Not so long ago, WordPress added an extra item to its requirement list: HTTPS support. You may not be familiar with this connection protocol (see A web host), yet you must have noticed the padlock icon in the address bar of your browser. Likewise, you may not care that HTTPS stands for HyperText Transfer Protocol Secure, or that it is a set of rules for transferring files on the World Wide Web (e.g. between a browser and a server in order to serve a web page). However, here is what you need to know: when the URL (Uniform Resource Locator, namely the web address) starts with https:// – as opposed to http:// (without the “s” for secure) – and the padlock is locked, then the connection between the server and the visitor’s browser is encrypted and authenticated. In other words, nobody sitting between the server (where the website is) and the visitor can read, or silently alter, the information they exchange.
HTTPS support is only a recommendation – not a requirement strictly speaking. It is nonetheless advantageous to enable HTTPS on your WordPress website (even if the latter does not handle sensitive information1). Besides, all the big players on the web (i.e. not only Google) are pushing for more, if not all, websites to be served over HTTPS. Now, to have HTTPS, you need a Secure Sockets Layer (SSL) certificate installed on the server (strictly speaking a TLS certificate, TLS being the successor of SSL, but the old name has stuck and is used throughout this post).
Don’t worry if you don’t know what an SSL certificate is and how to install it on the server; this is what this post is about.
As briefly touched upon, the primary purpose of an SSL certificate (together with the TLS protocol it is used with) is to let the server prove it is the genuine one and to keep information sent across the Internet encrypted, so that only the intended recipients can access it. By encrypting your visitors’ information, you give them the peace of mind that hackers can’t easily steal their data.
What they are
At its core, an SSL certificate is the credential that lets a web server prove its identity and set up an encrypted connection. It binds the site’s domain name to a public key, and the server keeps the matching private key:
- A public key, which anyone can use to encrypt a message for the server (or to check a signature made by it)
- A private key, which only the server holds, and which decrypts that message (or produces that signature).
During the handshake, the browser uses the public key to make sure it is talking to the genuine server, and the two sides agree on a fresh session key that encrypts everything that follows. The information becomes unreadable to everyone except the browser and the server; note that only the server ever holds the private key. Hence, the connection is secure against eavesdropping and tampering in transit (it does not, of course, protect a server or a browser that is itself compromised).
Beware: if the https:// (or the padlock) is crossed out or colored red, it means the site is attempting to use the secure protocol but the browser could not validate the certificate (it is expired, issued for another name, or signed by an authority the browser does not recognize). Therefore, the connection may not be secure.
SSL certificates must be purchased from a recognized Certificate Authority (CA)2 (or, as we will see, obtained from one free of charge). They issue certificates only after confirming the identity of the company and/or person who is applying to obtain the certificate. In keeping with this validation process, there are three types of certificates:
- Domain Validation (DV)
- Organization Validation (OV)
- Extended Validation (EV)
The simplest form of validation (DV), which is done online through e-mail, Domain Name System (DNS) or HTTP, only proves that the applicant controls the domain; it says nothing about who the applicant is. The validation process for OV certificates involves, in addition to domain control validation (as above), verifying that all the organization information provided is valid and correct. The highest level (EV) includes all the verification steps for the OV certificates, as well as additional steps to ensure the business actually exists as a physical entity.
Although you can get a DV certificate within a few minutes, it takes longer to obtain an EV certificate because the validation process can take weeks. Because of these vetting requirements, each validation level is therefore more trustworthy than the one preceding it, but it is also more expensive. Hence, the EV certificate is the most thoroughly vetted type of SSL certificate when it comes to validation level. Yet,
any certificate will provide the same level of protection, no matter the type of validation3.
In addition, these certificates came with different visual indicators displayed in the address bar. For example, web browsers would just display the https:// protocol and the padlock symbol for DV and OV certificates. On the other hand, the EV certificate came with the iconic Green Address Bar for the site (with the name of the organization). This was true at the time of writing; since late 2019, Chrome and Firefox no longer show a special indicator for EV certificates, so all three types now look the same to visitors.
A self-signed certificate is a certificate signed with its own private key by the person creating it, rather than by a trusted CA. It enables the same level of encryption as the aforementioned certificates and is free of charge, but it has a major drawback: nothing vouches that the public key it carries really belongs to the domain. Since a browser cannot tell a legitimate self-signed certificate from one forged on the spot by an attacker, a visitor’s connection could be hijacked (a man-in-the-middle presenting its own self-signed certificate), allowing the attacker to view all the data sent, thus defeating the purpose of encrypting the connection.
There are use cases for this kind of certificate (e.g. an intranet, where the certificate can be installed as trusted on every client); however, they are not appropriate for the situation described in this post. Besides, visitors will see a warning in their browser when connecting to a server that uses a self-signed certificate. Often, the alert advises the visitor to abort browsing the page for security reasons.
Keep reading for a better alternative!
Single-name vs. Wildcard SSL certificates
An SSL certificate does not automatically secure a domain and all of its subdomains. In fact, the standard certificates, namely Single-name SSL certificates, are issued to a single Fully Qualified Domain Name (e.g. cogitactive.com; in practice, the www.cogitactive.com variant is usually listed on the same certificate). In contrast, Wildcard SSL certificates (e.g. *.cogitactive.com) allow securing any number of subdomains on a single certificate, with one caveat: the wildcard only stands for a single label, so *.cogitactive.com covers blog.cogitactive.com but neither a.blog.cogitactive.com nor the bare cogitactive.com, unless the latter is listed on the certificate as well.
While wildcard certificates are an ideal choice for sites spread over many subdomains, a single-name certificate is a good option when you only need to secure one subdomain added later, as your site evolved. This blog is a good example of this use case.
Of note, there are also certificates for several different domains, namely Multi-domain SSL certificates (or SAN certificates, after the Subject Alternative Name field that lists them). This kind of certificate becomes relevant when you start playing in the big league.
Until recently, installing an SSL certificate was
one of the trickiest functions you will ever have to perform in your hosting2. Without going into details, three elements are involved:
- A private key, generated on your server, which never leaves it
- A Certificate Signing Request (CSR), also generated on your server, which carries the matching public key and the names to be certified
- The certificate itself, returned by the CA
Actually, you have to create the private key and the CSR on your web server before you can even order the SSL certificate. The CA will indeed use the information in the CSR, such as your domain name, public key and company name, to make your certificate; it signs the result and sends it back, and you install it next to the private key it belongs to.
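To make these three elements (and the self-signed case above) concrete, here is a short openssl session. It is added to this post as an illustration: it is not SiteGround's tooling, and example.com / www.example.com are placeholder names. It generates the private key and the CSR the way you would before ordering a certificate, then, for lack of a real CA, signs the CSR with the same key to obtain a self-signed certificate, checks that certificate and private key really belong together (the check to run when an installation fails), and shows why a self-signed certificate is rejected by default and how an intranet would trust it explicitly.

```shell
#!/bin/sh
# Added example: private key, CSR and a (self-signed) certificate with openssl.
# example.com is a placeholder domain; everything lives in a scratch directory.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/example.com.key"      # private key: stays on the server
CSR="$WORK/example.com.csr"      # what you send to the CA
CRT="$WORK/example.com.crt"      # what the CA (here: ourselves) sends back
CNF="$WORK/example.com.cnf"

# Request config: the CN plus a SAN listing both the bare and the www name,
# which is what a "single-name" certificate for a website normally carries.
cat > "$CNF" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = example.com
[ v3_req ]
subjectAltName = DNS:example.com, DNS:www.example.com
EOF

# 1. Generate the private key and the CSR in one step. Only the CSR
#    (domain names + public key) leaves the server.
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -config "$CNF" 2>/dev/null
  chmod 600 "$KEY"
}

# 2. What a CA does after validating the names: sign the CSR. Here we sign it
#    with our own key, which is exactly what "self-signed" means.
self_sign() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 90 \
    -extfile "$CNF" -extensions v3_req -out "$CRT" 2>/dev/null
}

# 3. Installation check: the public key inside the certificate must be the
#    one derived from the private key, or the server cannot use the pair.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# 4. Chain check against the system trust store: succeeds for a CA-issued
#    certificate, fails for a self-signed one (this is the browser warning).
is_trusted() {
  openssl verify "$1" >/dev/null 2>&1
}

# 5. The intranet case: trust the certificate explicitly, as you would by
#    importing it into every client.
is_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

main() {
  gen_key_and_csr
  echo "--- names requested in the CSR"
  openssl req -in "$CSR" -noout -text | grep -E 'Subject:|DNS:'
  self_sign
  key_matches_cert "$KEY" "$CRT" && echo "certificate matches private key"
  is_trusted "$CRT" || echo "self-signed: not trusted by the system store"
  is_trusted_by "$CRT" "$CRT" && echo "trusted once explicitly imported"
}

main
```

The key/certificate comparison in step 3 is the one to reach for when a hosting panel reports a "key mismatch": it compares the public key derived from the private key with the one embedded in the certificate, with no guessing about which file came from where.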
Again, given the inherent difficulty of the whole process, it is better to request that the hosting company perform the installation. Or…
(Keep reading for better alternative!)
Why do I need an SSL certificate? (reloaded)
Granted, HTTPS support is part of WordPress
requirements (or rather, recommendations), but my website(s) have nothing to do with eCommerce (i.e. I don’t accept payments online). Actually, I am fitting in
the example scenarios that illustrate when you do not need an SSL certificate2. Specifically, my sites are purely informational and I do not process any sensitive information; nothing more than a name and e-mail address (e.g. Comment Form). Moreover, SSL certificates
used to be4 difficult to implement and expensive (see above). So, why should I bother?
Actually, there are many benefits of using an SSL certificate beyond keeping your visitor’s information secure in transit. For instance, it shows that the site is trustworthy;
that is, made by a legitimate person or company2. Indeed, HTTPS also provides authentication by ensuring that the visitor is really connecting to the right site and not an impostor one (keep in mind that a DV certificate vouches for control of the domain name, not for who is behind it). In addition, enabling HTTPS on your site could result in higher search rankings with Google.
If you want your website to look legitimate and trustworthy, you need an SSL certificate. (Neil Patel)
Admittedly, there is also a strong incentive. In particular, the Chrome browser recently started marking any website served over plain HTTP as
Not Secure. Not the best way to encourage people to visit your site!
Fortunately, obtaining and installing SSL certificates is no longer the costly and difficult process that it once was.
Let’s Encrypt is a
free, automated, and open certificate authority5, run for the public’s benefit. They offer (as in zero cost) DV certificates. Furthermore, they give people the possibility to set up an HTTPS server in the most user-friendly way possible. In keeping with their own saying,
[they] do this because [they] want to create a more secure and privacy-respecting Web.
They provide two types of DV certificates: single-name SSL certificates and Wildcard SSL certificates. However, they do not offer OV nor EV certificates. Importantly, there is no difference between Let’s Encrypt certificates and other DV certificates:
in terms of secure encryption, they are equal.
Granted, their certificates are valid only for 90 days, but they can easily be renewed automatically. In addition, they do not come with any form of warranty (e.g. in case of certificate failure resulting in loss of money). Yet, they are perfectly suited for websites or blogs not handling any sensitive data. Last, they have some rate limitations, such as allowing only five duplicate certificates (i.e. certificates for exactly the same set of names) to be issued per week. However, I doubt that any of these limitations will be of concern for users like me.
Again, previously, the only way to secure sites with SSL was by using a paid SSL certificate. Moreover, installing SSL certificates was tricky. With Google and others pushing the entire web towards HTTPS adoption, Let’s Encrypt certificates are a great option.
Given the nature of my websites,
a Domain Validation SSL certificate was a no-brainer.
A free certificate was the icing on the cake!
What has SiteGround to do with all this?
As explained in a previous post, given the inherent difficulty with SSL certificate installation, I intended to get one from my hosting provider (instead of directly from a CA). While I chose SiteGround for several reasons, among which security, speed and scalability were of prime importance, I was also pleased to know that they provide Let’s Encrypt SSL certificates. Actually, they automatically issue (for free6) a single-name SSL certificate for all primary (and addon) domains that point to their shared servers.
In addition, you can issue as many free Let’s Encrypt certificates as you need. Not only is Let’s Encrypt SSL installation immediate, but also
the SSL is active for your domain as soon as the installation is completed. You can even upgrade them to Wildcard certificates – easily and free. Both types of SSL certificates are issued for a period of 90 days and are renewed automatically 30 days before their expiration (as recommended by Let’s Encrypt).
The only requirement for a Single-name certificate is to have the A Records for both your domain.tld and www.domain.tld pointed to your SiteGround account. Otherwise, they cannot verify and install the certificate on your domain. Similarly, there should not be a blanket redirect in place on the domain when the certificate is installed (for instance an HTTP to HTTPS redirect, or a redirect to another site), as it may prevent the HTTP validation from completing: the CA checks domain control by fetching a token over plain HTTP from a path under http://domain.tld/.well-known/acme-challenge/ on your server. If you opt for a Wildcard SSL certificate, however, you will have to point your DNS to your hosting account (i.e. update the nameservers), because Let’s Encrypt only validates wildcard certificates through DNS records, which the hosting provider must be able to create on your behalf.
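Two things from the last paragraphs are worth checking by hand: which hostnames a certificate really covers (the single-name vs. wildcard distinction above), and when the 30-days-before-expiry renewal kicks in. The following script is an added illustration, not SiteGround's or Let's Encrypt's tooling, and example.com is a placeholder. It creates a throwaway self-signed wildcard certificate valid for 90 days only so that there is a file to inspect, lists the names it carries, decides whether a given hostname is covered (the wildcard matches exactly one label), and applies the renewal rule with openssl's -checkend.

```shell
#!/bin/sh
# Added example: which names does a certificate cover, and is it due for
# renewal? example.com is a placeholder; the certificate is a throwaway
# self-signed one created only so that there is something to inspect.
set -eu

WORK=$(mktemp -d)
CRT="$WORK/wildcard.crt"

# Throwaway 90-day certificate for *.example.com plus the bare domain
# (the same pair of names a Let's Encrypt wildcard certificate would list).
make_throwaway_cert() {
  cat > "$WORK/cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ext
[ dn ]
CN = *.example.com
[ ext ]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$WORK/wildcard.key" -out "$CRT" -config "$WORK/cnf" 2>/dev/null
}

# Names listed in the Subject Alternative Name extension, one per line.
# Browsers match against SAN entries only; the CN is ignored nowadays.
cert_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Does the certificate cover hostname $2? Either an exact match, or a
# wildcard entry whose "*" stands for exactly one label: *.example.com
# covers blog.example.com but not example.com nor a.blog.example.com.
cert_covers() {
  host=$2
  found=1
  set -f   # names contain "*": do not let the shell expand it as a glob
  for n in $(cert_names "$1"); do
    if [ "$n" = "$host" ]; then found=0; break; fi
    case "$n" in
      \*.*)
        suffix=${n#\*.}
        first=${host%%.*}
        if [ "${host#*.}" = "$suffix" ] && [ -n "$first" ] && [ "$first" != "$host" ]; then
          found=0; break
        fi
        ;;
    esac
  done
  set +f
  return $found
}

# Renewal rule: renew when the certificate expires within $2 days.
# -checkend exits 0 if the certificate is still valid after that many seconds.
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1   # still good beyond the window: nothing to do
  fi
  return 0     # expires inside the window: renew now
}

make_throwaway_cert
echo "names: $(cert_names "$CRT" | tr '\n' ' ')"
for h in example.com www.example.com a.blog.example.com example.org; do
  if cert_covers "$CRT" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
if renewal_due "$CRT" 30; then echo "renew now"; else echo "renewal not yet due"; fi
```

Point cert_names and renewal_due at the certificate your host installed (or at the output of openssl s_client -connect domain.tld:443 -servername domain.tld) and you have a renewal monitor independent of the hosting panel; the 30-day window is the one Let's Encrypt recommends and SiteGround uses.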
Time for action
Quick reminder: immediately after signing up with SiteGround (see Getting my web host), I requested them to install WordPress on my account. Then, I changed my DNS – replacing the nameservers of my registrar by those of SiteGround – in order to point my domain name to my website. To sum up, I was using the DNS of SiteGround and WordPress was already installed on my server; still my website was new.
Why is this important? First, it means that, given my DNS configuration, I could have opted for a Wildcard SSL certificate if I needed to7 (see above). Second, while the certificate is installed on the server and should have nothing to do with the Content Management System (CMS), CMS applications like WordPress require additional configuration to work with SSL (the site URLs stored in the application must themselves say https://). Now, the method varies depending on whether it is a brand new website (as in my case) or an existing site (i.e. already indexed by search engines, with http:// URLs stored throughout its content). Luckily, I was in the former situation.
Anyway, as my hosting provider offers Let’s Encrypt support, the procedure was straightforward. I logged into my SiteGround User Area and navigated to my cPanel by clicking on the Go to cPanel button. Then, I clicked on the Let’s Encrypt icon (located in the Security section), selected my domain (in the drop-down menu) and clicked Install. That is it! The tool requested the free certificate on my behalf, installed it, and will keep it up-to-date automatically from now on.
Let’s Encrypt certificate installation success.
Almost immediately, I could see my newly installed certificate listed with an Active status. Now, according to several tutorials, the next step was to make my website work properly over HTTPS. Providentially, SiteGround had created a shortcut in the Let’s Encrypt tool that allows enforcing the certificate. To access it, in the Action drop-down menu (Select an Action), I chose HTTPS Settings. Then, in the Manage HTTPS Settings pop-up window, I turned ON this shortcut tool, namely HTTPS Enforce.
Forces your site to work entirely over an encrypted HTTPS connection. The redirect is performed on server level and works for any website.
What I should have done instead
When installing an SSL certificate, you need some additional configuration so that your domain is not accessible both over http:// and https://. This is to avoid duplicate content! I thought that by turning ON the Enforce HTTPS tool, I just accomplished that. Granted, the tool forces all your domain traffic through https://, but
this is a server level enforce, that does not perform any change to your application configuration and database8.
The best way to make your site work through HTTPS is to manually re-configure your application8. There are other methods as well, but it is always better to do the right thing!
Given my newly installed WordPress configuration, the correct procedure would have been as simple as this one-click shortcut9. I should simply have accessed my WordPress admin area, clicked on Settings, then General, and updated both the WordPress Address (URL) and Site Address (URL) fields to use “https” (instead of “http”). One click on Save, and I would have properly configured my application to work via https://. That simple!
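For the record, here is the same application-side change done from the command line with WP-CLI, as an added example that is not part of the original post nor of SiteGround's tools. It assumes WP-CLI (the wp command) is installed and run from the WordPress root; example.com is a placeholder. For a brand-new site, updating the two options is enough, which is exactly what Settings > General does. For an existing site, the search-replace step also rewrites the http:// URLs stored in posts and options, which a server-level redirect never touches.

```shell
#!/bin/sh
# Added example (not SiteGround's tool): switch WordPress itself to HTTPS.
# Assumes WP-CLI ("wp") is available and is run from the WordPress root.
# example.com is a placeholder domain.
set -eu

# Turn an http:// site URL into its https:// form and refuse anything else:
# a malformed siteurl/home value locks you out of wp-admin with redirect loops.
https_url() {
  case "$1" in
    https://*) printf '%s\n' "$1" ;;
    http://*)  printf 'https://%s\n' "${1#http://}" ;;
    *)         echo "refusing to use '$1' as a site URL" >&2; return 1 ;;
  esac
}

# Brand-new site: the command-line equivalent of Settings > General.
switch_new_site_to_https() {
  current=$(wp option get siteurl)
  new=$(https_url "$current")
  wp option update siteurl "$new"
  wp option update home "$new"
}

# Existing, already indexed site: also rewrite the http:// URLs embedded in
# content and options. Dry-run first, and never touch post GUIDs.
switch_existing_site_to_https() {
  current=$(wp option get siteurl)
  new=$(https_url "$current")
  wp search-replace "$current" "$new" --skip-columns=guid --dry-run
  wp search-replace "$current" "$new" --skip-columns=guid
  wp cache flush
}
```

The functions are not invoked at the bottom on purpose: run switch_new_site_to_https or switch_existing_site_to_https once you have read the dry-run report, and keep the server-level HTTPS Enforce in place on top of it, since the two address different layers.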
However, I didn’t. Who would have thought that one day, this tiny mistake would be the source of so much trouble. Anyway, this is another story10…
Turning ON the Enforce HTTPS tool also revealed another function: External Links Rewrite.
Ensures your website will not show any “Mixed content” warning due to insecurely loaded external resources.
Having your domain switched to HTTPS may not be enough for your site to be marked as secure by the browser8. Therefore, you need to rewrite any http:// references to external resources loaded by your pages (scripts, stylesheets, images, frames), so that your site does not show warnings for mixed content in the browser; plain hyperlinks to http:// pages do not count as mixed content. In theory, I should have attempted to correct all of them to load over HTTPS manually, or simply turned ON the External Links Rewrite tool. In practice, my site was a brand new installation, meaning that there was no link to be concerned with! In spite of this, I turned the tool ON anyway.
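What “mixed content” means in practice is easier to see on an actual page. The following script is an added illustration, not SiteGround's External Links Rewrite tool, and runs on a small HTML page constructed for the purpose. It lists the sub-resources (scripts, stylesheets, images, frames and the like) still loaded over http://, which is what triggers the warning, ignores ordinary hyperlinks, and then applies the kind of blanket http:// to https:// rewrite such a tool performs. Keep in mind that rewriting a URL only helps if the external host actually serves it over HTTPS; otherwise the resource simply breaks, which is why listing them first is worth it.

```shell
#!/bin/sh
# Added example: find and fix mixed content in a saved HTML page.
set -eu

# Constructed sample page (not from the original site).
make_sample_page() {
  cat > "$1" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="http://images.example.net/logo.png" alt="logo">
<img src="//images.example.net/hero.png" alt="protocol-relative: follows the page">
<a href="http://partner.example.org/">a plain hyperlink: not mixed content</a>
<iframe src="http://widgets.example.net/embed"></iframe>
</body></html>
EOF
}

# Tags whose src/href/data attribute loads a sub-resource into the page.
# Anchors are deliberately absent: linking to http:// is not mixed content.
RESOURCE_TAGS='script|img|link|iframe|source|video|audio|object|embed'

# Print every http:// sub-resource URL found in the page, one per line.
mixed_content_urls() {
  grep -oiE "<($RESOURCE_TAGS)[^>]*[[:space:]](src|href|data)=[\"']http://[^\"']+" "$1" \
    | sed -E "s/.*=[\"']//"
}

# The "rewrite everything" approach: flip http:// to https:// in those
# attributes (hyperlinks included, as the rewrite tools do). Only safe if
# every host listed by mixed_content_urls also answers on HTTPS.
rewrite_to_https() {
  sed -E "s#(src|href|data)=([\"'])http://#\1=\2https://#g" "$1"
}

PAGE=$(mktemp)
make_sample_page "$PAGE"
echo "--- sub-resources still loaded over http://"
mixed_content_urls "$PAGE"
rewrite_to_https "$PAGE" > "$PAGE.fixed"
echo "--- after rewrite: $(mixed_content_urls "$PAGE.fixed" | wc -l | tr -d ' ') left"
```

On the sample page the scanner reports four offenders (the stylesheet, legacy.js, logo.png and the iframe) and none after the rewrite; the protocol-relative image and the https script were never a problem, and the partner hyperlink is not one either.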
My Let’s Encrypt SSL certificate was correctly installed
and my site was accessible via the https:// URL.
This concluded my SSL certificate installation and WordPress configuration to work over HTTPS. At least, that was what I thought…
1 SSL certificates were originally required only for websites handling sensitive information. It was typical to see advice like this one:
SSL certificates are not needed for any sites that are purely informational2. Things are changing and SSL is becoming the norm. Hence, the rule seems to be that everyone needs to have an SSL certificate. ^
2 Peter Pollock (2013) Web Hosting For Dummies. Hoboken, New Jersey: John Wiley & Sons. ^
3 Neil Patel (2019) How to Choose Between these 5 SSL Certificates for Your Site. ^
4 Keep reading, the “better alternative” comes next! ^
5 See Let’s Encrypt. ^
6 While SiteGround usually charges $30.00 per SSL certificate installation, they don’t charge anything for Let’s Encrypt certificates, nor for the other SSL certificates purchased from them (here is a link to their SSL offers). Not every hosting provider is as generous, as pointed out in the Let’s Encrypt FAQ page:
In some cases, integrators (e.g. hosting providers) will charge a nominal fee that reflects the administrative and management costs they incur to provide Let’s Encrypt certificates. ^
7 Actually, Wildcard SSL certificates were not available at the time I set up my account. They became available a month later. Thus, I could have upgraded my existing standard Let’s Encrypt certificate with a single click (at no cost). More on this in future posts. ^
8 Hristo Pandjarov (2017) Let’s Encrypt Interface New Options. SiteGround. ^
9 There was another one-click alternative which consisted in enabling SSL via the WordPress Toolkit in cPanel (under WordPress Tools). Interestingly, updating both the WordPress Address (URL) and Site Address (URL) fields to use HTTPS (in my WordPress dashboard) affected the WordPress Toolkit configuration as well. Indeed, upon my changes in the dashboard, the current SSL state for my application (in the Configure SSL Certificate section of the WordPress Toolkit) shifted from “Disable SSL” to “Enable SSL”. I assume it works both ways. ^
10 Teaser: stay tuned, this tiny mistake was about to become an unbelievable misadventure. ^