Converting an existing WordPress site to SSL (HTTPS)

 


I received notification from my ISP (Krystal) that they were providing free SSL certificates for all sites. Their words were…

Free SSL via Let’s Encrypt
From January popular browsers are going to start penalising sites that aren’t secured by an SSL certificate (as some search engines already do).
As a result we’ve taken the decision to provide protection for every single domain and sub-domain hosted with us free of charge.

This was the first I’d heard about penalties for not encrypting but I suppose it makes perfect sense in the post Snowden world. For us in the UK it only gets worse – the latest ruling is that our ISPs are required to record our internet activity and hold the data for 12 months in case anybody from Teresa May to the local council dog catcher fancies a quick snoop on what we’ve been up to. I can only assume that the close ties between GCHQ and the NSI means Donald Trump and his mates (Farage?) can take a peep too. Encrypting the pages reduces the data the ISP sees and so the data government snoopers can see without a lot more effort. Using a VPN helps even more of course and since the new snoopers charter was announced that’s exactly what I’m doing. To keep costs down but maybe at the cost privacy (I really don’t know) I’ve been using the Opera browser with its free VPN option. This has to be turned off (an easy mouse click) for some picky sites but in the main just works with no obvious slowdown in browsing or small via-the-browser downloads.

So given all that I decided to investigate making all my sites HTTPS friendly. Here are the steps I took…

Firstly I amended the site URLs in WordPress General settings…

Wordpress general settings

Here in General settinhs you will see I have changed the old http:// to https:// for the site URL





Digitalham has no header or background images but some of my sites do and they need defining as HTTPS or you’ll see errors and no padlocks – all elements within the page must pass through SSL. Where this is done will vary by theme. This shows one such image definition in the Suffusion theme which I use for all my sites…

Suffusion Header background image

Making sure any images used by the theme are specified as HTTPS

One other thing probably peculiar to the Suffusion theme was that I had to set the Icon set to theme default to avoid persistent gripes about icons on the pages. There may be some clever way around this but I took the easy way out.

The next thing that needed correcting was the post_content in the wp_posts table for the various post images which had been defined already as HTTP. Rather than trawl through the pages correcting these I simply opened up PHPMyAdmin and ran the SQL below (actually as a security measure against bots I don’t use the wp prefix for my wordpress database tables but the SQL shows what is needed by default).

UPDATE wp_posts SET post_content = REPLACE (post_content, 'src="https://www.digitalham.co.uk/wp-content', 'src="https://www.digitalham.co.uk/wp-content');

My final fix was to redirect any HTTP requests to HTTPS in my .htaccess file

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.digitalham.co.uk/$1 [R=301,L]

With that all done and tested I had to add the HTTPS versions of my sites to Google Webmaster Tools along with modified sitemaps.

The result of this is that the site is slightly slower to load but what my visitors are looking at here is significantly more private than it would otherwise be. Plus of course I’ll escape those mysterious “penalties” the ISP mentioned – presumably lower rankings.

An incredibly useful site when making these changes was https://www.whynopadlock.com/ – it was this site that pointed out the problem with the icon images so I was able to research that and found the solution I took.