There are a few different ways we implement HTTPS for our clients.
- Let’s Encrypt
- Sucuri Web Application Firewall
The traditional way to implement HTTPS has always been to buy an SSL Certificate from your web host or domain registrar, validate information with the Certificate Authority, install the SSL through cPanel (typically), make sure your site URL is set as https://www.yourdomain.com and then renew the SSL certificate every year.
The traditional method is good for all types of websites including eCommerce and businesses that prefer an Organizational or Extended Validation certificate.
If a basic SSL certificate suits your needs, there are other ways to implement HTTPS and many of them are free.
If your web hosting company supports it, Let’s Encrypt is great way to acquire a free SSL and implement HTTPS. Let’s Encrypt is a service that issues SSL certificates and eliminates many of the complexities that come with a manual implementation.
Sounds great, doesn’t it? It is.
Web administrators generally do not work directly with Let’s Encrypt. Instead, they work through a web host company who offers this option and already has an API that integrates with it.
One of our preferred hosting providers, SiteGround, offers a Free SSL for web hosting customers through Let’s Encrypt.
So good news, if you’re a SiteGround customer or would like to become one (just let us know, we can help!) it’s easy to get your site up and running under HTTPS.
Cloudflare is similar to Let’s Encrypt except its a bit easier to use and has some bonus features built in. They are another one of the few providers that offers basic SSL protection free of charge.
Free accounts on Cloudflare allow you to run HTTPS. They even include a rewrite feature to make sure you are FULLY HTTPS and not serving mixed content (some secure and some not secure). You can obtain upgraded SSL certificates through Cloudflare also.
Read about mixed content and Automatic HTTPS Rewrites | Cloudflare.
However, due to the way Cloudflare works, this option offers incomplete encryption and should only be used on basic websites without eCommerce.
One benefit our Magento Managed Solutions Plan and WordPress Managed Solutions Plan customers take advantage of is the Sucuri Website Application Firewall (WAF) and a free SSL. A firewall helps stop website hacks and attacks. Managed Solutions Plan customers are offered a free SSL through this service.
Running your site through a firewall delivers many benefits:
- Run sites over HTTPS
- Automatically rewrite non-HTTP content
- Block spam, malware, and other malicious bots from accessing your site
- Add a layer of caching to speed up the delivery of your site to visitors and increase performance
For starters, you’ll need an SSL certificate. The section above outlines various options for obtaining an SSL certificate. Regardless of the option you choose, you will need to plan your HTTPS migration and schedule time for it.
One side effect of moving to HTTPS is a URL change – http://yourdomain.com to https://yourdomain.com. Social sites often recognize these as two different URLs therefore impacting your sharing counts. For example, if an blog post has 30 Facebook shares, Facebook will no report share counts accurately. You will need to find out if your social plugin supports “share recovery.”
If you’re running WordPress and are not a developer, there are some plugins to simplify the HTTPS migration. We recommend using Really Simple SSL. The plugin won’t do everything for you but it saves time and is as simple as activating the plugin and enabling SSL.
A plugin is not necessary however. You can also simply change the URL in the Settings of the WordPress dashboard and update any redirects you may have via a plugin or htaccess.
You’re almost done and it is hopefully everything is working correctly. However, it’s good practice to double check and make sure there are no hidden problems. An easy way to do this is to use the SSL Server Test tool from Qualys SSL Labs.
The tool will provide a certificate summary that looks something like this:
It’s good practice to let Google know when you make these types of site changes. One way is to force a re-crawl of the site. Google will naturally re-crawl on its own, but you can speed up the process using Google Search Console.
If your site isn’t already setup as a property in search console, this is a great time to do that. You simply need to create an account, add the site as a property and then verify it.
Usually this is done via uploading a html file via FTP or inserting some code into the head of the site. If you are running an SEO plugin like Yoast SEO, you can verify your search console (and analytics) connections in the plugin directly.
You should also update your URL on any local and social properties. These are called citations.
Some typical places you may need to update your URL after you migrate to HTTPS:
- Facebook Business Page
- Google Places
- Google Plus
Moving forward, you should always be careful when adding new functionality and features to your website and make sure any external scripts being linked to are from a secure source running over HTTPS. This is the biggest culprit for making a site non-HTTPS. One way to check this is to use the SSL Server Test tool.