Running Your Sites under SSL

Whether or not you have concerns about security for content on your domain, there are very good reasons for understanding to make sure your content is served over SSL, and how the http:// in front of web site addresses is different from ones that start with https://.

The latter are sites that send content that is encrypted. You and are are likely not transmitting super secure information, but when we do log into sites with passwords (like in WordPress), it’s worth setting up your sites to use SSL. But more than that, Google’s Chrome web browser will soon start inserting the word INSECURE before web content not using SSL, and is changing their search results to favor sites using SSL.

One more reason that may come into play later is that there are ways you can bring your domain content into an LMS, using what is known as iframe tags – for this to work, the content must be served over SSL.

the https thing was tricky for those of us at OU because our old fac/student web hosting did not offer https, so switching to @ReclaimHosting & Domains was huge for us: to work with embedded content of any kind, https is the key. now that we have https, options are unlimited! 🙂

— Laura Gibbs (@OnlineCrsLady) July 17, 2018

This may sound excruciatingly like technical mumbo jumbo, but trust us that it’s well worth ot to have an understanding and appreciation for what that one extra “s” in a URL means for your domain.

Reclaim Hosting offers a free cpanel tool that makes it easy to be issuing, managing your SSL certificates. Let’s dive in.

Issuing a Let’s Enrypt SSL Certificate for Existing Sites

Inside your cpanel, look under the Security panel for the icon link to Let’s Enrypt SSL.

Under Issue a new certificate you will see entries for your main domain, and all of the subdomains you have created. Choose one where you have set up a simple site as we did with the cpanel Site Publisher tool.

This might be at the front of your domain, like extendlabs.ca or for a subdomain like about.extendlabs.ca. Find this entry in the list, click the +Issue link. In the next screen, just leave all the default settings, and click the Issue button at the bottom.

What you have done now is enable all URLs from the main domain extendlabs.ca to be available as a Secure site, e.g. try visiting your domain with https://domain.me rather than just entering domain.me or http://domain.me.

This is not terribly exciting, eh? But it is a big step.

You can make your site automatically force serving content over https:// no matter how the URL is entered.

1. Go into your cpanel File Manager
2. Click the Settings button (with gear icon) in the top right, and check the box for Show hidden Files (dotfiles)
3. Navigate to the public_html directory
4. Click the +File menu items to create a new file, name it .htaccess (it must have the dot in front).
5. When the file is created, select it once, and click Edit
6. In this file copy this code exactly and enter it

   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

7. Save the file

If this worked, if you enter extendlabs.ca or http://extendlabs.ca in a web browser it should automatically dispaly the secure symbol and https://extendlabs.ca.

All other URLs in your main domain will work like this.

What About Existing WordPress Sites?

Like you, the Mad Scientists have already done a few activities creating WordPress sites. These two can be easily set up so all content is served over SSL. As you did above, go to the Let’s Encrypt SSL area of your cpanel (under Security).

The top area under “Your domains with Let’s Encrypt™ certificates” lists all sites enabled with SSL certificates. If the domain.subdomain where your WordPress site is installed is listed with a certificate, you are ready. If not, find it in the lower section under “Issue a new certificate”, and click the +Issue link to create the SSL certificate.

Now you need to get to your WordPress Dashboard- do you remember how to do that? (Look in cpanel under My Apps, find your site, and use the 2nd link that ends in /wp-admin. Now…

1. Under Plugins, on the left, go to Add New
2. Enter into the keywords box enter Force HTTPS
3. Look in the results (it should be first) for Force HTTPS (SSL Redirect & Fix Insecure Content)
4. Click the Install Now button and when it is done, click Activate

This plugin will take care of a few things, it will redirect all the requests to the https:// version of your site, and will also take care of tricky situations where your theme may have mixtures of secure and non secure content.

Install New Apps into HTTPS

From now on, you may want to just start by creating new sites to be available over SSL. If they are going inside a domain or a subdomain that already has a Let’s Encrypt SSL certificate, you are ready. If it’s a new subdomain, repeat the steps above to issue the new certificate.

When you are adding an app like WordPress (or others we will explore soon) in the Reclaim Hosting Installatron, when you select a domain, for the Location setting, be sure to choose the one that has https:// in it.

For the Mad Scientists their site will work out of the box for https://thoughts.extendlabs.ca

For this activity, try issuing certificates and setting up existing sites you have made already to be accessed via SSL, or create a new subdomain and add a WordPress site like described in the preceding section.

For further information see Force HTTPS For Your Site in the Reclaim Hosting Community.

Example for "Running Your Sites under SSL":
https://extendlabs.ca/stuff/screens/extendlabs-ssl.jpg