Why Your Website Should Use HTTPS and How

  1. Why Your Website Should Use HTTPS and How
     Seattle WordPress Meetup, March 15, 2016
     Speaker: Joe Fletcher (@merchantguru)
  2. Overview: HTTPS vs HTTP; Why and Why Now?; Implementation Overview; Resources
  3. HTTPS vs HTTP: what's the diff?
     HTTP (easily read & manipulated):
       - Plain text and easily read
       - Easily manipulated
       - History tracked and profiled
     HTTPS (secure from bad guys):
       - Encrypted (SSL/TLS)
       - Not easily manipulated
       - Verifies ownership
  4. Two main types of certificate: Domain Validation (DV) and Extended Validation (EV)
  5. Examples (IE 11, Edge, Safari, Firefox, Chrome):
     - Domain Validation: padlock
     - Extended Validation: padlock plus the verified organization name… and more green
  6. Why?
     - SEO
     - Speed
     - Trust & Branding
     - Browser Warnings
     - HTML5 features (geolocation, etc.)
     - ISP/Carrier Manipulation
     - Credit Card Processing
     - Security & Privacy
     - Peace of Mind
     BTW, WordPress logins & dashboards are not secure without HTTPS: over plain HTTP the password and the logged-in session cookie travel in clear text, readable and replayable by anyone on the network path. And browsers are stepping up their warnings.
  7. Why Now?
     - Google ranks HTTPS higher: improve your SEO
     - HTTP/2 speed increase of 50%+: requires HTTPS (browsers implement HTTP/2 only over TLS)
     - Free, automated certificates: Let's Encrypt, Symantec (soon)
     - HTTPS Everywhere: green/padlock becoming the standard
     - Surveillance concerns
     - U.S. Federal website requirement (the HTTPS-Only Standard, OMB M-15-13, requires all public federal websites to use HTTPS)
  8. Implementation Overview: 1. Buy, 2. Install, 3. Update, 4. Test
  9. Major SSL Certificate Brands (logo slide)
  10. SSL Certificate Sources
     Free Services & DNS: CloudFlare, AWS Certificate Manager
     Do It Yourself ($7-$1000+): thesslstore.com, ssls.com, gogetssl.com, GoDaddy, Comodo, CertSimple (EV)
     Free Do It Yourself: Comodo (90 days), Let's Encrypt (90 days), Symantec (coming soon via web hosts)
     Managed WP Hosting:
       - WP Engine: $49/yr, installed + HTTPS configured
       - Liquid Web: free, installed for you
       - SiteGround: free, install via cPanel
       - DreamHost: free, install via control panel
  11. Installing an SSL Certificate: follow the instructions from your SSL vendor & web host
     Flow: you generate the CSR on your host -> buy the SSL certificate from the vendor -> vendor verifies the domain -> you install the issued certificate on your host
  12. Update Old HTTP References
     For example: jQuery, Google Fonts, CDN assets.
     URLs should use only https://. Protocol-relative URLs (//host/asset.js) are no longer recommended: they only made sense while a page had to work over both schemes, and once the whole site is HTTPS they just leave an http:// door open for any page that is still reached over HTTP.
       Do:    <script src="https://www.everyasset.com/myasset.js"></script>
       Don't: <script src="http://www.everyasset.com/myasset.js"></script>
       Don't: <script src="//www.everyasset.com/myasset.js"></script>
     Use CDNs with an HTTPS option. SEO: best to use a subdomain, e.g. https://cdn.yourdomain.com/ (KeyCDN & AWS Certificate Manager are free & easy options).
  13. Update WordPress References
     What to update: images, CSS, JS, iframes, forms, settings, plugin options, content editor.
     Where they live:
       - WordPress database (settings & content): best to use the Search & Replace plugin, the WP Migrate DB plugin, or WP-CLI (wp search-replace). These understand PHP-serialized option values; a plain SQL REPLACE() changes "http://" to "https://" but leaves every stored string length (the N in s:N:"...") one byte short, so PHP can no longer unserialize the value and the widget or plugin setting breaks.
       - WordPress theme files
       - WordPress plugins: may need to override; contact the plugin developer.
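A worked illustration of the serialized-data point on slide 13, added here as an example (my code, not from the slides or from any of the plugins named): the option values, URLs and helper names below are constructed. It shows what a plain SQL REPLACE() does to a PHP-serialized WordPress option and how a length-aware replace, the kind the recommended tools perform, keeps the value loadable.

```python
import re

# Constructed sample option values, shaped like rows from wp_options:
# a plain URL, a PHP-serialized widget array (the s:N:"..." tokens carry
# byte lengths), and a value that is already https.
SAMPLE_ROWS = {
    "siteurl": "http://www.example.com",
    "widget_text": 'a:2:{s:5:"title";s:4:"Logo";s:3:"url";'
                   's:31:"http://www.example.com/logo.png";}',
    "home": "https://www.example.com",
}
OLD = "http://www.example.com"
NEW = "https://www.example.com"

# PHP serialized string token: s:<byte length>:"<bytes>";
_SER_STR = re.compile(rb's:(\d+):"')


def naive_replace(value: str, old: str = OLD, new: str = NEW) -> str:
    """What UPDATE ... SET option_value = REPLACE(option_value, old, new)
    does: the text changes, the recorded byte lengths do not."""
    return value.replace(old, new)


def _replace_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    out, pos = [], 0
    for m in _SER_STR.finditer(data):
        if m.start() < pos:
            continue  # this "s:" sits inside a string body already consumed
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if data[end:end + 2] != b'";':
            continue  # length does not line up: not a real string token
        # bytes between tokens (a:2:{ ...) carry no URLs; a plain,
        # unserialized value never matches and is handled by the tail below
        out.append(data[pos:m.start()].replace(old, new))
        # a string body may itself hold serialized data (nested options): recurse
        body = _replace_bytes(data[start:end], old, new)
        out.append(b's:%d:"%s";' % (len(body), body))
        pos = end + 2
    out.append(data[pos:].replace(old, new))
    return b"".join(out)


def replace_in_serialized(value: str, old: str = OLD, new: str = NEW) -> str:
    """Replace old with new, recomputing every s:N:"..." length. PHP counts
    bytes, so the work is done on UTF-8 bytes rather than characters."""
    return _replace_bytes(value.encode(), old.encode(), new.encode()).decode()


def lengths_consistent(value: str) -> bool:
    """Cheap check that every s:N:"..." token is followed by '";' exactly
    N bytes later, i.e. PHP's unserialize() would not reject the value."""
    data, pos = value.encode(), 0
    for m in _SER_STR.finditer(data):
        if m.start() < pos:
            continue
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True


def rewrite_rows(rows: dict) -> dict:
    """Apply the length-aware replace to every option value."""
    return {name: replace_in_serialized(value) for name, value in rows.items()}


if __name__ == "__main__":
    broken = naive_replace(SAMPLE_ROWS["widget_text"])
    print("naive:", broken, "->", "ok" if lengths_consistent(broken) else "BROKEN")
    for name, value in rewrite_rows(SAMPLE_ROWS).items():
        print(f"{name}: {value} -> {'ok' if lengths_consistent(value) else 'BROKEN'}")
```

Run it and the naive version of widget_text comes out with s:31: in front of a 32-byte string, which is exactly the row that makes a widget vanish after a blind database replace; the length-aware version is accepted.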
  14. Force HTTPS Everywhere
     Redirect HTTP to HTTPS: .htaccess or nginx redirect rules (301 redirect), or plugins: Really Simple SSL + WP Force SSL.
     Use HTTPS everywhere from now on:
       - Google Search Console (add the https:// site as a new property/profile: https://support.google.com/webmasters/answer/6033049)
       - Google Analytics
       - Sitemap
       - Robots.txt
       - Canonical tags
       - Social media
       - Ads
       - Directory listings
       - Email templates
       - Forms (MailChimp, etc.)
  15. Test, Especially for Mixed Content
     Mixed content is an https:// page that still loads a sub-resource (script, stylesheet, iframe, image, font) over http://. It may "break your site" (browsers block active content such as scripts, stylesheets and iframes), cause warnings (passive content such as images is loaded but flagged), or prevent the green padlock that should be there.
  16. Test Tools: www.whynopadlock.com; Chrome Dev Tools (the Console and Security panels list every blocked or insecure request)
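To make the slide 12 rewrite rule and the slide 15 mixed-content check concrete, here is an added example (my code, not a tool from the slides) that does offline what whynopadlock.com and the DevTools console do on a live page: it walks a constructed WordPress-style HTML document with the standard library's HTMLParser and reports every http:// or protocol-relative reference, sorted into what browsers block (active content), what they merely warn about (passive content), and what is not mixed content at all but still belongs on the slide 14 update list (links, canonical tags). The sample markup and hostnames are made up; the tag classification follows the browsers' active/passive split.

```python
import re
from html.parser import HTMLParser

# Constructed sample page carrying the kinds of stale references the slides list.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="http://www.example.com/">
<script src="http://code.jquery.com/jquery-1.12.0.min.js"></script>
<script src="https://cdn.example.com/app.js"></script>
<style>.hero { background: url(http://cdn.example.com/hero.jpg); }</style>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png" alt="logo">
<img srcset="//cdn.example.com/a.jpg 1x, https://cdn.example.com/a@2x.jpg 2x" src="https://cdn.example.com/a.jpg">
<iframe src="http://player.example.net/embed/1"></iframe>
<form action="http://www.example.com/subscribe"></form>
<a href="http://www.example.com/about">About</a>
<div style="background-image:url('//cdn.example.com/bg.png')"></div>
</body></html>
"""

ACTIVE = {"script", "iframe", "object", "embed", "form", "style"}  # blocked over http on an https page
PASSIVE = {"img", "audio", "video", "source", "track"}             # loaded, but the padlock is lost
URL_ATTRS = {"src", "href", "action", "data", "poster"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")


def classify(tag: str, attr: str, rel: str, url: str):
    """Return the finding kind for one reference, or None if it is fine."""
    if url.startswith("//"):
        return "protocol-relative"   # works on https, but slide 12 says rewrite it
    if not url.lower().startswith("http://"):
        return None
    if tag in ("a", "area") or (tag == "link" and "stylesheet" not in rel):
        return "http-reference"      # navigation/metadata: not mixed content, still update
    if tag in ACTIVE or attr == "style" or tag == "link":
        return "active-mixed"        # scripts, CSS, frames, form targets: browser blocks
    return "passive-mixed" if tag in PASSIVE else "other-mixed"


def upgrade(url: str) -> str:
    """The rewrite the slide asks for: force https:// on both stale forms."""
    return "https:" + url if url.startswith("//") else "https://" + url[len("http://"):]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _record(self, tag, attr, rel, url):
        kind = classify(tag, attr, rel, url)
        if kind:
            self.findings.append({"line": self.getpos()[0], "tag": tag, "attr": attr,
                                  "url": url, "kind": kind, "fix": upgrade(url)})

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        rel = attrs.get("rel", "").lower()
        if tag == "style":
            self._in_style = True
        for attr, value in attrs.items():
            if attr in URL_ATTRS:
                self._record(tag, attr, rel, value.strip())
            elif attr == "srcset":          # "url 1x, url 2x": first token of each candidate
                for cand in value.split(","):
                    if cand.split():
                        self._record(tag, attr, rel, cand.split()[0])
            elif attr == "style":           # inline CSS url(...)
                for u in CSS_URL.findall(value):
                    self._record(tag, attr, rel, u)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                  # <style> blocks: url(...) references
            for u in CSS_URL.findall(data):
                self._record("style", "url()", "", u)


def scan(html: str) -> list:
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_HTML)
    for f in results:
        print(f"line {f['line']:>2} <{f['tag']} {f['attr']}> {f['kind']:<17} {f['url']} -> {f['fix']}")
    print(summarize(results))
```

On the sample page the four active-mixed findings (the jQuery script, the stylesheet url(), the iframe and the form action) are the ones that would "break your site"; the image is the one that only costs the padlock; the three protocol-relative references work today and are still flagged because slide 12 wants them gone.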
  17. Recommended Reading
     A few practical, real-world examples of why HTTPS is important: https://certsimple.com/blog/ssl-why-do-i-need-it
     Great how-to resources:
       https://www.keycdn.com/blog/http-to-https/
       https://developers.google.com/web/fundamentals/security/
       https://support.google.com/webmasters/answer/6073543
       https://https.cio.gov/ … especially … https://https.cio.gov/mixed-content/
     Use a custom domain with AWS CloudFront: https://deliciousbrains.com/custom-domain-https-cloudfront/
     TLS performance checklist for server admins: http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_performance_checklist_2
     What developers should know about SSL but probably don't: https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl
     Deep dive videos: Part I: https://youtu.be/d2GmcPYWm5k & Part II: https://youtu.be/rnM2qAfEG-M
  18. Thank You! Seattle WordPress Meetup, March 15, 2016. Speaker: Joe Fletcher (@merchantguru), merchantguru.com/https
  19. Appendix
  20. Advanced: Force HTTPS Across Your Site
     .htaccess (Apache):
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{HTTPS} !=on
       RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
       </IfModule>
     nginx:
       server {
           listen 80;
           server_name yoursite.com;
           return 301 https://$server_name$request_uri;
       }
     Plugins: Really Simple SSL plugin + WP Force SSL plugin.
     2 recommended plugins, but they didn't work on my test nginx-hosted site: Easy HTTPS Redirection, SSL Insecure Content Fixer.
     Two things to check before relying on the Apache rule: behind a TLS-terminating proxy or CDN (CloudFlare, for instance) the request reaches your origin over plain HTTP, so %{HTTPS} is never "on" and the rule redirects forever; in that setup test the X-Forwarded-Proto header instead. And %{HTTP_HOST} echoes whatever Host header the client sent, so put your canonical hostname in the target if you also want the redirect to normalise the domain.
  21. HTTP Strict Transport Security (HSTS)
     HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs: a 301 still lets the first request (and any cookies on it) go out in the clear, where an attacker on the path can answer in place of your server.
     Header: Strict-Transport-Security
     When a browser knows that a domain has enabled HSTS, it does two things:
       - Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
       - Removes the ability for users to click through warnings about invalid certificates.
     The browser only learns the policy from a header received over a valid HTTPS connection (RFC 6797), so the very first visit still depends on the redirect unless the domain is on the browsers' built-in preload list.
  22. Advanced: Strict-Transport-Security Header
     .htaccess (Apache):
       <IfModule mod_headers.c>
       Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload"
       </IfModule>
     nginx:
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
     Plugin: Really Simple SSL.
     Notes: the closing quote must be a straight ASCII quote; a curly ” pasted from slides breaks the directive in both Apache and nginx. Send the header only from the HTTPS server block, since browsers ignore it over plain HTTP anyway. includeSubDomains commits every subdomain (mail., dev., cdn.) to HTTPS for max-age seconds, and preload asks for the domain to be baked into browsers, which is very hard to undo, so start with a short max-age (e.g. 300), confirm nothing breaks, then raise it. hstspreload.org now requires a max-age of at least one year (31536000), so the 16070400 (186 days) in the Apache example is too short for a preload submission.
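The two bullets on slide 21 and the header values on slide 22 describe browser-side behaviour that is easy to get wrong when deploying. The following added example (my code, not from the slides or from any browser) models that behaviour: it parses a Strict-Transport-Security value per RFC 6797, checks it against the current hstspreload.org requirements, and simulates the browser cache that turns a remembered policy into an automatic http:// to https:// upgrade, including the rules people trip over: the header is ignored over plain HTTP, includeSubDomains covers every subdomain, max-age=0 un-enrols, and the policy expires after max-age seconds. Hostnames and timestamps are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age hstspreload.org accepts today


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    received_at: float  # seconds; the policy expires at received_at + max_age


def parse_hsts(header: str, now: float) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Directive names are case-insensitive (includeSubdomains == includeSubDomains),
    max-age is mandatory, and unknown directives are ignored."""
    max_age, include, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include, preload, now)


def preload_problems(policy: HstsPolicy) -> list:
    """Why hstspreload.org would reject this header, if it would."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


class HstsStore:
    """The browser's HSTS cache, reduced to what decides an upgrade."""

    def __init__(self):
        self._hosts = {}

    def observe(self, host: str, header: str, over_https: bool, now: float) -> None:
        # RFC 6797 section 8.1: the header only counts when it arrives over a
        # secure connection with no certificate errors; over http:// it is noise.
        if not over_https:
            return
        policy = parse_hsts(header, now)
        if policy.max_age == 0:            # max-age=0 is how a site un-enrols itself
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = policy

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or any parent domain whose policy says includeSubDomains."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._hosts.get(candidate)
            if policy is None or now - policy.received_at > policy.max_age:
                continue                   # unknown or expired
            if candidate == host or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """What the browser does before any request leaves: http -> https, and an
        explicit port 80 becomes the default 443 (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc.rsplit(":", 1)[0] if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    now = 1_458_000_000.0  # constructed timestamp
    store, hdr = HstsStore(), "max-age=31536000; includeSubdomains; preload"
    store.observe("yoursite.com", hdr, over_https=False, now=now)  # ignored: came over http
    print(store.rewrite("http://yoursite.com/wp-login.php", now))
    store.observe("yoursite.com", hdr, over_https=True, now=now)
    print(store.rewrite("http://yoursite.com/wp-login.php", now))
    print(store.rewrite("http://cdn.yoursite.com:80/a.js", now))
    print(preload_problems(parse_hsts("max-age=16070400; includeSubDomains; preload", now)))
```

Feeding the slide's Apache value into preload_problems reports only the max-age shortfall; the nginx value passes. The store shows why slide 21 says the redirect is still needed: until a policy has been received over HTTPS, http://yoursite.com/wp-login.php leaves the browser untouched.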
  23. Misc: Chrome Mobile shows DV the same as EV (no organization name). No more warning.
  24. Misc: browser support
     - IE6 is no longer supported: servers now require TLS 1.0+, and IE6 only speaks SSL 3.0 by default.
     - IE6-8 on Windows XP and the Android 2.3 browser do not support SNI (Server Name Indication), so they cannot pick the right certificate on a shared IP; they only work if a dedicated IP address is used.
  25. Installing an SSL Certificate
     Buy an SSL certificate:
       1. Generate a "Certificate Signing Request" (CSR) on your server (the matching private key is created at the same time and stays on the server; only the CSR goes to the vendor).
       2. Give the CSR to the SSL certificate vendor.
       3. Vendor verifies you own the domain.
       4. Vendor provides the SSL certificate.
     Install the certificate (options):
       - Upload/paste it via the SSL Certificates area of your control panel
       - Open a support ticket with your web host
     Generally, follow the instructions from your SSL certificate vendor.
  26. CDNs with Free Custom SSL Certificates (for subdomains, i.e. https://cdn.yoursite.com): KeyCDN*, CDN77*, CloudFlare, AWS CloudFront
     * Capitalize on HTTP/2 for increased speed
  27. Referral Links: KeyCDN https://www.keycdn.com/?a=8580 ; WP Engine https://www.merchantguru.com/go/wpengine/