How do you add a security certificate to your site?
First off, let’s answer the why behind that question.
SSL gives your browser a way to verify that the site you’re trying to get to is, in fact, the site you end up on. You’d think that was a given when you enter a URL, but not in today’s world, with so many ways for hackers to hijack your internet voyage. I’m not going to get into the technical details of how it does this, as many people have explained it better than I ever could. Let’s just say it verifies that your site is your site, and move on to the other reasons why you should have it installed on your site.
Google announced several months ago that sites that have SSL will be rewarded in the rankings, which essentially punishes those that don’t have it.
Now let’s get into the how.
Previously, getting an SSL certificate was an enormous hassle. Yes, yes it was, don’t argue with this point. I know some of my tech friends will say how easy it is, but to me, if I have to touch the command line for anything, it’s no longer “easy”. Easy for coders, yes; for everyone else, even power users, it was a migraine waiting to happen. Add to that that it was expensive for smaller businesses who really didn’t have sensitive data, and it wasn’t worth the time or money.
Enter Let’s Encrypt: an open source SSL provider that has been embraced by the open source community and that other developers have made handy tools for. NOW we have a tool that’s relatively easy to implement. You still have some work to do, and you need an understanding of the ramifications of switching, but it won’t require you to take a coding course in network security, and your clients won’t get steamrolled into buying expensive certificates from resellers. Love it! Go to their site and support these fine folks.
Here’s how we’ve implemented SSL using Let’s Encrypt on this very site.
- Get it on cPanel. This may require specifically making the request to your hosting provider if it’s not turned on in your cPanel already. It takes some configuration on the backend in WHM, so not all host providers have it installed by default. They should, but that’s another argument. Suffice to say, if you’re with a big hosting provider they either have it or don’t, and your “pleases” and “thank you’s” won’t change that till they change on their own. Also, it’s not in their interest to offer free SSL certificates, as they are resellers or affiliates of companies that sell SSL certificates. Basically, don’t hold your breath waiting for it to happen if they haven’t already. There are benefits to knowing your hosting company on a personal level. Let’s talk.
- Go into Let’s Encrypt on cPanel.
- Select the site you want to have SSL, agree, and you’re done. Not too many options here.
- That’s it. No, seriously. Your site now has https and a functioning SSL certificate that’s auto-renewed, free. Wow.
- Tweaks need to be done to your WordPress install at this point to make sure it’s displaying the https and that people can’t get to the http version of your site. Also, we don’t want to lose any Google juice in this process – one of the main reasons to have https is Google is starting to penalize sites that don’t have SSL – so let’s deal with those issues.
- Verify that https is working by going to that version of your site.
- Now login as you normally would.
- In your Dashboard > General Settings, you need to change the default WordPress Address (URL) and the Site Address (URL) to the https version. That basically tells your site to always use https even if links to your site use http. You’ll have to log back in after you save these changes.
- Last step, let Google know that you’ve made this change.
  - Google Analytics (choose the site, Admin > Property Settings > Default URL and select https). If you don’t do this step you’ll be tracking the old non-SSL version of your site, which will be non-existent at this point.
  - Google Webmaster Tools doesn’t allow you to simply make the change like Analytics. You’ll have to set up a new site, but that’s pretty easy as you’ve already set up the verification code required if you’re running Google Webmaster Tools.
  - Google Adwords. Hooboy, this is a “not fun” doozy of a situation. If you’ve installed the plugin above, your site should handle the redirecting that Adwords campaign URLs will send your way. The better solution is to run a bulk find (http) and replace (https) in the campaigns to get them sending to the correct URL. HOWEVER, if you do this, you may be corrupting your historical ad data! Adwords is much less useful without historical data, so you’ll want to preserve that. What you really need to do is pause all campaigns, duplicate them, THEN do the find and replace mentioned previously, and start the new campaigns. Considering how large some Adwords campaigns get, this is a bit daunting to say the least. I told you it wasn’t fun.
  - Final Note to Google: You’d think with the push from Google to get SSL on all sites they’d make it easier throughout their properties to reflect sites making this change but, umm, nope. Google, you can do better in this regard.
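To confirm the switch did what the steps above intend (the http address redirects to https, and the certificate is valid and being renewed), here is an added example that is not part of the original tutorial. The function names are made up for illustration; `check_site` needs network access and is only run when you pass your own hostname on the command line.

```python
import http.client
import socket
import ssl
import sys
from datetime import datetime, timezone
from urllib.parse import urlsplit


def bare(host):
    """Treat example.com and www.example.com as the same site."""
    return host.lower().removeprefix("www.")


def judge_redirect(host, status, location):
    """Classify the answer a server gives to a plain http:// request."""
    if status not in (301, 302, 307, 308) or not location:
        return "FAIL: http version is served without a redirect"
    target = urlsplit(location)
    if target.scheme != "https":
        return "FAIL: redirect does not point to https"
    if bare(target.hostname or "") != bare(host):
        return "WARN: redirect leaves the site"
    if status in (302, 307):
        return "WARN: temporary redirect; a permanent one (301/308) is expected"
    return "OK"


def days_left(not_after, now):
    """Whole days until the certificate's notAfter date."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def check_site(host):
    """Live check of one hostname (hypothetical helper, needs network)."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    redirect = judge_redirect(host, resp.status, resp.getheader("Location"))
    conn.close()
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return redirect, days_left(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_https.py HOSTNAME")
    redirect, remaining = check_site(sys.argv[1])
    print("http -> https:", redirect)
    print("certificate days left:", remaining)
```

If the certificate check raises an `ssl.SSLCertVerificationError`, the browser lock would not appear either; a days-left figure that keeps shrinking toward zero means auto-renewal is not running.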
Congrats! You now have that beautiful lock beside your URL in the toolbar with the HTTPS! Your site won’t raise red flags as being insecure and you’ll be able to sleep better knowing you didn’t have to spend hundreds of dollars to get it done. Thank you to the Let’s Encrypt team and the Really Simple SSL team for their work. Donate to their work, they deserve it.
I’m sure there are points I’ve overlooked with this tutorial, so feel free to comment away at me and let’s get the dialogue happening here.