Security, Tutorials, Websites

Install an SSL Certificate to change your website’s address from HTTP to HTTPS

Introduction

Google announced last year that they were prioritising sites that had a verified SSL Certificate over those that didn’t. This meant, in SEO terms, that those who made the move or who were already set up that way had a slight SEO advantage (all things being equal, which of course they never are.) They also devised a way to highlight this to the viewer: you may have noticed that some sites now have a website address that starts with HTTPS and also a little padlock that says “Secure” next to them, whereas others just have an exclamation mark in a circle. If you visit a site with the padlock, you can click on it and this message is displayed:The Connection is Secure Message in Google Chrome

Likewise, if you click on the exclamation mark (on an unsecured site) you get this less reassuring message:

Google Chrome message: the connection to this site is not secured

What is SSL?

SSL stands for Secure Socket Layer and is a security protocol that uses a certificate chain between the server that hosts your site and a third-party who is authorised to issue certificates to verify that you are who you say you are online. When you have set up your SSL certificate and followed the steps on your server to verify the certificate, your site’s URL changes from http://yoursitename.com to https://yoursitename.com – and the address shown in Chrome is displayed with the green padlock and is prefixed with Secure |, as shown above.

Do I need an SSL certificate for my site?

I had clients ask me whether this was an essential task and for a while I said that it should be on the to-do list but wasn’t something they needed to rush towards, given the nature of their websites. For anyone trading online, selling products, exchanging personal or sensitive date, the change has been more pressing and really, if that’s the purposes of your site, you should have done this by now. But if you’re not asking clients for their personal information via the web, why the need to change?

There are two main reasons for doing this now. First, as of today, the new version of the Chrome browser marks sites that do not have an SSL certificate as “Not Secure”. Essentially nothing has changed: the site is no less secure today than it was yesterday. The point really is that it’s not as secure as sites that do have an SSL certificate. As more and more sites make this change and we come to expect to see the word “Secure” up there in the address bar, there’s an element of reassurance, of professionalism, to a site that secure over one that isn’t. The second reason is that it can also help with identifying bogus sites and tells your customers that the site they’re on is the real deal. There are some common scams that rely on users not really understanding that the site they’re on is a convincing copy of the real one, and then the scammers use that fake front-end to abuse the trust you’ve placed in the company you think you’re dealing with in order to persuade you to hand over personal details that can then be used to access your bank accounts or cards. So there are definitely benefits to you as a consumer to only interacting with sites (especially for financial transactions) with SSL certificated sites. As a business, it means your customers can come to your site and be assured that they’re not on a copy site, and that it really is you that they’re dealing with, and that any data they send will not be falling into the wrong hands.

How do I make the change to HTTPS on my site?

The steps to create an SSL certificate and install it on your site are given below.

Once you’ve installed the certificate there are three more steps:

  • Fix the links on your site so they use the new https URL (the steps here are for WordPress users, since that’s what I use for my site);
  • Create a redirect to ensure that any searches for the HTTP versions of your site are automatically routed to the new HTTPS address; and,
  • Verify your site’s certificate;

With the optional fourth step of updating your Google Webaster Console.

As you can see, before adding the security certificate, my site’s URL looks like this:

Site URL with HTTP Address

By the time we’ve worked through these steps it will look like this:

Site URL with HTTPS Address


The instructions here assume you’re using a relatively current version of CPanel to administer your site. If you’re using a site builder like Wix or SquareSpace you’ll need to check their site-specific instructions. To help you out I’ve put some links to the most common platforms at the bottom of this page. If you’re not sure about this get in touch.


Step 1: Create and Install your SSL Certificate

1. Login to CPanel and scroll to the the Security section.

2. Click on SSL and then Install and Manage SSL for your site (HTTPS).

Menu Options in the CPanel SSL Security App

3. Click on Certificate Details.

4. Scroll down and click on Install an SSL Website.

5. Select your domain from the drop down and click Autofill by Domain.

You then get a message showing that the certificate field below is completed. That’s it!

When I did it I got a warning in Chrome that it was a self-signed certificate (as in one assigned by the same host as my server.)  Kaspersky decided to chip in too:

Kaspersky Error when clicking Self-Signed SSL Certifcate Site

This means that it has not been verified by a third-party and could, therefore, be a fake! Of course, I know it’s not but what about my customers? Let’s install it properly and verify the details. That will get rid of the warnings.

6. This time click Let’s Encrypt SSL in CPanel. 

Security Apps in CPanel

You can see from the list that I have an SSL certificate assigned to the site but that it is not installed.

List of Domains with LetsEncrypt SSL Certificates

7. Click Reinstall. You can see that the listing changes to show that the security certificate has been installed.

LetEncrypt List of Security Certificates Installed

Great. That’s the first part done. Now if you go to your browser and click refresh on your web page you should see the site listed as Secure.

Step 2: Change Site Links

On WordPress, which is what I use for my site, it’s really easy to do this.

1. Login to your Admin panel (yoursite.com/wp-admin), then click on Settings and General.

The SITE URL field in WP-ADMIN

  1. Change the WordPress Address (URL) and Site Address (URL) values to https.

  2. Scroll to the bottom of the page and click Save Changes.

That’s WordPress done.

Step 3: Redirect Search Engines to your HTTPS Site

If your site has been online for a while you will (hopefully) have other sites linking to you, links from social media, etc. Without a redirect in place the the browser will just assume any pages or posts with the web address starting HTTP have disappeared, which is very bad for your SEO and very bad for your business generally! Setting what’s called a “301 redirect” will ensure that anyone coming to your site from an old link will find your new HTTPS-addressed page. You do this by accessing your site’s htaccess file.

1. Access the server and navigate to your site’s files. You can either do this with FTP or directly via CPanel.

2. Create a local copy of your site’s htaccess file.

3. Add the following code at the top of the file:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^yoursite.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www.yoursite.com [NC]
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301,NC]

4. In the code above, change yoursite.com to the name of your site. My htaccess file now looks like this:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^languedoc121tech.fr [NC,OR]
RewriteCond %{HTTP_HOST} ^wwwlanguedoc121tech.fr [NC]
RewriteRule ^(.*)$ https://www.languedoc121tech.fr/$1 [L,R=301,NC]

You can use any text editor, such as Notepad (installed with Windows) or something more sophisticated, like Notepad++ (freeware).

5. Save and copy the updated file back to your server.

That’s it: the redirect is in place. If you click on an old link to your site, say from a Facebook post, and it should find the right page.

Step 4. Check on your SSL Certificate

This is another non-essential step, but it’s nice to verify it’s all working so I recommend you visit the SSL Labs page to check your certificate. Click on the link below, enter your site’s URL and click Submit. All being well you’ll see the certificate details listed on the page below. 

https://www.ssllabs.com/ssltest/index.html

Now for one more step, which you can skip if you’re not using Google Webmaster Tools.

Step 5: Add your HTTPS site to Google Webmaster

It’s worth having all versions of your website’s address registered in Google Webmaster because Google likes verified sites – and we all want Google to like our sites! If you haven’t already set up your site with Google Webmaster, now is the time to do it. 

1. Sign in to your Google Webmaster account. You can see that there are already register versions of my site with and without the “www” – but nothing yet for HTTPS.

Overview of Sites Registered with Google Webmaster Console

2. Click ADD A PROPERTY.

3. Enter your site’s details, then click Add.

Add a New Site to Google Webmaster Console

4. Select the Alternate Methods tab and choose your method. I like the HTML file upload method, which involves downloading a file and putting in the /public_html file on your site’s server. If you’ve been through the verification process with other non-HTTPS versions of your site, you don’t need to copy the file again.

Verify Site with HTML File Upload in Google Webmaster Console

5. When the file is on your server, click I am Not a Robot and then Verify.

After you click Verify you’ll get a message confirming that your ownership of the site has been verified. Et voila!

6. Now do the same for the HTPPS version of your site but minus the “www” in the site address. For example, your site can be accessed using the URL www.languedoc121tech.fr or just languedoc121tech.fr so both need to be registered with the Search Console.

7. Next, click on Search Console to go back to the overview page (which lists all the domains you’ve registered using the Google Webmaster account) and check the listing. Mine looks like this, with HTTP and HTTPS versions for the variations of the domain name (with and without “www”).

Revised List with HTTPS Sites Added in Google Webmaster Console

That’s it: you’re done!

Conclusion

So there you have it. It’s a little bit of work, a little bit techy places, but not a major job and doesn’t cost a thing if you do it yourself. If a web developer tries to bill you for multiple hours or suggesting you pay for your SSL certificate, then you would be better to find another developer! Or you can contact me, of course.

If you do decide to do this yourself, please leave a comment below. Likewise, if you get stuck or have any problems.

Useful Links

Here are links to SSL installation instructions for some popular website builders.

SquareSpace

Wix

Weebly

Do you need help? Contact me now to arrange a personalised tech support or training session.

 

Leave a Reply

Your email address will not be published. Required fields are marked *