HTTPS migration – you can do it and this is why
This is the subject of a talk I recently gave at the Boston WordPress Meetup. It really is a bandwagon that we need to jump on! Every site I develop going forward will be HTTPS and I am converting many older sites as well.
What is HTTPS
- HTTPS is HTTP over a secure connection
- The added layer of security is called SSL (Secure Sockets Layer); its modern versions are called TLS (Transport Layer Security)
- SSL encrypts communication between your browser and a website
- SSL also provides authentication: the certificate proves to visitors that they are connected to your site and not to an impostor
- Prevents man-in-the-middle attacks on the connection
- Prevents cookies and passwords from being exposed in transit
There are remaining vulnerabilities that HTTPS does not address
- Doesn’t stop attackers from hacking your website, server, or network
- Software vulnerabilities in WordPress, plugins, themes, or the server are unaffected
- Brute force login attacks work just as well over HTTPS
Why migrate to HTTPS?
Well, HTTPS is the internet’s next phase!
The internet’s standards bodies, web browsers, and major tech companies have come to understand that HTTPS should be the baseline for all web traffic.
Pervasive Monitoring is an Attack (RFC 7258) – The Internet Engineering Task Force (IETF)
HTTPS for Everything (HTTPS-Only Standard) – White House Office of Management and Budget memorandum
The web should actively prefer secure communication.
Barriers to adoption should be removed.
TLS encryption must not be compromised.
W3C’s Technical Architecture Group, “Securing the Web”
Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web.
Deprecating Non-Secure HTTP, Mozilla Security Blog, April 30, 2015
Beginning in January 2017, Chrome 56 will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
“Moving towards a more secure web”, Google Security Blog, September 8, 2016
“HTTPS is now necessary for achieving the best the web can offer and HTTP is underperforming.” – Mythbusting HTTPS, Emily Schechter, product manager on Chrome security team, Progressive Web App Summit 2016
Dispelling myths about HTTPS
- HTTPS is expensive – Free SSL is now available from Let’s Encrypt
- HTTPS is difficult to set up – Many hosts will install Let’s Encrypt for you, and if you buy an SSL certificate from them they will install it instantly
- HTTPS will be slower – The opposite is true. Browsers only support HTTP/2 over HTTPS, so HTTPS is required for it. Websites optimized for and delivered over HTTP/2 will perform 50-70% better than sites over HTTP/1.1.
- HTTPS and SEO – Referral data passes through from HTTP to HTTPS, whereas referral data from HTTPS to HTTP is stripped. Google will rank HTTPS websites higher!
Facts about HTTPS
- Free
- Internet standard
- Easy to set up
- Faster
- Retains referral data for higher SEO ranking
Now let’s walk through how to migrate your website from HTTP to HTTPS
- Obtain an SSL certificate from your website host – either a free Let’s Encrypt or traditional SSL certificate. The biggest difference between the two is that Let’s Encrypt doesn’t offer a warranty.
- Install the SSL certificate – your website host will often install the SSL certificate for you
- Do I need a dedicated IP address? Not usually. Thanks to SNI (Server Name Indication), multiple SSL certificates can be served from a single IP address, and all modern browsers support it
Implementing HTTPS
- Update your site URL to HTTPS – You can do this in the Settings > General section of the WordPress dashboard
- Force HTTPS – you can use the WordPress Force HTTPS plugin or add the following code to the .htaccess file
RewriteEngine On
# Match only requests that did not arrive over TLS (more reliable than testing for port 80)
RewriteCond %{HTTPS} off
# Send a permanent (301) redirect to the same path on HTTPS
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
Fixing mixed or insecure content
- Resolve insecure elements with the Better Search Replace plugin – search the database for http://yourdomain.com and replace it with https://yourdomain.com so embedded links and asset URLs use HTTPS
- Identify insecure assets causing warnings – visit WhyNoPadlock and run a scan of your website to find the insecure items
- Identify insecure assets with the Google Chrome DevTools console – it reports even more detail, including passive mixed content (images, audio, video) that loads but still breaks the padlock
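As an added example (not code from the original post), here is a small Python scanner that performs the same kind of check as the tools above: it parses a page's HTML and lists sub-resources still fetched over http://, split into active mixed content (scripts, stylesheets, iframes, which browsers block) and passive mixed content (images, audio, video, which load but remove the padlock). The sample HTML and the yourdomain.com host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a sub-resource, grouped by how browsers treat them.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "link" and "stylesheet" not in (attr.get("rel") or ""):
            return  # only stylesheet <link>s are active mixed content
        for name, value in attr.items():
            if not value:
                continue
            if (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            else:
                continue  # <a href> and friends are navigations, not sub-resources
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            url = urljoin(self.page_url, value)
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a site now on HTTPS whose content still holds http:// URLs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/style.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<img src="/relative/ok.png">
<a href="http://other.example/">links are not sub-resources</a>
<video src="https://yourdomain.com/clip.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_HTML, "https://yourdomain.com/"):
        print(f"{severity:7} <{tag}> {url}")
```

Protocol-relative and relative URLs are resolved against the page URL, so they are reported only when the page itself is on HTTP, which is why the sample's //cdn.example script is not flagged.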
Don’t forget to install SSL on your CDN
- Many CDNs have Let’s Encrypt integration or a shared SSL option
- Update the CDN URL from HTTP to HTTPS
- Enable HTTP/2 support on your CDN
Update Google Search Console
- Let Google know that your pages should be indexed using HTTPS
- Add the property https://yoursite.com
- Re-submit your sitemap in Google Search Console
- Fetch and crawl your new HTTPS site
Update Google Analytics
- Go to Admin – Property Settings and switch from HTTP to HTTPS