Changes to TLS and cipher suites effective January 2017

As part of our ongoing efforts to improve security on Flywheel, we’ve made some changes to the security and encryption technologies we support on sites that have an SSL certificate enabled. This includes both Simple SSL via Let’s Encrypt™, and BYO (Bring Your Own) SSL certificates purchased from third-party providers.

Details of the Update

Previously, we supported TLS 1.0, 1.1, and 1.2, as well as SSL versions 1, 2, and 3. We also supported all the cipher suites included in those standards. This ensured that we didn’t “lock out” users with older browsers.

However, part of our promise to Flywheel users is that we keep sites up-to-date and secure, and eventually, backwards compatibility began conflicting with that promise. Older cipher suites and security versions are vulnerable to security exploits, and no longer meet the requirements of PCI-compatibility scans that many of our eCommerce customers have to perform quarterly. Therefore, we’re now following best practices for the industry and intend to continue doing so going forward.

As of January 2017, sites on Flywheel with SSL enabled will no longer support SSL 1/2/3, or TLS 1.0 and 1.1. Additionally, we no longer support “legacy ciphers” that are now considered insecure.

For those interested in the specifics, the following is a list of ciphers that Flywheel does continue to support:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
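
To check a scan result against this policy (TLS 1.2 only, and only the ten suites above), the following is an added example, not Flywheel's own tooling. The input format (one "protocol cipher" pair per line) and the sample lines are constructed for illustration; the script also labels each accepted suite as AEAD (GCM, ChaCha20-Poly1305) or CBC.

```python
# Added example: audit a TLS scan against the policy described in this article.
ALLOWED_PROTOCOLS = {"TLSv1.2"}
# The ten OpenSSL-style suite names from the article's list.
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
}

# Constructed sample input (assumed format: "<protocol> <cipher>" for each
# handshake the server accepted); not the output of any particular scanner.
SAMPLE_SCAN = """\
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2 ECDHE-RSA-AES256-SHA384
TLSv1.2 AES128-SHA
TLSv1.0 ECDHE-RSA-AES128-SHA
SSLv3 RC4-SHA
"""

def mode_of(cipher):
    """'AEAD' for GCM/ChaCha20-Poly1305; the other listed suites are CBC + HMAC."""
    return "AEAD" if "-GCM-" in cipher or cipher.endswith("-POLY1305") else "CBC"

def audit(scan_text):
    """Return (compliant, findings) for every protocol/cipher pair in the scan."""
    compliant, findings = [], []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line: nothing to evaluate
        protocol, cipher = parts
        reasons = []
        if protocol not in ALLOWED_PROTOCOLS:
            reasons.append("protocol " + protocol + " is disabled by the policy")
        if cipher not in ALLOWED_CIPHERS:
            reasons.append("cipher " + cipher + " is not on the supported list")
        if reasons:
            findings.append((protocol, cipher, reasons))
        else:
            compliant.append((cipher, mode_of(cipher)))
    return compliant, findings

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_SCAN)
    for cipher, mode in ok:
        print("OK  ", cipher, "(" + mode + ")")
    for protocol, cipher, reasons in bad:
        print("FAIL", protocol, cipher, "->", "; ".join(reasons))
```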

How this change affects you and your sites

Flywheel users don’t need to do anything differently or make any changes; this upgrade is automatic. As long as your site’s visitors are using a fairly modern browser (listed below), the change will be invisible.

That means the vast majority of your site’s visitors (and possibly all of them) will notice no difference whatsoever. Modern browsers account for all but a tiny percentage of all internet traffic. The small number of users who may be affected are likely using extremely outdated browsers, and should upgrade as soon as possible for many other reasons anyway.

All of the following browsers fully support TLS 1.2 and the above cipher suites:

  • Chrome 30+ (supported since 2013)
  • Internet Explorer on Windows 7 or higher (supported since 2013)
  • All versions of MS Edge
  • Firefox 27 or higher (supported since 2013)
  • Safari on both iOS and Mac
  • Android’s built-in browser and Android Chrome

If you do have a need to keep older protocols and ciphers active on your site, contact [email protected] and we can put an exception in place for you. Just note that this is not as secure, and may cause your site to get a lower score on security tests like PCI compliance.

 

