How do you make sure your website is secure? In this episode I’m going to tell you one more thing you need to know when creating your first WordPress website: how to install an SSL certificate on your website, and what you might be dealing with if you don’t do this at the very beginning. These are the questions I’ll be answering:
- What is SSL?
- What is it for?
- How do you install an SSL certificate?
- What is mixed content?
- And how do you solve this?
In the previous episode of this blog series, I introduced you to my 5 favourite plugins. I told you what you can use these for and why I can recommend them to you.
Let me begin by explaining what SSL is. Have you ever noticed that on many websites, there’s a little padlock icon before the domain name in the URL? This icon lets you know that the data exchange via the website is encrypted with SSL. SSL stands for ‘Secure Sockets Layer’. To put it simply, it’s an internationally recognized computing protocol that enables an authenticated and encrypted internet connection between computers in a network. In turn, this enables secure data relaying. In 1999, SSL was succeeded by TLS (Transport Layer Security) but this technology is still called SSL or SSL/TLS.
Secure data exchange
So, SSL ensures secure data exchange between your website and your visitors’ computers. This is very important when visitors enter personal data, for example, on a contact form, when subscribing to your blog or newsletter, when making payments in your webshop, or when logging into an account on your website. Another way of recognizing a website with an SSL connection is by looking at the domain name in the URL. If the website has a secure SSL connection, the domain name will be preceded by the letters ‘HTTPS’. HTTPS stands for ‘Hypertext Transfer Protocol Secure’ and is the successor of the less secure HTTP, which stands for ‘Hypertext Transfer Protocol’.
For an SSL connection you need an SSL certificate. Most web hosts provide a free SSL certificate once you register a domain name with them. There are various types of SSL certificates. At the very least, they provide information on the certificate holder (that’s you), the domain name, the certificate issuer, the country in which it has been issued and the period of validity. Validity varies between 3 months and several years, and is usually renewed automatically.
So, there are free certificates, but also paid certificates that vary in price between € 10.00 and approximately € 3,000.00. This big difference in price relates to the degree of validation that goes with the certificate. There are certificates for Domain Validation, Organisation Validation and Extended Validation. A higher degree of validation enables more comprehensive proof of certificate and website ownership. If your website doesn’t have an SSL certificate yet, I advise you to take care of this now. Firstly, it’s safer; secondly, visitors will be more inclined to trust your website; and thirdly, search engines will rank your website more highly.
How do you install a free SSL certificate?
The easiest way of getting an SSL certificate is via your web host. There you can install one for free from Let’s Encrypt. There will probably be instructions on your provider’s website, but I will now show you how to install a free certificate on your website in 4 steps.
Login to your web host’s management panel, for example DirectAdmin or cPanel. I myself use DirectAdmin and the following instructions are based on this. However, the steps you take in cPanel are very similar. Once you’ve logged into DirectAdmin, select your domain name first. Then scroll down a bit until you get to ‘Advanced Features’. There you click ‘SSL Certificates’.
You will arrive at the SSL Certificate page. Here you click the ‘Apply’ option to apply for a Let’s Encrypt certificate.
Shortly afterwards, around 1 minute, you will notice on the screen that the domain name has received a certificate and that the status has been granted.
Now go back to the main screen in DirectAdmin and click ‘Domain Setup’ in ‘Your Account’. Click your domain name here and you’ll see two panes. If in the second pane, the lower little button hasn’t been selected, then select it now by clicking it. Then click ‘Save’ followed by ‘OK’ in the notification pane that appears. Your SSL certificate has been installed.
As soon as you’ve installed the certificate by following these steps, it would be wise to read the rest of this episode, even if you’ve installed the certificate on an existing website. That’s because you have to adjust a number of things in the backend of your website to make sure that the SSL connection actually takes effect.
Do you want to install a paid certificate instead? This is possible. How you do this depends on your web host, which is why I advise you to contact them or check out their manuals or instructions. It usually amounts to the following: you insert the contents of a .crt file, that you receive from the certificate issuer, below the so-called ‘private key’. You then save the contents and subsequently install the root and intermediate certificates. Last of all, you save the certificates.
Need help? Do not hesitate to contact me!
Mixed content doesn’t go together well
In any case, it’s best to install the SSL certificate before you further develop the theme. Have you already been working on the website design and installed the certificate afterwards? Or did you install the certificate on an existing website because it didn’t have one yet? In this case, you might be dealing with a mixed content error. What does this mean? When you create a website, you create content that is loaded as soon as someone enters the web address of your website. If part of this content was created via an HTTP connection and the rest via an HTTPS connection, two types of content will have to be loaded. Hence the name mixed content: a mix of HTTP and HTTPS content. Unlike Duo Penotti, this mixed content doesn’t go together well, which means your website won’t be loaded properly.
How do you solve this?
Luckily, this is fairly easy to solve with a search and replace command, where you change HTTP into HTTPS wherever you come across HTTP. Now all of the old HTTP URLs will be replaced (updated) by HTTPS URLs. You can use the Velvet Blues plugin for this. Afterwards, you will also have to change the WordPress URL and the website URL. You can do this in the configuration file that you used to load the MySQL database with before installing WordPress manually. You can also go to the general settings on the WordPress dashboard. In addition, I advise you to add the so-called ‘force SSL’ code in your configuration file. This will force the connection to be made via SSL. Here is the code that you can simply copy and paste.
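/* SSL */
// Note: FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers both the login page and the admin area.
define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );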
Besides carrying out the search and replace command, you’ll have to do what you did when loading the MySQL database. You’ll need Filezilla or Cyberduck for this. Add a file with a ‘find and replace data script’ to replace the old script. Remove the file immediately after you’ve done this to prevent your database from being hacked. Is this too difficult for you or are you having difficulty with something else? Feel free to contact me.
Summary of ‘Need extra help with your first WordPress website?’
We’ve now come to the end of this ‘Need extra help with your first WordPress website?’ blog series. I have made a brief summary of the 5 episodes for you.
When you install WordPress manually, you use the configuration file that has been downloaded to create a MySQL database. You then load this with data and settings that you need in order to create the website. In this episode, I also explained what to do if there’s a critical error.
In this episode, I took you on a WordPress dashboard tour. I explained what the various menu items are for and how you can create and edit a menu.
This episode was about Divi, an all-in-one theme and page builder. I mentioned Divi’s advantages and tremendous user-friendliness, but also what difficulties you can run into.
In this episode, I introduced you to my 5 favourite plugins and explained what they do. The plugins are: Yoast SEO, WPML, WooCommerce, WP Rocket and Gravity Forms.
This final episode was about creating an encrypted data exchange between your website and your visitors’ computers via SSL. In addition, I explained how you can solve the problem of mixed content.