HTTP to HTTPS – A Complete Guide

WHAT IS HTTPS, AND WHY SHOULD YOU CARE ABOUT MIGRATING FROM HTTP?

HTTPS is a protected and encrypted version of the underlying protocol in data communication between your browser and each site you visit. On the other hand, HTTP is the plain-text version of the protocol. Anytime you visit a site using HTTP, your activity could be watched, tracked, and recorded by anyone sniffing on your network traffic.

HTTPS is necessary for security reasons whenever you are transmitting sensitive data like credit card numbers or passwords. HTTPS ensures that only the server can decrypt the information sent between your browser and the website. Without HTTPS, your browser will send requests in plain text to the server, which leaves you vulnerable to attacks like man-in-the-middle (MITM). A MITM attack occurs when a perpetrator gets into the communication between a user and an application, listening to one of the parties while making it look as though a regular information exchange is taking place. It is important to choose sites that protect your transmission from eavesdropping, man-in-the-middle attacks, and tampering with any data you send or receive.

WHY IS IT BENEFICIAL TO MIGRATE YOUR SITE’S TRAFFIC OVER TO HTTPS 

In the past few years, cyber-attacks and data breaches have been a major concern as they have led to personal information exposure. As a result, many businesses are making the switch to HTTPS for their site’s traffic.

But HTTPS isn’t without its caveats. You’ll need to ensure that your website is free from mixed content issues to reap the rewards of serving traffic over SSL/TLS.

To ensure your website is ready for HTTPS, you need to take a closer look at both the server configuration and any in-site content.

Let’s start with the server-side of things.

What about my server? My site runs on WordPress. Do I need to do anything on the server level?

It’s best practice not to configure your server to use HTTPS manually. Most web servers can serve content over SSL/TLS automatically, though you’ll need to check the settings for your chosen platform. WordPress offers built-in support for HTTPS if you’re using version 4.4 or higher – enabling this is as simple as changing the WordPress Address (URL) and Site Address (URL) in your wp-config.php file to use the https:// prefix.

Next, navigate to Settings > General and ensure that your WordPress Address (URL) and Site Address (URL) both have the HTTPS prefix. In essence, if your site serves from a standard web server such as Apache or NGINX, you’re probably already using SSL/TLS without even knowing it!

HOW TO MAKE A MOVE FROM HTTP TO HTTPS

Making a move to HTTPS is a relatively straightforward process, though it will require careful planning and testing before making the switch. As with most things related to your website’s security, this is as much about future-proofing as it is about making the switch.

HOW TO OBTAIN AN HTTPS CERTIFICATE

Obtaining an SSL certificate is the first step in enabling HTTPS on your website. There are several types of SSL certificate available, but it is always recommended to use a certificate with an “Extended Validation” status. While these certificates cost more than their domain-validated counterparts, they provide the most apparent visual indication to site visitors that your site will be using HTTPS.

  1. Host with a dedicated IP address

All major web servers such as Apache and NGINX can use SSL/TLS without any issues. A dedicated IP address is a must if you plan to support only one domain with your certificate. It means that certificates with multiple fields will be limited in compatibility. Your website’s DNS records will also need to be updated so that visitors are redirected to the new HTTPS URL.

  2. Buy an SSL certificate

Before using HTTPS on your website, you’ll need to purchase an SSL certificate from a trusted Certificate Authority (CA). Your web host may provide you with SSL certificates as part of their service. If they don’t, or if all major browsers and operating systems don’t accept their certificates, you may wish to opt for a dedicated SSL certificate rather than using your web host’s in-house certificate.

You should also ensure that all major browsers and operating systems trust your chosen Certificate Authority – otherwise, visitors to your site won’t be able to access it via HTTPS.

  3. Request the SSL certificate

If you have purchased a single-domain SSL certificate, you will need to generate a Certificate Signing Request (CSR) using OpenSSL. After that, your CA will provide you with a signed SSL certificate which must be installed on your web server by your hosting provider.

  4. HTTP Strict-Transport-Security (HSTS)

Once you have enabled HTTPS on your site, enabling the HTTP Strict-Transport-Security header is an excellent second step towards securing visitors’ communications. It will ensure that web browsers automatically use an encrypted connection to access your site – provided they meet specific criteria such as having TLS 1.2 support and their clock set correctly – even if a visitor tries to reach your site over HTTP.

  5. Install the certificate-parsing library

This step covers installing the SSL certificate-parsing library in PHP. Nowadays, the preferred method for verifying an SSL/TLS certificate is to use a Certificate Authority file, also known as a bundle. It contains all of the CA certificates trusted for server authentication by major web browsers. However, some websites may have custom requirements to trust only a subset of CAs or wish to generate their CA-signed certificates rather than a certificate bundle.

  6. Update your site to enable HTTPS-only connections

Once you change the domain to HTTPS on your website, the next step is to configure it so visitors can only access content via an encrypted connection (i.e., “HTTPS-only”). If users attempt to load any URL in your site that they cannot access via HTTPS, their browser will display an error message. However, if they’re still using an insecure version of HTTP, then they’ll get a mixed content warning, and the page will load as expected.

  7. 301 redirect to HTTPS

If you’ve enabled SSL on your website, the final step is to configure 301 redirects so that search engines and other users can easily find your content via HTTPS. Otherwise, they’ll be stuck connecting over HTTP, which isn’t secure. If you’re using a caching plugin such as W3 Total Cache (a caching plugin generates static HTML pages of your website and saves them on your server), it’s straightforward to configure 301 redirects so that all requests for content on your website get redirected to HTTPS rather than HTTP.

COMMON MISTAKES PEOPLE MAKE WHILE MIGRATING FROM HTTP TO HTTPS AND HOW YOU CAN AVOID THEM

The key to successfully migrating your site from HTTP to HTTPS is preparation – if you aren’t careful, it’s easy to miss something and carry on using the wrong protocol. Here are some of the most common mistakes people make when migrating their sites and some simple ways to avoid them.

Not editing your site’s .htaccess file

.htaccess files are similar to Apache’s httpd.conf file in that they contain configuration settings, which apply to the directory holding the .htaccess file and any content within it. Editing your site’s .htaccess file with care lets you control how your website handles visitors who make requests over insecure HTTP connections.

Forgetting to update your internal links and forms

When you change your website’s protocol from HTTP to HTTPS, it can be easy to forget about all of the different places this information gets embedded within your site, such as internal links, forms, JavaScript code, etc. If you don’t update these, users will get mixed content warnings if they’ve migrated over to HTTPS, and you’ll lose out on the security benefits of using SSL.
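One way to find the leftover references described above before visitors do, added here as an example and not taken from any tool the article names: a scanner that lists every http:// reference in a page and sorts it by how a browser treats it. The class and function names, the category labels and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample: a page still carrying http:// references after the switch.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<script src="https://example.com/app.js"></script>
<script src="http://example.com/legacy.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<a href="http://example.com/contact">Contact</a>
<form action="http://example.com/login" method="post"></form>
<img src="/relative.png">
</body></html>"""

ACTIVE = {("script", "src"), ("iframe", "src")}      # can rewrite the whole page
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class InsecureRefFinder(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// reference in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, url in attrs.items():
            if url.lower().startswith("http://"):
                kind = self.classify(tag, name, attrs.get("rel", "").lower())
                if kind:
                    self.findings.append((self.getpos()[0], kind, tag, url))

    @staticmethod
    def classify(tag, attr, rel):
        if (tag, attr) in ACTIVE or (tag == "link" and attr == "href" and "stylesheet" in rel):
            return "active"       # scripts, frames, stylesheets
        if (tag, attr) in PASSIVE:
            return "passive"      # images and media
        if (tag, attr) == ("form", "action"):
            return "form"         # submitted data leaves over plain HTTP
        if (tag, attr) == ("a", "href"):
            return "link"         # not mixed content, but sends the visitor back to HTTP
        return None

def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run `find_insecure_refs` over each rendered template or exported page; the "active" and "form" findings are the ones to fix first.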

Not setting up an HSTS header

An HSTS (HTTP Strict Transport Security) header is a way for web servers to tell browsers that they must always use HTTPS – even if the user tries to access your site by typing in the HTTP version.
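A check for the 301 redirect and HSTS steps described above, added here as an example and not taken from any tool the article names: it audits the responses a site gives for the same URL over http:// and https://. The function names, the 180-day minimum max-age and the sample responses are assumptions made for the example.

```python
def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, subdomains = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)

def audit_migration(http_resp, https_resp, min_age=15552000):
    """Each argument is (status, headers) for the same URL fetched over that scheme.
    min_age (180 days here) is a policy value chosen for this example."""
    problems = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status != 301:
        problems.append(f"http:// answered {status}, not a 301 redirect")
    if not headers.get("location", "").lower().startswith("https://"):
        problems.append("http:// does not redirect to an https:// URL")
    if "strict-transport-security" in headers:
        problems.append("HSTS header sent over plain HTTP, where browsers ignore it")
    secure = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = secure.get("strict-transport-security")
    parsed = parse_hsts(hsts) if hsts is not None else None
    if hsts is None:
        problems.append("https:// response has no Strict-Transport-Security header")
    elif parsed is None:
        problems.append("Strict-Transport-Security header has no valid max-age")
    elif parsed[0] < min_age:
        problems.append(f"HSTS max-age={parsed[0]} is below {min_age} seconds")
    return problems

# Constructed responses: a finished migration and a half-finished one.
GOOD = ((301, {"Location": "https://example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((302, {"Location": "http://example.com/home",
              "Strict-Transport-Security": "max-age=31536000"}),
       (200, {"strict-transport-security": "max-age=300"}))
```

`audit_migration(*GOOD)` returns an empty list, while `audit_migration(*BAD)` reports the temporary redirect, the non-HTTPS target, the HSTS header wasted on the HTTP response and the short max-age.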

Adhava Host