[WordPress Tips] Migrating from HTTP to HTTPS

[WordPress Tips] Migrating from HTTP to HTTPS

Introduction

Nowadays many browsers show warning signs like “your page is not private”:

WP not private message.

http not private warning.

The problem is because the site is not using HTTPS. But why HTTPS? How to use it correctly? And why all these web server providers charge so much for this “HTTPS certificate”? We will explain these questions below.

Why HTTPS?

HTTPS stands for “HTTP Secure”. It provides more secured internet connection by encrypting the transmitted data into seemly nonsense data. This prevents man-in-the-middle attack where a malicious user intercepts and alters communications between two parties without their knowledge.

HTTPS is primarily used in website login and payment transaction. However now there is a trend of using HTTPS connection for every kind of website.

How HTTPS works?

The way HTTPS works is as follows:

  1. Two parties (A and B) connect to each other and give the other party a “public key” to encrypt data.
  2. When party A wants to communicate with party B, it uses the public key offered by party B to encrypt data. Party A send the encrypted data to party B. Public key can only encrypt but not decrypt the data.
  3. Party B decrypts the data via a secret “private key” that corresponds to B’s public key. Since only party B knows the private key, nobody else can decrypt the data except party B.
  4. Vice versa for party B sending encrypted data to party A.

An analogy is post office’s mailbox. The mailbox is like a public key: everyone can put packages in and they become inaccessible by others except the post office, as only the post office has the “private” key to open the mailbox. Thus sending packages via mailbox ensures packages are transferred confidentially only between the senders and the post office.

Certificate & Certificate Authority

There is a problem of authentication in HTTPS connection. In real world a USPS mailbox’s identity is protected by law authority: it is a crime to create fake USPS mailboxes to trick people for their packages.

On the Internet, a browser also has to make sure that a public key is indeed owned by the domain it intents to communicate with. It does so by checking the site’s “certificate“.

The certificate is essentially a digitally signed file verifying that indeed your domain owns this public key. It is issued by trusted 3rd party entities called “certificate authorities (CAs)“. The CAs are responsible for checking the nature of domain’s owner, whether they indeed own the domains, and put their approval that this public key can be trusted.

If the browser cannot verify the certificate, it would show the big red warning that this site’s HTTPS cannot be trusted, and block your access to the site:

https not trusted error

https not verified warning.

Certificate Package Confusion

Unlike USPS mailbox that is protected by specific federal laws, there are no universal rules specifying how to check a domain’s validity. Should I just check the site ownership? Or should I check if the site owner is a valid business entity?

This results into large amount of different HTTPS certificates offered by many companies, with different service content, and with dramatically different prices on the Internet.

For personal sites, a free, trusted CA is Let’s Encrypt, a non-profit service sponsored by many well known Internet companies like Facebook and Google (Chrome).

lets encrypt

Let’s Encrypt website.

Using “Let’s Encrypt”

Using Let’s Encrypt’s certificate service is as follows:

  1. Hit “Getting Start”.
  2. Select option by whether you have shell access. I have it so I clicked the recommended certbot page.
  3. On the certbot page, enter your web server software and OS version. Then simply follow the displayed instructions.

certbot

Certbot page.

The certbot script certbot-auto is nicely automated to both getting the certificate and configuring your server. Simply follow the instructions to complete the installation.

Remark:

  • Make sure you open the HTTPS port 443 in your server’s firewall before running the script.
  • It’s better not setting up “http redirection to https” during the certbot installation to prevent breaking the site.
  • It’s also a good idea to double-check the newly created config file by certbot to make sure the security configuration is properly copied from your old http config file.

Additional Configuration for WordPress

If you are using wordpress, you might have to do these additional configurations to properly transit to using HTTPS:

Set WordPress Address & Site Address

In admin panel, go to Settings >> General and change your url into https.

Force Using HTTPS for Admin Panel

If you enable both HTTP and HTTPS, it’s better to enforce HTTPS connection to the admin panel. You can achieve this by adding this code in wp-config.php: