SSL/HTTPSWhat,WhenandHow!ChrisBurgess– MelbourneWordPressMeetup2017

@chrisburgess chrisburgess.com.au

Overview• WhatisSSL?• SSLgrowth• WhenshouldyouuseSSL?• CostofanSSLcertificate• EnablingSSLinWordPress• Commonpitfalls• Benefits• SSLtools• Furtherreading

https://wptavern.com/more-than-50-of-web-traffic-is-now-encrypted

HTTPRequests2011-2017

http://httparchive.org/

SSLbyDefault2016-2017

https://trends.builtwith.com

WhatisSSL?(viaWikipedia)• HTTPS (alsocalled HTTPover TLS,[1][2] HTTPoverSSL,[3] and HTTPSecure[4][5])isa protocol for securecommunication overa computernetwork whichiswidelyusedonthe Internet.HTTPSconsistsofcommunicationover HypertextTransferProtocol (HTTP)withinaconnectionencryptedby TransportLayerSecurity,oritspredecessor,SecureSocketsLayer.ThemainmotivationforHTTPSis authentication ofthevisited website andprotectionofthe privacy and integrity oftheexchangeddata.

TheDifferenceBetweenHTTPandHTTPSTraffic

http://stackoverflow.com/questions/33934408/intercept-html-form-post-data

WhenShouldYouUseSSL?

• Ecommercesites• Wheneverdealingwithsensitivedata• Whenusertrustmatters

WhenShouldYouUseSSL?

EnablingSSL

• Intheory,changingyourhomeandsiteURLinWordPressshouldbeenough:

define('WP_HOME','http://example.com');define('WP_SITEURL','http://example.com');

• Inpractice,wesometimesneedsomeextrahelp

ForcingSSLforLogins

// Force SSL all WordPressdefine( 'FORCE_SSL_LOGIN', true ); define( 'FORCE_SSL_ADMIN', true );

MixedContent

WooCommerce

cPanel SSLManagement

cPanel SSLManagement

CostofanSSLCertificate

• $10to$10,000• Averagecost$50- $150forsingledomain• Wildcard(formultiplesubdomains)cancostalittlemore

• Let’sEncryptisfree!

WPForceSSL

EasyHTTPSRedirection

ReallySimpleSSL

MixedContentReport@WhyNoPadlock

https://www.whynopadlock.com/

SSLChecker@SSLShopper

https://www.sslshopper.com/ssl-checker.html/

SSLServerTest@Qualsys SSLLabs

https://www.ssllabs.com/ssltest/

MozillaSSLConfigurationGenerator

https://mozilla.github.io/server-side-tls/ssl-config-generator/

OpenSSLTesting

• YoucanalsouseOpenSSLfortesting,example:

> openssl s_client -connect example.com.au:443 -servernameexample.com.au -status

Let’sEncrypt

https://letsencrypt.org/

RankingBoost(2014)

http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446

RankingBoost(2014)

ABasicSEO-friendlySSLMigrationChecklist

• AddhttpsvariantsinGoogleSearchConsole• Checkandfixanyhardcodedresourcesthatwouldcause

mixedcontentwarnings,ideallyuserelativeratherthanabsoluteURLs

• Updateinternallinkstohttpsvariant• Ensure301redirectsareinplaceforallhttpURLs• Updatesitemaplinks(butdonotreplaceoldsitemapuntil

301sareindexed)androbots.txt (ifused)• TestallURLsareaccessible,fetchandrenderwith

Googlebot• ConfigurethewebservertosendSSLheaders(optional)

FurtherReading

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

FurtherReading

• https://wptavern.com/more-than-50-of-web-traffic-is-now-encrypted

• http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/

• https://moz.com/blog/seo-tips-https-ssl• https://chrislanauze.com/design-development/wordpress-meetup/how-to-configure-https-on-wordpress-683/

Thanks!ChrisBurgess– MelbourneWordPressMeetup2017

@chrisburgess

@chrisburgess chrisburgess.com.au