Last night I purchased an SSL certificate for levidsmith.com, so my site can now be accessed via https. It may take a while for search engines to update the links in their engines to use the https URLs. It was a little more than $100 to have a certificate issued for 2 years.
I’m very familiar with CSRs (certificate signing requests) and installing signed certificates for web servers. The price for my web certificate was fairly steep, but it did automate the signing and installation process. Next time I may shop around and see if I can get a better deal. It’s a fairly simple process, but for public websites you’re pretty much forced to use one of the root certification authorities (registrars) that are defined in the Windows certificate store (Internet Explorer, Opera, Chrome) or the Firefox certificate store. I highly recommend looking through your certificate store, and removing any trusted root certificates that are questionable (such as CNNIC or the Hong Kong Post Office).
You can see the Windows certificate store by entering certmgr.msc in the run box. Then open the Trusted Root Certification Authorities folder and select Certificates. The Firefox certificate store can be found in the Privacy and Security settings under Certificates.
One thing that I had to fix was updating the site URLs in WordPress under Settings > General. There were a few other URLs in my functions.php file that had to be updated to use https. My wiki also no longer worked, so I had to remove one outdated .htaccess file in the wiki directory, and I had to rearrange the rules in the main .htaccess file for my site.
It would be nice if my site automatically did an HTTP 301 redirection when using http, but from what I’ve read the optimal solution is to make a change at the web server configuration level, which I don’t have access to. I may try to do a mod_rewrite change to redirect to https, but I’m just happy that it’s working right now. Clicking any of the links on my site will automatically transfer to the SSL encryption version.
After doing some research, I found that creating a few mod_rewrite rules is the correct way to do a 301 redirect for the secured version of the site if direct access to the web server configuration files is not available.
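A sketch of what such rules can look like in a site's main .htaccess file, added here as an example and not taken from this site's actual configuration. The hostname `www.example.com` is a placeholder, and the second block is the stock rule set that WordPress writes; the redirect is placed above it so that it runs before the catch-all rewrite to index.php.

```apache
# Constructed example: force HTTPS with a permanent (301) redirect from .htaccess.
# Assumes mod_rewrite is loaded and the host allows rewrite rules in .htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On

# %{HTTPS} is "on" for requests that arrived over TLS and "off" otherwise.
RewriteCond %{HTTPS} !=on

# Assumption: TLS terminates in Apache itself. If a proxy in front of Apache
# terminates TLS, %{HTTPS} stays "off" and the rule below would redirect forever;
# in that case test the forwarded scheme instead of %{HTTPS}:
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Redirect to a fixed hostname (placeholder) rather than %{HTTP_HOST}, so the
# Location header never echoes a client-supplied Host value. The original
# query string is carried over automatically.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Requesting any http:// URL on the site with `curl -I` should then return a 301 status and a `Location:` header pointing at the matching https:// URL.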
This may not make a huge difference since I’m not running a site with financial transactions (buying or selling), but it will add a bit of extra protection whenever logging into WordPress or MediaWiki, especially when logging in using public WiFi. Having the SSL certificate also displays a lock next to the address in most browsers, and eliminates any browser notifications that my site is unsecure.
I found one more problem with my site. All of the embedded images still use http:// instead of https://. This causes a problem, because most browsers will show your site as insecure if any of the images are not using https. I found a site that gives the appropriate command to use to update all WordPress images to use https. I had been doing this manually with a search and replace, but with so many pages, it would take a considerable amount of time to change them all.
UPDATE wp_posts SET `post_content` = REPLACE(`post_content`, 'src="http://www.your-site.com', 'src="https://www.your-site.com');