Amy Kvistad
Independent Web Designer, Developer and overall Graphic Designer
7 years of WordPress experience
16 years of design experience
Just got a puppy
Love sailboat racing
Website: amykvistad.com
Follow me on twitter: @amykvistad
HTTPS Migration: You Can Do It and This Is Why
• Very quickly – What is HTTPS
• Why migrate to HTTPS
• Dispelling myths
• Walk through – how to migrate your website
What is HTTPS
• HTTPS is HTTP over a secure connection
• The added layer of security is called SSL (Secure Sockets Layer); its modern versions are called TLS
• SSL encrypts communication between your browser and a website
• SSL also provides authentication. It proves the website’s identity to the visitor.
• Prevents man-in-the-middle attacks
• Prevents cookie and password exposure
HTTPS is the internet’s next phase
The internet’s standards bodies, web browsers, and major tech companies have come to understand that HTTPS should be the baseline for all web traffic.
1. The web should actively prefer secure communication
2. Barriers to adoption should be removed
3. TLS encryption must not be compromised
W3C’s Technical Architecture Group, “Securing the Web”
https://www.w3.org/2001/tag/doc/web-https
Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web.
Deprecating Non-Secure HTTP, Mozilla Security Blog, April 30, 2015
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Beginning in January 2017 (Chrome 56), Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
“Moving towards a more secure web,” September 8, 2016
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
“We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available.”
“Modern browsers, and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default...”
WordPress Co-Founder Matt Mullenweg, “Moving Toward SSL,” WordPress News, December 01, 2016.
“HTTPS is one of the most important topics for a web developer today.”
“HTTPS is now necessary for achieving the best the web can offer and HTTP is underperforming.”
“Mythbusting HTTPS,” Emily Schechter, product manager on Chrome security team, Progressive Web App Summit 2016
HTTPS will be required for PWA (Progressive Web Apps) and AMP (Accelerated Mobile Pages)
“A View from Google: The Latest in Search and Mobile,” Maile Ohye, Developer Programs Tech Lead at Google, WordCamp US, December 3, 2016
Myth: HTTPS will be slower
• The opposite is true. HTTPS is required for HTTP/2 (browsers only support HTTP/2 over TLS)
• Websites optimized for and delivered over HTTP/2 will perform 50-70% better than sites over HTTP/1.1
Obtain an SSL Certificate
• Get a free SSL Certificate from Let’s Encrypt
• My experience with A2 Hosting
• By default, Let's Encrypt is not enabled for cPanel accounts. If you would like to use Let's Encrypt SSL certificates on your account, please open a ticket with the A2 Hosting Guru Crew
• When Let's Encrypt is enabled for your account, you do not have to do anything else. The entire process of generating, installing, and renewing SSL certificates is done automatically.
Install the SSL Certificate
• Your web host will often install an SSL Certificate whether you buy it from them or from Let’s Encrypt
• If you have shell access, Let’s Encrypt recommends using Certbot (its ACME client) to automate certificate issuance, installation and renewal
Do I need a Dedicated IP address?
• A Dedicated IP address is usually recommended for SSL Certificates
• Necessary for compatibility with older web browsers
• Monthly fee
• Server Name Indication (SNI) allows multiple sites with SSL certificates to operate from a single IP address
• SNI is compatible with most modern browsers
• Not compatible with these out-of-date browsers:
  • Any Internet Explorer browser on Windows XP
  • Chrome 5 and older on Windows XP
  • Blackberry web browser
  • Windows Mobile phones up to version 6.5
  • Android mobile phone default browser on Android OS 2.x
Update your site URL to HTTPS
• Go to “Settings > General” and change both the “WordPress Address” and “Site Address” URLs to use “https://” instead of “http://”
Force HTTPS
• Force HTTPS throughout the site – make sure that ALL of your traffic is loaded via HTTPS with the WordPress Force HTTPS plugin
• Force HTTPS via .htaccess file:
    # Send every request that arrived on plain HTTP (port 80) to the same URL over HTTPS
    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
Better Search Replace
Install and Activate Better Search Replace
Go to “Tools > Better Search Replace”
In the “Search/Replace” tab, do the following:
  Search for = http://yourdomain.com
  Replace with = https://yourdomain.com
  In the “Select tables” area, select both wp_postmeta and wp_posts. Press “CTRL” or “CMD” to select multiples.
  Unselect “Run as Dry Run”
Hit “Run Search/Replace”
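Why a plugin such as Better Search Replace is used for this step rather than a raw SQL REPLACE, as an added example in Python that is not part of the talk: WordPress stores many option and postmeta values as PHP-serialized data, in which every string carries its own byte length (for example s:21:"http://yourdomain.com"). Swapping http:// for https:// makes the string one byte longer, so a plain text replace leaves a length that no longer matches and PHP silently discards the whole value. The minimal parser and serializer below are constructed for this example (they cover the scalar and array types WordPress uses, not PHP objects) and re-serialize after replacing so the lengths are recomputed; the sample postmeta value is made up.

```python
from typing import Any, Tuple


def _parse(s: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value starting at pos; return (value, next_pos)."""
    t = s[pos:pos + 1]
    if t == b"N":                                           # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                             # i:42;  b:1;  d:1.5;
        end = s.index(b";", pos)
        raw = s[pos + 2:end].decode("ascii")
        val = int(raw) if t == b"i" else (raw == "1" if t == b"b" else float(raw))
        return val, end + 1
    if t == b"s":                                           # s:<byte length>:"...";
        colon = s.index(b":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                                   # skip :"
        if s[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match its content")
        return s[start:start + length].decode("utf-8"), start + length + 2
    if t == b"a":                                           # a:<count>:{key value key value ...}
        colon = s.index(b":", pos + 2)
        count = int(s[pos + 2:colon])
        pos = colon + 2                                     # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(s, pos)
            items[key], pos = _parse(s, pos)
        if s[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"not PHP-serialized data at offset {pos}")


def _dump(v: Any) -> bytes:
    """Serialize a parsed value back to PHP format, recomputing every string length."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):                                 # before int: bool is an int subclass
        return b"b:1;" if v else b"b:0;"
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, float):
        return b"d:%s;" % repr(v).encode("ascii")
    if isinstance(v, str):
        raw = v.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)              # length is in bytes, as PHP counts it
    if isinstance(v, dict):
        inner = b"".join(_dump(k) + _dump(x) for k, x in v.items())
        return b"a:%d:{%s}" % (len(v), inner)
    raise TypeError(f"cannot serialize {type(v).__name__}")


def _walk(v: Any, old: str, new: str) -> Any:
    """Apply the replacement to every string inside the parsed structure."""
    if isinstance(v, str):
        return v.replace(old, new)
    if isinstance(v, dict):
        return {_walk(k, old, new): _walk(x, old, new) for k, x in v.items()}
    return v


def is_valid_serialized(value: bytes) -> bool:
    """True when the whole value parses as PHP-serialized data (what PHP's unserialize needs)."""
    try:
        _, end = _parse(value, 0)
    except (ValueError, IndexError):
        return False
    return end == len(value)


def safe_replace(value: bytes, old: str, new: str) -> bytes:
    """Replace old with new in a database value without corrupting serialized data."""
    if not is_valid_serialized(value):
        # Plain text column such as post_content: an ordinary replace is fine.
        return value.replace(old.encode("utf-8"), new.encode("utf-8"))
    parsed, _ = _parse(value, 0)
    return _dump(_walk(parsed, old, new))


if __name__ == "__main__":
    OLD, NEW = "http://yourdomain.com", "https://yourdomain.com"
    # Constructed postmeta value of the kind a theme or plugin stores for an uploaded logo.
    meta = b'a:2:{s:4:"logo";s:30:"http://yourdomain.com/logo.png";s:5:"width";i:300;}'
    naive = meta.replace(OLD.encode(), NEW.encode())
    print("naive :", naive, "valid =", is_valid_serialized(naive))
    fixed = safe_replace(meta, OLD, NEW)
    print("safe  :", fixed, "valid =", is_valid_serialized(fixed))
```

Run the demo and the naive line shows s:30 in front of a 31-byte string, which PHP rejects; the safe line shows s:31. The "Run as Dry Run" option on the slide exists for exactly this reason: it lets you see which tables hold serialized values before anything is written.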
Identifying insecure assets causing warnings
• WhyNoPadlock - https://www.whynopadlock.com
• Free testing site that provides you with a report of all the insecurely-loaded items
Don’t forget to install SSL on your CDN
• Many CDNs have Let’s Encrypt integration
• Many CDNs also have a shared SSL option
• Update the URL from HTTP to HTTPS
• Enable HTTP/2 support on your CDN
Update Google Search Console
• Update Google Search Console – let Google know that your pages should be indexed using https
• Add the property https://yoursite.com
• Re-submit your sitemap in Google Search Console
• Fetch and crawl your new https site
Payment page mixed content warnings
• Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans'. This request has been blocked; the content must be served over HTTPS.
• Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure image 'http://shed.theclientroom.com/wp-content/uploads/SHED_logo_static.png'. This content should also be served over HTTPS. jquery.js?ver=1.11.3:4
Problem: Plugin had hard-coded http://
Solution: Plugin author fixed it after contacting them
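A small scanner for the kind of insecure references WhyNoPadlock reports and the browser console showed above, written as an added Python example that is not from the talk. It walks the page markup, flags every sub-resource still requested over http://, and sorts them the way the two console messages do: stylesheets, scripts and frames are blocked outright, images and media only produce a warning. The sample markup is constructed (it reuses the Google Fonts URL from the slide next to a made-up image under yourdomain.com); scanning a live site would also require fetching the page, which this offline example does not do.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Which (tag, attribute) pairs load sub-resources, and how the console above treated
# an http:// URL there on an https:// page: active content is blocked, passive content
# (images, media) is loaded with a warning.
CHECKS = {
    ("script", "src"): "blocked",
    ("link", "href"): "blocked",      # only when rel contains "stylesheet", see below
    ("iframe", "src"): "blocked",
    ("img", "src"): "warning",
    ("video", "src"): "warning",
    ("audio", "src"): "warning",
    ("source", "src"): "warning",
}

Finding = Tuple[str, str, str]        # (severity, tag, url)


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        attr = {name.lower(): (value or "").strip() for name, value in attrs}
        for (check_tag, check_attr), severity in CHECKS.items():
            if tag != check_tag or not attr.get(check_attr):
                continue
            if tag == "link" and "stylesheet" not in attr.get("rel", "").lower():
                continue              # icon/preload links are not what the console flagged
            url = attr[check_attr]
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((severity, tag, url))


def scan(html: str) -> List[Finding]:
    """Return every http:// sub-resource reference in the markup, blocked ones first."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: f[0] != "blocked")


def suggested_fix(url: str) -> str:
    """The usual remedy: the same resource over https (the host must actually serve it)."""
    return "https://" + url[len("http://"):]


# Constructed sample page: one blocked stylesheet, one warned image, and two
# references (https:// and protocol-relative //) that are already fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://yourdomain.com/wp-content/themes/theme/style.css">
<script src="//yourdomain.com/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
</head><body>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/hero.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}  ->  {suggested_fix(url)}")
```

Relative and protocol-relative URLs never show up in the report because they inherit the page's scheme, which is why the fix for a hard-coded http:// in a plugin, as on this slide, is either an https:// URL or dropping the scheme altogether.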
Resources
• How to use SSL and HTTPS for your WordPress Website
  https://givewp.com/documentation/resources/how-to-use-ssl-and-https-for-your-wordpress-website/
• Complete Guide – How to Migrate from HTTP to HTTPS
  https://www.keycdn.com/blog/http-to-https/
• In-Depth HTTP to HTTPS Migration Guide for WordPress
  https://kinsta.com/blog/http-to-https/