How to set up HTTPS for WordPress

HTTPS for WordPress

If you are serious about the security of your site and the data of your visitors, then you should switch to secure HTTPS. In this article, we will take a detailed look at the process of creating and signing an SSL certificate and connecting it to a WordPress site.

What is HTTPS

HTTPS is a secure protocol for communication between your site and its visitors. It allows you to encrypt all traffic between your web server and your client’s browser. This prevents hackers and ISPs from spoofing or viewing data such as passwords, credit card numbers, and email addresses.

For many websites, HTTPS has long been the standard (including WordPress.org and WordPress.com sites), and for online stores, payment systems, online banking, and other resources that handle finances or personal data, HTTPS has become an integral and in some cases mandatory part of the service.

In August 2014, Google announced that HTTPS support is one of the signals it uses to rank search results. Note that enabling HTTPS will not make your site "take off" in the results: HTTPS is neither the only nor the most significant ranking factor, but all else being equal, Google will prefer the secure site.

It should also be noted that HTTPS (over SSL/TLS) is slightly slower than regular HTTP because the server and client have to spend some time establishing a secure connection and encrypting data, but in most cases, the difference is not noticeable at all.

SSL certificates

To set up HTTPS on your site, you will first need to purchase an SSL certificate. We recommend that you only consider large and trusted SSL certificate providers such as Comodo, Thawte, VeriSign, GeoTrust, and GoDaddy. Most often, certificates from these providers can be purchased from your hosting provider or domain name registrar.

There are different types of certificates, for example, with the ability to use on one domain or on several, with the ability to use on subdomains, with different types of data encryption, and so on. Prices for certificates on average start at $9 per year (for the simplest certificates) and go up to $400 per year and more.

The acquisition process varies by certificate type and provider. We’ll take a look at Comodo’s PositiveSSL certificate, which can be purchased for $9/year from the NameCheap registrar. Such a certificate confirms ownership of the domain and is issued within a few hours. Some of the more expensive certificates require the presence of a legal entity and the execution of relevant legal documents.

Creating and signing an SSL certificate

Before a provider can sign a certificate, you need to create it. This can be done with the OpenSSL utility, which is present by default in OS X and in most Linux distributions. If you are on Windows and do not have SSH access to any Linux server, consider OpenSSL for Windows or Cygwin.

To create a new SSL certificate and request for its signing, use the following command:

openssl req -nodes -newkey rsa:2048 -keyout wpnerd.net.key -out wpnerd.net.csr

After starting, OpenSSL will ask you to fill in some data about the new certificate. When prompted for a Common Name (FQDN), enter your domain without http:// and without www (even if the www domain is your main one). In this example we use “wpnerd.net”. After filling in the remaining fields, you will have two new files:

  • wpnerd.net.key – private key to your new certificate
  • wpnerd.net.csr – request to sign a new certificate

The private key must always be kept secret. Never share it, email it, or lose it. The file with the .csr extension must be sent to the SSL certificate provider for signing.

In the case of PositiveSSL purchased through NameCheap, go to the SSL Certificates section in your control panel and click “Activate Now” next to your new certificate. Please note that at NameCheap you can sign a certificate for your domain in the .ru zone, regardless of where you purchased the domain itself.

On the next page, you need to select the type of web server you are using and paste the contents of your .csr file into the text box.

After verifying the request, NameCheap will prompt you to go through the process of verifying your domain. The easiest way is to verify by email within your domain, for example, admin@yourdomain.org.

After verifying the domain and filling in additional data on NameCheap, your certificate will be sent to Comodo for signing, and after a few hours the signed certificate will be sent to your email address. Typically, this is a zip archive containing several .crt files.

To work with Nginx or Apache web servers, these files must be “glued” into one .crt file in a certain order. The names of the files in your case may differ, but the main thing is that your certificate (in our example it is wpnerd.net.crt) comes first, and the certificate with “Root” in the name comes last.

This can be done in any text editor or with the cat utility on OS X and Linux-like systems:

cat wpnerd.net.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > wpnerd.net-bundle.crt

Thus, your SSL certificate (along with others) will be located in the new wpnerd.net-bundle.crt file and the key to the certificate will be wpnerd.net.key, which you generated earlier. These two files are required to set up HTTPS on your server.

Setting up an SSL certificate on the server

Many hosting providers allow you to install a new SSL certificate through the account control panel. If your hosting provider offers this feature, we recommend using it. If you administer your server yourself, you will need to manually connect the new certificate to your web server.

Connecting an SSL certificate to Nginx

In the Nginx web server configuration for your domain, you must enable SSL support (port 443) and specify the path to your certificate files:

server {
    listen 80;
    listen 443 ssl;
    server_name wpnerd.net;
    ssl_certificate /path/to/wpnerd.net-bundle.crt;
    ssl_certificate_key /path/to/wpnerd.net.key;
    ...
}

Make sure the nginx user (or www-data) has permission to read the certificate files. We remind you that the .key file is a secret key, and you should not place it in a public location (for example, in the htdocs, www or public_html directory).

After changing the configuration file, restart the nginx service.

Attaching an SSL Certificate to Apache

We always recommend the nginx web server for working with WordPress, but if for some reason you are still using Apache, you can connect the SSL certificate with the following directives inside the VirtualHost section or in the global configuration, depending on your setup:

SSLCertificateFile /path/to/wpnerd.net-bundle.crt
SSLCertificateKeyFile /path/to/wpnerd.net.key

If you are using the directive VirtualHost, make sure that it applies to port 443 and not just port 80. After making changes to the configuration, restart the Apache service.

Setting up HTTPS in WordPress

After making changes to the webserver configuration, your WordPress site should automatically become available over HTTPS, but this is not the end of the job. All links on the site and in the admin panel will continue to use the HTTP protocol.

You can change the site’s primary protocol from HTTP to HTTPS under Settings → General in the WordPress admin panel.


The same settings can be specified in the wp-config.php configuration file using the WP_HOME and WP_SITEURL constants. This can be useful if you make a mistake while typing the domain and the site suddenly becomes unavailable.

After making changes to the site address, all links will use the HTTPS protocol by default. Unfortunately, this does not apply to those links that you have placed manually, for example, in WordPress articles or pages.

Replacing HTTP with HTTPS in WordPress articles and pages

If you have a small number of articles and pages on the site, you can manually edit them and change the protocol in the links. For existing sites with a large amount of content, this method will be too labor-intensive, so we propose to consider two alternatives.

If you are using WP-CLI, you can quickly perform a search and replace with the search-replace command:

wp search-replace 'http://wpnerd.net' 'https://wpnerd.net'

The second alternative is the Search Replace DB PHP script, which also performs a search and replace but provides a GUI.

We do not recommend doing the search and replace directly in the MySQL database (including on export files), since WordPress stores some data in serialized arrays, and such data gets corrupted when the string length changes (https:// is one character longer than http://).
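To make the corruption concrete, here is an added example (not the article's code, and not WP-CLI's implementation) that parses a PHP-serialized value, re-serializes it with recomputed length prefixes after a replacement, and shows why a plain byte-for-byte replace yields a value PHP would refuse to unserialize. The sample option value and all function names are constructed for the example.

```python
# Added example (not the article's code): a length-aware search/replace for PHP-serialized
# values, which is why a plain SQL REPLACE() corrupts WordPress options while WP-CLI does not.
def php_unserialize(data, pos=0):
    """Parse one PHP-serialized value (types b, i, s, a) from bytes at pos; return (value, next_pos)."""
    t = data[pos:pos + 1]
    if t in (b'i', b'b'):                            # int/bool:  i:42;  b:1;
        end = data.index(b';', pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == b'b' else n), end + 1
    if t == b's':                                    # string:  s:<byte length>:"...";
        colon = data.index(b':', pos + 2)
        start = colon + 2                            # skip ':"'
        end = start + int(data[pos + 2:colon])
        if data[end:end + 2] != b'";':               # declared length disagrees with content
            raise ValueError('corrupt string at offset %d' % pos)
        return data[start:end], end + 2
    if t == b'a':                                    # array:  a:<count>:{key;value;...}
        colon = data.index(b':', pos + 2)
        p, items = colon + 2, {}                     # skip ':{'
        for _ in range(int(data[pos + 2:colon])):
            k, p = php_unserialize(data, p)
            items[k], p = php_unserialize(data, p)
        return items, p + 1                          # skip '}'
    raise ValueError('unsupported type %r at offset %d' % (t, pos))

def php_serialize(v):
    """Inverse of php_unserialize; every byte-length prefix is recomputed here."""
    if isinstance(v, bool): return b'b:%d;' % v
    if isinstance(v, int): return b'i:%d;' % v
    if isinstance(v, bytes): return b's:%d:"%s";' % (len(v), v)
    body = b''.join(php_serialize(k) + php_serialize(x) for k, x in v.items())
    return b'a:%d:{%s}' % (len(v), body)

def is_valid_serialized(data):
    """True if PHP's unserialize() would accept data as one complete value."""
    try:
        return php_unserialize(data)[1] == len(data)
    except (ValueError, IndexError):
        return False

def safe_replace(serialized, old, new):
    """Replace old with new inside string values, then re-serialize so the lengths are right."""
    def walk(v):
        if isinstance(v, bytes): return v.replace(old, new)
        if isinstance(v, dict): return {k: walk(x) for k, x in v.items()}
        return v
    return php_serialize(walk(php_unserialize(serialized)[0]))

# Constructed sample shaped like a wp_options value: a theme setting holding two URLs.
SAMPLE = b'a:2:{s:4:"home";s:17:"http://wpnerd.net";s:4:"logo";s:30:"http://wpnerd.net/img/logo.png";}'
```

Running `SAMPLE.replace(b'http://wpnerd.net', b'https://wpnerd.net')` leaves the `s:17:` and `s:30:` prefixes untouched, so `is_valid_serialized` rejects the result, whereas `safe_replace` produces `s:18:` and `s:31:`.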

In any case, before any manipulation of the database, we advise you to make a backup copy. After the search and replace, go to your site and make sure all old links start with https://.

Redirect from HTTP to HTTPS

The final step in setting up HTTPS is to shut down your HTTP site and redirect all traffic to the new encrypted protocol. The safest way to do this is at the webserver level.

In nginx, you need to split the server block in two. The first block listens on port 80 and redirects traffic to HTTPS, and the second (main) block serves requests on port 443 (do not forget to remove the listen 80 line from the main block).

server {
    listen 80;
    server_name wpnerd.net;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name wpnerd.net;
    ...
}

In Apache, inside a VirtualHost section, in the global configuration, or in an .htaccess file, you can add the following rule to redirect to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent (like "permanent" in nginx); L stops further rewriting
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

After making changes to the configuration, don’t forget to restart the webserver.

Verifying that HTTPS is configured correctly

The most common problem when setting up HTTPS in WordPress is links and resources loaded over HTTP. For example, if you have embedded an image or a JavaScript file over HTTP, then by default the browser will not load it. In this case, the safest option is to upload the file to your own site and embed it over HTTPS, or use a protocol-relative URL such as //example.org/path/to/file.js

Google Chrome and Firefox show a special icon in the address bar if the integrity of the HTTPS connection is compromised by any link to an HTTP file, so when working with your site, pay attention to the green padlock to the left of the site address. This padlock should always remain green.
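A quick way to find such leftovers before the browser does is to scan the HTML a page serves for sub-resources still referenced over plain http://. The following added example (not the article's code) does that with the standard library; it distinguishes active mixed content (scripts, stylesheets, frames, which browsers block) from passive content (images, media, which only trigger the warning), ignores protocol-relative URLs, and does not flag ordinary `<a href>` links, which are navigation rather than mixed content. The sample page and the function names are constructed for the example.

```python
# Added example (not the article's code): a mixed-content scan over the HTML a WordPress
# page serves, listing sub-resources that are still loaded over plain http://.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which these tags load sub-resources (navigation links are not included).
RESOURCE_ATTRS = {'script': 'src', 'img': 'src', 'iframe': 'src', 'link': 'href',
                  'video': 'src', 'audio': 'src', 'source': 'src'}
# Scripts, stylesheets and frames are "active" mixed content: browsers block them outright.
ACTIVE = {'script', 'link', 'iframe'}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                  # (tag, url, 'active' | 'passive')

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # https:// and protocol-relative //host/... URLs are fine; only plain http:// is flagged
        if url and urlsplit(url).scheme == 'http':
            self.findings.append((tag, url, 'active' if tag in ACTIVE else 'passive'))

def find_mixed_content(html):
    """Return [(tag, url, kind)] for every sub-resource loaded over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page after the search-replace: two hard-coded references were missed.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://wpnerd.net/wp-content/themes/x/style.css">
<script src="//cdn.example.org/lib.js"></script>
<script src="http://cdn.example.org/analytics.js"></script>
</head><body>
<img src="http://wpnerd.net/wp-content/uploads/logo.png">
<a href="http://wpnerd.net/about/">About</a>
</body></html>"""
```

On the sample page, `find_mixed_content(SAMPLE_HTML)` reports the analytics script as active and the logo image as passive, and nothing else.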

Also, to check if the HTTPS protocol is configured correctly on your server, we recommend that you try the SSL Server Test utility from Qualys. By entering your site address, you can get a detailed report on how HTTPS is configured on your site: the validity of your certificate, the correctness of the redirect from HTTP to HTTPS, available encryption methods, and much more.

Conclusion

If you run a website that allows visitors to enter an email address (for example, by leaving a comment), a phone number (by filling out a contact form), and especially if you work with actual addresses, credit card numbers, and other sensitive information, we recommend that you immediately switch to secure HTTPS protocol.

Be aware that the WordPress login form is also open to scammers if it is not secured with HTTPS, especially if you frequently visit your admin area from Internet cafes, restaurants, and other public places. The same goes for working with your WordPress site through the mobile app.

If you have any questions about setting up HTTPS in WordPress, leave a comment and we will answer you.
