Maybe you are very concerned about the overall security of the internet and want to do your part. Or is it that Google is using site speed as a search ranking signal? Whatever the reasons, we’ve written this article to make it easier for you to move your site to HTTPS only.
- Get and install certificates and keys.
- Update your URLs in the database.
- Set up 301 redirects.
- Update all URLs on tracking and analytics sites.
Keys and Certificates
For TLS (formerly SSL) to work, you need a private key and a public key. Once a certificate authority signs your public key, the signed result is your certificate. The private key and the certificate need to live on the server that hosts your website, so that the web server software that sends your pages to visitors can also create the TLS connection to the browser and secure the link. If you know how, you are free to generate your keys and then SFTP them to your document root on the server. Otherwise, we are happy to generate the key pair and send you the certificate signing request (CSR), which you will paste into the form on the certificate authority’s website. Here’s what we need to generate your CSR:
- Common Name
- Company Name
The common name is the canonical address of your website. For example, www.example.com.
Here’s a short list of places you can get your CSR signed:
If you want your URL bar to go green (fancy!), you will need to purchase an Extended Validation (EV) certificate.
Some Configuration Required
To ensure that you are sending your users to the secure versions of your web pages, you need to update all URLs containing your domain so they point to https, not http. This is something we can do for you. If you are a do-it-yourselfer, the best tool for getting this done is the search-replace script provided by interconnect/it. We’ve written about how to use this tool in another article that you can find here. Scroll about halfway down to get to the part about using the script.
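As an added check (not part of the original article or of the interconnect/it script), the Python below scans a page's HTML for URLs that still point at your own domain over plain http after the search-replace run, and marks the ones a browser would fetch as mixed content. The class and function names, the attribute list and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "poster", "data"}  # assumed set of URL-bearing attributes
# Tags whose URL is fetched while the page renders; http:// there is mixed content.
FETCHED_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed", "object"}


class LeftoverHttpFinder(HTMLParser):
    """Collects http:// URLs that still point at our own domain or its subdomains."""
    def __init__(self, domain):
        super().__init__()
        self.domain = domain.lower()
        self.findings = []  # tuples of (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        fetched = tag in FETCHED_TAGS or (tag == "link" and "stylesheet" in rel)
        for name, value in attrs:
            if not value or (name != "srcset" and name not in URL_ATTRS):
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for url in (c.split()[0] for c in candidates if c.strip()):
                parts = urlsplit(url)
                host = (parts.hostname or "").lower()
                own = host == self.domain or host.endswith("." + self.domain)
                if parts.scheme.lower() == "http" and own:
                    kind = "mixed-content" if fetched else "link"
                    self.findings.append((self.getpos()[0], tag, name, url, kind))


def find_leftover_http(html, domain):
    finder = LeftoverHttpFinder(domain)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from a real site.
SAMPLE = """<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
<a href="http://www.example.com/about/">About</a>
<img src="/logo.png" srcset="http://cdn.example.com/logo@2x.png 2x">
<a href="http://other.example.org/">Partner</a>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_leftover_http(SAMPLE, "example.com"):
        print(f"line {line}: <{tag} {attr}> {url} [{kind}]")
```

Relative and protocol-relative URLs are skipped because they inherit the page's scheme, and http links to other domains are skipped because they are not yours to rewrite.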
Secure Access to wp-admin Screens
Set FORCE_SSL_LOGIN and FORCE_SSL_ADMIN to ‘true’ in your wp-config.php. Or hover over the link in the top left of your wp-admin screens, click on the “Admin Over SSL” link, and then click on the “SSL for Logins and Admin” button.
Let us know when you are ready and we’ll add 301 redirects to our web server configs so any request going to an old HTTP page will be automatically redirected to HTTPS.
Analytics and Tracking
If you use analytics tools like Google Analytics, you will want to update the URL that you are tracking from http to https. Make sure you do this in both Analytics and Google Webmaster Tools.
There was a recent announcement from Mozilla and the EFF about providing a service to simplify the certification process and also to make it free. All in the name of HTTPS Everywhere! Exciting news, but there have been attempts in the past to do similar things that didn’t amount to much. Those involved in this initiative, however, have an unparalleled record of success, so that’s one reason to be excited.