SSL encryption on your website
... follow our guide to implement CRM SSL / HTTPS TODAY
You may wonder why would we need to implement WordPress SSL/TLS, or enable WordPress on HTTPS? Let’s just go on a bit of a tangent for a moment. With 3,376 million users using the internet (and growing every day) and 1,025 million websites on the internet we can certainly say that the internet has emerged as our second dwelling place. Facebook has grown to at least 1 Billion monthly active users. We used to speak about “virtual” but the Internet has become as real as real can get, part of our everyday life. These statistics are simply overwhelming!
Introduction
Well, this is even more exciting, as out of these more than one billion websites a whopping 74,652,825 are based on WordPress.com or WordPress.org. Which is roughly equivalent to one site for each person in Turkey. WordPress has certainly grown and when we have so many people who are depending on our website, it becomes our duty to provide a highly secure platform which does not compromise their security. With great power comes responsibility! In today’s post, part of our series of informational WordPress tutorials, we’ll guide you below on various ways in which you can implement WordPress SSL/TLS or WordPress HTTPS on your website. Side note: some of the reading and work involved in this article is highly technical and requires developer knowledge. If you’d like to hire a WordPress developer these are the things that you should consider.
1. First things first. Is it SSL or TLS? Or HTTPS?
Really and truly, today it should be TLS (which is an acronym for Transport Layer Security). TLS is the current version of the protocol that encrypts the connection between the browser and your server; its predecessor was called SSL (Secure Sockets Layer), and the old SSL versions are now obsolete and should be disabled on any server. The certificate itself is the same X.509 certificate whichever protocol version is negotiated, so although most people still say “SSL certificate”, strictly speaking it is a certificate used with TLS. HTTPS means HTTP delivered over a TLS connection, and the certificate is what lets the browser verify that it is talking to the right server before it trusts that connection.
6. Winning your Customer’s and Visitor’s Trust with security on your website
As you are probably familiar with already, some websites will show a green bar in the browser. This signifies that the website has implemented secure communication, using an Extended Validation certificate (covered below). You can see a very clear example of this on the PayPal website.
What happens when secure certificates stop working or are not correctly implemented
Using the above indicators you can tell whether your certificate is working or not. Likewise, users can tell when a website’s traffic is not encrypted, or when its certificate has expired. A red padlock, or a padlock with a red line through it (the exact symbol varies by browser), indicates that the certificate is not trusted: either it is self-signed (issued by the site itself rather than by a Certificate Authority the browser trusts), it does not match the domain being visited, or it has become invalid because it has expired. In this image, you can see the warning a browser shows before visiting a website whose certificate has expired. Almost all modern browsers warn the user about an invalid certificate before they can proceed to the unprotected website. After the certificate expires, all you need to do is renew it from the place where you originally obtained it. Better still, do not let it expire at all: the warning creates a bad impression of your website, and most visitors will not click through it. A website is said to be using a self-signed certificate if you generated and signed the certificate yourself without going to a Certificate Authority to validate it. Such a certificate is NOT TRUSTED. Browsers generally trust only certificates that chain to a trusted Certificate Authority; for all other cases, they display a warning for websites that are running on a self-signed certificate.
How can you check whether your website is protected or not?
To check whether a website is SSL protected or not you can check whether the prefix https:// appears in front of the URL instead of the regular http://. Apart from this, you will also see a padlock in the address bar before the URL. The image shown above indicates a website with a valid certificate, although the appearance of the padlock varies from browser to browser. Websites that have purchased an Extended Validation (EV) certificate used to display a completely green address bar, or the name of the company before the URL (since late 2019 Chrome and Firefox have dropped this special treatment and show EV sites with the ordinary padlock). Extended Validation certificates are more expensive to purchase and implement because the Certificate Authority performs a number of additional checks to confirm that the organisation requesting the certificate legally exists and controls the domain; among other things the company is asked to provide its registered physical address. There are a few other validations the company needs to undergo, but this is beyond the scope of this article; you can read more about Extended Validation Certificates here. On Safari, an EV certificate is denoted with a green font rather than a green background in the address bar, as in the following example. Whichever type of certificate you use, by implementing HTTPS on your WordPress site a third party is confirming and verifying that the web server is who it claims to be. This third party is the issuer of the certificate, also called a trusted Certificate Authority.
HTTP to HTTPS Migration Checklist
Before the migration (preparation)
1.1. TLS certificate setup: Get, configure and test the TLS certificate, using SHA-2 signatures. [Web server]
1.2. Google Search Console registration: Register both the http and https versions of the domain in Google Search Console, along with the www and non-www versions. If you had also registered individual sub-domains or sub-directories, replicate that registration and configuration for their https versions. [Google Search Console]
1.3. Rankings monitoring: Start monitoring the site rankings for the https domain in parallel. [Rank tracking software]
1.4. Identify current top pages and queries: Identify the top pages (and related queries) attracting organic search visibility and traffic, to be prioritised when validating and monitoring the site’s performance. [Google Search Console & Google Analytics]
1.5. Crawl the current site: Crawl the http site to record the current web structure and to identify and fix any internal broken links before moving. [Staging environment]
1.6. New HTTPS site with updated internal links: Set up the new site version on a staging environment, test it, and update the internal links so that pages and resources (images, JS, PDFs, etc.) point to their https URLs. [Staging environment]
1.7. New HTTPS canonicalisation: Update the canonical tags to absolute https URLs on the staging environment. [Staging environment]
1.8. New HTTPS rewrites and redirects: Verify on staging that all existing rewrite and redirect behaviour (non-www vs. www, trailing slash vs. no slash, etc.) also works on the secure version as it did on http. [Staging environment]
1.9. Redirects preparation: Prepare and test the rewrite rules that will 301-redirect every identified existing URL (pages, images, JS, etc.) from the http domain to its https equivalent. [Server]
1.10. New XML sitemap: Generate a new XML sitemap listing the https URLs, to be uploaded to the https Google Search Console profile once the site is moved. [XML sitemap generator]
1.11. robots.txt preparation: Prepare the robots.txt to be uploaded to the https version when the site is launched, replicating the existing http directives but pointing to https URLs where necessary. [robots.txt]
1.12. Campaigns preparation: Prepare the changes to any ads, e-mail or affiliate campaigns so that they point to the https URLs once the migration is done. [Campaign platforms]
1.13. Disavow configuration: Check whether any disavow requests were submitted in the past that will need to be resubmitted for the https version in its own Google Search Console profile. [Google Search Console]
1.14. Geolocation configuration: If you are geotargeting a gTLD through Google Search Console (or its sub-domains or sub-directories, if you geotarget them individually), geotarget the secure version again. [Google Search Console]
1.15. URL parameters configuration: If URL parameters are handled through Google Search Console, replicate the existing configuration in the secure site’s profile. [Google Search Console]
1.16. CDN configuration: If a CDN is used, verify that it can serve the secure version of the site and handle TLS once the migration is done. [CDN provider]
1.17. Ads and third-party extensions: Verify that any served ad code, third-party extensions or social plugins used on the site will work correctly once it is moved to https. [Ads & extension platforms]
1.18. Web analytics configuration: Make sure the existing web analytics configuration will also track traffic to the secure domain. [Web analytics platform]
During the migration
2.1. HTTPS site launch: Publish the validated https site version live. [Production environment]
2.2. Web structure validation: Verify that the URL structure of the secure version is the same as that of the http version. [Production environment]
2.3. Internal linking: Verify that the site’s links point to its https URLs. [Production environment]
2.4. Canonicalisation: Verify that the canonical tags on the pages point to the https URLs. [Production environment]
2.5. Rewrites and redirects: Implement the www vs. non-www, slash vs. no-slash, etc. rewrites and redirects on the secure version. [Production environment]
2.6. HTTP to HTTPS redirect: Implement the 301 redirects from every URL of the site to its https version. [Production environment]
2.7. Web analytics: Annotate the migration date in your analytics platform and verify that it is configured to track the secure version. [Web analytics platform]
2.8. TLS server configuration validation: Verify the TLS configuration of your web server, for example with https://www.ssllabs.com/ssltest/ [Production environment, SSL Test]
2.9. robots.txt update: Refresh the robots.txt on the https domain with the relevant changes. [robots.txt]
After the migration
3.1. HTTPS crawling validation: Crawl the site to verify that the secure URLs are the ones accessible, linked and served, without errors, erroneous noindex tags, canonicals or redirects. [Production environment]
3.2. Redirects validation: Verify that the http vs. https, www vs. non-www and slash vs. no-slash redirect rules are correctly implemented. [Production environment]
3.3. XML sitemap release and submission: Upload and verify the generated XML sitemap with the https URLs in the https Google Search Console profile. [Google Search Console]
3.4. Official external links update: Update official external links pointing to the site (social media profiles, partner sites, etc.) to the secure version. [Official presence on external platforms]
3.5. Ads and third-party extension validation: Verify that plugins such as social buttons, ads and third-party code work correctly on the https URLs. You can scan your website for non-secure (mixed) content with https://www.jitbit.com/sslcheck/ [Ads & extension platforms, SSL Check]
3.6. Campaigns update: Implement the relevant ads, e-mail and affiliate campaign changes so that they refer to the https version. [Campaign platforms]
3.7. Crawling and indexation monitoring: Monitor the indexation, visibility and errors of both the http and https site versions. [Google Search Console]
3.8. Rankings and traffic monitoring: Monitor the traffic and rankings of both the http and https site versions. [Web analytics & rank tracking platforms]
3.9. robots.txt validation: Verify the robots.txt on the secure domain to make sure the configuration was properly updated. [robots.txt]
This HTTP to HTTPS migration checklist was kindly created and shared with the Advanced WP Facebook group.
7. How can you add security to your WP Website?
Let’s get down to the nitty-gritty and get our hands dirty. There are two ways to set up WordPress SSL:
Setting up SSL manually on your WP website
Using The WordPress HTTPS Plugin
Using Let’s Encrypt as a Certificate Authority
Back up in this article, we mentioned that secure certificates are issued by what is called a certificate authority, that is, a body which can “certify” that the server where you have installed your certificate is truly who it claims to be. This involves some work of course, and typically you’d be charged for it. Let’s Encrypt is a certificate authority which wants to make it easier for everybody to acquire a certificate by making the process free. It is run by the Internet Security Research Group (ISRG), a non-profit sponsored by such large names as Akamai (CDN), Google Chrome, Cisco, SiteGround, Mozilla, Facebook and plenty of others, with the aim of making the process of acquiring a certificate free, automated, secure, transparent, open and cooperative. Why would these companies want to give you something for free? Because a secure and safer internet is a desirable objective for everybody. Although it is relatively easy, it is still a somewhat technical procedure to get the certificate in place.
How to Acquire a Secure Certificate
First of all, you’ll need to acquire an SSL certificate. There are of course various ways of doing this, but the easiest is via your hosting provider. At InMotion Hosting, you can buy the certificate and everything you need with it directly through the Account Management Panel (AMP) console, and the good thing is that they’ll support you very nicely if you don’t want to get your hands dirty. Included in the price of $99/year is the required dedicated IP (with SNI, which every current browser supports, a dedicated IP is no longer technically necessary for HTTPS, but some hosts still bundle one). There is a one-time fee of $25 for installing the certificate on the server which powers your website. If you’ve got a Virtual Private Server, installing the certificate manually is very easy; we’ve documented the steps in our InMotion VPS review, so we won’t go through that again. If you’re not hosted with InMotion (why not? Don’t you know their servers are faster and their support better?) the procedure will be similar. Once the certificate has been bought and installed, you need to enable WordPress SSL/TLS.
Creating a secure certificate using Let's Encrypt
(You can skip this part if you don’t plan to create your own Let’s Encrypt certificate and will acquire one through your hosting provider.) You are going to need root shell access to your server to be able to run the following procedure.
Step 1: Install Let's Encrypt library on your server
Run the following command to install the Let’s Encrypt client (the client has since been renamed certbot and the letsencrypt repository redirects there; current distributions also ship it as a package, in which case the commands below are the same with certbot in place of ./letsencrypt-auto):
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
This command copies the Let’s Encrypt client repository to /opt/letsencrypt on your server.
Step 2: Generate secure certificate
The simplest way to generate a certificate on a server that is not yet serving HTTP is the standalone method, here with an RSA key size of 4096 bits (which is very strong):
$ cd /opt/letsencrypt && sudo ./letsencrypt-auto certonly --standalone --rsa-key-size 4096
As soon as you run this command you will be prompted for the domain name. It is suggested that you enter both your root domain and any other subdomains you plan to use the certificate with. The standalone method proves control of each name by answering a challenge on port 80 itself, so your normal web server must be stopped while the command runs, and inbound port 80 must be reachable from the internet. The next step is to read and agree to the Let’s Encrypt terms of service. Once you agree, the script prints the path of the generated .pem files, which will be located in /etc/letsencrypt/live/your-domain-name/. If you encounter errors while creating the certificate, check your firewall configuration: the Let’s Encrypt validation servers need to connect in to your server to complete the challenge. The certificate generated expires in 90 days and will have to be renewed before then. This is a bit of a negative and a positive point; you can find the reasons why 90-day certificates are used here. To renew the certificate you just need to run the client’s renew command (./letsencrypt-auto renew, or certbot renew with the current client) and reload your web server. You should put this in a cron job to automate the process, especially if you tend to forget such things. Once your certificate expires, visitors will see the red warning shown above, so you might want to keep this in mind.
Step 3: Generate a strong Diffie-Hellman group
To further increase security, you should also generate a strong Diffie-Hellman group, which your web server uses for the DHE key-exchange cipher suites. To generate a 4096-bit group, use this command:
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
This may take several minutes, but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem. Point your web server at it (the ssl_dhparam directive in nginx, or SSLOpenSSLConfCmd DHParameters in Apache 2.4.8 and later). Note that modern browsers prefer the ECDHE suites, which do not use this file, so it mainly protects clients that fall back to DHE.
Now that you have a certificate, you’ll need to install this on your web server.
8. How to Setup your WordPress to Use SSL (or TLS) and HTTPS (the manual way)
Once you have a secure certificate installed on the server, the next steps set up WordPress itself to use it. The very first step is to update the URL of your website to use HTTPS: go to Settings → General and update both the WordPress Address and Site Address fields. If you have an existing website and are enabling SSL you also need to set up a 301 redirect which forces all HTTP requests to be served securely. This will make sure that none of your existing links from external websites are lost, and that their SEO value (“link juice”) is passed on. On Apache this can be done by adding the code snippet below to your website’s .htaccess file, which you can access via your cPanel File Manager:
<IfModule mod_rewrite.c>
RewriteEngine On
# Only redirect requests that arrived over plain HTTP (port 80)
RewriteCond %{SERVER_PORT} 80
# Permanent redirect of the same path to the HTTPS version of the site
RewriteRule ^(.*)$ https://www.collectiveray.com/$1 [R=301,L]
</IfModule>
You can see that this is a 301 (permanent) redirect, which tells search engines that the move is permanent so that you don’t lose any link juice. Make sure that you replace www.collectiveray.com with the canonical host name of your website. The above forces your server to serve all content securely: any and all URLs under the main domain get redirected to their HTTPS equivalent, so an old link such as http://www.collectiveray.com/wordpress/ automatically becomes https://www.collectiveray.com/wordpress/. One caveat: if a CDN or load balancer terminates TLS in front of your server, the origin may see every request on port 80, and the rule above will redirect forever. In that case condition on the X-Forwarded-Proto header that the proxy sets rather than on the port. For those who are on nginx servers, add the server block below to redirect HTTP to HTTPS:
server {
    listen 80;
    server_name websitename.com www.websitename.com;
    # permanent redirect of the same path and query string to HTTPS
    return 301 https://websitename.com$request_uri;
}
Note that this example redirects to the non-www host; pick one canonical host name and use it consistently in the redirect, in the certificate and in the WordPress address settings.
Configure a Secure Admin
The following steps will help you ensure that all the content of the site will be served securely. You can force a secure WordPress admin (i.e. the administration part of your website, /wp-admin) via your wp-config.php file. To force HTTPS on the login pages and the admin area, including on a multi-site installation, all you need is to add the following line to wp-config.php. (The proxy caveat from the previous section applies here too: when TLS is terminated in front of WordPress, set $_SERVER['HTTPS'] from the X-Forwarded-Proto header in wp-config.php before this line, as the WordPress documentation on administration over SSL describes, or the admin will redirect in a loop.)
define('FORCE_SSL_ADMIN', true);
That’s mostly it, you should now be able to access your CMS admin securely!
9. Implement HTTPS using WordPress SSL
Another easy way to set up SSL on your website is to make use of a WordPress SSL plugin. The plugin of choice for enabling WordPress HTTPS on your site should be Really Simple SSL. It’s a very nicely written plugin by Rogier Lankhorst. The great thing about this plugin is that it removes all of the complexity associated with enabling secure certificates on your site; really and truly, this is a one-click SSL activation plugin. After you’ve acquired and installed the certificate using one of the methods described above, you just need to install and activate the Really Simple SSL plugin and it will do the rest of the dirty work for you. It actually does quite a lot of work under the hood to resolve most known issues with activating HTTPS on your website (site URL changes, the HTTP to HTTPS redirect and fixing insecure content in the page output). It takes the setup of the server into consideration and performs all the changes as necessary so that you don’t have to mess with anything yourself. Below is a screenshot of the plugin after activation: it has done some work and detected that there is already a certificate installed on the server. As you can see, you can now just click on “Activate SSL” and you’re done! Once your website has been converted to SSL, have a look at the settings, as can be seen in the screenshot below. This plugin is your one-stop shop to enable SSL.
Implement SSL using the WordPress HTTPS plugin
(This plugin seems to no longer be maintained. It hasn’t been updated in over two years, so you may want to take a look at Really Simple SSL above; an unmaintained plugin will not receive security fixes.) One such plugin is the WordPress HTTPS plugin. The plugin helps you to accomplish two things. First, it allows a site owner to add global SSL settings on their website, including on a multisite installation. Second, for those who do not want to enable SSL on all their content, it lets you enable HTTPS on specific posts or pages only. Once you’ve installed it, you’ll find a new HTTPS item in the menu. As a minimum, we’d suggest that you enable “Always use HTTPS while in the admin panel” so that all of your admin traffic passes over TLS. If you click on “Force SSL exclusively”, you’ll have to choose whether you want to enable security on each page specifically via the option you’ll see on your pages. Some of the other settings of the plugin can be seen below. Most of the rest of the settings are quite advanced and you might not want to touch them unless you know what you are doing. Of course, the above is not the only plugin which you can use to enable secure certificates; there are a number of other options which you may want to use, and all of them ultimately achieve the same goal of enabling HTTPS on your WordPress site.
10. Testing the correct secure certificate setup of your website
To make sure your site has been fully set up, we recommend that you test it using this SSL SEO Checker tool, which checks whether you have the recommended WordPress SSL setup (the https:// URL, the redirect from http, and no mixed content left in the pages). Also, if you are using Chrome, you can have a look at the icon right next to the URL. The following is an explanation of what each icon means.
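Mixed content (a page served over https that still pulls a script, stylesheet or image over http://) is the most common reason a padlock refuses to appear after a migration, and the online checkers mentioned here and in checklist item 3.5 only test what they can reach. The following POSIX shell script is an added example, not code from the original article or from any of the tools it mentions: it scans a saved copy of a page (for instance fetched with curl -s https://example.com/ > page.html, where example.com is a placeholder) for insecure sub-resource references, so it can run offline or in a deployment check before the site is exposed. It assumes only sh, grep -E and sed.

```shell
#!/bin/sh
# Added example, not from the original article: an offline scan of a saved
# HTML page for mixed content, i.e. sub-resources still loaded over http://.
# Assumes POSIX sh with grep -E and sed.

# Print every insecure sub-resource reference in FILE, one per line.
find_insecure_refs() {
    file="$1"
    q="'"
    # 1) src=, srcset= and action= attributes (img, script, iframe, video,
    #    form): an http:// value here is active or passive mixed content.
    grep -oiE "(src|srcset|action)=[\"$q]?http://[^\"$q[:space:]>]+" "$file" || true
    # 2) href= only on <link> tags (stylesheets, icons). An <a href> to an
    #    http:// page is a navigation, not mixed content, so it is skipped.
    grep -oE "<link[^>]*href=[\"$q]?http://[^\"$q[:space:]>]+" "$file" \
        | sed -E 's/^<link[^>]*href=/link href=/' || true
    # 3) url(http://...) in inline styles.
    grep -oE "url\([\"$q]?http://[^\"$q)[:space:]]+" "$file" || true
    return 0
}

# Number of insecure references in FILE (0 means the page is clean).
count_insecure_refs() {
    find_insecure_refs "$1" | wc -l | tr -d '[:space:]'
}

# Exit status usable in a CI job or deployment check: 1 if anything is found.
check_page() {
    n=$(count_insecure_refs "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n insecure reference(s) found"
        find_insecure_refs "$1"
        return 1
    fi
    echo "$1: no mixed content"
    return 0
}

# Only act when invoked with a file argument, so the script can also be
# sourced for its functions.
if [ $# -gt 0 ]; then
    check_page "$1"
fi
```

Run it as sh check-mixed.sh page.html after saving each of the top pages from checklist item 1.4; a non-zero exit status means something still needs to be switched to https:// or to a protocol-relative URL. Protocol-relative (//host/...) and https:// references are deliberately not reported, and neither are plain links, since only loaded sub-resources count as mixed content.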
11. Don’t forget to renew your Secure Certificate
An expired certificate is a death certificate for your traffic. Once a certificate has expired you cannot simply extend it: a new one needs to be issued and installed on your site, which is more of a headache than you really need, so just make sure to renew it before it expires. This happened to us on the anniversary of getting our first secure certificate set up. It’s not a pleasant situation to suddenly see ALL your traffic go to zero. People are very wary of clicking through an expired-certificate warning, so the traffic hit you’ll get will be huge. We suggest setting up a reminder a couple of weeks in advance of the expiry, or better, automating the renewal as described in the Let’s Encrypt section. You have been warned. Expired certificates are a lot of work, so don’t forget to renew.
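The reminder above, the renewal cron job from the Let’s Encrypt section, and the self-signed check from the padlock section can all be done from the shell with the openssl command. The following script is an added example, not code from the original article or from the Let’s Encrypt project: it reports whether a certificate file will expire within a given number of days (or is unreadable), whether it is self-signed, and, when run from cron, renews with certbot and reloads nginx. The certificate path, the certbot client name and the nginx reload command are assumptions to adapt to your server.

```shell
#!/bin/sh
# Added example, not from the original article: certificate health checks
# for a cron job. Assumes the openssl CLI is installed; the certificate path,
# the certbot client and the nginx reload command are assumptions to adapt.

# Succeed (exit 0) if CERT will have expired DAYS days from now, or if the
# file cannot be read at all (an unreadable certificate should raise an alarm).
cert_expires_within() {
    days="$1"
    cert="$2"
    seconds=$((days * 86400))
    # openssl x509 -checkend exits 0 while the certificate is still valid at
    # now+seconds and 1 once it would be expired, so the result is inverted.
    if openssl x509 -noout -in "$cert" -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeed if the certificate is self-signed, i.e. its issuer equals its
# subject, which is what makes a browser show the red padlock warning.
cert_is_self_signed() {
    cert="$1"
    issuer=$(openssl x509 -noout -in "$cert" -issuer 2>/dev/null | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -in "$cert" -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Cron entry point: renew (and reload the web server) when fewer than
# THRESHOLD days remain. certbot renew is itself a no-op while the
# certificate still has more than 30 days left, so calling it is safe.
renew_if_needed() {
    cert="${1:-/etc/letsencrypt/live/example.com/cert.pem}"   # assumed path
    threshold="${2:-14}"
    if cert_expires_within "$threshold" "$cert"; then
        echo "$cert expires within $threshold days (or is unreadable); renewing"
        certbot renew --quiet --deploy-hook "systemctl reload nginx"
    else
        echo "$cert has more than $threshold days left; nothing to do"
    fi
}

# Only act when invoked with arguments, so the file can also be sourced for
# its functions, e.g. from a monitoring script.
if [ $# -gt 0 ]; then
    renew_if_needed "$@"
fi
```

A crontab line such as 0 3 * * * /usr/local/bin/cert-check.sh /etc/letsencrypt/live/example.com/cert.pem 14 runs the check nightly; for a certificate bought from a commercial CA, replace the certbot call with whatever alerts you (mail, a ticket) since renewal there is a manual purchase. The check deliberately treats a missing or unreadable file as “expiring”, so a broken deployment is noticed rather than silently passing.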
Want to take the easy way out?
Of course, although we make it look simple, there are times when things don’t go the way you expect them to, so make sure you have your support numbers at hand just in case it all goes wrong while setting up your WordPress SSL functionality. If you want to take the easy way out, just get VanComputer to set it all up for you. You’ll get a faster website, besides it being served over HTTPS. You’ll also get a free domain and they will transfer the site for you.
Conclusion: HTTPS is a must
As you might have seen, although the implementation of HTTPS or SSL is not always straightforward, it is essential. Since Chrome 68 in July 2018, Google has been labeling websites as NOT SECURE if they are not served over HTTPS, and as of today (2019) every plain-http page gets that label. So do make sure you get this set up on your website today. One more thing… Did you know that people who share useful stuff like this post look AWESOME too? 😉 Please leave a useful comment with your thoughts, then share this with your Facebook group(s) who would find this useful and let’s reap the benefits together. Thank you for sharing and being nice!
Omeed Kamiab
VanComputer Web Developer. We offer you the best services in your ..