Migrate WordPress from HTTP to HTTPS

Slides from a presentation at the WordPress Orlando Meetup on how to migrate a WordPress site from HTTP to HTTPS.

As more sites transition to HTTPS and Google gives preferred ranking to secure sites, it has become important to properly install a TLS/SSL certificate.
The process of moving to HTTPS can be intimidating, from obtaining a certificate to migrating all content to HTTPS.
Recently, Let’s Encrypt started offering free TLS/SSL certificates. CloudFlare offers free TLS/SSL with HTTP/2 protocol support.

We discussed how you can obtain a free TLS/SSL certificate, make your content HTTPS friendly, and migrate existing content to HTTPS.
We also went over the benefits of serving your pages over a secure connection, common problems with the transition, and how you can test your certificate configuration.

Irina Blumenfeld

April 19, 2016

Transcript

  1. MIGRATE WORDPRESS TO HTTPS
    IRINA BLUMENFELD
    @irinablumenfeld #wporl
    https://www.netmagik.com/migrate-wordpress-to-https
    WORDPRESS ORLANDO MEETUP
    APRIL 2016

  2. WHAT IS HTTPS
    ▸ SSL first created in 1996
    ▸ SSL to TLS in 1999
    ▸ Public and Private Keys

  3. BENEFITS OF HTTPS
    ▸ Authentication - am I talking to who they claim to be?
    ▸ Data Integrity - has anyone tampered with the data?
    ▸ Encryption - no more eavesdropping
    ▸ Better Ranking - Google gives preferred ranking
    ▸ HTTP/2 protocol support - (if host supports HTTP/2)

  4. HTTP/1.1 - HTTP/2

  5. HTTP/1.1 AND HTTP/2 COMPARISON
    Demo from Cloudflare
    Load Time: 1.95 s Load Time: 0.33 s

  6. SHA-2
    Google, Microsoft and Mozilla will flag SHA-1 Certificates as Insecure on January 1, 2017
    SHA-2: d029f87e3d80f8fd9b1be67c7426b4cc1ff47b4a9d0a8461c826a59d8c5eb6cd
    SHA-1: 0f01ed56a1e32a05e5ef96e4d779f34784af9a96

  7. EXTENDED (EV) SSL

  8. HTTPS as a ranking signal in
    https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html

  9. HTTP sites will be marked unsafe in Google Chrome
    https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

  10. https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
    Experiment in Chrome URL: chrome://flags

  11. HTTPS ADOPTION
    Source: http://httparchive.org/

  12. AREN’T THE CERTIFICATES EXPENSIVE?

  13. FREE SSL
    OPTION # 1

  14. LET’S ENCRYPT
    letsencrypt.org

  15. LET’S ENCRYPT ADOPTION

  16. LET’S ENCRYPT TLS/SSL
    In cPanel - Security widget

  17. SNI - SERVER NAME INDICATION
    No Need for Dedicated IP Address

  18. AFTER YOU INSTALL SSL
    1. Migrate Existing Content to HTTPS
    2. Redirect all pages to HTTPS

  19. MAKE A BACKUP

  20. LET’S ENCRYPT TLS/SSL
    ▸ Install SSL on the server
    ▸ Install Really Simple SSL plugin - Activate it

  21. REALLY SIMPLE SSL PLUGIN

  22. REALLY SIMPLE SSL PLUGIN

  23. REALLY SIMPLE SSL PLUGIN

  24. MIXED CONTENT
    ▸ Images
    ▸ JavaScript and CSS files
    ▸ Links
    ▸ Widgets
    ▸ Third Parties - Ads, Analytics
    ▸ CDN

  25. MIXED CONTENT PROBLEMS

  26. MIXED CONTENT PROBLEMS

  27. FIXING MIXED CONTENT
    BAD
    GOOD

  28. FIXING MIXED CONTENT
    Don't link to insecure pages!!!
    BAD
    GOOD
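
Added example (not from the original slides): a Python check that scans a page's HTML for the mixed-content sources listed on slide 24 and for the insecure links slide 28 warns about. The sample markup and the example.test hostnames are constructed, and the active/passive labels follow how browsers treat mixed content.

```python
from html.parser import HTMLParser
# (tag, attribute) pairs that load a subresource. Browsers block "active"
# mixed content on an HTTPS page; "passive" content loads but costs the padlock.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # counted only when rel contains "stylesheet"
    ("img", "src"): "passive",
    ("video", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        if tag == "a":
            # Not mixed content, but a plain-HTTP link leaves the secure site.
            if attrs.get("href", "").lower().startswith("http://"):
                self.findings.append(("insecure-link", tag, attrs["href"]))
            return
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # canonical, alternate, etc. do not fetch a subresource
        for (t, attr), kind in SUBRESOURCES.items():
            url = attrs.get(attr, "")
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; example.test hostnames are placeholders.
SAMPLE = """
<link rel="stylesheet" href="https://example.test/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.test/post/">
<script src="http://ads.example.test/show.js"></script>
<img src="http://example.test/wp-content/uploads/2016/04/photo.jpg" />
<img src="//cdn.example.test/logo.png">
<a href="http://example.test/contact/">Contact</a>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:13} <{tag}> {url}")
```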

  29. HTTP/HTTPS ICONS

  30. REDIRECT LOOP
    bit.ly/redirect-loop

  31. FREE SSL
    OPTION # 2

  32. CLOUDFLARE
    FREE FLEXIBLE SSL
    cloudflare.com/ssl

  33. WHAT IS CLOUDFLARE???
    ▸ CDN
    ▸ Optimization
    ▸ Security
    ▸ DDoS Protection

  34. CLOUDFLARE FREE FLEXIBLE SSL

  35. CLOUDFLARE FREE FLEXIBLE SSL
    ▸ Create an account on CloudFlare.com
    ▸ Change Nameservers in Domain Registrar (in DNS Settings)
      Example: bob.ns.cloudflare.com, lola.ns.cloudflare.com

  36. CLOUDFLARE FREE FLEXIBLE SSL
    ▸ Choose Flexible SSL option

  37. CLOUDFLARE FREE FLEXIBLE SSL
    ▸ In 24 hrs check if SSL has been issued (Free account)

  38. CLOUDFLARE FREE FLEXIBLE SSL
    Before SSL is issued:

  39. CLOUDFLARE FREE FLEXIBLE SSL
    In http://yoursite.com/wp-admin:
    ▸ Install CloudFlare Flexible SSL Plugin - Activate it

  40. CLOUDFLARE FREE FLEXIBLE SSL
    In http://yoursite.com/wp-admin:
    ▸ Install SSL Insecure Content Fixer Plugin - Activate it

  41. SSL INSECURE CONTENT FIXER

  42. CLOUDFLARE FREE FLEXIBLE SSL
    Browse to https://yoursite.com

  43. TEST TOOLS - WHY NO PADLOCK?

  44. TEST TOOLS - CHROME DEV TOOLS

  45. TEST TOOLS - CHROME DEV TOOLS

  46. CLOUDFLARE FREE FLEXIBLE SSL
    In Page Rules section - new rule: *your-domain.com*

  47. CLOUDFLARE STRICT SSL

  48. VIEW SSL

  49. VIEW SSL

  50. UPDATE GOOGLE ANALYTICS
    https://support.google.com/webmasters/answer/6033049

  51. HSTS
    HTTP Strict Transport Security (HSTS)

  52. HSTS
    HTTP Strict Transport Security (HSTS)

    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    in .htaccess file
    http://bit.ly/enable-hsts

  53. HSTS
    HTTP Strict Transport Security (HSTS)
    https://hstspreload.appspot.com
    Request Preload - Only if you support HTTPS for the long term
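
Added example (not from the original slides): a Python check that parses a Strict-Transport-Security value such as the one on slide 52 and lists what would keep it from qualifying for the preload request on slide 53. The one-year minimum max-age, includeSubDomains and preload are taken here as the preload list's submission requirements, which is an assumption the slides do not state.

```python
import re

MIN_PRELOAD_MAX_AGE = 31536000  # one year in seconds (assumed preload minimum)

def parse_hsts(value):
    """Return {directive: value or None}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') or None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        raise ValueError("max-age is missing or not a whole number of seconds")
    return directives

def preload_problems(value):
    """List the reasons a header value would not qualify for preloading."""
    d = parse_hsts(value)
    problems = []
    if int(d["max-age"]) < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems

if __name__ == "__main__":
    # The first value is the one from the slide; the others are constructed,
    # the last one carrying a stray typographic quote after "preload".
    for v in ("max-age=63072000; includeSubDomains; preload",
              "max-age=86400; includeSubDomains",
              "max-age=63072000; includeSubDomains; preload\u201d"):
        print(v, "->", preload_problems(v) or "ok for preload")
```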

  54. HSTS
    HTTP Strict Transport Security (HSTS)

  55. TEST SSL
    https://www.ssllabs.com/ssltest

  56. THANK YOU
    QUESTIONS?
    IRINA BLUMENFELD
    @irinablumenfeld #wporl
    https://www.netmagik.com/migrate-wordpress-to-https
