In this article, we will explain how to set up SSL and TLS and how to force your blog or website to use only HTTPS. No coding expertise is needed at all.
These days, one of the most important things everyone should be paying attention to is the safety of connections on the Internet.
Google has started the “war” against non-secure connections by setting Chrome version 56 to warn about this kind of connection and to explain what not to do within the site you are visiting. Worries about safety are growing every day and, most probably, search engines will start to prioritize traffic to those sites that allow a secure connection.
But what do HTTPS, SSL, and TLS mean? What do they do, and why should you have them?
HTTPS stands for “Hyper Text Transfer Protocol” with Secure Sockets Layer (SSL). For that, you will need an SSL certificate (dedicated or shared) and to set up a TLS certificate.
SSL is used to encrypt communication to and from your website, while TLS is a certificate you install on your server so that a client can verify the identity of the server it is talking to. If you need both sides to verify each other’s identity (server <-> client), then you will also need TLS Authentication. But this is not common unless you want to make sure you communicate with specific clients only.
So SSL encrypts the information between both sides and TLS certifies that you are talking to the correct website. This helps to avoid, for instance, phishing attempts, malware injection, etc.
In order to complete this tutorial, you will need:
- hosting (most probably paid, since the free services will not give you access to the server configuration)
- a Cloudflare account
No coding whatsoever is needed.
If you have difficulties setting up the account, please refer to this quick article at Cloudflare.
Setting Up CloudFlare
Step 1 – Ensure you have the correct configuration
Please make sure that you set the nameservers of your domain to point to the CloudFlare nameservers. For assistance, check this article.
Now click on the Crypto icon, as you see in the picture below. Under SSL, choose the Full option if it is not selected yet.
The main difference between the 3 SSL options is that Flexible encrypts data between the visitor and CloudFlare, while the other two encrypt the full route. For Full SSL (strict), you will need a valid SSL certificate installed on your server, signed by a publicly trusted certificate authority, which has not expired and contains the domain name for the request (hostname).
In this example, we are working with Cloudflare's shared SSL. You always have the option to buy an SSL certificate for $5 / month.
Step 2 – Create the TLS Certificates
Now let’s create the TLS certificate. Under Origin Certificates, click Create Certificate.
A box like the one below will open. Choose which hostnames you want the certificate to protect, including wildcards (subdomains). Click Next.
You will now see a new box with an Origin Certificate. Yes, all those numbers, letters and symbols are the certificate (coded…) and the Private Key.
Copy these two codes to your notepad.
Step 3 – Configure your server through CPanel
Now log in to your cPanel, or a similar service that gives you access to your website service, and search for SSL/TLS, like in the following image.
Click on Private Keys and scroll down until you see “Upload a New Private Key”. Copy the key from your txt file and paste it into this box. Add a description if you have more than one certificate, so you can identify it. Click Save.
Note: You must copy the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marks, otherwise the system will return an error message.
Now click on Certificates (CRT) and scroll down until you see the option to upload a new certificate. Copy the certificate code from your txt file and paste it here. Save it and move back to the previous menu.
So far, what we have done is provide your server with the key and the certificate. Now we need to install it.
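If you have a terminal with OpenSSL available, the two blocks saved in Step 2 can be checked before they are pasted into the panel. The script below is an added example, not part of the original tutorial: it checks that the PEM markers are intact, that the private key belongs to the certificate, that the certificate has not expired, and which hostnames it covers. It assumes OpenSSL 1.1.1 or later; the file names and the example.test domain are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for the certificate and key from Step 2.
# Assumes OpenSSL 1.1.1+; example.test and all file names are constructed.

# True if the file still has its PEM BEGIN and END marker lines.
pem_has_markers() {
  grep -q '^-----BEGIN [A-Z ]*-----' "$1" && grep -q '^-----END [A-Z ]*-----' "$1"
}

# True if the private key ($2) belongs to the certificate ($1):
# both must yield the same public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate ($1) is not expired at this moment.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True if the names in the certificate ($1) cover the hostname ($2).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample: a throwaway self-signed certificate with a wildcard
# name, its key, and an unrelated second key, all written to directory $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:*.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other-key.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_sample "$dir"
pem_has_markers "$dir/cert.pem" && echo "markers present"
key_matches_cert "$dir/cert.pem" "$dir/key.pem" && echo "key matches certificate"
key_matches_cert "$dir/cert.pem" "$dir/other-key.pem" || echo "other key does not match"
cert_not_expired "$dir/cert.pem" && echo "certificate not expired"
cert_covers_host "$dir/cert.pem" blog.example.test && echo "covers blog.example.test"
cert_covers_host "$dir/cert.pem" a.b.example.test || echo "does not cover a.b.example.test"
rm -rf "$dir"
```

The last check shows that a wildcard entry covers one subdomain level only, which matters when choosing the hostnames in Step 2.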
Step 4 – Install the Certificate
Go to Install and Manage SSL for your site (HTTPS)
Choose the domain, browse the certificates, and choose yours. Now, if the service asks you for the Certificate Authority Bundle (CABUNDLE), go here and copy the RSA Root Certificate (cPanel doesn’t accept the ECC version). Paste the RSA certificate into the CABUNDLE field and click Install Certificate.
You should now see a green or blue box showing that the certificate was accepted and installed.
Note: If you do not have a dedicated IP address, some web browsers that do not support SNI will probably give false security warnings to your users when they access any of your SSL websites. Microsoft® Internet Explorer™ on Windows XP™ is the most widely used web browser that does not support SNI.
Now if you check your website by typing “https://www.yourdomain.com”, you should see:
However, if you use “http://www.yourdomain.com”, it will not redirect automatically to HTTPS. So we need to configure this.
Step 5 – Force the use of HTTPS
Going back to the CloudFlare website, go to Page Rules and click Create a Page Rule.
Insert the domain URL like “http://www.yourdomain.com/*”. This makes any page under this domain be requested over an HTTPS connection. If you have subdomains, then use “HTTP://*.mydomain.com/*” instead.
You should now get redirected automatically from HTTP to HTTPS.
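To confirm the rule from a terminal rather than a browser, the response to a plain-HTTP request can be classified by its status line and Location header. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample responses are constructed, not captured from a real site.

```bash
#!/usr/bin/env bash
# Added example: classify the response to a plain-HTTP request.
# Reads response headers on stdin (as printed by `curl -sI`) and prints
# redirect-https, redirect-insecure or no-redirect.
classify_http_response() {
  tr -d '\r' | awk '
    NR == 1                    { status = $2 }   # status line, e.g. HTTP/1.1 301 ...
    /^$/                       { exit }          # end of the first header block
    tolower($1) == "location:" { loc = $2 }
    END {
      if (status !~ /^30[1278]$/)            print "no-redirect"
      else if (tolower(loc) ~ /^https:\/\//) print "redirect-https"
      else                                   print "redirect-insecure"
    }'
}

# Live check of one hostname (needs network access; not run by the demo).
check_host() {
  curl -sI --max-time 10 "http://$1/" | classify_http_response
}

# Constructed sample responses.
sample_redirect() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.yourdomain.com/\r\n\r\n'
}
sample_plain() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_wrong_target() {
  printf 'HTTP/1.1 302 Found\r\nlocation: http://yourdomain.com/\r\n\r\n'
}

sample_redirect | classify_http_response
sample_plain | classify_http_response
sample_wrong_target | classify_http_response
```

Run `check_host` once for the bare domain and once for each subdomain you serve, since the page rule pattern decides which hostnames are covered.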
Step 6 – Additional stuff
Now that you have improved the safety of your blog and of your visitors, you should check additional improvements, like enabling DNSSEC or Automatic HTTPS Rewrites.
CloudFlare also provides a CDN (Content Delivery Network) service. This means that you can, for instance, serve the images of your posts through their network, saving bandwidth on your server and making it quicker for your visitors. Furthermore, you can also activate functions like Auto Minify and AMP, which will be very welcome by Google! All this for free!
While no one can guarantee 100% safety, it is important that we keep adding measures and tools to avoid data leakage, DDoS attacks or any other kind of security issues. This article shows you a free, safe and easy way to do it.
Of course, there are other alternatives, and if you are willing to pay, the range is even wider, even within the CloudFlare universe.
You might want to explore Let’s Encrypt, a free, automated, and open Certificate Authority which is supported by several tech giants, like Cisco, Facebook and Google, among others.
In the coming weeks, we will be posting some roundups of must-have WP plugins to increase the security of your blog. Stay tuned!
Thank you for reading.