January 2017 presentation to the Toronto WordPress group WP Todoers. Explains key steps in choosing an SSL certificate and then implementing it successfully on a WordPress site. Intended for beginning and intermediate WordPress users.
2. Brief recap of December's presentation
• SSL stands for Secure Sockets Layer.
Source: www.digicert.com
3. Types and installation
Dedicated:
• not free (exception is letsencrypt.org)
• one per domain
• usually includes insurance
• should be used for commercial ventures
Shared:
• free
• host provider uses for multiple domains
• perfectly fine for a blog
Two types
Notes:
Have your host provider install it unless you are technically capable.
Host provider will likely have limitations on what you are permitted to do.
4. How do I know a website is secure?
Look for a website starting with https://
Secure sites vs. Not Secure sites: address bar examples for Chrome, Firefox, Edge and IE (images not reproduced)
5. How do I know a website is secure?
Chrome example: click on the symbol
Then you will see:
6. How do I know a website is secure?
Chrome example: click on “Details”. Then you will see:
You will have to press F5 to get this going
7. How do I know a website is secure?
Then you will see:
Click on view certificate details
8. Okay, the certificate is installed, now what do I do?
• Six more steps
• Will vary depending on your circumstances
• No PHP or Java to finish this successfully (Yay!)
So here we go.....
10. 2. Update your .htaccess file
What's a 301 redirect?
A 301 redirect is a command used to tell the search engines that a page has permanently moved, and that you want them to
index the new page and drop the old one from their index.
Think of it as a change of address card for the web. As long as everything is done correctly, a 301 redirect will ensure that you keep
the rankings earned by the old page and prevent duplicate content that could arise if the engines were to index both versions of your
site.
Source: www.bruceclay.com
Redirect your users to the new URL for your site by changing your
.htaccess file in front of your wordpress site.
14. Other options for completing a 301 redirect
• Update your 301 redirects in Yoast (premium version)
• Edit your .htaccess file manually (not recommended unless you really know what you are doing)
15. Test of course!
1. Clear your browser cache and purge your site cache if you have one.
2. Browse to your website. Check the symbol.
3. Not secure? Click View details, or test using www.whynopadlock.com.
4. Test all of the functionality on your site, links, buttons, images.
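One way to check the 301 redirect step during testing, as an added example that is not part of the original presentation: it inspects a single redirect response for each old URL and reports anything other than a permanent redirect to the https:// address on one host. The domain example.com, the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

CANONICAL_HOST = "example.com"  # assumption: placeholder for your own domain


def fetch_hop(url, timeout=10):
    """Request url once without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(requested_url, status, location, canonical_host=CANONICAL_HOST):
    """Return the problems found in one redirect response (empty list = OK)."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent)")
    if not location:
        problems.append("no Location header")
        return problems
    src = urlsplit(requested_url)
    dst = urlsplit(urljoin(requested_url, location))  # resolves a relative Location
    if dst.scheme != "https":
        problems.append(f"target scheme is {dst.scheme}, expected https")
    if dst.hostname != canonical_host:
        problems.append(f"target host is {dst.hostname}, expected {canonical_host}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved")
    return problems


# Constructed sample responses: (old URL, status, Location header).
SAMPLE_RESPONSES = [
    ("http://example.com/shop?item=3", 301, "https://example.com/shop?item=3"),
    ("http://www.example.com/", 302, "https://example.com/"),
    ("http://example.com/about", 301, "http://www.example.com/about"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLE_RESPONSES:
        print(url, "->", check_redirect(url, status, location) or "OK")
    # Live use: status, location = fetch_hop("http://example.com/")
```

Run it against both the www and the bare form of the old address; a 302 or a target that is still http:// means the redirect rule needs another look.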
21. 4. Do you use a CDN?
What's a CDN?
A content delivery network or content distribution network (CDN) is a large distributed system of
servers deployed in multiple data centres across the Internet. The goal of a CDN is to serve
content to end-users with high availability and high performance.
Source: wikipedia
27. 6. Update your privacy policy
Make sure your visitors know SSL was a conscious act on your part and
re-emphasize that you take your user's security seriously...
extract from www.trickswithsticks.ca privacy policy
“Your personal information is contained behind secured networks and is only accessible by a limited number of
persons who have special access rights to such systems, and are required to keep the information confidential. In
addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.”
28. BTW...
I'm Peg Perry, B.Math, MBA, MCPM
pegperry@gmail.com
Avid knitter, proprietor of
www.trickswithsticks.ca,
moving on after a 40 year career in classic IT,
ending with a speciality in CRM systems,
fairly new to Wordpress but finding delight in
all its possibilities.
......yup we're done!
THANKS!
Editor's Notes
Welcome to part 2 of SSL. My name is Peg Perry and this is a follow-on to Conrad's presentation from December.
Conrad looked at types of certificates and the steps needed to install on your host
Today we'll look at the additional steps needed to fully implement SSL on a Wordpress site.
There are pros in the room and they are welcome to chime in if I need some help
This session is intended for beginning to intermediate wordpressors so feel free to stop me with questions as we go if something is not completely clear.
For those who weren't here in December or need a refresher we'll start with a very fast recap of what Conrad covered previously; we need it as an intro for today's material.
SSL creates an encrypted pipe between the user's PC and your server.
Aware users do not submit private information to non-secure sites:
So an SSL certificate should be considered mandatory for commercial websites
Google's direction is to move all sites on the web to a secure state.
Will be a significant ranking factor for Google starting in 2017:
so an SSL certificate is also highly recommended for non-commercial sites
In December Conrad described two types of certificates, dedicated and shared
Dedicated SSL gives you a dedicated IP so there must always be one domain per certificate. There are different levels of dedicated at increasing costs providing increased levels of insurance and security
Installing an SSL certificate is not an easy process so it's best to have your provider do the install.
Letsencrypt is a good solution for wordpress.com users. There is support documentation in the wordpress.com support forums for that.
Conrad explained that any user can check the status of any website and that different browsers have different ways of displaying the information on the status
I've listed examples of what you see in a URL for a secure site and an insecure site here for the Chrome, Firefox, Edge and IE browsers
let's go through an example using Chrome - do demo if possible www.nixthetricks.com
Click on the lock or i symbol to open a pop-up window which gives you a summary of the security status
Then you can click on Details to get even more information
This site warns you that it is not secure
demo site is www.nixthetricks.com which is not secure
When you click on Details you get even more information
on the right of the screen you can see each resource being used by the page
Chrome has identified them with a green or red button, depending on whether they are secure or not
Now let's look at a secure site which has a certificate. Then click on view certificate to get the details of the certificate. Do the demo with tricks.
it's all perfectly transparent
This is the same process you will use in your testing of your own certificate
Different browsers do these steps differently so experiment with your favourite browser and figure out how it works
That's pretty much what we covered in December. But whether it's a free or dedicated certificate, there are some additional steps that you need to do in the front end of Wordpress, in order to complete the implementation.
Most of the guidance I've seen in forums refers to 2 additional steps but I have found that there are more than that
Depending on your circumstances you may not need all of the six steps I'm going to outline here.
The good news is that none of these require Java or PHP so you probably won't need any more expert help to complete the implementation.
The first step is to navigate to your site's Dashboard and update the General Settings
Does everyone here know how to find the General Settings on the Dashboard? If not, you will need help with all this and you should seek it out before doing any of this.
Update both the Wordpress URL and the site address URL and save the new settings
Sites have htaccess files that control access to the sites.
However, Conrad found that it is not applicable to sites hosted on Siteground so skip this step if your host is Siteground.
The file is not part of your actual wordpress site, it sits in front of all the wordpress stuff. Think of it as the gateway to the site.
So you access it from cPanel usually not wordpress itself.
You need to redirect users and search engines to the new url for your site and you use the .htaccess file to do that
In it you create 301 redirect records that specify the replacement URL for your old insecure URL
Because you can really wreck the site by making wrong edits to this file, good host providers give you easy ways to edit the file safely
Do the demo
My provider has this set of tools available from its main menu, before I get to WP
do the demo
After selecting the .htaccess editor then I can choose the modification I need to make to the file,
Then I can easily give it the options I need and it will format the syntax in the file for me correctly
Note that I’ve redirected both www.tricks and tricks
Google considers www.tricks and tricks to be two different sites when counting page views for ranking. I want them counted as one in order to move up in the search rankings.
There are two additional options available to do this.
The two basic steps generally required for every wordpress site are now complete.
Next you need to test because.....
You want to make sure that you see the secure symbol in your browser and that your site has not been broken by the changes.
I’ll be explaining why this could happen in the next few minutes.
Here are the steps to take when testing
Start by clearing caches
Cache, both in your browser and on your wordpress site is a set of pages that are served faster because they are already stored. You want to clear any pre-stored old pages so that you are testing all the latest changes you have made.
Do you know how to clear your browser cache?
here's how to do it in Chrome - do the demo
Click F5 to reload the current page
To completely clear the history, click on the dot dot dot at the far right of the screen
A pop-up of options will appear
Click on History and then history again in the next pop-up
The blue screen shows the list of pages you've recently visited
Click on Clear Browsing data and your stored pages will clear from the browser cache
If you have also implemented a caching plugin such as W3Total Cache or WP SuperCache you should also clear that prior to testing. I'm not going to demonstrate that here because they all have different ways of being cleared.
why no padlock is a great testing tool, particularly for Mac users
works at the individual page level so you may need to run each page through it
target pages with images, sliders and buttons first
work through demo
this will also give you results for images and bad urls as well as htaccess example shown here.
Back to testing:
First you need to validate all the internal references on your site. Remember that every post, picture, page or custom post on your site has a url
Every http:// reference in your site needs to now use its https:// version or you will not see the lock symbol or your site will be broken.
WP does a great job of converting the standard stuff, like Media items.
BUT
WP may not handle everything perfectly.
Look at any references to Sliders, Features, Portfolio items, anything special you use on your site and verify they have been converted to https://. If not, edit the links and re save them.
This is why complete testing is important.
Now that you have taken care of the internal http references within your site, you need to take care of the external ones.
Content delivery networks speed up your site by moving parts of your site, such as pictures, to faster servers that are distributed worldwide, closer to your site visitors.
You need the CDN to both recognize your site's SSL certificate and serve up your content using SSL
Remember that your SSL certificate only deals with the pipe between your visitor and your host provider's server.
You need to have all of the external resources your site uses to be secure as well. That includes your payment service as well as your CDN service.
Every provider's setup will be different so click into the settings for your provider and set them up.
This is the example of Cloudflare and my own site.
I know that my provider took a little bit of time to re-cache the secure images, so you may find that it takes half a day or a day for it to cycle through.
Have you registered your site using Webmaster tools for Google, Bing and Yandex?
Registering in the various Webmaster tools is an essential thing to do. It's critical for your search rankings to let Google, Bing etc. know you are out there by registering with them and supplying your sitemap to them to help them index your pages faster.
It is recommended that you ensure all versions of your website have been registered with Google, Bing, etc. and reverify them.
Do the demo
The easy way to do the search registration is in the webmaster tools in Yoast
Yoast provides a link to each of the engines. Click on the link and it will take you to the Search console.
At the console acquire a unique key for your site. Once you have the key you store it in Yoast.
Then you go back to the search console and verify your site. The search console will look for the key in the header record of your site
This is the Google search console example
You need to copy the string of text within the quotes, go back to Yoast and paste it into the Google API key field and save it and then go back to Google and hit the verify button.
I found out two things as I was doing this:
I needed to clear my cache
I had a password on my site and I needed to get rid of that because it stopped Google and the others from verifying.
If you don't have Yoast, no worries, my favourite plugin for this is All Meta Tags, which does the same thing and has the added benefit of allowing you to add your meta tags such as the ones needed for Pinterest or Google Plus to your site.
The documentation associated to All Meta Tags tells you how to access the various tools.
Last step is to update your privacy policy
Every site should have a policy on a page called Privacy Policy and a link to the privacy policy should be displayed on the footer of every page of your site
Why?
Polite to let people know what your policies are with regard to their information and the existence of a privacy policy is a factor in Google and Bing's ranking of your site.
Where do you get one? Google and you will easily find privacy policy generators
So that's the complete set of steps to implementing an SSL
Your steps may vary from this of course, depending on your circumstances
Are there any further questions?
Thanks so much for listening!