#138: Walking Through an HTTPS Conversion on WordPress

Avatar of Chris Coyier
Chris Coyier on (Updated on )

We just recently moved to “HTTPS everywhere” right here on CSS-Tricks. I wrote up a blog post detailing the steps to get there. This video is a companion to that, talking through the steps, as I know some folks prefer that style and the type of detail it affords.

I should note that I’m not an expert on this stuff. I’m sure there are different types of SSL certificates that can be installed in different ways and that offer different levels of security. I can’t tell you about Heartbleed. I don’t even know how you get the kind of certificate where it says your sites name by the green lock like some sites have (e.g. Stripe). If you’re interested in advanced stuff like that, this isn’t the video for that.

Some things talked about in the video:

  • Firesheep shows just how easy it can be to snoop public website traffic. Can’t do that over HTTPS.
  • ISPs (and other internet middlemen) can mess with network traffic, don’t things like inserting their own ads. Even Google itself. Can’t do that over HTTPS.
  • HTTP/2 stuff will be awesome for web performance, and it’s likely some browsers will require HTTPS to use it.
  • Just getting your host to install your SSL certificate for you is probably slightly more expensive but it will (probably) be done right and be less work on your part.
  • If your site facilities any secure information being transmitted whatsoever, even if it never hits your servers or you never store it, your site should be HTTPS. At the very least, those pages that have the secure stuff, like login pages or signup pages.
  • WordPress has a simple setting for turning on HTTPS for the admin area, which will be easier to get working than user-facing part of your site.
  • If you can’t yet go HTTPS everywhere on the user facing part of your WordPress site, there is a plugin that helps makes individual pages HTTPS as needed.
  • Once you can force HTTPS everywhere, you can ditch the plugin and use this HTAccess snippet.
  • Make sure you change all the settings you possibly can to let them know your site is now http:// – to avoid redirects. For example, your CDN, and the settings right in WordPress itself.
  • Google says HTTPS factors into search rankings.
  • On an existing site with lots of content, perhaps the most work involved will be cleaning up “mixed content warnings”. You don’t get the secure green lock of HTTPS if you, for example, link to an image over HTTP. Worse, a script linked to insecurely won’t run at all.