Securing WordPress

Google and Security

Why is it time to be securing wordpress? Google is now ranking sites lower which don’t use HTTPS to secure their sites, and that includes sites that don’t handle sensitive data. Which could mean less traffic to your site!

Additionally some customers at Development Matters have been alarmed that their wordpress websites were getting warning signs from Google Chrome and Mozilla Firefox. These were healthy sites which now appeared for no reason to be “unsafe”.  New browser updates now will show sites that aren’t HTTPS as unsafe to browse.

Securing WordPress

The good news is, with most competent hosting companies, changing to HTTPS is relatively easy and free to do.  This tutorial is how to do it with Let’s Encrypt but it should work the same with all other SSL certificates.

Please consult with your hosting provider on SSL / HTTPS and see if they provide a certificate that is appropriate for you.  Once activated and enabled on your domain, it would be wise to wait 24-48 hours to pass before changing any settings on your wordpress installation, this allows for DNS propagation and relevant caches to clear.

As stated before we’ve gone for Let’s Encrypt as it is provided by a non-profit organization that issue the certificates for free, and works well with company websites on a wordpress platform.

Once the certificate has been issued and active for more than a day we can now make chances to the wordpress installation.

1 – WordPress

One of the first steps is to change the general settings of your wordpress installation to reflect your certificate.  This is simply going to Settings > General and changing the WordPress Address (URL) and Site Address (URL) values to have the https in the URL.

Securing WordPress

 

2 – wp-config.php

Next we’ll need to update the config file of the installation to force users to browse securely.  Editing the wp-config.php file adding the following lines (below) before the /* That’s all, stop editing! Happy blogging. */  comment.

define('WP_DEBUG', false);
 define('FORCE_SSL', true); 
 define('FORCE_SSL_ADMIN', true); 
/* That's all, stop editing! Happy blogging. */

3 – .htaccess

Then it would be wise to alter the .htaccess file to inform search engines that the paths have been permanently moved.  Add the following (preferably at the start of the file) before wordpress text.

#Make everything go HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

4 – Replacing Old Posts (with SQL)

Lastly, many older blog posts with references to images and internal links to the site will need to be changed.  In SQL you can easily replace this;  we used PHPmyAdmin to run the following lines.   Please note you should replace yourDomainName.com with your domain.

# Update self-hosted embeds (images, iframes, scripts, etc.)
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourDomainName.com', 'https://yourDomainName.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.yourDomainName.com', 'https://www.yourDomainName.com');

5 – Final Considerations

A consideration you might wish to look at is the theme you’re running the site on, if you made the theme yourself please check the CSS files for linking to images scripts and the like, this will cause errors if not appropriately addressed.

Leave a Reply