Much of the web continues to march towards creating secure communications between devices through the use of things like HTTPS/TLS (aka SSL). We’ve seen Google talk about giving SSL a ranking boost and flagging non-HTTPS websites within the browser (Chrome) as insecure. We have also seen various organizations take the call to arms – with StartSSL offering free SSL Certificates, organizations like LetsEncrypt being established, Automattic (parent company of WordPress.com) enabling HTTPS for all its domains, and we too announced our support through our own LetsEncrypt partnership.
HTTPS secures data in transit – it does not secure the website itself. If you have HTTPS enabled, it will not stop attackers from attacking your website and exploiting its weaknesses. Additionally, if your website is hacked, it will not stop the distribution of malware; in fact, it’ll only distribute the malware securely. While HTTPS is definitely an important piece of the security framework for any website, it’s important we don’t get caught up in the noise and distort its true purpose and value.
For those that have tried to deploy SSL, myself included, there are a number of issues to be mindful of. The most common seems to be with how assets (i.e., images, css, etc…) are being loaded once you make the switch. I went ahead and put together a little tutorial to hopefully reduce the potential anxiety you might feel with this undertaking. This will be especially important if you are using our Sucuri Firewall.
Planning for the HTTP to HTTPS Switch
The idea of switching to using the HTTPS protocol can be a daunting task, but it doesn’t have to be. Like most things, taking a few minutes to mentally prepare and answer a few questions can go a long way to ensuring a seamless deployment.
- How does your host handle SSL Certificates?
- How will your website account for HTTPS?
- Does your website leverage a Content Distribution Network (CDN)?
- Does your website leverage a Website Application Firewall (WAF)?
Mixed Content Warnings – Loading Assets Over HTTP
Once a page is served over HTTPS, any asset it still loads over plain HTTP triggers a mixed-content warning in the browser. This can prove very problematic for some website owners; it could break your website.
Accounting for HTTPS With WordPress
If you’re using the WordPress CMS, you are in luck because you can make use of the really-simple-ssl plugin. It will automatically rewrite all your URL schemes and redirect HTTP to HTTPS on your behalf. After installation and activation, it will show you the following screen:
The tool will automatically log you out of WordPress and force HTTPS on your website.
Note: There is a great resource on the ManageWP blog – WordPress SSL Settings and How to Resolve Mixed Content Warnings. I encourage you to give it a review as it provides a number of great discussion points.
Accounting for HTTPS on Generic Files
If you are using a generic content management system where your template and files are in HTML or PHP files, you can do a mass search and replace to rewrite your content from HTTP to HTTPS.
If you have terminal access to the server, a grep command can help you identify every file that references http://. Be sure to run it from the root of your website (i.e., /public-html/, /www/html/, etc.):
$ grep -r "http://yourdomain.com/" .
You will need to manually fix all references to include https://.
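The grep above finds the files; the two things you then want to know are how many references point at your own domain (which you can rewrite outright) and how many point at third parties (which only work over HTTPS if that third party actually serves the asset over HTTPS). The following script is an added example, not part of the original post: it builds a small constructed site tree (an HTML template and a stylesheet using the page’s perezbox.com domain), counts both kinds of reference, and rewrites only the own-domain ones, keeping a copy of every changed file in a backup directory outside the web root. The function names and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: mixed-content triage and own-domain rewrite for static files.

# Constructed sample site tree (not real site files): one template, one stylesheet.
make_sample_site() {         # $1 = web root to create
  mkdir -p "$1/css"
  cat > "$1/index.html" <<'EOF'
<link rel="stylesheet" href="http://perezbox.com/css/style.css">
<img src="http://perezbox.com/img/logo.png" alt="logo">
<script src="http://cdn.example.net/lib.js"></script>
<a href="http://perezbox.com/about/">About</a>
<img src="//perezbox.com/img/already-relative.png">
EOF
  cat > "$1/css/style.css" <<'EOF'
body { background: url(http://perezbox.com/img/bg.png); }
.hero { background: url("https://perezbox.com/img/hero.png"); }
EOF
}

# Every file:line that still references a plain-http URL (same idea as the grep in the post).
list_insecure_refs() {       # $1 = web root
  grep -rn 'http://' "$1"
}

# References to our own domain: safe to rewrite to https:// once the certificate is in place.
count_own_domain_refs() {    # $1 = web root, $2 = domain
  grep -r -o "http://$2/" "$1" | wc -l | tr -d ' '
}

# References to anyone else: each one needs a check that the third party serves it over HTTPS.
# The character class stops the URL at a quote, space, ")" or ">" so CSS url(...) and HTML attributes both work.
count_third_party_refs() {   # $1 = web root, $2 = domain
  grep -rho "http://[^\"' )>]*" "$1" | grep -v "http://$2/" | wc -l | tr -d ' '
}

# Rewrite http://<domain>/ to https://<domain>/ in every file that contains it.
# Backups go to a directory outside the web root so they are neither served nor re-scanned.
rewrite_own_domain() {       # $1 = web root, $2 = domain, $3 = backup dir
  grep -rl "http://$2/" "$1" | while IFS= read -r f; do
    mkdir -p "$3/$(dirname "$f")"
    cp "$f" "$3/$f"
    sed "s|http://$2/|https://$2/|g" "$3/$f" > "$f"
  done
}

# Demo on the constructed tree: list, rewrite, list again (the third-party script remains).
root=$(mktemp -d); bak=$(mktemp -d)
make_sample_site "$root"
echo "before:"; list_insecure_refs "$root"
rewrite_own_domain "$root" perezbox.com "$bak"
echo "after:";  list_insecure_refs "$root"
rm -rf "$root" "$bak"
```

Anything left in the "after" list is a third-party reference; either the provider offers the same asset over HTTPS (change the scheme) or it does not (host it yourself or drop it), because a single remaining http:// asset is enough to lose the padlock.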
Accounting for HTTPS in your Database
Depending on the technology you use, your website might store asset locations in the database and render them dynamically, so you’ll want to go through the database and update all protocol references. Here are some quick instructions that will help you:
1. Identify and Replace HTTP with HTTPS
There is a great tool called Database Search and Replace, built by Interconnect/IT. As the name implies, it allows you to do a quick search of your database, replacing values as needed (be careful).
Download the Database Search and Replace tool at the root of your website:
[root@server [domain directory]# wget https://github.com/interconnectit/Search-Replace-DB/archive/master.zip
[root@server [domain directory]# unzip master.zip
[root@server [domain directory]# cd Search-Replace-DB-master/

Once it is unpacked, you can access it directly by going to http://yourdomain.com/Search-Replace-DB-master/index.php
When you load the tool, it will pull the values from your /wp-config.php. If for whatever reason it doesn’t, here is how you map the values:
- Name = the value in define('DB_NAME', ...)
- User = the value in define('DB_USER', ...)
- Password = the value in define('DB_PASSWORD', ...)
- Host = the value in define('DB_HOST', ...)
- Port = 3306 (the default)
Search and Replace
When running the search and replace be mindful of all the things you can break. To account for this, I recommend being as specific as possible. For instance, in the image above, you can see I search for http://perezbox.com and replace with https://perezbox.com. This is an effort to avoid breaking any other http references that might cause you more issues.
Before you run the tool, please be sure to have a database backup. The tool also helps by giving you two very distinct options: Dry Run and Live Run. I recommend running a Dry Run first, checking the output, then running a Live Run if everything looks correct.
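The reason a dedicated tool is used here rather than a plain SQL REPLACE() is that WordPress stores many options as PHP-serialized data, in which every string carries its byte length (s:27:"..."); changing http:// to https:// makes the string one byte longer, and a length that no longer matches means PHP cannot unserialize the option. The script below is an added example, not the Interconnect/IT tool or code from the original post: it takes a constructed fragment of a SQL dump containing the page’s perezbox.com domain, rewrites the scheme for that domain only, corrects the serialized lengths as it goes, leaves third-party URLs alone, and shows the result as a diff (a dry run) before anything is written back. The sample rows and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: serialization-aware http -> https rewrite over a SQL dump, dry-run first.

# Constructed sample dump (not real site data). Row 2 holds a serialized array whose
# strings carry their byte lengths; row 3 is ordinary post HTML.
write_sample_dump() {        # $1 = file to create
  cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','http://perezbox.com','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','a:2:{i:0;s:27:"http://perezbox.com/img.png";i:1;s:18:"http://example.org";}','yes');
INSERT INTO `wp_posts` VALUES (3,'<a href="http://perezbox.com/about/">About</a>');
EOF
}

# Rewrite http://<domain> to https://<domain> in a dump, fixing serialized lengths.
rewrite_scheme() {           # $1 = domain, $2 = input dump, $3 = output dump
  awk -v dom="$1" '
    BEGIN {
      re_dom = dom
      gsub(/\./, "[.]", re_dom)                 # make the dots in the domain literal
      ser_re = "s:[0-9]+:\"http://" re_dom      # serialized string starting with our URL
      plain_re = "http://" re_dom               # any other occurrence of our URL
    }
    {
      line = $0; out = ""
      # Pass 1: bump the declared length of every serialized string that starts with
      # http://<domain>, because "https://" is exactly one byte longer.
      while (match(line, ser_re)) {
        seg = substr(line, RSTART, RLENGTH)     # e.g. s:27:"http://perezbox.com
        split(seg, p, ":")                      # p[2] is the declared byte length
        out = out substr(line, 1, RSTART - 1) "s:" (p[2] + 1) ":\"http://" dom
        line = substr(line, RSTART + RLENGTH)
      }
      line = out line
      # Pass 2: swap the scheme everywhere for our domain only. Strings already on
      # https:// are untouched because "https://" does not match "http://".
      gsub(plain_re, "https://" dom, line)
      print line
    }' "$2" > "$3"
}

# Dry run on the constructed sample: show what would change before touching anything.
work=$(mktemp -d)
write_sample_dump "$work/dump.sql"
rewrite_scheme perezbox.com "$work/dump.sql" "$work/dump.https.sql"
diff "$work/dump.sql" "$work/dump.https.sql" || :   # diff exits 1 when lines differ; expected here
rm -rf "$work"
```

The specificity the post recommends (searching for http://perezbox.com rather than a bare http://) is what keeps the example.org string in the second row intact; a blanket replacement would have changed a URL you do not control and may not be reachable over HTTPS.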
2. Identify and Handle HTTPS Traffic
Next you want to make sure that your server/website is ready to handle HTTPS traffic. You can do this via your /wp-config.php file.
/* Handle HTTPS Protocol */
// X-Forwarded-Proto is set by the proxy (CDN/WAF) in front of the server. Check that the
// header exists before comparing it, so a direct request without it does not raise an
// undefined-index notice, and only rely on it when such a proxy is actually in place,
// since a client can send the header itself.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

With this in place your website/server accepts HTTPS requests and HTTPS is enabled on your website. There are, of course, a number of different deployment types; for more variations you can reference this Codex article on WordPress.org.
When done, clear any caches you might have enabled and visit your website. You should now get the secure padlock in the browser:
3. Remove DS&R Tool
Please, whatever you do, do not forget to remove the DS&R tool from your root once you’re done. Leaving it on your server leaves a potential attack vector in place for later.
If you’re an existing customer and are having issues getting things configured, please connect with our team by submitting a ticket. If you are deploying LetsEncrypt locally, here is a simple guide to help get you started.