So I’ve loaded this site for the first time, and it’s running! That’s great!
However, I think it would be a good idea to enable SSL (and by extent HTTPS), mainly to ensure that everyone sees what the site intends to show (remember when certain ISPs were found injecting ads into webpages1, 2?), and to help secure user information (like when someone enters something sensitive, like their password).
I know that DDoS protection is on the roadmap, and that Cloudflare (one such service) does have a number of options3 regarding securing communications without this site having to setting up their own certificates. But I think it’s a good idea to set up HTTPS on the server end now so we don’t have to worry about a bad person stealing the admin password… or anyone else’s.
Some additional reading material if you’d like
1: https://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/ - Comcast injecting ads into their Xfinity WiFi service
2: https://news.ycombinator.com/item?id=13510619 - Comcast is still injecting ads
3: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-mean- - A rundown of what Cloudflare can offer in terms of securing a site
4: https://wiki.mozilla.org/Security/Server_Side_TLS - A wiki page detailing the many, many ciphers that a server can use to secure communication with our web browsers, useful to know if you’re dealing with visitors still using IE6
5: https://letsencrypt.org/ - A service that lets you sign your certificates so the browsers can assure your visitors that they’re seeing the site they asked for
