Migrating website from http to https

Installing SSL Certificate Successfully

I have recently migrated my website from http to https (secure http). All the non-secure HTTP requests are now redirected to HTTPS. While migrating the site I faced many problems and learnt a lot. So here’s the list of steps to perform in making the web more secure :

Selecting SSL Provider :

The first step is deciding on your SSL provider. Many SSL providers are present in the market, like Comodo, Symantec, Verizon, Namecheap etc. They all charge a lot of money but also provide Extended Validation, which means the certificate not only secures the connection but also proves your legal identity, the “operational and physical presence of website owner“.

For normal use you just need a domain-level certificate. From Namecheap you can buy an SSL certificate for 600₹ for 1 year (single domain). For an EV (Extended Validation) certificate it’s good to buy one, but for domain level I suggest you use Let’s Encrypt. Let’s Encrypt is free! It is free because of its sponsors like Google, Facebook, Mozilla, Automattic etc. So I am going with Let’s Encrypt.

Installing SSL Certificate :

Installing an SSL certificate is an easy task if your hosting provider supports Let’s Encrypt. You can check the name of your hosting provider on the list. For non-supporting hosting providers we have certbot. You have to select your software and system. While installing, do redirect all of your traffic to https permanently. It’s an essential step because you now have two versions of your site.

Installing SSL Certificate Successfully v2

After installing, make sure SSL is working properly by testing your site at SSL Labs.

Testing new URLs :

Mixed Content :

If your website uses hard-coded HTTP links, the browser may show a warning for mixed content. Sometimes browsers hide the padlock if they find any mixed content. You can check your URL for non-secure content at JitBit.
Make hard-coded links more robust by changing links:

http://google.com to //google.com . In WordPress you can install the SSL Insecure Content Fixer plugin.

Mixed Content Warning

Getting your Facebook likes back :

Facebook and Google treat http and https links differently. Likes and shares are counted for one unique URL; with any change, you lose all your likes and shares count. Because of the migration you are now using a different link, so all your Facebook counts will change to “zero”.

Likes and Shares are set to zero!

To get back all of your likes, you can use plugins like Warfare Plugin (expensive) or do it manually :

  • Changing .htaccess : In Facebook’s documentation they give a solution: redirect Facebook’s crawler to the old URL. I’ve found a solution on Stack Overflow. You have to add Facebot to the exception list of the redirection. You can find your .htaccess file in your document root. Certbot uses the virtual host method instead. Both do the same thing, but the .htaccess method is less preferred.
  • Point og:url meta tag to old url : If you are using any kind of SEO tool or creating meta tags yourself, you have to change all the og:url tags to the http version again.
    So if you are using the Jetpack SEO tool, Jeremy Herve created a gist for you. I am using Yoast SEO. I’ve created a small plugin for changing links in Yoast SEO.
  • Scraping : By doing both steps above you don’t get back your likes instantly, but after 30 days. Facebook crawls each URL every 30 days after the link is shared. So my first step was going to the Open Graph debug tools and fetching new info for every URL. But the problem was that many sites are so large that fetching each link by hand is not possible.
    To overcome this problem, I researched “How to scrape links by script”. I’ve found a solution on Stack Overflow and tweaked it a bit with file operations. You have to make a list of your URLs in a file and pass it through the script. Use your website sitemaps to get all the links of your website.

External Links :

Any external links to your previous http URLs will take your SEO juice away, so it’s good to change them all.

If you are using Google Webmaster Tools, add the new URLs with https. Don’t delete the previous URLs. Submit sitemaps, and request indexing.

Your Facebook page and Google Analytics are other places where you want to change the link to your site.

Update! HTTPS is a faster protocol than HTTP if you upgrade your Apache to HTTP/2. To compare the two, go to httpvshttps .

Why SSL Certificate is Important for your Website

In today’s world everyone uses the Internet. Everyone wants to be secure. But only a few understand the importance of having a secure version of their website. Adding SSL encryption is one of the ways to protect your website from serious threats. So the questions are “What is SSL? Why do you need SSL? What are the benefits of having an SSL certificate?” I am going to explain why you need an SSL certificate and its advantages. So first of all:

What is SSL?

Secure Sockets Layer is a security technology used for making the Internet a safer place by providing end-to-end encryption to your website, so that the data passed through the network remains private.

SSL secures our websites, but it’s not actually SSL :p SSL is an obsolete technology and has some vulnerabilities that can be exploited by several tools. When SSLv2 was released it had some potential threats that made it useless and hackable. For more on this you can see this answer on Stack Overflow and the DROWN attack.

After such vulnerabilities became known, the web moved to a new technology, TLS (Transport Layer Security), but we still refer to TLS as SSL or SSL/TLS. So we will also refer to TLS as SSL and TLS certificates as SSL certificates in this article.

Importance of an SSL Certificate

1. Security :

The main purpose of SSL is to encrypt information so that only the browser and the hosting server know what information is being transferred. Basically, any information submitted over the internet is transferred through several computers before reaching its destination. A simple Man-in-the-Middle attack can fetch all the information transferred, be it basic bio info or credit card info. By default, http transfers the data in plain text format, so that anyone in the coffee shop using the same ISP can have all your info.

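SSL encrypts all the data in the transport layer before sending it to the network. So if someone is sniffing your information in between, he will only get useless encrypted data. 😛

Example: a simple string run through SHA-512, to show what unreadable output looks like. (SHA-512 is a one-way hash rather than an encryption cipher; TLS itself encrypts with ciphers such as AES so that the server can decrypt the data again.)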

Original : Shubham Pandey WordPress Developer
SHA512: f6c0302f9a3f440abae2a96909e56c9cd565d24d915b6d78b1fc21ffbca9e365fbed707a953c81614394055c261da552be869bd22f12f7864081eb063f121f8e

2. Trust :

Most people who use the internet every day and visit e-commerce websites know that a green padlock in the address bar is good. They don’t know the reason for the padlock and https in the address bar, but they know that it’s safe to surf your website.

A website with a green-ish lock icon in the address bar is a sign of trust, so the user is more likely to buy something or register with your website. Trust is directly linked with the revenue a website makes, because it can bring more users to your website. More users: more revenue.

3. SEO Rankings :

Yes, you read it right: SEO rankings. I do not know if you know this or not, but Google says this in its official blog, HTTPS as a ranking signal. They say “Security is a top priority for Google”. So for sure it boosts your SEO ranking. But do redirect your non-secure website to the secure one, otherwise your ranking will fall (because of the same content on 2 different protocols).

Disadvantages of having an SSL Certificate

With all these advantages, does it have any disadvantages? Yes, for sure it has some disadvantages, but none of them is critical and they can be compensated for with some software or hardware.

1. Performance :

If you are going to encrypt everything before it is served to the user, that will take more resources and memory on the server. It will only affect you when you scale everything up and have a large number of visiting users. Then you can add extra servers or some load balancing software/hardware to reduce the load.

2. Cost :

If you are a normal blogger (like me), meaning you are just serving content but want to protect your users from security threats, this won’t bother you, because you can get a FREE! certificate from Let’s Encrypt and install it for free (I will write another blog on “How to install and configure SSL Certificate in Apache Server”).

But if you have a business website with e-commerce stuff and want to be more authentic to your users, you have to get a certificate from a CA (Certificate Authority). Then you have to pay some money to the Certificate Authority. But if you are in business, you can afford it!!!

Secure HTTPS Signed by CA

Secure over https

TL;DR

SSL is awesome. Change your Website from http to https. Cheers!

Trust begins with understanding. Understanding requires transparency.

Edit : 25 / March / 2017 

I’ve posted another blog on Migration to HTTPS from HTTP.