Securing Your Website with HTTPS

HTTPS migration – you can do it and this is why

This is the subject of a talk I recently gave at the Boston WordPress Meetup. It really is a bandwagon that we need to jump on! Every site I develop going forward will be HTTPS and I am converting many older sites as well.

What is HTTPS

  • HTTPS is HTTP over a secure connection
  • The added layer of security is called SSL (secure socket layer)
  • SSL encrypts communication between your browser and a website
  • SSL also provides authentication. It proves your identity
  • Prevents man-in-the-middle attacks
  • Prevents cookie and password exposure

There are remaining vulnerabilities

  • Doesn’t stop attackers from hacking your website, server, or network
  • Software vulnerabilities
  • Brute force attacks

Why migrate to HTTPS?

Well, HTTPS is the internet’s next phase!

The internet’s standards bodies, web browsers, and major tech companies have come to understand that HTTPS should be the baseline for all web traffic.

Pervasive Monitoring is an Attack – The Internet Engineering Task Force (IETF)

HTTPS for Everything – White House Office of Management and Budget memorandum

The web should actively prefer secure communication.
Barriers to adoption should be removed.
TLS encryption must not be compromised.
W3C’s Technical Architecture Group, “Securing the Web”

Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web.
Depreciating Non-Secure HTTP, Mozilla Security Blog, April 30, 2015

HTTP not secure warningBeginning in January 2017 (Chrome 56) will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
“Moving towards a more secure web” September 8, 2016

“HTTPS is now necessary for achieving the best the web can offer and HTTP is underperforming.” – Mythbusting HTTPS, Emily Schechter, product manager on Chrome security team, Progressive Web App Summit 2016

Dispelling myths about HTTPS

  • HTTPS is expensive – Free SSL is now available from Let’s Encrypt
  • HTTPS is difficult to set up – Many hosts will install Let’s Encrypt for you and if you buy an SSL certificate from them will install it instantly
  • HTTPS will be slower – The opposite is true. HTTPS is required for HTTP/2. Websites optimized for and delivered over HTTP/2 will perform 50-70% better than sites over HTTP/1.1.
  • HTTPS and SEO – Referral data passes through from HTTP to HTTPS whereas, HTTPS to HTTP referral data is stripped. Google will rank HTTPS websites higher!

Facts about HTTPS

  • Free
  • Internet standard
  • Easy to set up
  • Faster
  • Retains referral data for higher SEO ranking

Now lets walk through how to migrate your website from HTTP to HTTPS

  • Obtain an SSL certificate from your website host – either a free Let’s Encrypt or traditional SSL certificate. The biggest difference between the two is that Let’s Encrypt doesn’t offer a warranty.
  • Install the SSL certificate – your website host will often install the SSL certificate for you
  • Do I need a dedicated IP address? Not always, multiple SSL certificates can operate from a single IP address for most modern browsers

Implementing HTTPS

  • Update your site URL to HTTPS – You can do this in the Settings > General section of the WordPress dashboard
  • Force HTTPS – you can use the WordPress Force HTTPS plugin or add the following code to the .htaccess file

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R=301,L]

Fixing mixed or insecure content

Fixing mixed content HTTPS

  • Resolve insecure elements with the Better Search Replace plugin – you can search and replace “HTTP” with “HTTPS”
  • Identify insecure assets causing warnings – visit WhyNoPadlock and run a scan of your website to find the insecure items
  • Identifying Insecure Assets with Google Chrome Inspector Console – see even more information on passive mixed content through the inspector

Don’t forget to install SSL on your CDN

  • Many CDNs have Let’s Encrypt integration or a shared SSL option
  • Updated the URL from HTTP to HTTPS
  • Enable HTTP/2 support on your CDN

Update Google Search Console

  • Let Google know that your pages should be indexed using HTTPS
  • Add the property
  • Re-submit your sitemap in Google Search Console
  • Fetch and crawl your new HTTPS site

Update Google Analytics

  • Go to Admin – Property Settings and switch from HTTP to HTTPS

View the slides to my talk on Speaker Deck.

About Amy Kvistad

Amy has 20 years of experience as a graphic designer and 10 years of experience as a web designer and developer. She works with clients directly and also partners with small businesses.