with WordOps

This tutorial describe how to get the best SSL grade on ssllabs.com. To get an A+, it require to enable HSTS (HTTP Strict Transport Security). HSTS allows web servers to declare that web browsers should only interact with it using HTTPS connections and never via the insecure HTTP protocol.

Warning

Make sure your site/domain and subdomains will never need to use HTTP again, because after accessing a single time to your site with HSTS enabled, your web browser will not allow you to access it over http if you remove the SSL certificate for example.

Issue an ssl certificate with WordOps and enable HSTS

For a new site

For a domain or a subdomain

wo site create site.tld --wp -le --hsts

For a multisite

wo site create site.tld --wpsubdom -le=wildcard --hsts

For an existant site without SSL

For a domain or a subdomain

wo site update site.tld -le --hsts

For a multisite

wo site update site.tld -le=wildcard --hsts

For an existant site already secured with Let's Encrypt

For a domain or a subdomain

wo site update site.tld --hsts

For a multisite

wo site update site.tld --hsts

Congratulations, you can now check your grade on https://www.ssllabs.com/ssltest/

Switching HSTS off

It's not recommended to disable HSTS because web browser will store the HSTS directive for a long time (6 months) and will not allow access over HTTP even after disabling HSTS on the server. However, if you absolutely need to disable HSTS, you can use the following command:

wo site update site.tld --hsts=off

Hardening HSTS

You can increase even more your site security by enabling HSTS preloading on your domain. It's the same than HSTS, but this time your domain will be directly added into the hstspreload.org list and web browsers will enable HSTS even without accessing to your site.

This can be done on https://hstspreload.org