How to secure your website in Kiravo
The Security tab on your website covers two things: the SSL/TLS certificate that enables HTTPS (and the padlock visitors see in their browser), and the ModSecurity web application firewall that blocks known attack patterns at the server level. Both are non-negotiable for a public-facing site in 2026.
This guide covers the full lifecycle: issuing a free trusted certificate from Let’s Encrypt, installing a custom certificate if you bought one from a commercial provider, forcing HTTPS, and turning on the firewall.
To open the Security tab, go to your website’s dashboard and click Security in the top menu bar.
Issue a free Let’s Encrypt SSL certificate
By default a new site uses a self-signed certificate, which encrypts traffic but isn’t trusted by browsers (visitors get a security warning). Let’s Encrypt provides a free, browser-trusted certificate that is also auto-renewed for you.
1. Make sure your domain points at Kiravo
Let’s Encrypt verifies that you own the domain by reaching the server it points at. If your domain’s DNS isn’t yet pointed at Kiravo, the certificate request will fail.
Check the DNS status column on your website’s Domains tab:
- Green tick — DNS is correctly configured. Continue.
- Warning triangle — DNS isn’t ready yet. See Point your domain to Kiravo, then come back here.
2. Request the certificate
In the Security tab, click SSL certificates in the sidebar. You’ll see a table of every domain on the site. On the row of the domain you want to secure:
- Click the ⋮ menu at the end of the row.
- Choose Request Let’s Encrypt certificate.
The panel kicks off the issuance process. Within a minute or two, the Certificate column changes from Self signed to Let’s Encrypt, and the Expiry date updates to about 90 days from now. Renewal happens automatically before expiry — you don’t need to do anything to keep it active.
Mail SSL
To get a Let’s Encrypt certificate for your mail services too:
- On the same domain row, click the ⋮ menu.
- Choose Request Let’s Encrypt certificate for mail.
Once issued, your mail server uses the trusted certificate. External email clients connecting via IMAP / SMTP (see Manage emails) will see a valid certificate and connect without warnings.
Install a custom SSL certificate
Most sites should use Let’s Encrypt. Install a custom certificate only when there’s a specific reason: a corporate-issued certificate from your IT team, an extended-validation (EV) certificate you bought commercially, or a wildcard certificate that covers multiple subdomains in one go.
What you’ll need
Two pieces of text in PEM format:
- The certificate (CRT) — the signed certificate, plus any chain / intermediate certificates the issuer provided. A typical commercial certificate purchase gives you a .crt file and a separate bundle.crt (intermediate) — combine them, with the leaf certificate first and the chain after.
- The private key — the matching private key that the certificate was generated with. It is sensitive — it must never be shared, posted publicly, or sent through chat tools.
Both should be in PEM format — text files that look like -----BEGIN CERTIFICATE----- (or -----BEGIN PRIVATE KEY-----) followed by base64 content.
Install the certificate
- In the Security tab, click SSL certificates in the sidebar.
- Click Install custom SSL at the top right.
- In Domain, pick which domain this certificate applies to.
- In Certificate (CRT), either paste the certificate text (including the chain, if any) or click Upload file to pick a .crt (or .pem) file.
- In Private key, paste or upload the matching key file (.key).
- Click Upload.
The panel verifies that the certificate is well-formed, that the private key matches it, and that it covers the chosen domain. If any check fails, the panel shows an error. Common causes: certificate / private-key mismatch, domain mismatch, or a missing chain bundle (browsers will still flag the certificate as untrusted).
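The same three checks can be rehearsed on your own machine before anything is pasted into the form, so a mismatched key, a key pasted into the certificate field, or a bundle with the chain before the leaf is caught locally. The script below is an added example and is not part of Kiravo or its panel; it assumes the openssl command-line tool (1.1.1 or later, for -addext) plus sed, awk and grep. The hostname example.test and the self-signed pair the script generates are constructed sample inputs; in practice you would point the functions at the files your issuer gave you. It also covers the two things the page mentions elsewhere: wildcard certificates and the manual renewal of custom certificates.

```shell
#!/bin/sh
# Added example: local pre-upload checks for a custom certificate, mirroring what
# the panel verifies (well-formed PEM with the leaf first, key matches certificate,
# certificate covers the domain) plus an expiry check for the manual-renewal case.
# Assumes the openssl CLI (1.1.1+), sed, awk and grep are installed.

# Print the PEM block types in a file, in order (CERTIFICATE, PRIVATE KEY, ...).
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# The Certificate (CRT) field must begin with the leaf certificate and must not
# contain a private key: a key pasted into this field is a common slip.
check_cert_field() {
    first=$(pem_block_types "$1" | head -n 1)
    if [ "$first" != "CERTIFICATE" ]; then
        echo "first PEM block is '${first:-none}', expected CERTIFICATE"; return 1
    fi
    if pem_block_types "$1" | grep -q 'PRIVATE KEY'; then
        echo "certificate field contains a private key block"; return 1
    fi
    echo "certificate field OK"
}

# Print subject=/issuer= lines for every certificate in a bundle, in file order.
bundle_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Leaf first, then each intermediate that issued the certificate before it.
check_chain_order() {
    bundle_names "$1" | awk '
        BEGIN { n = 0 }
        /^subject=/ { subj[n] = substr($0, 9) }
        /^issuer=/  { iss[n]  = substr($0, 8); n++ }
        END {
            for (i = 0; i + 1 < n; i++)
                if (iss[i] != subj[i + 1]) {
                    print "certificate " i + 1 " was not issued by certificate " i + 2 ": chain out of order or incomplete"
                    exit 1
                }
            print n " certificate(s), chain order OK"
        }'
}

# Compare the public key inside the (leaf) certificate with the one derived from the key.
key_matches_cert() {   # $1 = certificate file, $2 = private key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Accept an exact SAN entry or a wildcard entry for the parent domain.
cert_covers_domain() {   # $1 = certificate file, $2 = hostname
    parent=${2#*.}
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    parent_re=$(printf '%s' "$parent" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:($host_re|\\*\\.$parent_re)(,|\$)"
}

# Custom certificates are not auto-renewed: fail if fewer than $2 days remain.
cert_valid_for_days() {   # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample input: a throwaway self-signed pair for HOST in DIR.
make_sample_pair() {   # $1 = dir, $2 = hostname, $3 = optional SAN list
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=$2" \
        -addext "subjectAltName=${3:-DNS:$2,DNS:www.$2}" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Run every check; the exit status is the number of failed checks.
preflight() {   # $1 = certificate bundle, $2 = private key, $3 = domain
    fails=0
    check_cert_field "$1"       || fails=$((fails + 1))
    check_chain_order "$1"      || fails=$((fails + 1))
    key_matches_cert "$1" "$2"  && echo "private key matches certificate" \
                                || { echo "private key does NOT match certificate"; fails=$((fails + 1)); }
    cert_covers_domain "$1" "$3" && echo "certificate covers $3" \
                                 || { echo "certificate does NOT cover $3"; fails=$((fails + 1)); }
    cert_valid_for_days "$1" 30 && echo "valid for at least 30 more days" \
                                || { echo "expires within 30 days: renew it first"; fails=$((fails + 1)); }
    return $fails
}

# Demo on the constructed pair; replace the three arguments with your own files.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" example.test
preflight "$demo_dir/example.test.crt" "$demo_dir/example.test.key" example.test
rm -rf "$demo_dir"
```

Run preflight with the combined .crt bundle, the .key file and the domain you will pick in the form; a non-zero exit means one of the panel's checks would fail too. The chain-order test compares each certificate's issuer with the subject of the one after it, which is exactly the order the form expects.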
Renewal
Custom certificates don’t auto-renew. The certificate authority sends you a renewal notice; you go through their renewal flow; they issue a new certificate; you come back to this form and upload it the same way.
Force HTTPS
Once a trusted certificate is installed (Let’s Encrypt or custom), switch on the Force HTTPS toggle for the domain in the SSL list. This 301-redirects every visitor from http://yourdomain.com to https://yourdomain.com automatically, so nobody accidentally browses your site insecurely.
Force HTTPS is also where you’d ensure search engines index the secure version — leaving it off means Google can see both http and https versions of every page, which splits ranking signals.
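A quick way to confirm from the outside that the toggle is doing what the section describes: request a page over plain http and check that the answer is a 301 whose Location is the https version of the same host and path, not a temporary redirect and not a redirect that drops the path. The script below is an added example, not part of Kiravo; the live check assumes curl is installed, and the two sample responses are constructed, not captured from any real site.

```shell
#!/bin/sh
# Added example: verify a forced-HTTPS redirect. A plain-http request must get a
# 301 whose Location is https://HOST/PATH, so deep links survive the redirect.
# Assumes curl for the live check; the parser works on captured headers alone.

# Print "STATUS LOCATION" from a raw response-header block on stdin.
parse_redirect() {
    awk '
        NR == 1 { status = $2 }
        tolower($1) == "location:" { loc = $2; sub(/\r$/, "", loc) }
        END { print status, loc }'
}

# Succeed only for a 301 to https://HOST/PATH (headers on stdin).
redirect_is_forced_https() {   # $1 = host, $2 = path
    set -- "$1" "$2" $(parse_redirect)
    [ "$3" = "301" ] && [ "$4" = "https://$1$2" ]
}

# Live check: fetch headers for http://HOST/PATH without following redirects.
check_force_https() {   # $1 = host, $2 = path (defaults to /)
    path=${2:-/}
    curl -sS -o /dev/null -D - "http://$1$path" | redirect_is_forced_https "$1" "$path"
}

# Constructed sample responses (not captured from any real site).
sample_good() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/blog/post-1\r\nContent-Length: 0\r\n\r\n'
}
sample_bad() {   # temporary redirect that also drops the path: two problems at once
    printf 'HTTP/1.1 302 Found\r\nLocation: https://example.test/\r\nContent-Length: 0\r\n\r\n'
}

# Demo on the constructed samples.
sample_good | redirect_is_forced_https example.test /blog/post-1 \
    && echo "good sample: forced-HTTPS redirect OK"
sample_bad | redirect_is_forced_https example.test /blog/post-1 \
    || echo "bad sample: not a 301 to the same path ($(sample_bad | parse_redirect))"
```

For a real site, run check_force_https yourdomain.com /some/deep/page; a 302, or a 301 that lands on the https root instead of the same page, is worth fixing before search engines pick up the redirect. The check deliberately treats the host as part of the expected target, so a redirect that also hops to another hostname is reported rather than silently accepted.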
ModSecurity web application firewall
ModSecurity inspects every incoming HTTP request and blocks known attack patterns — SQL injection attempts, malicious bot scans, common WordPress exploit signatures, and so on. For most sites the right answer is “on for every domain.”
What ModSecurity catches
- SQL injection (' OR 1=1 -- and friends).
- XSS payloads in URL parameters.
- Path traversal (../../etc/passwd).
- Known scanner User-Agents.
- Suspicious request rates from a single IP.
- WordPress-specific attack patterns (probing for outdated plugin vulnerabilities, xmlrpc.php abuse, etc.).
When a request matches a rule, ModSecurity blocks it before it ever reaches PHP — your application never sees the attack.
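To make the categories above concrete, here is a miniature rule set run over a handful of access-log lines, printing which requests a firewall in front of PHP would have stopped and which client is sending an unusual number of requests. This is an added example and is not Kiravo's rule set or ModSecurity's: a real engine decodes and normalises each request before matching, and its scanner rules key on known User-Agent strings, for which the StandInScanner name below is only a placeholder. The log lines are constructed (documentation IP ranges, made-up paths) and the rate check counts over the whole sample rather than a time window. It assumes grep -E, awk and sed.

```shell
#!/bin/sh
# Added example: a miniature WAF rule set, in the spirit of the categories above,
# applied to constructed access-log lines. Not Kiravo's or ModSecurity's rules.
# Assumes grep -E, awk and sed.

# Print the first rule family that matches one log line, or nothing.
waf_reason() {
    l=$1
    if   printf '%s' "$l" | grep -Eiq '(\.\./|%2e%2e%2f|/etc/passwd)';                          then echo "path traversal"
    elif printf '%s' "$l" | grep -Eiq "('|%27)[^\"]*(or|and)[^\"]*(1=1|1%3d1)|union(%20|\+| )+select"; then echo "sql injection"
    elif printf '%s' "$l" | grep -Eiq '(<script|%3cscript|onerror=|javascript:)';              then echo "cross-site scripting"
    elif printf '%s' "$l" | grep -Eq  '"[^"]*StandInScanner[^"]*"$';                            then echo "scanner user-agent"
    elif printf '%s' "$l" | grep -Eq  '"POST /xmlrpc\.php';                                      then echo "wordpress xmlrpc.php abuse"
    fi
}

# Walk a log file and print a verdict per request.
triage_log() {   # $1 = log file
    while IFS= read -r line; do
        req=$(printf '%s' "$line" | sed 's/^[^"]*"\([^"]*\)".*/\1/')
        reason=$(waf_reason "$line")
        if [ -n "$reason" ]; then
            echo "BLOCK [$reason] $req"
        else
            echo "ALLOW $req"
        fi
    done < "$1"
}

# Number of lines the rules would block.
count_blocked() { triage_log "$1" | grep -c '^BLOCK'; }

# Client IPs with at least $2 requests in the file. A real rate rule works on a
# sliding time window; counting over a whole sample is the simplified version.
noisy_ips() {   # $1 = log file, $2 = threshold
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }' "$1"
}

# Constructed sample log (combined format, documentation IP ranges, made-up requests).
sample_log() {
    cat <<'EOF'
203.0.113.9 - - [05/Mar/2026:10:00:01 +0000] "GET /?id=1'%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2026:10:00:02 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2026:10:00:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2026:10:00:03 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2026:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 200 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2026:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "StandInScanner/1.0"
198.51.100.7 - - [05/Mar/2026:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
}

# Demo.
log=$(mktemp)
sample_log > "$log"
triage_log "$log"
echo "blocked: $(count_blocked "$log") of $(wc -l < "$log")"
echo "IPs with 4+ requests in the sample:"
noisy_ips "$log" 4
rm -f "$log"
```

Note that the ordinary WordPress admin request (post.php with action=edit) and the blog page pass straight through: the rules fire on request content, not on where the request is going. That is also why a plugin whose form data happens to resemble one of these signatures can trip the firewall, the situation the "When to disable it" section below describes.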
Enable ModSecurity
- In the Security tab, click ModSecurity in the sidebar.
- The page shows a table of every domain on the site, with a toggle next to each.
- Flip the toggle on for the domains you want protected.
There’s nothing to install or configure — Kiravo manages the rule set on your behalf and updates it as new threats emerge.
When to disable it (temporarily)
Sometimes ModSecurity blocks legitimate actions:
- A WordPress plugin’s admin form gets blocked because its POST body matches an attack signature.
- A specific tool you use (a security scanner, a backup plugin, a deployment script) hits the WAF.
- Your own development workflow involves an unusual request that gets blocked.
If you’re sure the blocked action is legitimate, toggle ModSecurity off for that domain while you complete the action, then turn it back on.
Security is layered
ModSecurity catches the generic attacks that hit every public-facing site. It’s not a substitute for:
- Keeping WordPress, plugins, and themes up to date. See Manage WordPress with the Toolkit.
- Strong, unique passwords on every account (admin, FTP, SSH, mailboxes).
- HTTPS forced everywhere — covered above.
- Regular backups. See Manage backups.
Each layer covers a different class of risk. Together they reduce the attack surface meaningfully.