Published on August 21, 2019

Your connection is “not secure.” A little stunned, I rub my eyes to check the message I'm reading.

Well, no doubt about it. Still the same thing posted on my browser.

A little further down, I am even told that some information could be stolen by hackers.

A scary pirate face
And not funny pirates, real bad guys….

Come on, get out, it's already a lot for this site: I'm closing its window right now.

Why such an alarming message, a real turn-off for Internet users?

Simply because the WordPress site I'm browsing doesn't use HTTPS, the protocol that secures the connection between your browser and a website.

On WPMarmite, I started to use HTTPS in May 2016. And frankly, I don't regret it at all.

If you are not yet part of the HTTPS family, I invite you to take a serious look at this issue.

Why switch to HTTPS? How to achieve this, and with which tools? What does this mean in practice?

This is what we will see in this new post.

Fasten your seat belts, here is the table of contents:

What is HTTPS?

“HTTPS (HyperText Transfer Protocol Secure) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet.”

You may not know it, but when you visit a site without HTTPS, the data you exchange with it travels in clear text: anyone sitting on the path between you and the server (the operator of the Wi-Fi hotspot, your ISP, any network in between) can read it, analyze it and even modify it before passing it on.

OK, I'm being blunt. We agree that it's not the old man next door who is going to spy on you (although...).

Let's restrict this “anyone” to people (or organizations) with good technical skills, some software and the intention to spy on you.

Even if the risk is quite low, it is not zero. And frankly, who likes to be spied on?

But I have nothing to blame myself for!

I don't doubt it for a second, but admit that we don't behave the same way when someone monitors all our actions.

This happens, for example, at work, when your supervisor looks at what you do. We can also experience similar situations at school, when the teacher passes behind you.

We can say that some kind of psychological pressure applies to you (even if the person passing by does not intend to) and will change your behaviour.

As a result, your freedom is affected.

On the Internet, there is not necessarily someone lurking behind you. This is much more subtle.

If someone intends to spy on you, they can record what you have done on this or that site. But most importantly, they can harvest your personal information (emails, passwords, name, address, travel plans, bank details and so on).

Now it's getting less funny, isn't it?

HTTPS exists to counter all this. Thanks to it, the data you exchange with a site is encrypted in transit.

Even better, you can be sure you are viewing the genuine site and not a version modified by someone who intercepted the connection: the site's certificate lets your browser check who it is talking to, and the protocol detects any tampering with the traffic. Yes, many things are possible in IT!

However, HTTPS will not make you anonymous. Your IP address is still visible, and the name of the site you connect to still leaks through the DNS lookup and the TLS handshake (the SNI field), so an observer can see which websites you visited.

To summarize: an observer can tell that you visited a particular HTTPS website, but not which pages you read or what you sent to it.

How does HTTPS work?

To illustrate how the HTTPS protocol works, let's take a quick look at its big brother, the HTTP protocol.

Here it's quite simple, you have two actors: the web browser (you) and the server where the site to be displayed is hosted.

Diagram of an HTTP request

As soon as you enter a URL in your browser, it sends an HTTP request for the page. The server sends the page back and the browser displays it. Pretty easy, isn't it?

What do SSL and TLS really mean?

To set up HTTPS on a website, you need an SSL/TLS certificate. It binds your domain name to a public key, which lets browsers verify the website's identity and then negotiate the keys that encrypt the connection.

Simplified diagram of an HTTPS request
All of this happens very quickly

The SSL certificate I'm talking about is issued by what's called a certificate authority.

There are dozens of them. Among the best known are Comodo (whose certificate business is now called Sectigo), Symantec (whose certificate business was taken over by DigiCert) and, as we'll see below, Let's Encrypt.

To see more clearly, and in a more visual way: we can say that SSL and TLS are a kind of overlay that will secure a traditional HTTP connection. Kind of like the sheath protects an electrical cable:

The role of SSL/TLS in HTTPS

We often see the name SSL on the web, but it is a misnomer.

In fact, SSL (Secure Sockets Layer) is the original, now obsolete, version of this security protocol. TLS (Transport Layer Security) is its successor and the only version still considered secure; every modern HTTPS connection uses TLS (1.2 or 1.3). The “SSL certificate” people talk about is really an X.509 certificate used by TLS, so the name has stuck while the protocol has moved on.

If you are interested, you will find the complete story on Wikipedia.

How do you know if the connection is secure?

As you may have guessed, the first distinctive sign of a secure website is the beginning of its URL (its protocol, to be precise), which has switched from http:// to https://.

Browsers also highlight HTTPS-enabled sites with a small padlock symbol (green in older browser versions) placed just before the URL.

Here is the example of WPMarmite with Google Chrome:

The HTTPS padlock on WPMarmite

Sometimes some resources (images, CSS or JS files) of an HTTPS page are loaded over HTTP, i.e. in an unsecured way. This is called mixed content.

In this case the padlock is not displayed: browsers block “active” mixed content such as scripts, stylesheets and iframes outright (an attacker on the path could rewrite them), and only warn about “passive” content such as images. The webmaster has to fix the addresses of these resources so that everything is served over HTTPS (we will see how a little further down in the article).

Why do you need to switch WordPress to HTTPS?

HTTPS and SEO: a really significant impact?

In 2014, Google announced that it uses HTTPS as a ranking signal (among nearly 200 other ranking factors).

Can this really improve your SEO? Difficult to say, especially since opinions differ….

On my side, I can't really tell you that WPMarmite's rankings have improved a lot thanks to this.

This is also the observation made by SEO expert Brian Dean. In 2016, he analyzed 1 Million Google Search Results and found that HTTPS is Moderately Correlated with Higher Rankings.

As you can see, the impact of HTTPS on SEO is not yet clear-cut.

One thing is certain, this does not prevent Internet users from rushing to HTTPS. Judge for yourself: in 2016, “only” 12.8% of the 10,000 sites receiving the most traffic had an SSL certificate.

Percentage of sites in HTTPS

Right now, this figure is more than 92%, according to BuiltWith!

SSL trends

How can this revival and underlying trend be explained? Answer in the next section.

Switch to HTTPS to strengthen security and user experience

Whatever the (still debated) impact on SEO, having an HTTPS website has become essential mainly for two reasons:

  • Security
  • User experience

Here is what Google states regarding the first point:

“Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users' connections to your website, regardless of the content on the site.”

Generally, Google's objective is to move toward a more secure web.

And since July 2018, the Mountain View-based company has taken a further step in this direction.

Its Google Chrome browser marks all HTTP sites as “not secure” (beginning with Chrome 68).

Screenshot from Google

Knowing that Chrome is used by nearly 50% of Internet users in the USA (July 2019 figures), switching to HTTPS remains essential.

As for user experience and the confidence of your visitors, you can imagine that a simple little padlock becomes hugely important.

When you see it, you are immediately reassured (even unconsciously).

To drive the nail in, do I need to remind you that HTTPS is essential for online shops?

Yes, it is necessary to encrypt the customers' credit card number (as well as their login details and other personal data)!

In addition, most payment gateways (such as Stripe, PayPal) will require you to have an HTTPS connection so that your visitors can make payments.

You can see it: just for the security of your site and the confidence of your visitors, it seems essential to me to implement HTTPS on WordPress.

To be safe, I recommend that you switch to it as soon as you create a new website (at least you won't have to do it later).

If your site is already online for some time, the migration will be more difficult, so be careful if you decide to start later.

“Google considers this as a site move with URL changes. This can temporarily affect some of your traffic numbers.”

Now, let's see….

How to obtain an SSL/TLS certificate?

Previously, it was quite complicated to set up HTTPS on your website (whether it was WordPress or not). You had to buy an SSL/TLS certificate through your web host, or directly from a certificate authority if you had a dedicated server.

When you've never done it before, I must admit that it could take a little while. It was necessary to prove your identity to show that you were the owner of your website.

Well, it was tedious, but you had to go through it.

Today, it is still possible to do so (it is even recommended in some cases) but a new actor has appeared….

Let's Encrypt, towards a 100% secure web

Let's Encrypt is a certificate authority that provides SSL/TLS certificates for free. Their mission is “to create a more secure and privacy-respecting Web.”

Many actors support and finance this initiative. Examples include Facebook, Automattic and Google.

Since their launch in December 2015, the number of certificates they issue has exploded:

Lets Encrypt growth

This has been made possible thanks to hosting providers and platforms such as WordPress.com, which have integrated Let's Encrypt for their users.

Great! How do I install one of their certificates on my website?!

Not so fast, my dear friend. Before I show you how to do it, I need to talk to you again about the first method. You know, the one where you have to open your wallet.

Other types of SSL/TLS certificates

Although it is possible to secure your site for free with Let's Encrypt, you should know that there is one thing you don't get: a warranty.

Paid certificates come with a warranty from the certificate authority. Note what it actually covers: losses caused by a mistake on the CA's side, typically a certificate wrongly issued to someone impersonating your site. It does not insure you against bugs in your own server or a data theft caused by a flaw elsewhere.

One might think that such mistakes never happen, but certificate authorities have mis-issued certificates before, and security breaches are discovered and exploited all the time (in 2014 the Heartbleed bug hit the OpenSSL library on servers everywhere, a flaw no certificate warranty would have covered).

If you own a large website and you manage tens of thousands of orders, the question of liability can quickly become a problem. So you may want to cover your back.

This is why it is possible to obtain certificates with different warranty levels.

Sites like Symantec (now DigiCert) used to offer certificates worth more than $1,000 with a $1.75 million warranty.

Finally, let me reassure you once again: only very large companies need this kind of SSL/TLS certificate.

If you want to benefit from a guarantee by buying a certificate, there are three types:

  • Domain Validated (DV) SSL certificate: the certificate authority only checks that you control the domain name before granting you the padlock (the verification is done automatically online, and this is the type Let's Encrypt issues);
  • Organization Validated (OV) SSL certificate: to obtain this type of certificate, you must prove that you are the legal entity holding the domain to be secured and provide business documents;
  • Extended Validation (EV) SSL certificate: here things get serious. The information you provide about your organization is verified (legal existence, physical existence, phone number, address, activity, etc.) and audited annually.

These help to strengthen visitor confidence. As a reminder, here is the type of display that could be obtained with EV certificates (for Extended Validation), with the organization's name shown in the address bar. Note that the major browsers have since dropped this special display, so to a visitor an EV certificate now looks the same as any other:

Comodo EV SSL certificate

As I told you, the process will be more tedious. That being said, if you are an important entity, I think it should be done.

Important: remember to renew your certificate ahead of time if this is not done automatically. Allow a month's margin to be safe. Otherwise you will trade your nice padlock for a full-page browser warning, and that's not good at all! (Let's Encrypt certificates are only valid for 90 days, so they must be renewed automatically, by your host or by the ACME client on your server.)

Which SSL/TLS certificate to choose?

To answer the question quickly, in most cases a free Let's Encrypt certificate will do the trick.

If you want to get a paid SSL/TLS certificate for your website (and benefit from a warranty in case of a problem), the first thing to do is to see what your hosting provider offers. If you are not on a dedicated server, you will not be able to do otherwise.

On the other hand, if you have access to your server configuration, the choice is quite wide. You can turn to certificate authorities such as Sectigo (formerly Comodo) or to resellers such as Namecheap.

In the rest of this post, we will see….

How to activate a free WordPress SSL on Bluehost?

Today, more and more web hosting providers are offering their customers free SSL certificates generated by Let's Encrypt.

This is the case of Bluehost, the host I've chosen for WPMarmite.

So I suggest you see how to install HTTPS if you are one of their customers (if not, go see what they do (aff), it's worth it!).

Once you have an account with them and you have one or more linked domain names, go to your Bluehost control panel and follow the steps listed in this post.

That's it, you're done!

9 things to absolutely do when your WordPress site is running over HTTPS

All right, the certificate is active on your domain name. However, the configuration is not yet complete.

The task list differs slightly if you are starting from a blank site, or if it is a migration from HTTP to HTTPS. But you should always start with….

1. Redirect your website to HTTPS

Well yes, now that you have a secure website, you might as well share it with your visitors.

For the moment, your site is accessible in both versions: HTTP and HTTPS. Every HTTP request must be redirected to the HTTPS version with a permanent (301) redirect, otherwise you will have duplicate content problems and visitors who keep browsing in clear text.

Some hosting providers offer to fix the problem on their admin console but you can also do this in the .htaccess file.

I have already shown you how to proceed in this post, but here is the snippet to add (adapting it to your domain name of course):

HTTPS redirect .htaccess

If your site uses www, you will need to use the following code to redirect it:

HTTPS redirect www
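As an added example (not the article's own snippet, which is shown as an image above), here is a standard Apache mod_rewrite block that sends every variant of the address to the canonical HTTPS URL in a single hop. It assumes the placeholder domain monsite.com, a site served without www, and a host running Apache with mod_rewrite enabled, which is the case on most shared WordPress hosting:

```apache
# Added example, not the article's snippet. Forces https://monsite.com in ONE hop.
# Replace monsite.com with your own domain.
<IfModule mod_rewrite.c>
RewriteEngine On

# Fire when the request is not HTTPS, OR when the host is anything other than
# the canonical one (www.monsite.com, a bare IP address, a stray alias...).
# The query string is carried over automatically.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^monsite\.com$ [NC]
RewriteRule ^(.*)$ https://monsite.com/$1 [R=301,L]

# Behind a CDN or reverse proxy that terminates TLS, Apache sees plain HTTP and
# %{HTTPS} is never "on", so the rule above would loop forever. In that case
# test the proxy's header instead of the first condition:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
</IfModule>
```

Put the block above the `# BEGIN WordPress` section of .htaccess so it runs before WordPress's own rules. For a site served with www, swap the two host references: test for `!^www\.monsite\.com$` and redirect to `https://www.monsite.com/$1`.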

Once you feel like everything is working, enter your domain name in this tool to check that the redirects are well configured (everything must be green).

It's very practical because in the case of WPMarmite, it made me realize that the redirects were not that direct. In fact:

  • https://www.wpmarmite.com redirected to:
  • http://wpmarmite.com which redirected to:
  • https://wpmarmite.com

and that:

  • http://www.wpmarmite.com redirected to:
  • http://wpmarmite.com which redirected to:
  • https://wpmarmite.com

Each address should redirect in a single hop straight to https://wpmarmite.com: every extra hop slows the first page load, a hop back through http:// sends the request in clear text again, and long redirect chains can also hurt your rankings in search engines.
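The detour above is exactly what a hop-by-hop check reveals. Here is an added example (not the online tool the article refers to, nor WPMarmite's own code) that follows redirects manually, one HEAD request per hop, and reports chains longer than one hop, hops back through http://, and non-permanent redirect codes. It assumes https://wpmarmite.com is the canonical address, as in the article, and runs offline against constructed responses reproducing the detour; pass fetch=next_hop to check a live site:

```python
"""Walk a redirect chain one hop at a time and flag detours.

Added example, not WPMarmite's own tooling. Assumes the canonical origin is
https://wpmarmite.com (as in the article); the sample responses below are
constructed from the detour the article describes, so the check runs offline.
"""
import http.client
import urllib.parse

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)


def next_hop(url, timeout=10):
    """Send one HEAD request WITHOUT following redirects.

    Returns (status, absolute Location or None). HTTPSConnection verifies the
    server certificate with the default context, so a bad certificate on any
    hop surfaces as an error rather than being silently accepted.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if location:
            location = urllib.parse.urljoin(url, location)  # Location may be relative
        return resp.status, location
    finally:
        conn.close()


def walk_chain(url, fetch=next_hop):
    """Return the list of (url, status) hops from url to the final response."""
    chain, seen = [], set()
    while url and len(chain) < MAX_HOPS:
        if url in seen:                      # A -> B -> A: stop instead of spinning
            chain.append((url, "loop"))
            break
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS:
            break
        url = location
    return chain


def check_chain(chain, canonical="https://wpmarmite.com/"):
    """Return a list of problems; an empty list means a clean single-hop redirect."""
    problems = []
    hops = len(chain) - 1
    if hops > 1:
        problems.append(f"{hops} hops before the final URL (want at most 1)")
    for url, status in chain[1:]:
        if url.startswith("http://"):
            problems.append(f"redirected back to plaintext HTTP: {url}")
    for url, status in chain[:-1]:
        if status not in (301, 308):
            problems.append(f"{url} answered {status}; use a permanent 301/308")
    final_url, final_status = chain[-1]
    if final_status != 200 or final_url.rstrip("/") != canonical.rstrip("/"):
        problems.append(f"chain ends at {final_url} ({final_status}), expected {canonical}")
    return problems


# Constructed sample, reproducing the detour the article found on WPMarmite.
SAMPLE_RESPONSES = {
    "https://www.wpmarmite.com/": (301, "http://wpmarmite.com/"),
    "http://www.wpmarmite.com/": (301, "http://wpmarmite.com/"),
    "http://wpmarmite.com/": (301, "https://wpmarmite.com/"),
    "https://wpmarmite.com/": (200, None),
}


def sample_fetch(url):
    """Offline stand-in for next_hop() that serves the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for start in SAMPLE_RESPONSES:
        chain = walk_chain(start, fetch=sample_fetch)   # fetch=next_hop for a live site
        print(" -> ".join(f"{u} [{s}]" for u, s in chain))
        for problem in check_chain(chain):
            print("   !", problem)
```

Run against the sample, the two www variants each report two problems (two hops, and a hop through plaintext http://), while http://wpmarmite.com/ and the canonical address come back clean.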

2. Update all URLs from HTTP to HTTPS

If you do not create a new site, you will need to update all URLs from HTTP to HTTPS.

Don't worry, we're not going to do it by hand, nor with a raw SQL REPLACE (which would corrupt the serialized data WordPress stores in its options and post meta), but with a script named Search and Replace DB, which handles that serialization correctly.

I remind you briefly how to proceed (make a backup beforehand, just in case):

  • Download the script and unzip it on your computer;
  • Place it at the root of your website, renaming its folder to something nobody can guess (for example “kjhdqiuyrezeaz”), because anyone who finds the script can rewrite your whole database;
  • Enter your website address WITHOUT HTTPS in the replace field: http://monsite.com (and without / at the end !);
  • Indicate the address of your website WITH HTTPS in the with field : https://monsite.com (and still no / at the end);
  • Click on dry run to see if it works well;
  • Click on live run to replace everything in your database;
  • Click on delete me to delete the script from your server.

Once the script is finished, all links inserted in your posts, pages, menus and site settings will now be in HTTPS.
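Why a dedicated script rather than a SQL REPLACE? WordPress stores many settings (theme mods, widgets, some post meta) as PHP serialized strings, which embed the byte length of every value; changing http:// to https:// makes each URL one byte longer, and PHP refuses to unserialize a row whose lengths no longer match. The Python below is an added example written for this article (it is not the Search and Replace DB script) that rewrites such values and recomputes the lengths; the sample option row is constructed around the placeholder domain monsite.com:

```python
"""Serialization-safe http:// -> https:// replacement for WordPress data.

Added example, not the Search and Replace DB script; it shows what that script
has to get right. A value such as s:18:"http://monsite.com"; carries the byte
length (18) of the string, so a plain REPLACE() leaves a stale length behind.
The sample rows are constructed; monsite.com is the article's placeholder domain.
"""
import re

# Strict check that a blob really is PHP-serialized (array, object, string,
# int/bool/float, or null), so ordinary text is never mis-parsed.
_SERIALIZED_PREFIX = re.compile(rb'^(?:a:\d+:\{|O:\d+:"|s:\d+:"|[ibd]:[-\d.]+;$|N;$)')
_STRING_HEADER = re.compile(rb's:(\d+):"')


def naive_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    """What a plain SQL REPLACE() does: the embedded lengths are left stale."""
    return blob.replace(old, new)


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside blob, recomputing every s:N:"..." length.

    Works on bytes because PHP counts bytes, not characters, so accented text
    keeps a correct length. Values that are not serialized get a plain replace.
    Nested (double-serialized) values are left to the real script.
    """
    if not _SERIALIZED_PREFIX.match(blob):
        return blob.replace(old, new)
    out = bytearray()
    pos = 0
    while True:
        m = _STRING_HEADER.search(blob, pos)
        if not m:
            out += blob[pos:]            # trailing structure such as "}"
            return bytes(out)
        out += blob[pos:m.start()]       # a:2:{ , i:5; ... never contain URLs
        length = int(m.group(1))
        start = m.end()
        value = blob[start:start + length]
        if blob[start + length:start + length + 2] != b'";':
            raise ValueError(f"malformed serialized string at byte {m.start()}")
        value = value.replace(old, new)
        out += b's:%d:"%s";' % (len(value), value)   # length rewritten to match
        pos = start + length + 2


def lengths_consistent(blob: bytes) -> bool:
    """True if every s:N:"..." length matches its value, i.e. PHP can unserialize it."""
    try:
        replace_in_serialized(blob, b"\0", b"\0")   # no-op walk that validates lengths
        return True
    except ValueError:
        return False


# Constructed sample: an options row as WordPress might store it.
SAMPLE_OPTION = (b'a:2:{s:4:"home";s:18:"http://monsite.com";'
                 b's:7:"siteurl";s:23:"http://monsite.com/blog";}')
EXPECTED = (b'a:2:{s:4:"home";s:19:"https://monsite.com";'
            b's:7:"siteurl";s:24:"https://monsite.com/blog";}')

if __name__ == "__main__":
    old, new = b"http://monsite.com", b"https://monsite.com"
    broken = naive_replace(SAMPLE_OPTION, old, new)
    fixed = replace_in_serialized(SAMPLE_OPTION, old, new)
    print("naive :", broken.decode(), "->", "valid" if lengths_consistent(broken) else "CORRUPT")
    print("safe  :", fixed.decode(), "->", "valid" if lengths_consistent(fixed) else "CORRUPT")
```

The naive version produces `s:18:"https://monsite.com"`, which PHP rejects, and WordPress then silently falls back to defaults for that option, which is how a migration ends up with a theme that has lost its settings.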

To see for yourself, log into your website and go to Settings > General. You should see that the URLs have been updated.

Is your website still alive? So let's keep going!

3. Check the resources loaded by the theme

Well, here, I must admit that things get a little tricky. Sometimes the theme loads some of its files (CSS, JS or other) over HTTP instead of HTTPS. This is called mixed content.

One might be tempted to think that it is not very serious, but it is: the page is no longer completely secure, because a script or stylesheet fetched over HTTP can be altered by anyone on the path.

As a result, the precious padlock symbol will no longer be displayed by your browser (which blocks the active resources outright and warns about the others), and your visitor is exposed to attacks.

Whose fault is it?

The theme's author (or you, if you tampered with it in any way).

To fix this, it will be necessary to get your hands in the code and fix the resources loaded in HTTP. You can use your browser's code inspector to track mixed content (via the console tab).

Finding mixed content on an HTTPS page

As you can see on the screenshot above, mixed content is not loaded by the browser (in this case an iframe).

To learn more about this problem and how to detect it, take a look at this article from Google Web fundamentals which is very well done.
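As an added example (not Google's tooling or WPMarmite's), here is a small scanner that finds mixed content in a page's HTML the way the browser console reports it, and separates what browsers block (scripts, stylesheets, iframes) from what they merely warn about (images). It runs on a constructed sample page for the placeholder domain monsite.com; fetch_and_scan() does the same against a live URL:

```python
"""Find mixed content in an HTTPS page: resources still requested over http://.

Added example, not Google's or WPMarmite's code. Browsers BLOCK active content
(scripts, stylesheets, iframes, plugins) because an attacker on the path could
rewrite it, and merely warn (padlock lost) for passive content such as images.
The sample page below is constructed; monsite.com is the article's placeholder.
"""
from html.parser import HTMLParser
import urllib.request

ACTIVE = {"script", "iframe", "object", "embed", "link"}   # blocked by browsers
PASSIVE = {"img", "audio", "video", "source", "track"}      # loaded, but padlock lost
URL_ATTRS = ("src", "href", "data", "action")


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every http:// resource reference.

    Inline CSS url(http://...) and resources injected later by JavaScript are
    not visible in the static HTML; the browser console still catches those.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only a stylesheet is fetched as a resource; rel=canonical and the
            # like are metadata and never cause mixed content.
            if "stylesheet" not in attrs.get("rel", "").lower().split():
                return
        for name in URL_ATTRS:
            url = attrs.get(name, "").strip()
            if not url.lower().startswith("http://"):
                continue      # https://, protocol-relative //host and relative paths are fine
            if tag in ACTIVE:
                kind = "active (blocked)"
            elif tag in PASSIVE:
                kind = "passive (padlock lost)"
            elif tag == "form":
                kind = "form submitted in clear text"
            else:
                continue      # <a href="http://..."> is a link, not a resource
            self.findings.append((kind, tag, url))


def scan(html: str):
    """Return the list of (kind, tag, url) mixed-content findings in an HTML document."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def fetch_and_scan(page_url: str):
    """Fetch a live HTTPS page and scan it (not used by the offline sample)."""
    with urllib.request.urlopen(page_url, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return scan(resp.read().decode(charset, errors="replace"))


# Constructed sample page: what a half-migrated WordPress theme might emit.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="http://monsite.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://monsite.com/hello-world/">
<script src="https://monsite.com/wp-includes/js/jquery/jquery.js"></script>
<script src="http://monsite.com/wp-content/themes/demo/app.js"></script>
</head><body>
<img src="http://monsite.com/wp-content/uploads/logo.png" alt="logo">
<img src="//monsite.com/wp-content/uploads/hero.jpg" alt="hero">
<iframe src="http://videos.example.net/embed/1"></iframe>
<a href="http://monsite.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE):   # or fetch_and_scan("https://monsite.com/")
        print(f"{kind:28} <{tag}> {url}")
```

On the sample it reports four findings: the stylesheet, the theme script and the iframe as blocked active content, and the logo as passive content that only costs you the padlock. The canonical link, the protocol-relative image and the plain hyperlink are correctly ignored.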

Also, go to the end of this post to discover plugins to fix this problem almost automatically.

4. Forcing HTTPS in the WordPress admin

Just because we serve the HTTPS version of the site to visitors doesn't mean we should do without it in the WordPress admin, does it?

Usually this is already the case thanks to the redirects you set up earlier, but you can define the FORCE_SSL_ADMIN constant in the wp-config.php file (above the “stop editing” line) so that WordPress itself insists on HTTPS for the login page and the whole admin area:

Force HTTPS admin

At least, you will be sure that WordPress loads well in HTTPS.

5. Update your robots.txt file

Let's continue editing files with robots.txt. This file, usually located at the root of your website, lets you tell search engine robots what they may do on your site.

Here, there is not much to do except update the sitemap address of your website. All you have to do is add an “s”.

6. Update your website in Google Search Console

The Google Search Console (GSC) is an essential tool for all webmasters. It allows you to better manage your site and track your SEO by providing a lot of information (errors, search analysis, links etc.).

If you use it, you'll have to notify Google about your HTTPS switch by adding the HTTPS version of your site as a new property, because the Search Console “treats HTTP and HTTPS separately.”

To do so, click on Add a property and copy and paste your homepage URL into the field.

Then choose one of the methods proposed by Google to verify your site, and you're good to go.

7. Update Google Analytics

That's right, don't forget that one! It almost happened to me with WPMarmite….

Google Analytics is a statistical tool that gives you access to a lot of information about your site's traffic.

Like the GSC, it is very useful and free, so don't deprive yourself of it.

To tell Google Analytics that your site now uses HTTPS, go to Admin > Property (of your site) > Property settings and select https:// for the default URL field:

HTTPS dans Google Analytics

8. Beware of social share counts

Inevitably, if you use the official sharing buttons on Facebook, Twitter or other, the counters will be reset.

Indeed, the URLs are no longer the same, for social networks it is no longer the same social shares!

You will lose all your social share counts….

It's silly, but there's nothing you can do about it if you use the official buttons. All you can do is earn new social shares for your content (one more reason to switch to HTTPS as soon as possible).

However, you should know that you still have a chance to get them back.

The Social Warfare premium plugin will give you the possibility to display the right number of shares for your content (HTTP + HTTPS).

9. Test your SSL/TLS certificate

Finally, whatever certificate you have chosen, you can test it on this site. This takes a little time but at the end you will have a table with the important statistics and an overall score.

You can see that WPMarmite is doing quite well :).

Testing your SSL certificate

This test checks that your server is not exposed to known TLS weaknesses: obsolete protocol versions (SSL 2.0/3.0, TLS 1.0), weak cipher suites, an incomplete certificate chain, and known implementation bugs.
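To complement the online test and the renewal reminder from the certificate section above, here is an added example (not the test site's code) that performs a real TLS handshake with Python's ssl module, which validates the chain and host name and refuses anything weaker than TLS 1.2, then reports the negotiated protocol, cipher and days left before expiry, warning a month ahead. The date values are constructed in the format ssl.getpeercert() returns; run it with a host name to test a live site:

```python
"""Check a site's TLS session and certificate expiry.

Added example; not the online test the article links to, which runs many more
checks. ssl.create_default_context() validates the certificate chain and host
name during the handshake; we then report protocol, cipher and days to expiry.
The sample dates below are constructed, in the format ssl.getpeercert() returns.
"""
import datetime as dt
import socket
import ssl
import sys

RENEW_WARNING_DAYS = 30   # the article's advice: allow a month's margin


def days_left(not_after: str, now: dt.datetime) -> int:
    """Whole days from `now` until the certificate's notAfter date."""
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), dt.timezone.utc)
    return (expires - now).days


def renewal_status(not_after: str, now=None) -> str:
    """'expired', 'renew soon' (within RENEW_WARNING_DAYS) or 'ok'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= RENEW_WARNING_DAYS:
        return "renew soon"
    return "ok"


def describe_tls(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Perform a verified TLS handshake with host and summarise the session.

    Raises ssl.SSLCertVerificationError for an untrusted, expired or mismatched
    certificate and ssl.SSLError if the server cannot do TLS 1.2 or better.
    """
    ctx = ssl.create_default_context()              # system trust store, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSLv3 / TLS 1.0 / TLS 1.1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in cert["subject"]),
                "issuer": dict(pair[0] for pair in cert["issuer"]),
                "not_after": cert["notAfter"],
                "days_left": days_left(cert["notAfter"], dt.datetime.now(dt.timezone.utc)),
                "renewal": renewal_status(cert["notAfter"]),
            }


# Constructed sample values (the article was published on 2019-08-21).
SAMPLE_NOW = dt.datetime(2019, 8, 21, 12, 0, tzinfo=dt.timezone.utc)
SAMPLE_LETS_ENCRYPT = "Nov 19 12:00:00 2019 GMT"   # a 90-day certificate issued today
SAMPLE_NEARLY_EXPIRED = "Sep 10 12:00:00 2019 GMT"  # 20 days left: renew now

if __name__ == "__main__":
    for label, not_after in (("fresh", SAMPLE_LETS_ENCRYPT), ("old", SAMPLE_NEARLY_EXPIRED)):
        print(f"{label}: {days_left(not_after, SAMPLE_NOW)} days left -> "
              f"{renewal_status(not_after, SAMPLE_NOW)}")
    if len(sys.argv) > 1:                            # e.g. python tls_check.py wpmarmite.com
        try:
            for key, value in describe_tls(sys.argv[1]).items():
                print(f"{key:10} {value}")
        except ssl.SSLError as exc:
            print("TLS problem:", exc)
```

A handshake failure here is itself a finding: a certificate the system trust store does not accept, a name mismatch, or a server that only speaks TLS 1.0 will all raise before anything is printed, which is exactly what your visitors' browsers would hit.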

I presented you 9 general and essential checkpoints but, in general, remember to inform all the tools you use that your site is now accessible in HTTPS. Most of the time, this will be possible through their settings.

It is true that there are quite a few extensions to optimize HTTPS sites on the official directory.

Some of them offer interesting features, but others are totally useless. Let's take a closer look:

Really Simple SSL

Really Simple SSL is simply the most popular plugin on our topic of the day (a pro version is also available with more features).

It has more than 3 million active installations (more than Elementor, which has 2 million!) and gets a stunning 5-star rating.

Among its assets: its ease of use. It configures quickly (in fact, I didn't have to do anything) and it is very lightweight.

So, no need to touch files or anything else: I recommend it if you don't want to get your hands dirty, and especially if you are a beginner.

Really Simple SSL “automatically detects your settings and configures your website to run over https.”

And even more interesting, it will also take care of mixed content errors. You remember mixed content: it refers to the elements that are not loaded in HTTPS on the pages, and that prevent the appearance of the green padlock.

Well, this plugin dynamically replaces the resource addresses so that they are loaded correctly.

The only case where this cannot work is when the resource is hosted on another server that does not serve it over HTTPS: rewriting its address to https:// just produces a broken resource. You then have to host the file elsewhere (or on your own server) and update its address.

See this plugin on the official directory

SSL Insecure Content Fixer

If you have already handled the redirects in the .htaccess file, all that remains is to deal with any mixed content problems.

That's good, a plugin has been developed exclusively for this purpose: SSL Insecure Content Fixer (more than 300 000 active installations).

Once you have installed it, you can define the level of correction to be used on your site:

Corriger le contenu mixte dans WordPress

You will be able to choose between:

  • Off: no insecure content will be fixed (so you will not have a padlock);
  • Simple: to fix most problems;
  • Content: to correct your page content and text widgets;
  • Widgets: to correct the resources of any widget;
  • Capture: to correct an entire page (scripts, stylesheets and other resources), excluding AJAX requests;
  • Capture all: this is the brute-force mode. It analyzes the content and resources of all your pages and corrects them (but it may cause compatibility problems).

Personally, I advise you to select Content. If you still have problems, try with the following levels.

If the problem still persists, you will have no choice but to fix it manually. Open the code inspector, go to the Console tab, locate where the problem is coming from, and fix it in your theme or content.

See this plugin on the official directory

WordPress HTTPS (SSL)

WordPress HTTPS plugin

Let's end this plugin roundup with WordPress HTTPS. With more than 100,000 active installations, it is one of the most widely used plugins on the subject.

Its main drawback, and it is significant: it hasn't been tested with the latest 3 major releases of WordPress, which is quite annoying.

As a reminder, updates are especially important to continue to ensure the security of your website.

Although WordPress HTTPS triggered an error when I installed it, it then seemed to work correctly.

Specifically, it allows you to:

  • Redirect pages loaded in HTTP to their HTTPS version (not needed in our case, because we handled this previously in the .htaccess file);
  • Skip elements that are not available over HTTPS;
  • Load external resources from their HTTPS servers (e.g. Gravatar);
  • Use HTTPS on only some pages or posts.

This last feature can be interesting if you do not want to lose your share counters: you keep your popular pages and posts in HTTP and send everything else to HTTPS. Bear in mind that those pages then stay unencrypted and are flagged “not secure” by Chrome, which rather defeats the purpose.

However, I am sceptical about using this plugin since the author does not seem determined to update it.

So I don't recommend it to you.

See this plugin on the official directory

Conclusion: Stay on your toes

That's it, you now have a secure site with an SSL/TLS certificate. Your visitors can therefore access your WordPress site in HTTPS.

As you have seen, the impact on SEO has yet to be proven.

On the other hand, the influence on user experience and security is no longer a question.

However, HTTPS does not do everything!

For example, in the case of an online store, if your customers use weak passwords, an attacker can still guess them, access their accounts and place orders on their behalf.

To fight against this, you also need to secure your website.

Now, it's your turn. Are you planning to switch to HTTPS soon? And if you have already done so, which certificate did you choose? Do you use an additional plugin?

Tell me everything in the comments below.