
Working with SSL Certificates and HTTPS

When accessing a website that uses HTTPS (connection security), the website’s server uses a certificate to prove the website’s identity to browsers such as Chrome. Anyone can create a certificate claiming to be whatever website they want, but Chrome and other browsers require websites to use certificates from trusted organizations (certificate authorities). SSL not only protects the connection between visitor and site, but also contributes to search rankings in Google.

Steps to request and install an SSL Certificate (Host Gator):

  1. In WHM, use the Request SSL Certificate link, then copy and save the generated code once completed.
  2. Go to a trusted organization to purchase the certificate. I personally used Comodo via Namecheap and bought a 3-year individual certificate. Follow their instructions to request the certificate. They will need the Certificate Request (CSR) code you saved in step 1. Your trusted source may require you to validate your request via an email link or by uploading a file to the root of your website. I found I needed to do the email validation because somehow they were unable to access the file I uploaded to my server.
  3. You will be notified when the request is complete and the certificate is issued. I received mine via email. You may also receive a badge to place on your website.
  4. At the same time, request a dedicated IP address from your hosting support (required by Host Gator). Expect an added cost for a dedicated IP. Host Gator charges $4 per month.
  5. Once the dedicated IP is issued, support will need to install the certificate on the site and will require the RSA key that you saved in step 1.
  6. Supply the SSL certificate to support via email, then see step 7 to upload the RSA key into the home directory for the site in question (so support can quote you the correct fee for installation – yes, there is a charge to install!). All domains hosted in your cPanel may experience DNS propagation for 4-8 hours.
  7. Provide support with the matching RSA key code. The RSA key must be enclosed between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----". Please note that for security reasons, support can no longer accept the SSL’s RSA key in plain text via an email or ticket response. Instead, save the RSA key in a TXT file and upload that file to your hosting account’s HOME directory (one folder below the public_html folder). Provide the name of the text file to support so they can retrieve it.
  8. Support will confirm installation. The SSL site seal logos for your website can be found at the following: http://www.positivessl.com/siteseals.html. Credit Cards may be accepted in an online store with TransFirst. Secure, PCI Compliant and Next-day funding available. Request more information here: http://www.transfirst.com/lp/hostgator/ssl/

Once everything is set up and installed, it will be necessary to direct your site to HTTPS. If you’re adding SSL to your existing site and using WordPress, then you need to set up a WordPress SSL redirect from HTTP to HTTPS. You can do this by changing the WordPress Address (URL) and Site Address (URL) in Settings > General from HTTP to HTTPS.

Another way to do this is by adding the following code in your .htaccess file:

RewriteEngine On
# Only rewrite requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# Permanent (301) redirect so browsers and search engines switch to the HTTPS URL
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]

(Be sure to replace yoursite.com with your site URL)

A word of caution: adding the redirect via .htaccess could cause access issues to subdirectories running their own programs, such as Infinite WP and forums. This can be remedied by modifying the config files within these directories, or by removing the .htaccess code and using an alternate method.

Directing your traffic to HTTPS can also be accomplished by setting up a redirect via cPanel in order to go to the https version. Here is an article and video tutorial for this: http://support.hostgator.com/articles/articles/cpanel/url-redirect-how-to-create

Also: http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/

When a webpage is secured using HTTPS, the connections to it are encrypted by SSL and the browser marks the page as secure. This is the goal; however, initially your page may also include content loaded through an HTTP connection instead of HTTPS, which will negate the secure status. That said, go to your website using https://yourwebsite.com to see how it looks. If all is well, you will see the green secure padlock in your address bar. Chances are, however, you will see the mixed content warning, which means some images and links will need to be corrected to point to HTTPS rather than HTTP. It is important to correct this as quickly as possible, as visitors may begin receiving warning messages from web browsers saying there is mixed content or insecure content loaded. In order to make your images work, you have to remove the mixed content. In general, this is about finding the HTTP links in your website code and updating them to HTTPS.

Here are a few ways to find and remedy the insecure content:

  1. If running WordPress, install the SSL Insecure Content Fixer plugin or WordPress HTTPS (SSL) plugin. This will find the insecure links for you and correct most, if not all.
  2. There is another WordPress plugin called Protocol Relative Theme Assets that may work in many cases for CSS and script calls. Basically, it stops the visiting browser from reporting your mixed content by replacing "http://…" with simply "//…", so the asset is loaded over whatever scheme the page itself used. Note: the plugin does not transform any image paths and has not been updated by the developer in a while.
  3. Check all pages’ source code manually for HTTP links and change to HTTPS (the hard way, but sometimes the only way!).
  4. Use an online checker, such as Why No Padlock. It’s a simple tool that will tell you about any insecure items on your SSL page. Simply type the full https secure URL into the box on their site and get a report about:
    – Insecure calls to images, CSS, and JavaScript
    – Images called insecurely from linked CSS and JS files
    – Expired certificate, invalid or missing intermediate certificate (including 3rd party SSL certificates)
    – SHA-1 algorithm test, POODLE test, insecure form calls for Chrome
  5. Check your theme – the theme may be using absolute URLs instead of relative URLs in the theme files. For example, it might be hard-coded to load an image file from http://domain.com/wp-content/themes/theme-name/images/background.png.
  6. Check your plugins. This was my issue. After several attempts to remedy my insecure issues, I resorted to deactivating all my plugins, then one by one, reactivated them until I found the plugin that was causing the issue.
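To make the manual source-code check in items 3 and 5 less error-prone, here is an added Python example (not part of the original post or any of the plugins named above) that scans a page’s HTML for plain-http sub-resources the way an online checker does; the sample page, its hostnames and paths are constructed for illustration. Navigation links (<a href>) are deliberately not flagged: a browser only reports mixed content for resources it actually loads into the page.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a sub-resource. An http://
# value in one of these is mixed content once the page itself is HTTPS.
RESOURCE_ATTRS = {
    "img": {"src"}, "script": {"src"}, "link": {"href"}, "iframe": {"src"},
    "form": {"action"}, "source": {"src"}, "video": {"src", "poster"},
}
# url(http://...) inside CSS, e.g. a theme's hard-coded background image
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def is_insecure(url):
    """True for absolute http:// URLs; https://, //host and relative paths are fine."""
    return url.strip().lower().startswith("http://")


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every plain-http sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name in RESOURCE_ATTRS.get(tag, ()) and is_insecure(value):
                self.findings.append((tag, name, value))
            elif name == "style":  # inline CSS on any element
                self.findings += [(tag, "style", u) for u in CSS_URL.findall(value)]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.findings += [("style", "css", u) for u in CSS_URL.findall(data)]


def scan(html):
    """Return the list of insecure references found in an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings
```

Feed it the saved source of a page (for example `scan(open("page.html").read())`) and fix each reported URL to https:// or a relative path.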
