I have two questions for you:
1 – Do you have a self-hosted WordPress blog that receives a lot of visitors from Google every month?
2 – Do you earn money with that blog?
If the answer to one or both of those questions is yes then you need to make sure your blog is secured with SSL (https) encryption asap!
If your blog doesn’t have any sign-up forms or request sensitive information from your visitors you might be thinking it doesn’t need to be a “secure” site.
Well, that used to be the case, but no longer.
All of the major web browsers will soon begin warning your blog’s visitors that your blog isn’t encrypted – and thus not safe for them to use.
Some web-savvy visitors will understand that an informational blog doesn’t really need encryption and choose to visit your blog anyway. But unfortunately most of your visitors won’t understand that distinction.
You can bet your bottom dollar that the vast majority of visitors who see that warning will click away because they’ll think your blog “isn’t safe”.
And there’s also another reason why you need to install SSL on your blog: Google and the other major search engines will soon start giving preference to secure (i.e. encrypted) sites when they rank pages in their search results for a given search term.
This ranking advantage will be minimal at first, but SSL encryption is sure to grow in importance over time.
Adding SSL encryption to a website used to be a very complicated and expensive process, but luckily that’s no longer the case. In fact, you can now get an SSL certificate for free (and most good web hosts will even install it on your server for free)!
With all of the above in mind, I recently enabled SSL on my own blogs. The process was fairly painless and it was working flawlessly within just a few hours. Here’s how I did it (and how you can too):
In a nutshell, AutoSSL is a script that runs on your server. Once enabled, it will automatically obtain a free SSL certificate on your behalf and install it on your server AND automatically renew the certificate right before it expires.
As you can see, AutoSSL takes virtually all the hassle out of obtaining, installing and renewing an SSL certificate!
Let’s Encrypt is a free, automated, and open Certificate Authority (as self-described by them). They issue free SSL certificates that you can use to provide a basic level of encryption for your blog.
And this is not some fly-by-night operation. In fact, Let’s Encrypt is supported by dozens of major sponsors including Mozilla, Google Chrome, Facebook, Cisco and more.
Note: If your blog is hosted on a shared server you’ll need to have a dedicated IP address. Just ask your web hosting company to assign one to your hosting account (You might have to pay a buck or two per month for the dedicated IP).
If you have a VPS or Dedicated Server you already have a dedicated IP address. That means you’re all set and ready to get started!
The folks at cPanel have put together this fantastic guide to manually enabling AutoSSL and installing a free SSL certificate issued by Let’s Encrypt.
As I mentioned earlier, most good web hosts will enable AutoSSL and install the certificate for you, and usually at no charge.
My own blogs are hosted on a very inexpensive VPS from inmotion hosting (affiliate link).
Inmotion’s friendly tech support folks installed AutoSSL and the Let’s Encrypt certificate for me in a jiffy after I submitted a Support Request. (Thanks for such awesome support!)
Quick plug: I simply can’t say enough great things about inmotion Hosting. They’ve gone over and above what’s expected from a hosting company to make sure my blogs work great and that I’m a happy customer. If you’re looking for a great web host at a great price, check them out!
And now, back to the topic at hand…
2 – After the SSL certificate was installed on my server I did a quick check to make sure I could access the blog via https. All I had to do was append an ‘s’ to the http part of my blog’s URL. This is what I typed into my browser’s address bar:
As expected my blog’s home page came up in my browser with the above URL showing in the address bar. I also tried loading a few pages and posts to ensure that other pages were loading as https as well.
But there was a problem: I didn’t have the little green padlock indicating that RicksDailyTips was now a secure site.
3 – Once I confirmed that my blog’s pages were accessible as https pages I logged into my WordPress Dashboard and clicked Settings>General and changed both the WordPress Address and Site Address to the “secure” version: https://www.ricksdailytips.com.
WordPress immediately logged me out of the Dashboard as soon as I saved the changes, but I was able to log right back in again by visiting the secure version of the login page.
4 – The next thing I had to do was change all the URL references in my blog’s database from http:// to https://.
I could have easily done this using a “Search and Replace” plugin, but to save time I installed a fantastic plugin called Really Simple SSL.
Let me tell you, this plugin is nothing short of amazing! It immediately took care of the URL reference changes mentioned above (on the fly as opposed to making the actual changes in the database).
What’s more, it added a 301 permanent redirect to my .htaccess file to redirect all requests to the non-secure versions of my web pages (http://) to their secure counterparts (https://).
When time allows I’ll go back and use a plugin like Better Search Replace to actually change the URL references in the database from http to https and manually change the .htaccess file to add the 301 redirect, but for now the Really Simple SSL plugin is getting the job done quite well.
5 – Next I tested the 301 redirect by typing the non-secure URL to my home page (my home page URL beginning with http://) into my browser’s address bar. As expected, the page was redirected to the secure https version.
But again there was a problem: Still no little green padlock next to the URL in the address bar.
The problem was due to mixed content issues. The page was still loading a few files and bits and pieces of code from non-secure URLs. And if the page has even one of these non-secure components you won’t get that little green lock (or depending on the browser you’ll get the lock along with a warning).
To help track down the source(s) of the insecure content I enlisted the help of a fantastic tool called Why No Padlock?
Using Why No Padlock is easy. Just type in the URL to your blog’s home page and click the Check button. The tool will scan the page and tell you which resources are loading insecurely (i.e. loading from an http page instead of https).
Fix any issues you find on that page and verify that the browser now shows the little green padlock when you load it. Then check a few other pages and fix the issues there as well.
Note: If you have a large site with hundreds (or even thousands) of pages it will take some time to check every page. You might want to add a note to your blog’s posts and pages asking your readers to report any security warnings they encounter so you can remove the mixed content from those pages.
6 – After I finished resolving the mixed content issues I made one final check to ensure that the entire SSL encryption scheme was working as expected, with no errors. For that I used another fantastic aptly-named tool called Qualys Labs SSL Server Test.
This tool is also easy to use, and it only takes a few seconds. Simply type your blog’s secure URL (i.e. https://www.ricksdailytips.com) into the text box and click the Submit button.
The tool will run a number of tests on your server/site and highlight any issues it finds. Everything came up good to go with my setup (and I breathed a huge sigh of relief!).
Note: A “good” score on this test is nothing less than an A- (actually, an A or A+ is what you’re really shooting for). Keep that in mind when you run the test on your blog.
7 – And that brings me to the grand finale: I signed into the Google Search Console and added a new site for the URL https://www.ricksdailytips.com.
Yes, Google treats the move from http to https the same as it treats a move from one domain name to another domain.
In other words, Google sees the http version and https version of your site as two separate and distinct sites.
That means all the links pointing to your old http pages are NOT pointing to their new https counterparts, but that’s ok.
As long as your 301 permanent redirects are correctly implemented in the .htaccess file (and they will be if you use the Really Simple SSL plugin), Google will recognize and honor the redirects and start sending “link juice” from your old links to the new https versions of your pages.
Also, your http pages will (eventually) be replaced in the Google index with their new https counterparts.
If all goes well (cross your fingers on this one) your traffic level won’t drop due to your enabling SSL encryption on your blog. But if it does the drop should only be temporary.
Conclusion: I hope my experience of converting my blog from unsecured (http) to secured (https) by enabling SSL encryption will help you when you get ready to make the switch yourself.
And yes, you really need to make that switch if you want to keep all the traffic you currently have coming to visit your blog! And you need to do it asap!
As I mentioned above, a good web hosting company can make all the difference here. If your current host can’t or won’t give you the level of support you need you should carefully consider switching to one that will.
The customer service and technical support I’ve received from inmotion Hosting has been nothing short of spectacular. Click here to read more about why I switched from my old host to inmotion!