Going Secure with your Website
March 23, 2018 at 7:47 pm | Posted in uncategorized | 2 Comments
Tags: browser, certificate, Chrome, CSR, Firefox, fix, Google, https, installing, mixed content, not secure, secure site, snooping, SSL
Once upon a time on the Internet, you only needed to secure your website if you were selling on-line. Often you linked to another website to do this for you. Yet browsing on any unsecured website, especially on public WiFi, can easily be snooped on. To make your activity more secure, web browsers are increasing their warnings about ANY site that doesn’t have a security certificate. The little “i” beside the web address is soon to go red and add warnings on many, many websites.
As this initiative is being driven partly by Google, having a certificate also helps search engine rankings. If you have a free blog like this one on WordPress.com or on Blogger or similar, you’ll see they’ve gone to https already.
But if you host your own website, you may want to consider securing your site with an SSL certificate so this issue will not chase away viewers.
This Webnames article talks about the changes and what the browser warnings will look like.
This article talks about the kinds of certificates that are available. If you have a simple informational site, you’ll just need a basic domain validation type. But if you use sub-domains or have multiple sites, other options are available.
You can get a free certificate, but free certificates have to be renewed often and come with no support or insurance. If you have forms of any kind, including subscription or contact, paid will be more reliable. A basic paid certificate is a similar price to a domain name, which makes it worth the small cost.
While you can install any certificate on your site, it’s easier to go with the options your hosting provider offers. This way, you also get their support and they’ll describe the steps on their servers. The process is fussy so that’s valuable. Give yourself time to sort out the bugs.
Here is a typical process. It will vary by host, server OS, and security vendor.
Step 1: Ordering the certificate you need. For example, I went to the SSL section of my host’s website and ordered there.
Step 2: Certificate Signing Request (CSR). Typically, you’ll generate a CSR, then enter it into a form with your organizational info. This may be in 2 places on your host’s site.
Step 3: Often, there are then steps to set the certificate up in your website Control Panel under SSL or Security.
Step 4: Verify with the certificate provider. For example, they’ll email you a code to paste into a form to verify yourself. The certificate will then be issued and emailed to you. Your site back end will be updated as well.
Step 5: Install the certificate. You then need to upload the certificate you received, usually into the form in step 3. Then you can select the certificate for your domain in your hosting control panel. Thus your site is certified secure.
Step 6: Site seal. You can then place a logo on your site to show your certification. This requires Header code, so I installed the “Insert Headers and Footers” plugin. (This can also be used for Google Analytics, Facebook pixel and so forth.)
You’re now officially secured. Run an SSL checker like this one, this one or this certificate detailed one to make sure everything is correct. Each reports a little differently.
But…
Odds are good that your site is full of old http addresses like images and back links. Thus, you’ll get a “mixed content” error and still won’t get the green lock or similar in a web browser – even if the SSL checks out perfectly.
This article lists some of the fixes needed (you can ignore the Cloudflare section if you’re not using them – skip to Enforcing SSL).
The temporary fix here was:
a) installing “SSL Insecure context fixer” plugin.
(Run the test first. It’s in the Dashboard, Tools menu. That tells you how to set it.)
b) In my case, the Custom HTML widgets needed to be updated to https links too.
If you’re still having issues, this tool identifies specific link errors.
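What a mixed-content check looks for, as an added example (not from the original post or from any of the tools it mentions): a small Python scanner that flags subresources an https page still loads over http://. The sample HTML and its paths are constructed, and domain.ca is the placeholder domain the post uses. Ordinary `<a href>` links to http pages are not reported, because browsers do not count navigation links as mixed content.

```python
from html.parser import HTMLParser

# Insecure loads that browsers block outright ("active" mixed content)
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Insecure loads that may still display but cost the page its padlock ("passive")
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> only loads a subresource when it is a stylesheet;
        # rel="canonical" and similar are metadata, not loads.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href", ""))
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag:
                    self._check(severity, tag, attrs.get(attr, ""))

    def _check(self, severity, tag, url):
        # Only absolute http:// URLs are insecure; relative and
        # protocol-relative (//host/...) URLs inherit the page's https.
        if url.strip().lower().startswith("http://"):
            self.findings.append((severity, tag, url.strip()))


def find_mixed_content(html):
    """Return (severity, tag, url) for each insecure subresource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, imagined as served from https://domain.ca
SAMPLE = """
<link rel="stylesheet" href="http://domain.ca/wp-content/themes/x/style.css">
<link rel="canonical" href="http://domain.ca/">
<script src="//domain.ca/wp-includes/js/jquery.js"></script>
<img src="http://domain.ca/wp-content/uploads/2018/03/photo.jpg">
<img src="/wp-content/uploads/logo.png">
<a href="http://example.org/old-post">back link</a>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```

Only the stylesheet and the first image are reported; those are the URLs a database search and replace from http:// to https:// has to catch.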
As the above article mentions, you also want to update your website address on Dashboard, Settings, General to https. Also update your website links on social media sites.
Later, I’ll run a ‘search and replace‘ on the database to update all those image and internal links from http://domain.ca to https://domain.ca. Then I won’t need the plugin.
You can also use the “Broken Links Checker” plugin to check for redirected links, but I wouldn’t leave this plugin activated as it pumps the database too much and will slow your site.
Safe Surfing!
David
UPDATE:
When I migrated another site to a new domain a few years ago, I logged into the database, installed a special program, and ran a search and replace to update the domain for all the internal links. I then removed the program for security reasons.
This time, I took a newer, easier route and installed the Better Search Replace plugin inside WordPress. After exporting the database as a backup, I ran a test. It found over 12,000 links to update (from http://domain.com to https://domain.com). I then ran the update and in a couple of minutes all was done.
I then deactivated the SSL Insecure Context Fixer plugin and ran a few SSL checking tools (all mentioned above) to confirm all was fixed.
I then activated Broken Links Checker to do a once over and fix random errors, like incorrect URLs entered into comment forms. I’ll deactivate this afterwards as it tends to bog a site down.
Had I known about the search and replace plug-ins sooner, I would have skipped the “temporary fix” above and done this directly. However, if there is an issue with the results, the SSL Fixer plugin can still be a great help to keep your lock green.