SSL for WordPress sites

         

NickMNS

3:47 pm on Jan 17, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I stupidly opened my mouth about the lack of SSL on a "volunteer" website. I don't know the person managing the site but my impression is that the person has little to no experience with managing anything other than the content. The result will likely be that I will be asked to correct or assist in correcting the SSL situation. The issue is that I have zero experience with WordPress and my impression is that it is a glass black box and that nudging it wrongly will break it.

A quick search on the topic reveals that there are many different plugins available. To me, using a plugin for this seems crazy. But that's just me; I like understanding and being in control of how things work and what is being changed.

For non-WP websites, I use Let's Encrypt, I provision the cert, update the .conf file by including a redirect in the *:80 virtual host and adding the *:443 virtual host. Does this work on WP sites, or are there some other steps required such as implementing redirects in the .htaccess? Finally, is it dependent on how it is set up and what plugins are running and is mucking about the .conf or .htaccess opening a Pandora's box that will end in total disaster?

Why does anyone use WP? [rhetorical]
I see the allure of being able to quickly install, deploy and add content with little to no coding experience, but all that is happening is that this kicks the can down the line to some future point where you need to find an expert to unravel the resulting Spaghetti Bolognese.

not2easy

5:14 pm on Jan 17, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



A lot depends on how many posts and options they have, the quantity of text content. There are plugins for converting old http: links to https: - I have never used one of them so can't recommend.

The easy-peasy way to convert the content to SSL friendly would be to download the .sql as a data dump, use any good text editor to search/replace internal links with either https: or use relative links for internal links and replace external links with "//" rather than guessing about http/https. Ideally you would save the edited .sql with a different name, import it and try it out with a temporary wp-config.php file.

IF it is a small site with half a dozen pages/posts it would be easier to manually edit the text content (pages/posts) via the admin interface than to go through the temporary steps needed for a larger site.

The important part is the steps in the process - out of order can make a mess. Here is my list of steps:
    1. In WP: Update themes and plugins, and back up (!); you might need it.
    2. Set up the domain for https to allow the WP https: changes. - this part can vary, simple if using something like AutoSSL within CP, more complicated if you're buying a cert for ecom, but basically the same thing you would do for any domain.
    3. Back to WP: as much as possible, edit, alter all posts/pages to change http: URLs hardcoded to be either https: or simply / for local, // for external.
    4. Next in WP: in Settings > General change site URL and Location to new https URLs.
    5. Update the .htaccess file. This is in regards to canonical rewrite rules, WP snippet does not need to be edited.


Steps 2 and 3 can be switched, they're in that order in case your certification would cause a delay.

lammert

1:12 am on Jan 18, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Finally, is it dependent on how it is set up and what plugins are running and is mucking about the .conf or .htaccess opening a Pandora's box that will end in total disaster?

The .htaccess file used by WP is http/https independent. If you switch the site to https, there is no need to make changes to this file. The rewrite rule you add from http/https can be added in a separate VirtualHost section in your .conf file and does not interfere with the rewrites in the WP .htaccess file. The VirtualHost section which I use for all WP sites is the following:

<VirtualHost *:80>

ServerName www.example.com
ServerAlias example.com

KeepAlive Off

RewriteEngine On
RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]

</VirtualHost>

tangor

5:07 am on Jan 18, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there a reason the SSL cannot be done at the server level?

tangor

5:07 am on Jan 18, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Or am I missing something?

Lexur

7:18 am on Jan 18, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there a reason the SSL cannot be done at the server level?

That's the question.
With Plesk or cPanel, installing a free certificate with Let's Encrypt, and all of the redirection rules is child's play.

not2easy

5:54 pm on Jan 18, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The SSL is done at the server level, the same as you would do on any site. Preparing the content is the only detail before it is ready to change the Location in the Settings file.

The WP install takes its URL structure from the Settings which is why you would need to log in to admin, go to Settings > General and change it there.

BUT the rest of the steps I listed are to deal with updating the existing content because it is stored in a database as a .sql file. If you don't update the existing http: links in the content they will continue as hard coded http: links and the site will show mixed secure/unsecure content and old image links may be broken as WP does not use relative links. On large old sites that can be a lot of links.

New images and new links will use the new https: URL structure, but data in the .sql file, including image links will not be altered just by changing the Settings.

In the .sql file, the
# Data contents of table `wp_posts`
contains the contents of all pages/posts and can be edited in MySQL or using a text editor. Note that the wp- part of the table name, the prefix, may be different; "wp-" is the default. It is not uncommon to change the prefix to help security, but you'll see that before beginning, if it was done.
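
Added example (not part of any post in this thread): a Python sketch of the search/replace on the .sql dump that not2easy describes in both posts above, rewriting the site's own http: links to https: and leaving external links untouched. It also handles one case a plain text-editor replace breaks: WordPress keeps PHP-serialized values (mostly in the options and postmeta tables) whose strings carry a byte-length prefix, so adding the "s" to a URL inside them requires updating that length. Assumptions: a mysqldump-style dump with backslash-escaped double quotes, example.com as the site host, and the function name and sample rows are constructed for illustration.

```python
import re

# A PHP-serialized string as mysqldump writes it (double quotes are
# backslash-escaped inside the SQL literal): s:27:\"...\";
# Assumption: the string body does not itself contain \";
SERIALIZED = re.compile(r's:(\d+):\\"(.*?)\\";', re.S)

def rewrite_dump(sql, host):
    """Rewrite http://host and http://www.host links to https in dump text.

    Returns (new_sql, links_changed, serialized_strings_fixed).
    """
    link = re.compile(r'http://((?:www\.)?' + re.escape(host) + r')(?![\w.-])')
    counts = {"links": 0, "serialized": 0}

    def to_https(text):
        new, n = link.subn(r'https://\1', text)
        counts["links"] += n
        return new

    def fix_serialized(m):
        old_body = m.group(2)
        new_body = to_https(old_body)
        if new_body == old_body:
            return m.group(0)
        # PHP counts bytes, so adjust the declared length by the byte delta.
        delta = len(new_body.encode("utf-8")) - len(old_body.encode("utf-8"))
        counts["serialized"] += 1
        return 's:%d:\\"%s\\";' % (int(m.group(1)) + delta, new_body)

    out, pos = [], 0
    for m in SERIALIZED.finditer(sql):
        out.append(to_https(sql[pos:m.start()]))  # plain SQL text
        out.append(fix_serialized(m))             # length-prefixed string
        pos = m.end()
    out.append(to_https(sql[pos:]))
    return "".join(out), counts["links"], counts["serialized"]

# Constructed sample dump; example.com and the rows are placeholders.
SAMPLE = r'''INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes'),
(2,'widget_text','a:1:{s:4:\"text\";s:27:\"http://www.example.com/logo\";}','yes');
INSERT INTO `wp_posts` VALUES (7,'<a href=\"http://example.com/about\">About</a> <a href=\"http://other.example.net/\">ext</a>');
'''

if __name__ == "__main__":
    new_sql, links, fixed = rewrite_dump(SAMPLE, "example.com")
    print(new_sql)
    print("links rewritten:", links, "serialized lengths fixed:", fixed)
```

Run it against a copy of the dump and import the result into a test database first, as the thread suggests, before touching the live site.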