HTTPS WordPress Seattle Meetup Presenation on Why & How Your Website should use HTTPS (SSL/TLS). Increase Security, Speed, SEO, Branding, Trust, & Customer Experience

1. HTTPS
Why Your Website Should Use HTTPS and How
Seattle WordPress Meetup
March 15, 2016
Speaker
Joe Fletcher
@merchantguru

2. HTTPS: // Overview
HTTPS vs HTTP
Why and Why Now?
Implementation Overview
Resources

3. HTTPS vs HTTP
What’s the diff?
Not easily manipulated
Encrypted (SSL/TLS)
Verifies ownership
Plain text and easily read
Easily manipulated
History tracked and profiled
HTTP
Secure from Bad GuysEasily Read & Manipulated
HTTPS

4. HTTPS: // 2 Main Types
Extended Validation (EV)Domain Validation (DV)

5. HTTPS: // Examples
IE 11
Edge
Safari
Firefox
Chrome
Domain Validation Extended Validation
Padlock Name… and more green

6. SEO
Speed
Trust & Branding
Browser Warnings
HTML5 (geolocation, etc.)
ISP/Carrier Manipulation
Credit Card Processing
Security & Privacy
Peace of Mind
HTTPS: // Why?
BTW, WordPress logins & dashboards are not secure without https!
— And browsers are stepping up their warnings

7. Google Ranks HTTPS Higher
— Improve your SEO
HTTP/2 Speed Increase 50%+
— Requires HTTPS
Free, Automated Certificates
— Let’s Encrypt
— Symantec (soon)
HTTPS Everywhere
— Green/padlock becoming the standard
— Surveillance concerns
— U.S. Federal website requirement
HTTPS: // Why Now?

8. Implementation Overview
UPDATE
TEST
BUY
INSTALL

9. Major SSL Certificate Brands
UPDATE TESTBUY INSTALL

10. SSL Certificate Sources
Free Services & DNS
CloudFlare
AWS Certificate Manager
Do It Yourself ($7-$1000+)
thesslstore.com
ssls.com
gogetssl.com
GoDaddy
Comodo
CertSimple (EV)
Free Do It Yourself
Comodo (90 days)
Let’s Encrypt (90 days)
Symantec (coming soon via web hosts)
Managed WP Hosting
WP Engine: $49/yr, installed + https configured
Liquid Web: free, installed for you
SiteGround: free, install via cPanel
DreamHost: free, install via control panel
UPDATE TESTBUY INSTALL

11. Installing an SSL Certificate
Follow Instructions from Your SSL Vendor & Web Host
UPDATE TESTBUY INSTALL
Generate CSRBuy SSL
SSL Vendor Your Host
Verification Install SSL
CSR
SSL

12. Update Old HTTP References
For example: jQuery, Google Fonts, CDN Assets
Protocol Relative URLs no longer recommended
UPDATE TESTBUY INSTALL
Do: <script src="https://www.everyasset.com/myasset.js"></script>
Don’t: <script src="http://www.everyasset.com/myasset.js"></script>
Don’t: <script src="//www.everyasset.com/myasset.js"></script>
URLs should use only: https://
Use CDNs with HTTPs option
SEO: Best to use subdomain: https://cdn.yourdomain.com/
- KeyCDN & AWS Certificate Manager free & easy options

13. Update WordPress References
Images
CSS
JS
Iframes
Forms
Settings
Plugin Options
Content Editor
May need to override
Contact plugin developer
Search & Replace plugin
WP Migrate DB plugin
WP CLI
UPDATE TESTBUY INSTALL
WordPress Database: Settings & Content
WordPress Theme Files WordPress Plugins
BEST TO USE

14. Force HTTPS Everywhere
Redirect HTTP to HTTPS
.htaccess or nginx redirect rules (301 redirect)
plugins: Really Simple SSL plugin + WP Force SSL plugin
UPDATE TESTBUY INSTALL
Google Search Console
(add a new profile
https://support.google.com/webmasters/answer/6033049)
Google Analytics
Sitemap
Robots.txt
Canonical tags
Social media
Ads
Directory listings
Email templates
Forms (MailChimp, etc)
Use HTTPS Everywhere From Now On:

15. Test
Especially for Mixed Content UPDATE TESTBUY INSTALL
Mixed Content May “Break Your Site”, Cause Warnings,
or Prevent the Green / Padlock
should be

16. Test Tools
www.whynopadlock.com
UPDATE TESTBUY INSTALL
Chrome Dev Tools

17. Recommended Reading
A few practical, real-world examples why HTTPS is important
https://certsimple.com/blog/ssl-why-do-i-need-it
Great how-to resources
https://www.keycdn.com/blog/http-to-https/
https://developers.google.com/web/fundamentals/security/
https://support.google.com/webmasters/answer/6073543
https://https.cio.gov/ … especially … https://https.cio.gov/mixed-content/
Use a custom domain with AWS CloudFront
https://deliciousbrains.com/custom-domain-https-cloudfront/
TLS performance checklist for server admins
http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_performance_checklist_2
What developers should know about SSL but probably don’t
https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl
Deep dive videos
Part I: https://youtu.be/d2GmcPYWm5k & Part II: https://youtu.be/rnM2qAfEG-M

18. Thank You!
Seattle WordPress Meetup
March 15, 2016
Speaker
Joe Fletcher
@merchantguru
merchantguru.com/https

19. Appendix

20. Advanced
Force HTTPS Across Your Site
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
server {
listen 80;
server_name yoursite.com;
return 301 https://$server_name$request_uri;
}
Really Simple SSL plugin
+
WP Force SSL plugin
nginx
.htaccess
plugins 2 recommended plugins, but didn’t
work on my test nginx hosted site:
Easy HTTPS Redirection
SSL Insecure Content Fixer

21. HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to
protect visitors by ensuring that their browsers always connect to a website over HTTPS.
HSTS exists to remove the need for the common, insecure practice of redirecting users from
http:// to https:// URLs. Strict-Transport-Security
When a browser knows that a domain has enabled HSTS, it does two things:
Always uses an https:// connection, even when clicking on an http:// link or after typing a
domain into the location bar without specifying a protocol.
Removes the ability for users to click through warnings about invalid certificates.

22. Advanced
Strict Transport Security Header
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload”
</IfModule>
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload”;
Really Simple SSL plugin
nginx
.htaccess
plugins

23. Misc
Chrome Mobile
DV looks same as EV
No More Warning

24. Misc
IE6 no longer supported (TLS 1.0+)
IE6-8 on Windows XP, and Android 2.3 browser unless dedicated IP address is used (SNI)

25. Installing an SSL Certificate
Buy an SSL Certificate
1. Generate a “Certificate Signing Request” (CSR) on your server
2. Give CSR to SSL certificate vendor
3. Vendor verifies you own the domain
4. Vendor provides SSL certificate
Install Certificate (options)
* Upload/paste it via SSL Certificates area of your control panel
* Open support ticket with your web host
Generally, follow the instructions
from your SSL certificate vendor
UPDATE TESTBUY INSTALL

26. CDNs with Free Custom SSL Certificates
For subdomains, i.e., https://cdn.yoursite.com
KeyCDN*
CDN77*
CloudFlare
AWS CloudFront
* Capitalize on HTTP/2 for increased speed

27. Referral Links
KeyCDN https://www.keycdn.com/?a=8580
https://www.merchantguru.com/go/wpengine/WP Engine