HTTPS Migration: You Can Do It and This Is Why

Amy Kvistad
December 19, 2016

Presentation given at the Boston WordPress Meetup December 19, 2016.

Transcript

  1. HTTPS Migration: You Can Do It and This Is Why

    Amy Kvistad. Website: amykvistad.com. Follow me on Twitter: @amykvistad
  2. Amy Kvistad: Independent Web Designer, Developer and overall Graphic Designer

    • 7 years of WordPress experience
    • 16 years of design experience
    • Just got a puppy
    • Love sailboat racing
    • Website: amykvistad.com
    • Follow me on Twitter: @amykvistad
  3. HTTPS Migration: You Can Do It and This Is Why

    • Very quickly: what is HTTPS
    • Why migrate to HTTPS
    • Dispelling myths
    • Walk through: how to migrate your website
  4. What is HTTPS

    • HTTPS is HTTP over a secure connection
    • The added layer of security is TLS (Transport Layer Security), still commonly called SSL (Secure Sockets Layer) after the deprecated protocol it replaced
    • TLS encrypts communication between your browser and a website, so nobody on the network path can read it
    • TLS also provides authentication: the site's certificate proves to the browser that it is talking to the real site and not an impostor
    • Together these prevent man-in-the-middle attacks on the connection: an attacker on the path can neither read nor silently modify the traffic
    • Prevents cookies and passwords from being exposed in transit
  5. Remaining Vulnerabilities

    • HTTPS only protects data in transit; it doesn't stop attackers from hacking your website, server, or network
    • Software vulnerabilities in WordPress core, themes and plugins are unaffected
    • Brute force attacks against your login still work; HTTPS only hides the guesses from the network
  6. Why migrate to HTTPS

  7. HTTPS is the internet's next phase

    The internet's standards bodies, web browsers, and major tech companies have come to understand that HTTPS should be the baseline for all web traffic.
  8. Pervasive Monitoring Is an Attack

    The Internet Engineering Task Force (IETF), RFC 7258: https://tools.ietf.org/html/rfc7258
  9. HTTPS for Everything

    White House Office of Management and Budget memorandum (the HTTPS-Only Standard, M-15-13): https://https.cio.gov/
  10. W3C Technical Architecture Group, "Securing the Web"

    1. The web should actively prefer secure communication
    2. Barriers to adoption should be removed
    3. TLS encryption must not be compromised
    https://www.w3.org/2001/tag/doc/web-https
  11. "Today we are announcing our intent to phase out non-secure HTTP. There's pretty broad agreement that HTTPS is the way forward for the web."

    "Deprecating Non-Secure HTTP," Mozilla Security Blog, April 30, 2015: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
  12. Beginning in January 2017 (Chrome 56), Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

    "Moving towards a more secure web," Google Security Blog, September 8, 2016: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
  13. "We're at a turning point: 2017 is going to be the year that we're going to see features in WordPress which require hosts to have HTTPS available."

    "Modern browsers, and the incredible success of projects like Let's Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default..."
    WordPress Co-Founder Matt Mullenweg, "Moving Toward SSL," WordPress News, December 1, 2016
  14. "HTTPS is one of the most important topics for a web developer today."

    "HTTPS is now necessary for achieving the best the web can offer and HTTP is underperforming."
    "Mythbusting HTTPS," Emily Schechter, product manager on the Chrome security team, Progressive Web App Summit 2016
  15. HTTPS will be required for PWA (Progressive Web Apps) and AMP (Accelerated Mobile Pages)

    "A View from Google: The Latest in Search and Mobile," Maile Ohye, Developer Programs Tech Lead at Google, WordCamp US, December 3, 2016
  16. Dispelling Myths about HTTPS

    • It's expensive
    • It will be slower
    • It's difficult to set up
    • Will it hurt SEO?
    • But I just have a blog
  17. Myth: HTTPS is expensive

    • Free SSL from Let's Encrypt
  18. Myth: HTTPS is difficult to set up

    • Many hosts will install Let's Encrypt for you
    • 1-click set up when you buy an SSL Certificate from your web host
  19. Myth: HTTPS will be slower

    • In practice the opposite is true: browsers only speak HTTP/2 over TLS, so HTTPS is required for HTTP/2
    • Websites optimized for and delivered over HTTP/2 can perform 50-70% better than the same sites over HTTP/1.1 (TLS adds a handshake per connection, but HTTP/2 multiplexing, header compression and fewer connections more than make up for it)
  20. HTTPS and SEO

    • Referral data is passed through from HTTP to HTTPS (and from HTTPS to HTTPS)
    • HTTPS to HTTP referral data is stripped by the browser, so visitors you send to an HTTP site show up there as "direct" traffic
    • Google uses HTTPS as a ranking signal, so it can only help your ranking
  21. Facts about HTTPS

    • Free
    • Faster
    • Easy to set up
    • Referral data
    • Higher ranking
    • Internet standard
  22. Walk through – how to migrate your website

  23. Obtain an SSL Certificate

    • Get a free SSL Certificate from Let's Encrypt
    • My experience with A2 Hosting:
    • By default, Let's Encrypt is not enabled for cPanel accounts. If you would like to use Let's Encrypt SSL certificates on your account, please open a ticket with the A2 Hosting Guru Crew
    • When Let's Encrypt is enabled for your account, you do not have to do anything else. The entire process of generating, installing, and renewing SSL certificates is done automatically.
  24. Comparing SSL Certificates

    Let's Encrypt
    • Free
    • Valid for 90 days, renewable (renewal is automated by the ACME client, so the short lifetime is not a chore)
    • No warranty
    • Basic domain-based vetting (domain validation, DV)
    • No wildcard certificates (true when this talk was given; Let's Encrypt added wildcard certificates in March 2018)
    Traditional SSL Certificates
    • Cost money
    • Valid for at least a year, renewable
    • Warranty
    • Additional customer vetting (organization or extended validation, OV/EV)
    • Offers wildcard certificates
  25. Install the SSL Certificate

    • Your web host will often install an SSL Certificate for you, whether you buy it from them or get it from Let's Encrypt
    • If you have shell access, Let's Encrypt recommends Certbot, its ACME client, to automate certificate issuance, installation and renewal
  26. Do I need a Dedicated IP address?

    • A Dedicated IP address used to be the standard recommendation for SSL Certificates
    • It is only necessary for compatibility with older web browsers
    • Monthly fee
    • Server Name Indication (SNI), a TLS extension in which the browser sends the hostname it wants during the handshake, allows multiple sites with SSL certificates to operate from a single IP address
    • SNI is compatible with all modern browsers
    • Not compatible with these out-of-date browsers (they receive the server's default certificate and show a name-mismatch warning):
      • Any Internet Explorer browser on Windows XP
      • Chrome 5 and older on Windows XP
      • Blackberry web browser
      • Windows Mobile phones up to version 6.5
      • Android default browser on Android OS 2.x
  27. Implementing HTTPS

  28. Update your site URL to HTTPS

    • Go to "Settings > General" and change both the "WordPress Address (URL)" and "Site Address (URL)" to use "https://" instead of "http://"
  29. Update your site URL via phpMyAdmin

    • Use this when the dashboard is unreachable; these are the same two values Settings > General writes
    • Go to the wp_options table (wp_ is the default table prefix; yours may differ)
    • Locate the row with option_name siteurl and edit its option_value directly
    • Locate the row with option_name home and edit its option_value directly
  30. Force HTTPS

    • Force HTTPS throughout the site: make sure that ALL of your traffic is loaded via HTTPS, either with the WordPress Force HTTPS plugin or with a rewrite rule in your .htaccess file
    • Force HTTPS via .htaccess. Test %{HTTPS} rather than the server port: a port check misses non-standard ports and breaks behind a CDN or proxy that terminates TLS. Keep your own domain hard-coded in the target instead of echoing the Host header, so an attacker cannot turn the redirect into a redirect to a host of their choosing:

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [R=301,L]

    • If a CDN or load balancer terminates TLS in front of Apache, %{HTTPS} is off on every request and this rule loops; in that case also exempt requests whose X-Forwarded-Proto header is https (RewriteCond %{HTTP:X-Forwarded-Proto} !https), or let the CDN do the redirect
  31. Force SSL Admin

    • Set FORCE_SSL_ADMIN to true in the wp-config.php file so that the login page and the whole dashboard are only served over HTTPS and the auth cookies are never sent in the clear:

        define('FORCE_SSL_ADMIN', true);
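
Behind a CDN or load balancer that terminates TLS (the set-up the CDN step later in this walk-through describes), Apache and WordPress see plain HTTP on every request, so FORCE_SSL_ADMIN and the HTTPS redirect send the browser round in a loop. The fragment below is an added example, not code from the talk: it is the usual wp-config.php fix, trusting the proxy's X-Forwarded-Proto header but only from the proxy's own addresses. The address range 203.0.113.0/24 and the helper name my_request_is_from_trusted_proxy are placeholders I chose; the header name and setting $_SERVER['HTTPS'] = 'on' are what WordPress's is_ssl() actually checks.

```php
<?php
// wp-config.php fragment (added example, not from the talk).
// Assumption: a CDN or load balancer terminates TLS, forwards plain HTTP to
// this server and sets X-Forwarded-Proto on every forwarded request.
// Without this block is_ssl() is false on every request, FORCE_SSL_ADMIN
// redirects to https:// again, and the browser loops.

// Addresses the proxy connects from (placeholder range; use your CDN's
// published ranges). IPv4 only, which is enough for the demonstration.
$my_trusted_proxies = array( '203.0.113.0/24' );

function my_request_is_from_trusted_proxy( $remote_addr, array $ranges ) {
    $ip = ip2long( $remote_addr );
    if ( false === $ip ) {
        return false;
    }
    foreach ( $ranges as $range ) {
        $parts = explode( '/', $range );
        $bits  = isset( $parts[1] ) ? (int) $parts[1] : 32;
        $mask  = ( 0 === $bits ) ? 0 : ( -1 << ( 32 - $bits ) );
        if ( ( $ip & $mask ) === ( ip2long( $parts[0] ) & $mask ) ) {
            return true;
        }
    }
    return false;
}

// Only honour the header when the request really came through the proxy.
// If the origin is also reachable directly, anyone could send
// "X-Forwarded-Proto: https" over plain HTTP and skip the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'] )
    && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && my_request_is_from_trusted_proxy( $_SERVER['REMOTE_ADDR'], $my_trusted_proxies ) ) {
    // is_ssl() tests exactly this, so WordPress now treats the request as
    // secure: no redirect loop, and the auth cookies get the "secure" flag.
    $_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and the whole dashboard over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );
```

If the origin is firewalled so that only the proxy can reach it, the address check can be dropped and the three-line version from the WordPress documentation is enough. Either way, put this above the "That's all, stop editing!" line in wp-config.php so it runs before WordPress loads.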
  32. Fixing mixed content or insecure content

  33. Resolve insecure elements

    • Use the Better Search Replace plugin to update "http://yourdomain.com" to "https://yourdomain.com" throughout your database
    • Don't do this with a plain SQL UPDATE ... REPLACE(): WordPress stores widget, theme and plugin settings as PHP-serialized strings that carry the byte length of every string inside them, and a length that no longer matches makes the whole value unreadable. Better Search Replace unserializes, replaces and re-serializes, so the lengths stay correct
  34. Better Search Replace

    • Install and activate Better Search Replace
    • Go to "Tools > Better Search Replace"
    • In the "Search/Replace" tab:
      Search for = http://yourdomain.com
      Replace with = https://yourdomain.com
    • In the "Select tables" area, select both wp_postmeta and wp_posts (and wp_options if widgets or theme settings hold absolute URLs). Press "CTRL" or "CMD" to select multiples
    • Leave "Run as Dry Run" checked for a first pass to see what would change, then unselect it and hit "Run Search/Replace"
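
To see why the plugin is used instead of a plain SQL replace, here is an added example (mine, not the plugin's code and not from the talk) of a serialization-aware replacement written in PHP, the language WordPress stores its settings in. The widget settings row is constructed for the demonstration, and yourdomain.com is the same placeholder the slides use.

```php
<?php
// Added example: serialization-aware search/replace for WordPress data.
// Not the Better Search Replace plugin's code; the sample row is constructed.

/**
 * Replace $from with $to inside a decoded PHP value, recursing into arrays
 * and into strings that are themselves serialized (plugins nest them).
 * Objects are left untouched: with allowed_classes => false they come back
 * as __PHP_Incomplete_Class and serialize() writes them out unchanged.
 */
function replace_deep( $value, $from, $to ) {
    if ( is_array( $value ) ) {
        $out = array();
        foreach ( $value as $k => $v ) {
            // Keys can carry the URL too (e.g. arrays keyed by image URL).
            $key         = is_string( $k ) ? str_replace( $from, $to, $k ) : $k;
            $out[ $key ] = replace_deep( $v, $from, $to );
        }
        return $out;
    }
    if ( is_string( $value ) ) {
        // allowed_classes => false stops unserialize() from instantiating
        // arbitrary classes (PHP object injection) on untrusted data.
        $inner = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( false !== $inner || 'b:0;' === $value ) {
            // Serialized: rebuild it so every s:N: length is recomputed.
            return serialize( replace_deep( $inner, $from, $to ) );
        }
        return str_replace( $from, $to, $value ); // plain string
    }
    return $value; // ints, floats, bools, null
}

// Constructed sample: a widget's settings row as stored in wp_options.
$from   = 'http://yourdomain.com';
$to     = 'https://yourdomain.com';
$widget = serialize( array(
    'title' => 'Logo',
    'image' => 'http://yourdomain.com/logo.png',
) );
// a:2:{s:5:"title";s:4:"Logo";s:5:"image";s:30:"http://yourdomain.com/logo.png";}

// Naive replace: the URL grows by one byte but s:30 is not updated, so the
// row can no longer be read back and the widget silently loses its settings.
$naive = str_replace( $from, $to, $widget );
var_dump( @unserialize( $naive ) );           // bool(false)

// Serialization-aware replace: lengths are recomputed.
$safe = replace_deep( $widget, $from, $to );
var_dump( unserialize( $safe )['image'] );    // string(31) "https://yourdomain.com/logo.png"

// Plain (non-serialized) values such as the siteurl and home options still work.
var_dump( replace_deep( 'http://yourdomain.com', $from, $to ) ); // string(22) "https://yourdomain.com"
```

The same length problem is why a MySQL dump run through sed, or an UPDATE with REPLACE() in phpMyAdmin, corrupts widget and theme settings while appearing to succeed. WP-CLI's search-replace command takes the same unserialize-and-rebuild approach as the plugin.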
  35. Identifying insecure assets causing warnings

    • WhyNoPadlock: https://www.whynopadlock.com
    • Free testing site that provides you with a report of all the insecurely-loaded items on a page
  36. Identifying insecure assets with the Google Chrome Inspector Console

    • Open the page over https://, open Developer Tools and look at the Console tab: Chrome logs a "Mixed Content" line for every http:// resource the page requested, saying whether it blocked the request (scripts, stylesheets, iframes) or only warned (images, audio, video)

  37. Don't forget to install SSL on your CDN

    • Many CDNs have Let's Encrypt integration
    • Many CDNs also have a shared SSL option
    • Update the CDN URL in your site from HTTP to HTTPS, otherwise every asset the CDN serves becomes mixed content
    • Enable HTTP/2 support on your CDN
  38. Update Google Search Console

    • Let Google know that your pages should be indexed using https
    • Add the property https://yoursite.com (Search Console treats it as a separate property from http://yoursite.com)
    • Re-submit your sitemap in Google Search Console
    • Fetch and crawl your new https site
  39. Update Google Analytics

    • Go to Admin > Property Settings and switch the Default URL from HTTP to HTTPS
  40. Client Project

  41. Payment page mixed content warnings

    • Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans'. This request has been blocked; the content must be served over HTTPS.
    • Mixed Content: The page at 'https://shedchildrenscampus.org/make-a-payment/' was loaded over HTTPS, but requested an insecure image 'http://shed.theclientroom.com/wp-content/uploads/SHED_logo_static.png'. This content should also be served over HTTPS. (reported from jquery.js?ver=1.11.3:4)
    • Note the difference between the two: browsers block active mixed content (scripts, stylesheets, iframes) outright, while passive content (images, media) still loads with a warning, and either kind costs you the padlock
    • Problem: a plugin had hard-coded http:// URLs
    • Solution: the plugin author fixed it after I contacted them
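
The two console messages above are what the browser reports at run time. The following added example (not part of the talk or of the client project) performs the same check offline on a page's HTML source, so a saved page or a whole static export can be scanned before launch and the findings classified the way the browser will treat them. The sample page, including the yourdomain.com URLs, is constructed for the demonstration; the Google Fonts URL is the one from the messages above.

```php
<?php
// Added example (not the talk's code): list the http:// subresources an HTML
// page references, classified the way browsers treat them.

// Element => attribute that fetches a subresource. <a href> is navigation,
// not a subresource, so it is not mixed content and is deliberately absent.
const SUBRESOURCE_ATTRS = array(
    'script' => 'src',  'link'   => 'href', 'iframe' => 'src',
    'img'    => 'src',  'audio'  => 'src',  'video'  => 'src',
    'source' => 'src',  'object' => 'data', 'embed'  => 'src',
);

// Active content is blocked outright; passive content loads with a warning.
const BLOCKED_TAGS = array( 'script', 'link', 'iframe', 'object', 'embed' );

function find_mixed_content( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );          // HTML5 tags trigger parser warnings
    $doc->loadHTML( $html );
    libxml_clear_errors();

    $findings = array();
    foreach ( SUBRESOURCE_ATTRS as $tag => $attr ) {
        foreach ( $doc->getElementsByTagName( $tag ) as $el ) {
            // Only <link> elements that fetch something count (not canonical etc.).
            if ( 'link' === $tag
                && ! preg_match( '/\b(stylesheet|icon|preload|prefetch|manifest)\b/i', $el->getAttribute( 'rel' ) ) ) {
                continue;
            }
            $url = trim( $el->getAttribute( $attr ) );
            // Only an explicit http: scheme is insecure; "//cdn/..." and "/path"
            // inherit the page's scheme and are fine on an HTTPS page.
            if ( 0 !== stripos( $url, 'http://' ) ) {
                continue;
            }
            $findings[] = array(
                'tag'    => $tag,
                'url'    => $url,
                'effect' => in_array( $tag, BLOCKED_TAGS, true ) ? 'blocked' : 'warning',
            );
        }
    }
    return $findings;
}

// Constructed sample page with the same two problems the client site had:
// an http:// Google Fonts stylesheet (blocked) and an http:// image (warning).
$sample = <<<'HTML'
<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://yourdomain.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://yourdomain.com/make-a-payment/">
<script src="//yourdomain.com/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
</head><body>
<img src="http://yourdomain.com/wp-content/uploads/logo.png" alt="logo">
<a href="http://example.org/">a plain link is not mixed content</a>
</body></html>
HTML;

foreach ( find_mixed_content( $sample ) as $f ) {
    printf( "%-7s %-6s %s\n", $f['effect'], $f['tag'], $f['url'] );
}
// blocked link   http://fonts.googleapis.com/css?family=Open+Sans
// warning img    http://yourdomain.com/wp-content/uploads/logo.png
```

This only sees what is in the HTML: URLs inside stylesheets (@import, url()) and resources injected by JavaScript, which is how the plugin in the client project loaded its image, still need the Console or WhyNoPadlock. As a stopgap while a plugin author fixes hard-coded URLs, the response header Content-Security-Policy: upgrade-insecure-requests makes browsers fetch every http:// subresource over https:// instead, provided the resource host actually serves HTTPS.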
  43. Thank you

    Amy Kvistad, amykvistad.com, Twitter: @amykvistad, https://speakerdeck.com/amykvistad

  44. Resources

    • How to use SSL and HTTPS for your WordPress Website: https://givewp.com/documentation/resources/how-to-use-ssl-and-https-for-your-wordpress-website/
    • Complete Guide: How to Migrate from HTTP to HTTPS: https://www.keycdn.com/blog/http-to-https/
    • In-Depth HTTP to HTTPS Migration Guide for WordPress: https://kinsta.com/blog/http-to-https/