WordPress HTTPS Everywhere

“I always feel like somebody’s watching me”, the 1984 hit song from Rockwell sums it up…and he might just be right! At the Google I/O Conference back in 2014, Google introduced (or at least endorsed) the principle of HTTPS Everywhere. Whereas traditionally HTTPS was only used on login and credit card pages, during the conference Google suggested that HTTPS be used on all pages on all sites, EVERYWHERE!

Why

Not interested in the “Why”? Skip to the “How” below.

Before we get into the “why”, it’s important to note that it’s not just Google. Over the last couple of years, most major sites have been moving towards this concept of HTTPS Everywhere as well. Now Google, Facebook, Twitter, The New York Times and others only serve pages over HTTPS. Last month, AdPlugg followed suit and switched to 100% HTTPS as well. We still allow you to serve your ads over HTTP but anytime you are viewing a page on our website, it will be over HTTPS.

In 2017, Google has gotten more serious about this initiative and it is no longer just an option, now there is a penalty! Beginning last month (January, 2017), Google Chrome now displays an exclamation point in the search bar any time you are viewing an HTTP page. This is designed to alert the user to the fact that they are not on a secure page. Where previously the norm was HTTP and only some pages had HTTPS, Google now wants all pages to be HTTPS and to alert users when they aren’t on HTTPS. In addition, Google is now using HTTPS as a ranking factor, favoring sites that are on HTTPS to those on HTTP for Google’s search results.

The reason Google is doing this is interesting, as it represents a shift in what is considered “sensitive” data. In fact, as I was writing this article, I wanted to describe passwords and credit card numbers as “sensitive data”. Google is suggesting that all of our activity online be considered sensitive, and it makes sense. Any time you are browsing over HTTP, a man (server) in the middle somewhere on the internet (or your own ISP) may be spying on what you are doing. In some cases ISPs even alter the content that you see. For instance, if you were to request http://www.example.com, your ISP could easily change what is returned to you, since it is being transmitted in plain text. If, however, you were to access https://www.example.com, your ISP and servers in the middle can’t read the request or response, so you know not only that you are not being spied on but also that no one has tampered with the information you are viewing. This is especially important when you are using public Wi-Fi. If you are on public Wi-Fi over HTTP, the hotel, coffee shop or airport might be spying on what you are doing; if you are on HTTPS, you know that no one in the middle can read what you send or receive.

There are some concerns for the publisher, however: HTTPS is costly. First of all, you need an SSL certificate and your server needs to be configured to support HTTPS. Be aware that every page requested must be individually encrypted by the server, and not just once: it needs to be encrypted separately for each user. This can cause quite a bit of additional load on your server and result in additional hosting costs.

However, Google has spoken and publishers would be wise to listen. For Google to remain popular, the user must have a good experience using the Google Chrome browser and Google search engine. Google has decided that the user will best be served by viewing pages only over HTTPS. It’s my belief that 10 years from now, Google won’t return HTTP results at all and Chrome will turn red with alerts any time you are viewing an HTTP page.

Because of Google’s initiative, blogs are now recommended to use HTTPS only as well. In this post I’ll be explaining how to set your WordPress site up for HTTPS only.

How

Now that you know why you should move your WordPress site to HTTPS only, in this section, I’m going to tell you how to do it.

Get an SSL Certificate

If you don’t already have one, first you are going to need an SSL certificate. SSL certificates are used to encrypt the data that is transmitted between your WordPress site and the user’s browser. If you are already feeling like you may be in over your head, you may want to just contact your hosting company. They can provide you with an SSL certificate and install it for you. However, if you think you can do it on your own, you can save some money.

I recommend ssls.com for inexpensive certificates that work just as well as the pricey ones. Go to www.ssls.com. For the average WordPress blog, their Comodo Positive SSL for $8.95 for 1 year is a great deal. SSLs.com provides instructions for how to create a private key and CSR (Certificate Signing Request). Once you check out, they will provide you with your SSL/TLS cert.

Install the SSL Certificate

How you install the SSL certificate is going to vary based on your host. Check your host’s help for details. You can also contact your host for help; once you have your own cert, most hosts will help you install it for free.

Configure WordPress for SSL Only

Once your SSL cert is correctly installed you should be able to view your site over http or https.

Now we want to configure WordPress and Apache so that they know that your site is only on https and to redirect all http requests to https.

Update Your WordPress Settings

  • Log in to your WordPress admin.
  • Go to Settings and then General.
  • Update the “WordPress Address (URL)” and “Site Address (URL)” fields to use https (ex: “https://www.example.com”).
  • Save the Changes.

Update your internal links (Optional, but recommended)

Most likely, you have links throughout your site that link to other parts of your site. And likely, these links all say “http://”. In the next step, we are going to redirect all http bound traffic to https. So while these links will continue to work, for SEO reasons, it’s a good idea to update all of your internal links to https so they point to the real page and not to a redirect.

The easiest way to do this is using a tool called wp-cli. In order to use wp-cli, you will need to have command line (SSH) access to your hosting account. Once you have wp-cli installed, issue the following command (update example.com to your own domain).

wp search-replace http://www.example.com https://www.example.com

If you don’t have SSH access (or don’t feel comfortable using it), you can do the search and replace using the WordPress Search and Replace Plugin.

Redirect all HTTP Traffic to HTTPS

We can update our internal links to use https instead of http but we don’t have any control over backlinks from other sites, google, etc. The last thing that we want to do is to break all of those links. What we should do instead is 301 (moved permanently) redirect the http request to https.

You can redirect all http traffic to https by adding the following to the top of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
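As an added check (example code, not part of the original post), the following shell snippet verifies that an HTTP request is answered with the permanent (301) redirect to an https Location that these rules are meant to produce, rather than a temporary redirect or one that drops the path. It assumes www.example.com as the placeholder host, and the response-header samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that an HTTP request
# gets a 301 redirect to the same host and path over https.
# www.example.com is the post's placeholder host; header samples are constructed.

# check_redirect HEADERS EXPECTED_LOCATION
# HEADERS is a raw response-header block such as `curl -sI http://host/path`
# prints. Succeeds only when the status is 301 and the (first) Location
# header equals EXPECTED_LOCATION, i.e. https scheme, same host, same path.
check_redirect() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | sed -n '1p')
  [ "$status" = "301" ] && [ "$location" = "$2" ]
}

# probe_live HOST PATH: fetch the real headers and apply the same check.
# Needs network access, so it is not exercised by the samples below.
probe_live() {
  check_redirect "$(curl -sI "http://$1$2")" "https://$1$2"
}

# Constructed sample: what a correctly configured server should answer.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Wed, 01 Feb 2017 12:00:00 GMT
Server: Apache
Location: https://www.example.com/about/
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: a temporary (302) redirect, which search engines
# do not treat as a permanent move of the page.
TEMP_HEADERS='HTTP/1.1 302 Found
Location: https://www.example.com/about/'

# Constructed sample: a redirect that loses the requested path, so
# every old backlink would land on the home page.
LOST_PATH_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/'

if check_redirect "$GOOD_HEADERS" "https://www.example.com/about/"; then
  echo "ok: permanent redirect to https with path preserved"
fi
```

Run `probe_live www.example.com /about/` (with your own host and a real path) after editing .htaccess to confirm the live redirect behaves like the good sample.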

Conclusion

You now know both why you should move your WordPress site to HTTPS only and how to do it. Have something to add or need help? Post to the comments section below.

Also note that AdPlugg can serve ads over HTTPS in both our Free and Pro versions.