SSL for bloggers

SSL for the extra paranoid blogger!

SSL stands for Secure Sockets Layer and is commonly used on a website whenever confidential information is passed between the client and the server under the HTTPS protocol. Commonly, SSL is used for e-commerce because, you know, credit card data security is kind of important!

But if it's for commerce, why have it on a WordPress site that sells nothing? What the hell, S? What are you doing wasting perfectly good money on a protocol that has no benefit to you whatsoever!?!?!

Oh, but it does! And for those with the cash to do it, it benefits just about any blogger! Read on if you want to know more.

Let's just dive right into this topic here.

Benefits of SSL:

  • Overall Security - This site enforces the HTTPS protocol as of 09/25/16, meaning that even if you arrive at this site via standard HTTP traffic, any links you click on will bring you into HTTPS. This gives you privacy on my site regardless of what network you may be on. Firewalls, network administrators, and so on will not be able to see what you're seeing. Those people would have to actually visit my site themselves to determine what's going on.
  • No third party hijacking hilarity! - Whenever you log in to a public access point there's a potential for that access point to inject banner ads and pop-ups during your visit. This is both shady and annoying, especially if you have already paid for the Wi-Fi service, like in a hotel or via your cable provider (Time Warner Cable and AT&T in my area are the worst about this). With an HTTPS connection it is impossible for the public access point to inject ads into what you, the user visiting my website, see without breaking everything about the security layer. So in effect, you will see this site as it's intended instead of through the banner-ad hell of some garbage Wi-Fi hotspot.
  • Search Engine Optimization (SEO) - Ugh, there are some terms on the net I wish were totally removed from the vocabulary. But according to Google, this apparently helps you rank better because Google trusts you. If they're not even maintaining SiteRank scoring anymore, is it really that important? We don't know. We think SEO is a fraud. So take this "Advantage" with whatever grains of salt you want.
  • Newer internet protocols - There is an array of other reasons why Google is rewarding users for this as well, such as the introduction and roll-out of HTTP/2, which is the first revision to the original HTTP 1.1 protocol in almost 15 years! It is based on Google's SPDY protocol, and it has been known that you can do HTTP/2 without SSL, but Google is making sure that browsers do not support it that way for a variety of reasons. People seem to be really hyped about it, but it will take many years before it is adopted down to the web-hosting level. This is mostly because customers don't even know if they want this on their site.
  • Mobile Client Support - WordPress does have a mobile client for Android. However, the only way this client will work with your privately hosted website is if you have an SSL connection, for obvious reasons: tablets and phones can be easily hacked over public Wi-Fi.

In order to use SSL / HTTPS you must get a security certificate.

Since we're hosting through AnubianHost, the provider was able to get me this certificate in a matter of minutes. You can, of course, try to get your own certificate through the many providers out there, but it's not a straightforward process if you go at it on your own. This, of course, caused a bunch of changes since I needed a dedicated IP and this very domain name needs to be the primary one that holds the SSL certificate. You can't have multiple domains on one IP each holding their own SSL. It's for this reason, along with generating the certificate, that this process will cost some money.

The clean-up of WordPress for SSL / HTTPS:

In the "not so much fun" category of WordPress for me is all of the cleanup I had to do to legacy articles. Just to give you an example, take the logo on the front page of my site.

<img class="alignright wp-image-1897" src="http://www.s-config.com/core/wp-content/uploads/2011/12/S-Config-logo.png" alt="S-Config Logo" width="200" height="151" />

Typical Mixed Content Warning Message.

This is no good, because it will cause my website to get a "Mixed Content" SSL warning.

The way to correct this is simply to make the link relative. Regardless of whether the user is visiting my site via HTTP or HTTPS, all data will be delivered according to the protocol used.

<img class="alignright wp-image-1897" src="/core/wp-content/uploads/2011/12/S-Config-logo.png" alt="S-Config Logo" width="200" height="151" />

WordPress - General - HTTPS URL change.

At the time of this posting, the WordPress CMS has no good way to easily migrate from a traditional HTTP site to HTTPS. Sure, it gives the option to change your website name in the general tab, which will help out things like the menus and widgets. But currently, there's no way to change the data on the fly within the database of WordPress itself (at least not without inciting a lot of problems, like some of the plugins out there).

Plugins:

You can use temporary solutions like WordPress HTTPS. However, HTTPS plugins for WordPress are like temporary band-aids. Ultimately you're going to have to rip them off in order to get other plugins working (such as AMP) and in order to do that you'll have to go through the hard work of finding every image that you use in your theme customization, your custom coding, your comments, and your pages and postings.

Manually fixing pages and articles within WordPress:

One way of fixing those pesky old articles is by editing each of your pages and blog entry points.

WordPress Edit Mode and Select All.

You could go entry by entry and edit each of them. Select the Text tab to reveal all of the HTML code that is currently within your blog article. Highlight and copy all of it.

Using a program such as Notepad++ (or Gedit in Linux) you could go through and use the replace feature to find anything with http://www.s-config.com and replace it with just //www.s-config.com. Now, it's important to spell out the full domain name. Otherwise, you may overwrite outbound links to sites that may or may not have HTTPS installed as of yet.

Once you are done modifying everything in Notepad++ you can copy all of the text and paste it back into your WordPress editor and save the updated page or blog article.

The manual method will catch all of your internal URLs. But it's slow to almost impossible if you have a blog space with several thousand articles!

The htaccess file.

Once you have verified that HTTPS is working 100 percent by making your first HTTPS page, the next thing to do is to start forcing everything towards HTTPS. This is what I put into my .htaccess file.

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

SQL fixing your WordPress

Note: always back up your website prior to passing any commands in SQL. None of us on the net are responsible for any damage that you do.

Now for those with thousands of blog entries, you may want to take the SQL hacking approach with the following.

This is to catch all entries which are throughout your blog:

UPDATE wp_posts 
SET    post_content = ( Replace (post_content, 'src="http://', 'src="//') )
WHERE  Instr(post_content, 'jpeg') > 0 
        OR Instr(post_content, 'jpg') > 0 
        OR Instr(post_content, 'gif') > 0 
        OR Instr(post_content, 'png') > 0;

This is to catch single quoted entries:

UPDATE wp_posts 
SET   post_content = ( Replace (post_content, "src='http://", "src='//") )
WHERE  Instr(post_content, 'jpeg') > 0 
        OR Instr(post_content, 'jpg') > 0 
        OR Instr(post_content, 'gif') > 0 
        OR Instr(post_content, 'png') > 0;

And then the custom fields:

UPDATE wp_postmeta 
SET meta_value=(REPLACE (meta_value, 'iframe src="http://','iframe src="//'));

This method will cover about 80% of the links on your site. Other links such as videos or music may have to be edited manually.
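To find what the replacements above missed, here is an added example (not code from the original post) that audits a post body for subresources still loaded over http://, separates this site's own URLs from third-party ones that need a manual check, and rewrites only the own-domain URLs, as the Notepad++ step advises. The function names and the sample post are made up for illustration; example.org and example.net are placeholder hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "www.s-config.com"  # the domain named in the article
# Tags whose src is fetched as part of the page (what triggers mixed content).
SUBRESOURCE_TAGS = {"img", "script", "iframe", "audio", "video", "source"}

# Constructed sample post body; the example.org / example.net hosts are placeholders.
SAMPLE_POST = """<p><img src="http://www.s-config.com/core/wp-content/uploads/2011/12/S-Config-logo.png" alt="S-Config Logo" /></p>
<p><a href="http://www.s-config.com/about/">About</a></p>
<iframe src='http://video.example.org/embed/123'></iframe>
<img src="//www.s-config.com/core/ok.png" />
<a href="http://blog.example.net/post">outbound link</a>"""

class MixedContentFinder(HTMLParser):
    """Collect (tag, url) for every subresource still requested over http://."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in SUBRESOURCE_TAGS:
            for name, value in attrs:
                if name == "src" and value and value.lower().startswith("http://"):
                    self.hits.append((tag, value))

def audit(html, site_host=SITE_HOST):
    """Return (own_site, third_party) lists of leftover http:// subresources."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    own, third_party = [], []
    for tag, url in finder.hits:
        bucket = own if urlsplit(url).hostname == site_host else third_party
        bucket.append((tag, url))
    return own, third_party

def fix_own_links(html, site_host=SITE_HOST):
    """Rewrite http://<site_host> to //<site_host>; every other host is untouched."""
    # The lookahead stops look-alike hosts such as <site_host>.example.net matching.
    own = re.compile(r"http://" + re.escape(site_host) + r"(?=[/?#\s\"']|$)", re.I)
    return own.sub("//" + site_host, html)

if __name__ == "__main__":
    fixed = fix_own_links(SAMPLE_POST)
    own, third_party = audit(fixed)
    print("own-site http:// left:", own)
    print("third-party, check by hand:", third_party)
```

Anything left in the third-party list is the video or music embed that has to be checked by hand before its scheme is changed.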

Final thoughts.

The simplest solution would've been me just getting an SSL certificate right away and starting the blog in pure HTTPS/SSL mode! But like many people who start down the road of owning a blog, you have zero idea as to where it will end up and go. However, as annoying as it is to get SSL set up, it's worth it.

I've heard of the controversy over the speed of HTTPS, that it's slower, and in some cases, yes, it is. If the browser is an older browser then there may be some issues with establishing that socket layer first prior to transfer. For example, on my Firefox, it can take up to a second to load. But if I load this site on my phone or tablet it's almost instantaneous. Even under the worst-case scenarios I will still accept it over having no encryption whatsoever. Understand that if this site goes to HTTP/2 then there is nothing I really have to prepare WordPress for. All of HTTP/2 is literally handled by the Apache web-daemon. But right now I've placed myself in a position to be ready for it: to be one of the few blogger sites that will take advantage of it because of our bizarre fascination with security and making sure no one is monitoring you, including ourselves.

Until next time, that's what server said.

END OF LINE+++

 
