Title: SSL Security
Last modified: September 21, 2016

---

# SSL Security

 *  [JxsDotNL](https://wordpress.org/support/users/jxsdotnl/)
 * (@jxsdotnl)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/ssl-security/)
 * You are using both `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` for 
   curl and `'sslverify' => false` for WP_Http. Both allow for man-in-the-middle
   attacks.
 * On correctly configured web servers, the peer should verify without problems.
   But since not all webservers are okay, please consider using CURLOPT_CAINFO instead.
   This allows you to connect to communicate without breaking verification.


 *  Plugin Author [smashballoon](https://wordpress.org/support/users/smashballoon/)
 * (@smashballoon)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/ssl-security/#post-8207388)
 * Hi JxsDotNL,
 * Thanks so much for your feedback, I really appreciate it. We have had to deal
   with a lot of server issues over the past 3 years with users on all sorts of 
   different servers with different configurations, and adding these settings was
   the only way that we were able to reliably resolve the issues for everyone. I’d
   definitely like to make the plugin as secure as possible though but need to make
   sure I don’t break the plugin for a lot of users. As my knowledge of cURL is 
   not very deep I’d like to ask you a couple of questions if that’s OK?
 * When using CURLOPT_CAINFO would each user need to set the path to their own SSL
   certificate on their server in the cURL setting like so?:
 * `curl_setopt($ch,CURLOPT_CAINFO,'http://site.com/path/ca-bundle.crt');`
 * Or would I need to include a certificate within our plugin? I’ve read that there’s
   often issues with older certificates becoming invalid and so needing to update
   them regularly. In which case, I could potentially link to an external certificate
   such as [this one](https://curl.haxx.se/ca/cacert.pem)?
 * `curl_setopt($ch,CURLOPT_CAINFO,'https://curl.haxx.se/ca/cacert.pem');`
 * I’m guessing that could cause connection issues if that resource ever changed
   or went down.
 * Do you have any suggestions or insight into this at all?
 * Many thanks again for your feedback!
 * John
 *  Thread Starter [JxsDotNL](https://wordpress.org/support/users/jxsdotnl/)
 * (@jxsdotnl)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/ssl-security/#post-8213305)
 * Hi John,
 * You include the cacert.pem or ca-bundle.crt file with your plugin. Next, you 
   let cURL look for this file locally:
 * `curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__).'/cacert.pem');`
 * Or you can use the one that is included in WP's distribution:
 * `curl_setopt($ch, CURLOPT_CAINFO, ABSPATH.'/wp-includes/certificates/ca-bundle.crt');`
 * Please be aware that older versions of WP may lack this file. You could use WP's
   bundle by default and use your own as a plan B.
 * Good luck!
 * JxsDotNL
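
The approach described in the reply above (WordPress's bundle by default, a bundled cacert.pem as plan B), as an added example that is not part of the thread and not the plugin's code. The function names are hypothetical, and it assumes a `cacert.pem` shipped next to the file and a WordPress context for `wp_remote_get()`.

```php
<?php
// Added example; example_ca_bundle(), example_curl_get() and
// example_wp_get() are hypothetical names, not the plugin's functions.

// First readable CA bundle: WordPress's copy by default, then a
// cacert.pem shipped next to this file as plan B.
function example_ca_bundle() {
    $candidates = array();
    if (defined('ABSPATH')) {
        $candidates[] = ABSPATH . 'wp-includes/certificates/ca-bundle.crt';
    }
    $candidates[] = dirname(__FILE__) . '/cacert.pem';
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }
    return null; // neither file present: use cURL's configured default store
}

// Plain cURL request with peer and host name verification left on.
function example_curl_get($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $bundle = example_ca_bundle();
    if ($bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // Log the verification failure; do not retry with checks disabled.
        error_log('HTTPS request failed: ' . curl_error($ch));
    }
    curl_close($ch);
    return $body;
}

// Same request through WP_Http, which takes the bundle as 'sslcertificates'.
function example_wp_get($url) {
    $args = array('sslverify' => true);
    $bundle = example_ca_bundle();
    if ($bundle !== null) {
        $args['sslcertificates'] = $bundle;
    }
    return wp_remote_get($url, $args); // returns a WP_Error on TLS failure
}
```
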
 *  Plugin Author [smashballoon](https://wordpress.org/support/users/smashballoon/)
 * (@smashballoon)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/ssl-security/#post-8215182)
 * Hey JxsDotNL,
 * Thanks so much for this information, it’s really helpful! I’ll do some testing
   and hopefully I can include this within the next update or two.
 * Thanks again!
 * John

 * 3 replies
 * 2 participants
 * Last reply from: [smashballoon](https://wordpress.org/support/users/smashballoon/)
 * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/ssl-security/#post-8215182)
 * Status: not resolved