06 Mar 2019

What to start with? Which SSL certificate to choose?

Which SSL certificate to choose?

First, there are different types of SSL certificates:

  1. Domain Validation: This is the typical certificate and usually the cheapest. These certificates provide basic encryption, are issued very quickly and require only a simple verification of domain ownership.
  2. Corporate Validation: These certificates include authentication of the company and/or organization that owns the domain.
  3. Extended Validation: With this type of validation, the CA performs an in-depth review of your business before issuing the certificate. This SSL certificate offers the highest degree of security.

Enable SSL certificate

There are as many procedures as there are hosting setups, and the steps differ depending on your provider (dedicated, VPS, shared, …).

For shared hosting, ask your host; some include SSL certificates in their plans.

Beware of the SSLv3 POODLE flaw

A Google team recently highlighted a security flaw in the SSL protocol used to encrypt data exchanges between a browser and a website. When exploited, it allows an attacker to impersonate the victim and access private data on a service such as webmail or a bank's server.

This SSL vulnerability has been dubbed “POODLE”, for Padding Oracle On Downgraded Legacy Encryption. It exploits the old version 3 of the SSL protocol, released 15 years ago, which provides the encryption for a transaction. A more robust and widespread method nevertheless exists: TLS 1.0. However, websites still use SSLv3 to ensure compatibility with Internet Explorer 6 on Windows XP. Above all, the technique can simulate a connection problem and force a browser to switch from TLS to SSLv3.

In conclusion, to guard against it, you will have to disable SSLv3 on your server.

Finally, to check the quality of your SSL certificate, simply test your domain on https://www.ssllabs.com.

Source : wpformation

06 Mar 2019

Shift WordPress from HTTP to HTTPS

From HTTP to HTTPS, how?

To move your WordPress site to HTTPS, as we have seen, you must obtain an SSL certificate for your domain name, install it on the server and finally change the website's permalinks from HTTP to HTTPS.

All links in WordPress (such as attached images, theme CSS and JavaScript files) are built from the installation URL, so to switch WordPress from HTTP to HTTPS, the installation URL must be changed from http://mywebsite.com to https://mywebsite.com

Log in to your WordPress dashboard and go to Settings >> General. Make sure the WordPress address (URL) and the website address (URL) are in https.

To easily enable (and enforce) administering WordPress over SSL, the FORCE_SSL_ADMIN constant must be set to true in your wp-config.php file, which forces all logins and administrative sessions to take place over SSL.

define( 'FORCE_SSL_ADMIN', true );

If your WordPress site uses a content delivery network (CDN) to serve its components (images, JavaScript, CSS style sheets), check that all of those URLs use HTTPS; otherwise web browsers will not consider your site's HTTPS connection fully secure.

What to do next?

Now that WordPress has been successfully moved to HTTPS, there are still a few things to do!

Do not forget to redirect! To set up a permanent 301 redirect, add the code below to your .htaccess file.

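RewriteEngine on
# Redirect only plain-HTTP requests; without this condition the rule also matches HTTPS requests and loops
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^yourwebsite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.yourwebsite\.com [NC]
RewriteRule ^(.*)$ https://www.yourwebsite.com/$1 [L,R=301,NC]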

Then look for all the URLs starting with http:// … in your content. To do this, simply view the source code of your pages; sometimes there are real surprises …

Force HTTPS for the canonical URLs of your website; this is all the easier if you use the SEO by Yoast plugin (set it under SEO >> Permalinks).

There are WordPress plugins for HTTPS; personally I did not use them, but they can still be useful:

Finally, do not forget to inform Google via Google Webmaster Tools of this change. Just validate your new domain in HTTPS and declare the transfer.

The checklist after the move to HTTPS

To remember all this, make sure to:

Source : wpformation


© 2023 Gozil. All rights reserved