
If you run a self-hosted blog – like WordPress, for instance – now’s the time to enhance your confidence and that of your visitors and community in its security and trust.

While this is mostly about data security, it’s also about search engine optimization and search results ranking by Google.

I’m talking about enabling https, the secure form of http (hence the ‘s’) that offers important benefits:

In its popular deployment on the internet, HTTPS provides authentication of the website and associated web server with which one is communicating, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with or forging the contents of the communication.

Authentication of and confidence in your medium of communication are increasingly important today where the real and virtual landscapes are places littered with fakery and lack of trust on an alarming scale.

This weekend, I converted my blog into a secure place by enabling https across the domain from which the content is delivered.

You’ll notice it in the address bar of your browser, where the website address now starts with ‘https://’. In the Chrome desktop browser, this is preceded by a green padlock and the word ‘Secure’, also in green; Chrome on mobile devices shows the green padlock.

Secure HTTPS

We hardly notice the address bar when we visit most websites. But that will change soon: any site not running https will have that highlighted with the words ‘Not secure’ before the address, perhaps in red depending on how Google gauges the severity, to make sure it gets your attention.

Google will be rolling out this change first for sites that accept online payments, starting at the end of January. Expect it to reach your site in the coming months.

Enabling https is something I’ve been meaning to do for ages but never quite got around to. It always seemed a bit complex, requiring getting encryption keys and an SSL certificate and figuring out how to add them to my server. And it didn’t seem especially urgent.

But reading a post entitled Imminent: Non-HTTPS Sites Labeled “Not Secure” by Mark Maunder on the Wordfence blog caught my attention, especially:

This may confuse your site visitors who sign in to your website because they may interpret the message to indicate that your website has been compromised. They could also interpret the message to mean that your site has some underlying security issue other than being non-HTTPS.

That goes to the heart of confidence and trust.

I decided to just do it and do it now.

How to Set Up HTTPS

Enabling https on your blog requires a number of things.

First, check that your server configuration (the software it runs on) is able to support https. In my case, I logged in to WHM and CPanel and saw various entries labelled SSL/TLS. Asking my web host for confirmation was all I then needed to do.

The next step is to create the required public/private key pair and then complete a certificate signing request (CSR) that embeds your public key.

A Google search will turn up many services you can choose from for creating a CSR and submitting it to a Certificate Authority to get the actual SSL certificate you need.

I chose GoDaddy as this is the company I’ve used for more than a decade in buying domains, and I felt I could trust them for this service, especially as part of the process is verification of domain ownership. GoDaddy has comprehensive guides to the types of SSL certificate (yes, there’s more than one type), each step of the procedure including payment, installing the certificate on your server, and more.

I followed their guides; within a couple of hours of submitting my CSR, I had my shiny new SSL certificate. Installing it on my server was a straightforward procedure via CPanel.
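The author used GoDaddy’s web tools for this step. As an added example, not the post’s own procedure, here is the same key-pair and CSR creation done with the openssl command-line tool, followed by the two checks worth running before the CSR goes to the Certificate Authority: that the request verifies, and that it embeds the public half of the key on your server. The domain example.com, the ./tls directory and the function names are placeholders; the script assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not from the post: create the key pair and CSR with the
# openssl command-line tool and sanity-check them before submitting the CSR
# to a Certificate Authority. DOMAIN, OUT_DIR and example.com are placeholders.

# make_csr DOMAIN OUT_DIR
# Writes OUT_DIR/DOMAIN.key (private key, readable only by its owner) and
# OUT_DIR/DOMAIN.csr. The CSR names the domain as the Common Name and as a
# Subject Alternative Name, plus the www. variant, so one certificate can
# serve both hostnames (browsers rely on the SAN list, not the CN).
make_csr() {
    domain="$1"
    out="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    mkdir -p "$out"
    # 2048-bit RSA private key; it is generated on, and never leaves, the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out/$domain.key" 2>/dev/null || return 1
    chmod 600 "$out/$domain.key"
    # The CSR is self-signed with the private key, which is how the CA knows
    # the requester holds the key matching the embedded public key.
    openssl req -new -sha256 -key "$out/$domain.key" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -out "$out/$domain.csr" 2>/dev/null || return 1
}

# verify_csr CSR_FILE
# Checks the CSR's self-signature and prints the subject and the SAN list,
# which are worth eyeballing before the request goes to the CA.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# key_matches_csr KEY_FILE CSR_FILE
# Confirms the CSR embeds the public half of this key. The same comparison,
# with 'openssl x509 -in cert.pem -noout -pubkey', tells you whether the
# certificate the CA returns belongs to the key on your server.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh this_script.sh demo   (writes the key and CSR under ./tls)
if [ "${1:-}" = "demo" ]; then
    make_csr example.com ./tls && verify_csr ./tls/example.com.csr \
        && key_matches_csr ./tls/example.com.key ./tls/example.com.csr \
        && echo "CSR ready to submit: ./tls/example.com.csr"
fi
```

Only the .csr file is sent to the CA; the .key file stays on the server and is what the installed certificate is paired with later. Whatever tool you use to generate the CSR, key_matches_csr (and its x509 variant once the certificate arrives) is the check that catches a key and certificate that do not belong together before the server refuses to start with them.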

So that was the key part done. Next came a potentially tricky part – setting up http redirects to https, and dealing with mixed content on my site that prevented the site from getting a total all-clear from the security point of view.

Mixed content is where a secure site brings in content from elsewhere over http rather than https. It can be scripts, data, video or images on your own site, for example, where the URLs are written as absolute http:// addresses. That was my case.

Manually changing all of this seemed to be a daunting task and I searched for a tech solution. Being WordPress, someone of course had developed a terrific plugin! My thanks go out to Rogier Lankhorst and his Really Simple SSL plugin. Installing and running that took care of the essentials:

What does the plugin actually do?

  • The plugin handles most issues that WordPress has with ssl, like the much discussed loadbalancer issue, or when there are no server variables set at all.
  • All incoming requests are redirected to https. If possible with .htaccess, or else with javascript.
  • The site url and home url are changed to https.
  • Your insecure content is fixed by replacing all http:// urls with https://, except hyperlinks to other domains. Dynamically, so no database changes are made (except for the siteurl and homeurl).

Once the plugin had run, I had no more mixed content issues – I got the green padlock and ‘Secure’ text. Plus, anyone coming here via the original ‘http’ protocol would automatically get content via https.
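For anyone without WordPress, or who wants to see what the plugin is doing on their behalf, here is an added example (not the post’s own procedure and not the plugin’s code) that performs the same two clean-up steps by hand on static HTML files in a web root: write the http-to-https redirect rules, list the resources a browser would still fetch over plain http, and rewrite http:// to https:// with the plugin’s policy of leaving hyperlinks to other domains alone. The domain example.com, the file names and the sample page are constructed placeholders; the redirect rules assume an Apache server with mod_rewrite, which is what .htaccess files are read by.

```shell
#!/bin/sh
# Added example, not from the post or the Really Simple SSL plugin: the two
# clean-up steps described above done by hand on static HTML files in a web
# root. The domain example.com, the file names and the sample page are
# placeholders constructed for the demo.

# write_https_redirect WEBROOT
# Writes Apache .htaccess rules that answer every plain-http request with a
# permanent (301) redirect to the same path over https. Requires mod_rewrite
# on the host; a 301 is what tells search engines to update their index.
write_https_redirect() {
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# find_mixed_content HTML_FILE
# Prints every URL a browser would fetch over plain http when rendering the
# page from https: scripts, stylesheets, images, frames and media. Ordinary
# hyperlinks (<a href="http://...">) are not mixed content and are skipped.
find_mixed_content() {
    grep -oE '<(script|img|link|iframe|source|video|audio)[^>]*(src|href)="http://[^"]*"' "$1" \
        | grep -oE 'http://[^"]*'
}

# fix_mixed_content SITE HTML_FILE
# Same policy as the plugin: rewrite http:// to https:// everywhere except in
# hyperlinks to other domains. Own-domain URLs are switched in every attribute
# (the site now serves https); resources from other domains are switched only
# where a browser would load them (src= and <link href=), not in <a href=>.
fix_mixed_content() {
    site="$1"
    file="$2"
    escaped=$(printf '%s' "$site" | sed 's/\./\\./g')
    sed -E -i.bak \
        -e "s#http://$escaped#https://$site#g" \
        -e 's#(<(script|img|iframe|source|video|audio)[^>]*src=")http://#\1https://#g' \
        -e 's#(<link[^>]*href=")http://#\1https://#g' \
        "$file"
    rm -f "$file.bak"
}

# make_sample_page HTML_FILE
# A constructed page with the kinds of absolute http:// URLs the post describes.
make_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<a href="http://example.com/about/">About</a>
<a href="http://other.example.org/">A friend's site</a>
</body></html>
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_sample_page "$dir/index.html"
    echo "mixed content before:"; find_mixed_content "$dir/index.html"
    fix_mixed_content example.com "$dir/index.html"
    echo "mixed content after:"; find_mixed_content "$dir/index.html" || echo "(none)"
    write_https_redirect "$dir"
    echo "redirect rules written to $dir/.htaccess"
fi
```

On the sample page, find_mixed_content reports four URLs before the fix (the stylesheet, two scripts and the image) and none after it, while the friend’s-site hyperlink keeps its http:// address: a link the visitor clicks is not loaded into your page, so it does not affect the padlock. Switching a third-party script to https only works if that host actually serves it over https, which is the one case the plugin’s blanket rewrite cannot check for you, so re-run the check (or look at the browser’s console) after the rewrite.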

There is a premium version of the plugin that has additional bells and whistles. Luckily, I managed to achieve all I needed to with the free version in the WordPress plugin repository.

To recap:

  1. HTTPS is an advantage to you and your visitors – enable it sooner rather than later: don’t wait for the roll-out to suddenly hit you if you haven’t enabled it.
  2. Check your server setup to be sure it supports HTTPS. And if you use a shared-hosting environment, check with your host to see if SSL is already enabled there. (Note: if you run your blog on a hosted service like WordPress.com or Blogger, you won’t need to do any of this; indeed, you won’t be able to, as you won’t have server access.)
  3. Use a reputable service like GoDaddy for acquiring your SSL certificate.
  4. If your self-hosted blog runs on WordPress, make life easy for yourself by using the free Really Simple SSL plugin. Buy the premium version if you need the additional features.

Then you’ll be set for enhancing your own and your visitors’ confidence that your secure site is a place to be trusted.