Google – Making the Internet more secure

With Chrome 62 around the corner (due in October 2017) and Google’s push to make the web ever more secure, it’s imperative you start to think about moving your site to HTTPS sooner rather than later.

The new Google rules for contact forms on HTTP

Example HTTP contact form on Chrome 62

Example HTTP contact form on Chrome 62

Would you enter data into a form labelled “not secure”? No? Then your customers probably wouldn’t either.

Thankfully, SSL is cheaper than ever to implement and if you’re on WordPress it’s not difficult to do either.

Step 1: Get an SSL certificate.

You used to have to pay for these, and you still can, there are some reasons you may want to purchase one. But for the majority of small business owners, you probably don’t need to.

Most hosts now support Let’s Encrypt, which is a free SSL certificate.

Rather than re-invent the wheel, I’m going to link to the hosts tutorials for getting the certificate in place.

Siteground instructions are here

And TSOHost are here

In both instances, skip the “enforce / force SSL ” for now, we’ll come back to that later.

Step 2: Change your WordPress homepage to HTTPS

This bit is usually a doddle, head over to Settings – General, and add an “s” in front of the HTTP then click save.

Sometimes, depending on your installation, these options are greyed out. In which case, go into your File Manager or FTP. Open wp-config.php

And add the following two lines, obviously putting your own domain name in them (assuming you are using the default prefix of WP, but the prefix is also listed in your config file, so it’s easy to spot).

define('WP_SITEURL', 'https://www.yourdomain.com/');

define('WP_HOME', 'https://www.yourdomain.com/');

Step 3: Update your database

Ok, so now your site is secure. But some of your attachments, images and links will still be pointing the HTTP version. This can lead to some “mixed content” warnings, and you still won’t get the green padlock in Chrome.

For this step, you need to log into your PhpMyAdmin from your CPanel and run an SQL query, the details of how to do this are found here.

First you need to run this query:

UPDATE wp_posts SET `post_content` = REPLACE (`post_content`, 'src="http://www.yourdomain.com', 'src="https://www.yourdomain.com');

This searches your database for any attachments you’ve added to posts that are using src=”http….” and replaces them with links to the now secured data.

Once you’ve done this, you then need to run:

UPDATE wp_posts SET `guid` = REPLACE (`guid`, 'http://www.yourdomain.com', 'https://www.yourdomain.com') WHERE post_type = 'attachment';

This does the same thing, but to your attachments.

Step 4 – Force SSL

Now all that’s left to do, is the bit I told you to skip earlier. Go back to Step 1 and the instructions for adding SSL and follow the instructions for Force SSL.

Regardless of host, I prefer the method of adding a rule into your .htaccess file which is located in the root of your site.

Simply add:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

and it will redirect any incoming HTTP requests to your HTTPS one.

One Final Important Note

Google sees your HTTPS site as a different asset to your HTTP one, so you need to re-add your site in Google Search Console as HTTPS.

If you’re using Yoast (and you should be) you’ll also need to disable, save, enable, save the XML Sitemap functionality, so that it generates it with the new URLs.

And then you’ll need to add these sitemaps to Search Console under the new asset. All fetches and analytics should then be done under this version.

I’ve read the instructions and I’m still not brave enough to do it

Then get in touch through the contact form, and I’ll give you a no obligation quote for doing it for you.