Saturday, January 9, 2016

Free SSL For Any WordPress Website

If you have an e-commerce website, then SSL is mandatory for safely processing credit cards. But even if you aren’t processing payments, you should still seriously consider secure HTTP (or HTTPS), especially now that I’m going to show you how to set it up quickly, for free. Let’s get started.

What Is SSL And Why Should I Care?

In short, SSL is the “S” in HTTPS. It adds a layer of encryption to HTTP that ensures that the recipient is actually who they claim to be and that only authorized recipients can decrypt the message to see its contents.
Sensitive information such as credit-card numbers — basically, anything private — should always be served via HTTPS. However, there is an increasing trend towards serving all content via HTTPS, as we’re seeing on news website, blogs, search engines and the websites of most mainstream brands. So, even if your website isn’t processing payments, there are good reasons to consider HTTPS, a few of which are listed here:
  • Credibility
    Even non-technical audiences associate the little green padlock in the browser’s address bar with trust and reliability.
  • Password protection
    Perhaps your website only hosts kitten videos. But if users are logging into your website via Wi-Fi with a password that they also use for online banking, then you are potentially facilitating a serious security breach by broadcasting those credentials publicly.
  • Future-proofing
    Many websites are still served via HTTP, but there is an undeniable trend towards HTTPS, and this will only increase as users become increasingly educated about web security. Be on the right side of history.
  • SEO
    Google officially announced that HTTPS is used as a ranking signal. In other words, Google is rewarding HTTPS websites by boosting their rankings in search results.
A common argument against HTTPS is that it reduces performance. True, the process of encrypting and decrypting does cost additional milliseconds, but in most situations it is negligible, as evidenced by the fact that performance-conscious companies such as Google and Facebook serve all of their content via HTTPS. And, true, HTTPS can exacerbate existing performance problems, like many CSS files being served individually, but this is mitigated by following basic best practices for performance. And with the adoption of HTTP/2, the performance cost of HTTPS is even lower. The bottom line is that the reduction in performance is a meaningful deterrent only if your website is either hyperoptimized or so underperforming that every millisecond matters.

How To Set Up HTTPS For Free

The first step to setting up HTTPS for free is to sign up for a cloud DNS service. If you have no idea what DNS is, I recommend that you take a minute to learn before proceeding. The delightful How DNS Works does a great job of breaking it down into a quippy cartoon. Otherwise, simply know that DNS is the system whereby domain names like example.com (which humans understand) get linked to IP addresses like 104.28.2.167 (which computers understand). You have many options, but I’m a fan of CloudFlare because it’s really fast to set up, the dashboard is intuitive, and a free plan is available with many powerful features.

Setting Up CloudFlare

After registering for a CloudFlare account, you’ll be walked through an easy wizard to configure your first website, which will conclude with instructions on how to log into your domain registrar and point the nameservers to CloudFlare. The change will take some time to propagate, but when it’s complete, CloudFlare will be hosting your website’s DNS records. Next, turn on CloudFlare’s “flexible SSL” feature.
Choosing the “flexible SSL” setting is important because it doesn’t require you to buy and install your own SSL certificate on your website’s server.

As you can see, CloudFlare is acting as the middleman to secure traffic between your website and the client. If this were a static HTML website, you would now be able to connect to it via HTTPS (https://yourdomain.com). WordPress, however, requires additional configuration in order to work with the modified protocol.

Reconfiguring WordPress From HTTP To HTTPS

You will first need to update the “WordPress Address” and “Site Address” settings in the dashboard, under “Settings” → “General.” When you do this, you will have to log into the dashboard again.

Proceed cautiously. If you update these settings prematurely, you risk locking yourself out. For example, if the website isn’t yet properly configured for HTTPS and the settings are updated, you could cause a redirect loop that breaks the website and prevents you from accessing the dashboard.
At this point, you should be able to visit the home page of the website via HTTPS. However, page links will still point to the HTTP URLs. WordPress stores links to pages and images as absoute URLs, meaning that the full URL, including the protocol, is saved in the database. To ensure that the entire website is consistently served via HTTPS (without spitting up warnings about mixed content), you will need to update your legacy content.

Updating Legacy Content

On a small website with only a few pages, the quickest option might be simply to manually update the URLs by editing existing pages in the admin interface. If the website is large or has a highly active blog, then manual editing likely isn’t practical. If your host provides phpMyAdmin or some other interface to run MySQL queries, you could do this pretty easily with a few MySQL queries in the SQL tab. Alternatively, you could follow The Customize Windows’ instructions to do it from the command line.
At the risk of stating the obvious, replace yourdomain.com in the following queries with your actual domain. Also, if you’ve customized WordPress’ table prefix, replace wp_ with the relevant prefix.
First, update the URLs of the posts and pages.

UPDATE wp_posts SET guid = replace(guid, 'http://yourdomain.com','https://yourdomain.com');
[UPDATE: As discussed in the comments, the guid field should not be edited.]
Update the wp_postmeta table, too.
UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://yourdomain.com','https://yourdomain.com');
Finally, update the actual contents of posts or pages. This will update any backlinks to HTTPS.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
After running these queries, you will want to refresh your permalinks by going to “Settings” → “Permalinks.” Simply change the setting back to the default, and then set it back to whatever setting you were originally using.
Now, you should be able to click the menus and links throughout the website, and the protocol should remain HTTPS.

Troubleshooting Mixed-Content Warnings

Depending on the theme and plugins in use, you might get a warning in the address bar stating that certain resources are not being served securely. If the errors are associated with assets added by your own custom theme or plugin, make sure to properly enqueue JavaScript and CSS files and not to hardcode URLs that begin with HTTP. Most browsers will let you expand the warning to show the specific requests that are causing the error. You could also try a free plugin such as SSL Insecure Content Fixer, which will attempt to correct third-party plugins that have failed to do this.
By this point, you should see the green padlock in the URL bar when visiting your website. If you aren’t using an e-commerce plugin such as WooCommerce or WP eCommerce, you’re done! If you are, there is an important last step.

Getting Flexible SSL To Work With E-Commerce Plugins

WordPress has a core function named is_SSL() that plugins rely on to determine whether traffic is encrypted with SSL. With the method above alone, this function will return false because the encryption is only between CloudFlare and the client. The traffic that PHP interacts with is unencrypted, so the super global that that function checks (i.e. $_SERVER['HTTPS']) would not be useful. For our purpose, the relevant variable is $_SERVER['HTTP_X_FORWARDED_PROTO'], which, at the time of writing, WordPress does not recognize. The request to change this is long-standing, but it is yet to be resolved.
Fortunately, a free plugin will fix this for you immediately, CloudFlare Flexible SSL. Simply install the plugin and activate it. Remember that this technique does not add any more security. Traffic between CloudFlare and your website’s server is still unencrypted and, therefore, still vulnerable to sniffing.

Flexible SSL Is Not Full SSL

CloudFlare’s “Universal SSL” initiative is an interesting attempt to make the Internet more secure, but it is not without controversy. The primary concern is that flexible SSL does not encrypt the second half of the traffic’s journey (to your server), yet the browser currently still shows the same green padlock that we have come to associate with complete SSL. CloudFlare offers the following justification on its blog:
Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.
For better or worse, flexible SSL is here, and the Internet will have to adapt. In the meantime, the burden is on website owners to be educated and to make responsible decisions.

Redirecting HTTP Requests To HTTPS

Enabling a website to run on HTTPS does not ensure that requests will actually use the protocol. If your website has been around for a while, users might have already bookmarked it with HTTP. You can redirect all HTTP requests to the new protocol by adding the following snippet to the top of the .htaccess file in the root of your website. If the file does not exist, you can safely add it.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule (.*) https://yourdomain.com/$1 [R=301,L]
</IfModule>
If an .htaccess file already exists, be careful not to change anything between the # BEGIN WordPress and # END WordPress lines in that file. Those lines are managed by WordPress, and whenever the permalinks get refreshed, the contents in that section get overwritten.

Congratulations

By upgrading your website to HTTPS, you have improved your website, protected users and participated in the advancement of the Internet. And it didn’t cost you anything!

24 comments:

  1. Wonderful bloggers like yourself who would positively reply encouraged me to be more open and engaging in commenting.So know it's helpful.

    Dotnet Training in Chennai

    ReplyDelete
  2. These provided information was really so nice,thanks for giving that post and the more skills to develop after refer that post. Your articles really impressed for me,because of all information so nice.

    Painless Dental Treatment In Chennai

    ReplyDelete
  3. I am very happy when read this blog post because blog post written in good manner and write on good topic. Thanks for sharing valuable information.
    Web Designing Company in Bangalore, Web Development Company Bangalore

    ReplyDelete
  4. Well, good information you have placed and useful too. Just now I saw your blog and it is nice and good.This information is amazing. I hope it will be very helpful for all. I don't have words to describe this blog. I simply want to say that absolutely very good post.
    Engineering Colleges, ECE Engineering Colleges in Chennai

    ReplyDelete
  5. I absolutely admired every bit of it and i additionally accept you book apparent to analysis out fresh things in your site.
    UI Designing Company in Bangalore, Web Application Development Companies in Bangalore

    ReplyDelete
  6. Good work…unique site and interesting too… keep it up…looking forward for more updates.Good luck to all of you and thanks so much for your hard-work.
    Language Interpretation Services, Voiceover Bangalore

    ReplyDelete
  7. Thank you for posting the great content…I was looking for something like this…I found it quiet interesting.Keep sharing..
    Language Translation Services India ,
    Subtitling Services India

    ReplyDelete
  8. I am very happy when read this blog post because blog post written in good manner and write on
    good topic. Thanks for sharing valuable information.

    School Information Management System,
    Online Fee Payment Integration
    College Management System

    Message

    ReplyDelete
  9. A very well-written post. I read and liked the post and have also bookmarked your blog.
    Web Developer In USA

    ReplyDelete
  10. Such interesting post. I will use your advices.
    Myadmissionsessay review for you.

    ReplyDelete
  11. Thank you for this post. This is very interesting information for me.

    ReplyDelete
  12. Good blog Post....thanks for sharing...
    Book online bus ticket from Redbus

    ReplyDelete
  13. So why choose us when looking for professional assistance on writing successful medical school essays ? The answer is obvious. We are the team that conceals no information from our customers. You are always welcome to browse our reviews section to discover how satisfied our customers are. We are very proud of our good name and reputation and we are happy to see every single positive response and evaluation of our best practices. From the number of positive responses on our website you may see that we excel ourselves to meet the highest standards you require and we are extremely good at that.
    The fact that you are on cosmetic surgery research paper right now means you have found a company of professional essay writers you can trust. A reputable team of highly educated and vastly experienced essayists, we will make sure that the piece of writing you purchase from us is the best one you can imagine. The writers from our agency have the necessary education to give you a very good argumentative essay on health care or an original research paper on health care because health care issues are among the most prioritized directions of our business.

    ReplyDelete
  14. Academic writing is clear, concise, focussed, structured and backed up by evidence. Its purpose is to aid the reader’s understanding. read more is all about academic writing.

    ReplyDelete
  15. Semasing pemain akan diberikan 3 kartu domino qiu qiu pertama-peluang pada disaat kartu di berikan 3 buah semasing dapat sama-sama bertaruh atau sama-sama menaikan taruhan untuk ambil kartu ke-4
    asikqq
    dewaqq
    sumoqq
    interqq
    pionpoker
    bandar ceme terpercaya
    hobiqq
    paito warna oregon
    syair hk
    datahk

    ReplyDelete
  16. There are so many types of essays; it can be hard to know where to start. History papers aren’t just limited to history classes. These tasks can be assigned to examine any important historical event or a person. While they’re more common in history classes, you can find this type of assignment in sociology or political science course syllabus, or just get a history essay task for your scholarship.

    What is a political essay? A political is just as the name suggests an essay based on politics or a political situation. Completing a political essay is impossible without the proper research to fully understand your subject. First, you should study the primary texts, to analyze its contents. You may take advantage of using reliable Internet sources, with available government reports and political parties' news. Scan through reputable newspapers and magazines to compile relevant data for your political essay. Find more political essay at http://writing-a-thesis.net/

    ReplyDelete
  17. Anika Tech SupportJuly 21, 2019 at 8:27 PM

    cloud adoption framework
    WELCOME TO ANIKA TECH SUPPORT
    Anika Tech Support managed by a team of professionals utilising a combined 20+ years of experience in IT support and Managed IT services Focusing on Proactive support, continuity, growth and development. We are a forward thinking IT Company who support public and private sector using the latest tech as a driving force for our client’s Success.

    ReplyDelete
  18. If you feel that you need help when it comes to writing sociology papers then we could help you. Here at Erik Erikson psychosocial theory we have some of the best professional writers that are ready and waiting to make your academic writing very much easier. In fact, we can take all the stress and hard work out of writing, so that you are free to get on with whatever else you choose to do

    You may decide to try and buy a sociology research paper online somewhere but you need to be aware of some things. Those sites will offer sociology papers for sale but they have been sold to hundreds of other people. You have no idea where those papers came from and who wrote them. You do not know the academic level of the writer and chances are you will have to spend time tweeking the paper to your professor’s specifications. For that kind of hassle you might as well just write the paper yourself.

    ReplyDelete
  19. Our accounting homework help is the best homework providing company. We believe that our homework plays an important role in the final grades of students. Due to several reasons, students are unable to write accounting homework. Accounting homework requires Do my accounting homework remarkable knowledge as well as in-depth understanding of the accounting concepts. Students should get our accounting homework help at our company’s website.

    Biology, the study of life, can be fascinating and wondrous. However, certain biology topics can sometimes seem incomprehensible. The best way to get a clear understanding of difficult biology concepts is to study them at home, as well as at school. Students should use quality biology homework help resources when studying. Below are some good resources and information to help you answer some of your obilogy homework questions.

    ReplyDelete
  20. The main purpose of education is to help students gain the knowledge and skills so that they will be able to function in society. Students need to be provided with the necessary skills so that they can learn to become productive citizens. There are many advantages that are associated with receiving an education. Students will be able to contribute to their community and help make it a better place to live. Education basically helps shape society because it helps students learn to become more sociable and helps them develop relationships with their peers. Students will be more qualified for different job positions if they have a good solid education. Education is vital to each student’s life, therefore, by working hard to provide the best instruction possible will help train students to become future leaders and will lead to a better life.
    Education is essential to every student’s life as well as their future. Students can have a prosperous life by receiving a good quality education. My thoughts are that students need to learn from the books along with other various materials just as I did while growing up. The classroom curriculum should be decided by their teacher and the teacher should set clear goals as to what is expected from the students. Students should work hard to achieve their goals because it will certainly be worth it in the end. According to essentialism, ‘Schools should not radically try to reshape society but schools should transmit traditional moral values and intellectual knowledge that students need to become model citizens’. Read about education help at http://www.top-essay-writing-service.com . The school should stress the importance of values because some children are not taught these at home. Teaching children good values helps build their character and helps them become respectable people. In regards to education, I think society is important because this is a place where we all live so we should work to make it a better place.

    ReplyDelete