HTTPS Migration: You Can Do It and This Is Why

Amy Kvistad
December 19, 2016

Presentation given at the Boston WordPress Meetup December 19, 2016.

Transcript

  1. HTTPS Migration: You Can Do It and This Is Why
    Amy Kvistad
    Website: amykvistad.com
    Follow me on twitter: @amykvistad

  2. Amy Kvistad
    Independent Web Designer, Developer
    and overall Graphic Designer
    7 years of WordPress experience
    16 years of design experience
    Just got a puppy
    Love sailboat racing
    Website: amykvistad.com
    Follow me on twitter: @amykvistad

  3. HTTPS Migration: You Can Do It and This Is Why
    • Very quickly – What is HTTPS
    • Why migrate to HTTPS
    • Dispelling myths
    • Walk through – how to migrate your website

  4. What is HTTPS
    • HTTPS is HTTP over a secure connection
    • The added layer of security is called SSL (Secure Sockets Layer); its modern successor is TLS
    • SSL encrypts communication between your browser and a website
    • SSL also provides authentication: it proves your website's identity to visitors
    • Prevents man-in-the-middle attacks on the connection
    • Prevents cookies and passwords from being exposed in transit

  5. Remaining Vulnerabilities
    • Doesn’t stop attackers from hacking your website, server, or network
    • Software vulnerabilities
    • Brute force attacks

  6. Why migrate to HTTPS

  7. HTTPS is the internet’s next phase
    The internet’s standards bodies, web browsers, and major tech companies have come to understand
    that HTTPS should be the baseline for all web traffic.

  8. Pervasive Monitoring Is an Attack
    The Internet Engineering Task Force (IETF), RFC 7258:
    https://tools.ietf.org/html/rfc7258

  9. HTTPS for Everything
    White House Office of Management and Budget memorandum:
    https://https.cio.gov/

  10. W3C’s Technical Architecture Group, “Securing the Web”
    1. The web should actively prefer secure communication
    2. Barriers to adoption should be removed
    3. TLS encryption must not be compromised
    https://www.w3.org/2001/tag/doc/web-https

  11. “Today we are announcing our intent to phase out non-secure HTTP.”
    “There’s pretty broad agreement that HTTPS is the way forward for the web.”
    “Deprecating Non-Secure HTTP,” Mozilla Security Blog, April 30, 2015
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

  12. “Beginning in January 2017 (Chrome 56), Chrome will mark HTTP pages that collect
    passwords or credit cards as non-secure, as part of a long-term plan to mark all
    HTTP sites as non-secure.”
    “Moving towards a more secure web,” Google Security Blog, September 8, 2016
    https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

  13. “We’re at a turning point: 2017 is going to be
    the year that we’re going to see features in
    WordPress which require hosts to have HTTPS
    available.”
    “Modern browsers, and the incredible success
    of projects like Let’s Encrypt have made getting
    a certificate to secure your site fast, free, and
    something we think every host should support
    by default...”
    WordPress Co-Founder Matt Mullenweg “Moving
    Toward SSL” WordPress News. December 01, 2016.

  14. “HTTPS is one of the most important topics for a web developer today.”
    “HTTPS is now necessary for achieving the best the web can offer
    and HTTP is underperforming.”
    “Mythbusting HTTPS,” Emily Schechter, product manager on Chrome security team, Progressive Web App Summit 2016

  15. HTTPS will be required for PWA (Progressive Web Apps)
    and AMP (Accelerated Mobile Pages)
    “A View from Google: The Latest in Search and Mobile” Maile Ohye, Developer Programs Tech Lead
    at Google, WordCamp US, December 3, 2016

  16. Dispelling Myths about HTTPS
    • It’s expensive
    • It will be slower
    • It’s difficult to set up
    • Will it hurt SEO?
    • But I just have a blog

  17. Myth: HTTPS is expensive
    • Free SSL from Let’s Encrypt

  18. Myth: HTTPS is difficult to set up
    • Many hosts will install Let’s Encrypt for you
    • 1-click set up when you buy an SSL Certificate from your web host

  19. Myth: HTTPS will be slower
    • The opposite is true: browsers only support HTTP/2 over HTTPS
    • Websites optimized for and delivered over HTTP/2 will perform 50-70%
      better than sites over HTTP/1.1

  20. HTTPS and SEO
    • Referral data is passed through from HTTP to HTTPS
    • HTTPS to HTTP referral data is stripped
    • Google will rank HTTPS websites higher

  21. Facts about HTTPS
    • Free
    • Faster
    • Easy to set up
    • Referral data
    • Higher ranking
    • Internet standard

  22. Walk through – how to migrate your website

  23. Obtain an SSL Certificate
    • Get a free SSL Certificate from Let’s Encrypt
    • My experience with A2 Hosting:
      • “By default, Let's Encrypt is not enabled for cPanel accounts. If you would like
        to use Let's Encrypt SSL certificates on your account, please open a ticket with
        the A2 Hosting Guru Crew.”
      • “When Let's Encrypt is enabled for your account, you do not have to do
        anything else. The entire process of generating, installing, and renewing SSL
        certificates is done automatically.”

  24. Comparing SSL Certificates
    Let’s Encrypt
    • Free
    • Valid for 90 days, renewable
    • No warranty
    • Basic domain-based vetting
    • No wildcard certificates
    Traditional SSL Certificates
    • Cost money
    • Valid for at least a year, renewable
    • Warranty
    • Additional customer vetting
    • Offers wildcard certificates

  25. Install the SSL Certificate
    • Your web host will often install an SSL Certificate whether you buy it
      from them or get it from Let’s Encrypt
    • If you have shell access, Let’s Encrypt recommends using Certbot, its
      ACME client, to automate certificate issuance and installation

  26. Do I need a Dedicated IP address?
    • A Dedicated IP address is usually recommended for SSL Certificates
      • Necessary for compatibility with older web browsers
      • Monthly fee
    • Server Name Indication (SNI) allows multiple sites with SSL certificates to
      operate from a single IP address
      • SNI is compatible with most modern browsers
      • Not compatible with these out-of-date browsers:
        • Any Internet Explorer browser on Windows XP
        • Chrome 5 and older on Windows XP
        • Blackberry web browser
        • Windows Mobile phones up to version 6.5
        • Android mobile phone default browser on Android OS 2.x

  27. Implementing HTTPS

  28. Update your site URL to HTTPS
    • Go to “Settings > General” and change both the “WordPress Address”
      and “Site Address” URLs to use “https://” instead of “http://”

  29. Update your site URL via phpMyAdmin
    • Go to the wp_options table
    • Locate siteurl and edit the URL directly
    • Locate home and edit the URL directly

  30. Force HTTPS
    • Force HTTPS throughout the site: make sure that ALL of your traffic is
      loaded via HTTPS with the WordPress Force HTTPS plugin
    • Force HTTPS via the .htaccess file (yourdomain.com is a placeholder for your domain):
      # Permanently redirect any request that arrived on the plain-HTTP port (80) to HTTPS
      RewriteEngine On
      RewriteCond %{SERVER_PORT} 80
      RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
    • If a proxy or load balancer terminates TLS in front of the server, SERVER_PORT may
      always be 80, so check the proxy's forwarded-protocol header instead

  31. Force SSL Admin
    • Set FORCE_SSL_ADMIN to true in the wp-config.php file:
      define('FORCE_SSL_ADMIN', true);

  32. Fixing mixed content or insecure content

  33. Resolve insecure elements
    • Use the Better Search Replace plugin to update “http” to “https” in your database

  34. Better Search Replace walkthrough
    • Install and activate Better Search Replace
    • Go to “Tools > Better Search Replace”
    • In the “Search/Replace” tab, do the following:
      Search for = http://yourdomain.com
      Replace with = https://yourdomain.com
    • In the “Select tables” area, select both wp_postmeta and wp_posts. Press “CTRL” or “CMD” to select multiples.
    • Unselect “Run as Dry Run”
    • Hit “Run Search/Replace”
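    The reason a plugin is used here rather than a raw SQL REPLACE() is that many WordPress values (widgets, theme mods, plugin settings in wp_options and wp_postmeta) are PHP-serialized, and each string carries its byte length as s:N:"...", which a plain replace leaves wrong. The following is an added example, not code from the talk or from the Better Search Replace plugin; it shows a serialization-safe replace plus an audit check, over constructed sample values using the placeholder yourdomain.com from the slide.

```python
import re

# Header of a PHP serialized string token, e.g. s:30:"..."; (N is a BYTE length)
_STR_HEADER = re.compile(rb's:(\d+):"')


def replace_url(value: str, old: str, new: str) -> str:
    """Replace old with new in a wp_options/wp_postmeta value.

    Plain values get a plain replace.  PHP-serialized values keep every
    s:N:"..." length correct, which a raw SQL REPLACE() gets wrong.
    """
    data, old_b, new_b = value.encode(), old.encode(), new.encode()
    out, pos = bytearray(), 0
    while (m := _STR_HEADER.search(data, pos)) is not None:
        start = m.end()
        end = start + int(m.group(1))            # skip exactly N bytes of content
        if data[end:end + 2] != b'";':           # not a real token: copy and move on
            out += data[pos:start].replace(old_b, new_b)
            pos = start
            continue
        body = data[start:end].replace(old_b, new_b)
        out += data[pos:m.start()].replace(old_b, new_b)   # text between tokens
        out += b's:%d:"%s";' % (len(body), body)           # re-emit with new length
        pos = end + 2
    out += data[pos:].replace(old_b, new_b)
    return bytes(out).decode()


def serialized_lengths_ok(value: str) -> bool:
    """Audit: every s:N:" header must be followed by exactly N bytes and '";'.

    Use it after a migration to find rows a naive replace has corrupted."""
    data, pos = value.encode(), 0
    while (m := _STR_HEADER.search(data, pos)) is not None:
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True


# Constructed sample rows in the shape WordPress stores them (not real site data)
OLD, NEW = "http://yourdomain.com", "https://yourdomain.com"
PLAIN = "http://yourdomain.com/about/"
SERIALIZED = 'a:1:{s:4:"logo";s:30:"http://yourdomain.com/logo.png";}'
```

Running serialized_lengths_ok over a dump after the change flags any row that still needs fixing; SERIALIZED.replace(OLD, NEW) is exactly the broken form it catches.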

  35. Identifying insecure assets causing warnings
    • WhyNoPadlock: https://www.whynopadlock.com
    • Free testing site that provides you with a report of all the insecurely-loaded items

  36. Identifying Insecure Assets with the Google Chrome Inspector Console

  37. Don’t forget to install SSL on your CDN
    • Many CDNs have Let’s Encrypt integration
    • Many CDNs also have a shared SSL option
    • Update the CDN URL from HTTP to HTTPS
    • Enable HTTP/2 support on your CDN

  38. Update Google Search Console
    • Update Google Search Console: let Google know that your pages should be indexed using https
    • Add the property https://yoursite.com
    • Re-submit your sitemap in Google Search Console
    • Fetch and crawl your new https site

  39. Update Google Analytics
    • Go to Admin > Property Settings and switch from HTTP to HTTPS

  40. Client Project

  41. Payment page mixed content warnings
    • Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans'. This request has been blocked; the content must be served over HTTPS.
    • Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure image 'http://shed.theclientroom.com/wp-content/uploads/SHED_logo_static.png'. This content should also be served over HTTPS.
      (reported at jquery.js?ver=1.11.3:4)
    Problem: Plugin had hard-coded http://
    Solution: Plugin author fixed it after contacting them
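    The two console messages above show the distinction a migration has to care about: a stylesheet over http:// is blocked outright, while an image only produces a warning (and a broken padlock). As an added example, not from the talk or from Chrome, the scanner below applies that split to a page's HTML so the audit from slides 35 and 36 can be scripted; the sample document is constructed around the URLs on this slide, and cdn.example.invalid is a made-up host used to show that a protocol-relative // URL resolves to https and is not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Blockable mixed content (scripts, stylesheets, frames, plugins) is refused by the
# browser; optionally-blockable content (images, media) loads but breaks the padlock.
BLOCKABLE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
OPTIONAL = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources referenced from an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as page content
        for elem, attr in BLOCKABLE | OPTIONAL:
            if elem == tag and attrs.get(attr):
                url = urljoin(self.page_url, attrs[attr])  # resolves relative and // URLs
                if urlsplit(url).scheme == "http":
                    kind = "blocked" if (elem, attr) in BLOCKABLE else "warning"
                    self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return [(kind, tag, absolute_url)] for every insecure subresource in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page modelled on the payment page described on this slide
PAGE_URL = "https://shedchildrenscampus.org/make-a-payment/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="http://shedchildrenscampus.org/make-a-payment/">
<script src="//cdn.example.invalid/jquery.js?ver=1.11.3"></script>
</head><body>
<img src="http://shed.theclientroom.com/wp-content/uploads/SHED_logo_static.png">
<img src="/wp-content/uploads/ok.png">
<a href="http://example.invalid/">a link is navigation, not a subresource</a>
</body></html>"""
```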

  43. Thank you
    Amy Kvistad
    amykvistad.com
    Twitter: @amykvistad
    https://speakerdeck.com/amykvistad

  44. Resources
    • How to use SSL and HTTPS for your WordPress Website
      https://givewp.com/documentation/resources/how-to-use-ssl-and-https-for-your-wordpress-website/
    • Complete Guide – How to Migrate from HTTP to HTTPS
      https://www.keycdn.com/blog/http-to-https/
    • In-Depth HTTP to HTTPS Migration Guide for WordPress
      https://kinsta.com/blog/http-to-https/
