Why Your Website Should Use HTTPS and How

  1. HTTPS Why Your Website Should Use HTTPS and How Seattle WordPress Meetup March 15, 2016 Speaker Joe Fletcher @merchantguru
  2. Overview: HTTPS vs HTTP; Why and Why Now?; Implementation Overview; Resources
  3. HTTPS vs HTTP: what’s the diff?
     - HTTP: plain text and easily read; easily manipulated; history tracked and profiled (easily read & manipulated)
     - HTTPS: encrypted (SSL/TLS); not easily manipulated; verifies ownership (secure from bad guys)
  4. 2 main types: Extended Validation (EV) and Domain Validation (DV)
  5. Examples (IE 11, Edge, Safari, Firefox, Chrome). Domain Validation: padlock. Extended Validation: padlock, name… and more green.
  6. Why? SEO; speed; trust & branding; browser warnings; HTML5 (geolocation, etc.); ISP/carrier manipulation; credit card processing; security & privacy; peace of mind. BTW, WordPress logins & dashboards are not secure without HTTPS, and browsers are stepping up their warnings.
  7. Why Now? Google ranks HTTPS higher (improve your SEO); HTTP/2 speed increase of 50%+ (requires HTTPS); free, automated certificates (Let’s Encrypt; Symantec, soon); HTTPS Everywhere (green/padlock becoming the standard; surveillance concerns; U.S. Federal website requirement).
  8. Implementation Overview UPDATE TEST BUY INSTALL
  9. Major SSL Certificate Brands
  10. SSL Certificate Sources
     - Free services & DNS: CloudFlare; AWS Certificate Manager
     - Do it yourself ($7-$1000+): GoDaddy; Comodo; CertSimple (EV)
     - Free, do it yourself: Comodo (90 days); Let’s Encrypt (90 days); Symantec (coming soon via web hosts)
     - Managed WP hosting: WP Engine ($49/yr, installed + HTTPS configured); Liquid Web (free, installed for you); SiteGround (free, install via cPanel); DreamHost (free, install via control panel)
  11. Installing an SSL Certificate: follow the instructions from your SSL vendor & web host. Flow diagram: you generate a CSR and buy the SSL certificate; the SSL vendor performs verification and issues the SSL certificate; you install it with your host.
  12. Update Old HTTP References, for example jQuery, Google Fonts, CDN assets. Protocol-relative URLs are no longer recommended.
     Do: <script src=""></script>
     Don’t: <script src=""></script>
     Don’t: <script src="//"></script>
     URLs should use only https://. Use CDNs with an HTTPS option. SEO: best to use a subdomain. KeyCDN & AWS Certificate Manager are free & easy options.
  13. Update WordPress References
     - Where: WordPress database (settings & content); WordPress theme files; WordPress plugins
     - What: images, CSS, JS, iframes, forms, settings, plugin options, content editor; may need to override; contact the plugin developer
     - Tools (best to use): Search & Replace plugin; WP Migrate DB plugin; WP CLI
  14. Force HTTPS Everywhere: redirect HTTP to HTTPS with .htaccess or nginx redirect rules (301 redirect), or with plugins: Really Simple SSL plugin + WP Force SSL plugin.
     Use HTTPS everywhere from now on: Google Search Console (add a new profile); Google Analytics; sitemap; robots.txt; canonical tags; social media; ads; directory listings; email templates; forms (MailChimp, etc.).
  15. Test, especially for mixed content. Mixed content may “break your site”, cause warnings, or prevent the green / padlock.
  16. Test Tools: Chrome Dev Tools
  17. Recommended Reading
     - A few practical, real-world examples why HTTPS is important
     - Great how-to resources … especially …
     - Use a custom domain with AWS CloudFront
     - TLS performance checklist for server admins
     - What developers should know about SSL but probably don’t
     - Deep dive videos: Part I: & Part II:
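Added example (not from the slides): a stdlib-only Python scanner that does the checks behind slides 12 and 15, flagging http:// and protocol-relative src/href/action references in a constructed HTML page and proposing the https:// rewrite; the tag and attribute table is an illustrative subset, not a complete list.

```python
# Added example (not from the slides): stdlib-only scan for http:// and
# protocol-relative references, i.e. the "update old HTTP references" and
# "test for mixed content" steps. Tag/attribute coverage is illustrative.
from html.parser import HTMLParser

URL_ATTRS = {"script": ("src",), "img": ("src",), "link": ("href",),
             "iframe": ("src",), "form": ("action",), "source": ("src",)}

class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, attr, url, reason) for every insecure reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for <img ... />
        for attr, value in attrs:
            if attr not in URL_ATTRS.get(tag, ()) or not value:
                continue
            url = value.strip()
            if url.lower().startswith("http://"):
                reason = "http"               # mixed content: browsers block or warn
            elif url.startswith("//"):
                reason = "protocol-relative"  # loads over https, but not recommended
            else:
                continue
            self.findings.append((self.getpos()[0], tag, attr, url, reason))

def find_insecure_refs(html):
    parser = InsecureRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def suggest_fix(url):
    """Rewrite to https:// (confirm the host actually serves HTTPS first)."""
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return "https:" + url if url.startswith("//") else url

# Constructed sample page: two http:// references and one protocol-relative one
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.example/css?family=Lato">
<script src="//code.jquery.example/jquery.min.js"></script>
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://cdn.example/logo.png">
<form action="https://example.test/subscribe"><input></form>
</body></html>"""
```

Run `find_insecure_refs` over a saved page and pass each flagged URL to `suggest_fix`; the line numbers point at the tags to edit in the theme, plugin or post content.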
  18. Thank You! Seattle WordPress Meetup March 15, 2016 Speaker Joe Fletcher @merchantguru
  19. Appendix
  20. Advanced: Force HTTPS Across Your Site
     .htaccess:
         <IfModule mod_rewrite.c>
             RewriteEngine On
             RewriteCond %{HTTPS} !=on
             RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
         </IfModule>
     nginx:
         server {
             listen 80;
             server_name;
             return 301 https://$server_name$request_uri;
         }
     plugins: Really Simple SSL plugin + WP Force SSL plugin
     2 recommended plugins, but didn’t work on my test nginx hosted site: Easy HTTPS Redirection; SSL Insecure Content Fixer
  21. HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. The header is Strict-Transport-Security. When a browser knows that a domain has enabled HSTS, it does two things:
     - Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
     - Removes the ability for users to click through warnings about invalid certificates.
  22. Advanced: Strict Transport Security Header
     .htaccess:
         <IfModule mod_headers.c>
             Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload"
         </IfModule>
     nginx:
         add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
     plugins: Really Simple SSL plugin
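Added example (not from the slides): a Python checker for the header values on slide 22. It parses the Strict-Transport-Security value as RFC 6797 specifies (directive names case-insensitive, unknown directives ignored, max-age required) and reports what would block submission to the hstspreload.org preload list, assuming that list’s current criteria of max-age at least 31536000 seconds (one year), includeSubDomains and preload; the Apache value on the slide fails the max-age requirement under that assumption, the nginx value passes.

```python
# Added example (not from the slides): parse a Strict-Transport-Security
# value and report what would block submission to the hstspreload.org list.
# Assumptions: directive names are case-insensitive and unknown ones are
# ignored (RFC 6797 section 6.1); preload needs max-age >= 31536000 (one
# year), includeSubDomains and preload, the hstspreload.org criteria at the
# time of writing. Redirect and certificate checks are out of scope here.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(header_value):
    """Return {"max-age": int, "includesubdomains": bool, "preload": bool}."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')       # max-age="300" is legal too
            if not value.isdigit():
                raise ValueError(f"invalid max-age in {directive!r}")
            result["max-age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            result[name] = True
        # any other directive is ignored, as the RFC requires
    if result["max-age"] is None:
        raise ValueError("max-age directive is required")
    return result

def preload_problems(header_value):
    """List the preload-list requirements this value fails; [] if it is ready."""
    hsts = parse_hsts(header_value)
    problems = []
    if hsts["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {hsts['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if not hsts["includesubdomains"]:
        problems.append("includeSubDomains missing")
    if not hsts["preload"]:
        problems.append("preload missing")
    return problems

# The two header values from the slide above (Apache and nginx)
APACHE_VALUE = "max-age=16070400; includeSubDomains; preload"
NGINX_VALUE = "max-age=31536000; includeSubdomains; preload"

if __name__ == "__main__":
    for label, value in (("Apache", APACHE_VALUE), ("nginx", NGINX_VALUE)):
        print(label, preload_problems(value) or "preload-ready")
```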
  23. Misc: in Chrome Mobile, DV looks the same as EV. No more warning.
  24. Misc: IE6 is no longer supported (TLS 1.0+). IE6-8 on Windows XP and the Android 2.3 browser are not supported unless a dedicated IP address is used (no SNI support).
  25. Installing an SSL Certificate
     Buy an SSL certificate:
       1. Generate a “Certificate Signing Request” (CSR) on your server
       2. Give the CSR to the SSL certificate vendor
       3. Vendor verifies you own the domain
       4. Vendor provides the SSL certificate
     Install the certificate (options):
       * Upload/paste it via the SSL Certificates area of your control panel
       * Open a support ticket with your web host
     Generally, follow the instructions from your SSL certificate vendor.
  26. CDNs with Free Custom SSL Certificates (for subdomains, i.e., ): KeyCDN*; CDN77*; CloudFlare; AWS CloudFront. * Capitalize on HTTP/2 for increased speed.
  27. Referral Links KeyCDN Engine