Security

NameCheap hosting will promise you "Free SSL" when you sign up for hosting, but it's a trap. What you get is actually the first year free, for a certificate that will cost you $9/year, plus all the frustration and developer time to manage renewals of that SSL certificate.

Let’sEncrypt, on the other hand, provides always-free SSL certificates. Many modern web hosting providers include SSL certificates from Let’sEncrypt, by default, with your new hosting plans.

Until NameCheap decides to get with the program, we'll need to manually configure our hosting accounts there to use Let’sEncrypt certificates, which can be a but of a pain. Here's how I did it for one of my sites recently.

Get access to the server

In order to install the certificate on the server, you will either need ssh access, or to run the "Terminal" application from within cPanel. You can find it in the "Advanced" section.

Drupal's HTML filtering is an important security feature - we wouldn't want any blogger to be able to post JavaScript tags because that's how XSS attacks - or worse - are launched. In Drupal, unlike other blog systems like WordPress, you can't assume that the people who are allowed to create content are trusted. On many Drupal sites anyone can sign up for an account and start blogging. If those sites allowed JavaScript tags or even form tags to get through the filters it would quickly become ripe with bots and bad people doing naughty things.