Moving your site to HTTPS

Maybe you are very concerned about the overall security of the internet and want to do your part. Or is it that Google is using site speed as a search ranking? Whatever the reasons, we’ve written this article to make it easier for you to move your site to HTTPS only.


Step 1

Keys and Certificates

For TLS (formerly SSL) to work, you need a private key and a public key. Once a certificate authority signs your public key, it becomes your certificate. The private key and the certificate need to live on the server that hosts your website, so that the web server software that sends your pages to visitors can also set up the TLS connection between your site's web server and the visitor's browser to secure the link.

If you have the know-how, you are free to generate your keys and then SFTP them to your document root on the server. Otherwise, we are happy to generate the key pair and send you the certificate signing request (CSR), which you will paste into the form on the certificate authority’s website. Here’s what we need to generate your CSR:

  • Common Name
  • Company Name
  • City
  • Province/State
  • Country

The common name is the canonical address of your website. For example, www.example.com.

You can also generate a TLS certificate for free at Let's Encrypt.

Please see this article for more details on How to generate a Certificate Signing Request (CSR).
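For the do-it-yourself route described above, this is one way to produce the key pair and CSR with the OpenSSL command line. It is an added example, not part of the original article or the host's own tooling. The subject values, file names and the helper names make_csr, csr_matches_key and csr_subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a private key and a CSR from the five fields listed above.
# Helper names and all sample values are hypothetical placeholders.

make_csr() {
    # usage: make_csr OUT_DIR COMMON_NAME COMPANY CITY STATE COUNTRY
    # COUNTRY is the two-letter ISO code (e.g. CA). Values must not contain "/",
    # because "/" separates the fields in the -subj string.
    out=$1 cn=$2 org=$3 city=$4 state=$5 country=$6
    (
        umask 077   # directory and key are created readable by the owner only
        mkdir -p "$out" &&
        openssl genrsa -out "$out/$cn.key" 2048 2>/dev/null &&
        openssl req -new -key "$out/$cn.key" -out "$out/$cn.csr" \
            -subj "/C=$country/ST=$state/L=$city/O=$org/CN=$cn"
    )
    # Only the .csr file is sent to the certificate authority; the .key stays put.
}

csr_matches_key() {
    # usage: csr_matches_key CSR_FILE KEY_FILE
    # The CSR embeds a public key. It must be identical to the public key
    # derived from the private key you hold, or the signed certificate
    # will not work with that key.
    from_csr=$(openssl req -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

csr_subject() {
    # Print the subject so the fields can be checked before submitting.
    openssl req -in "$1" -noout -subject
}

# Example call (constructed values):
#   make_csr ./tls www.example.com "Example Inc" Toronto Ontario CA
#   csr_matches_key ./tls/www.example.com.csr ./tls/www.example.com.key && echo match
#   csr_subject ./tls/www.example.com.csr
```

Running csr_matches_key again after the certificate authority returns the certificate is not covered here; the same comparison idea applies to the certificate's public key.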

Certificate Authority

Here’s a short list of places you can get your CSR signed:

NameCheap

RapidSSL

If you want your URL bar to go green (fancy!) then you will need to purchase an Extended Validation (EV) certificate.


Step 2 - Some Configuration Required

Database

To ensure that you are sending your users to secure versions of your web pages, you need to update all URLs containing your domain so they point to https, not http. This is something we can do for you. If you are a do-it-yourselfer, the best tool for getting this done is the search-replace script provided by interconnect/it. We’ve written about how to use this tool in another article that you can find here. Scroll about halfway down to get to the part about using the script.

Secure Access to wp-admin Screens

Set FORCE_SSL_LOGIN and FORCE_SSL_ADMIN to ‘true’ in your wp-config.php. Or, hover over the link in the top left of your wp-admin screens and click on the “Admin Over SSL” link and then click on the “SSL for Logins and Admin” button.


Step 3

301 Redirects

Let us know when you are ready and we’ll add 301 redirects to our web server configs so any request going to an old HTTP page will be automatically redirected to HTTPS.


Step 4

Analytics and Tracking

If you use analytics tools like Google Analytics you will want to update the URL that you are tracking from http to https. Make sure you do this both in analytics and Google Webmaster Tools.

Looking Ahead

HTTPS Everywhere is a Firefox, Chrome, Edge and Opera extension that encrypts your communications with many major websites, making your browsing more secure.