Moving To a Fully Secure Website

Written by Nick Leffler

This post is a bit outside the realm of WordPress and the WordPress difficulty level I usually write at. I still decided I wanted to write about the topic and document my process though.

This would be helpful for those that have purchased a secure certificate, have it working for portions of their website but want a fully secure website.

I decided to make my wife’s website fully secure (front and back-end) and not just payment pages and some log in pages (some did not switch over to SSL which concerned me).

My wife’s website is an eCommerce website that has a sign-up form and can exchange private information such as usernames, passwords, addresses, phone numbers, etc. If a website is transmitting anything private or any personally identifiable information (PII), then it’s a must to secure that information as it traverses the Internet.

Rather than leaving it up to WordPress and 3rd party plugins to decide when it’s best to switch to SSL, I wanted it all to be SSL. I was having an issue with a 3rd party plugin that had a sign-up form and login form but didn’t switch to SSL so all that information was in the open, not good.

After failing to work with the developer to have the necessary parts of the website switch to SSL as WooCommerce does, I decided to go full SSL.

I already had the secure certificate in place and working for portions of the website. You don’t want to try this unless you’ve purchased an SSL certificate and have that working properly.

Going SSL

GoDaddy Solution

My first solutions to force the entire website into SSL had many failures. I searched the Internet for different codes and would end up with partial SSL, no SSL, or even worse complete server errors.

I gave up my search and contacted GoDaddy support (that’s who I’m using for hosting), who were helpful in finding a solution. The support guy I called fortunately had a solution he was using on his website successfully. At first glance it worked out great and seemed to solve the problem. The more I played with it though, the more I found that it didn’t meet the full SSL solution.

I wanted users no matter where they came from or how they typed the URL to always be redirected to the SSL version of my website.

It worked well if I typed in domainname.com, but if I typed in www.domainname.com it failed to redirect and would stay in unsecured mode until I clicked a link. This wasn’t acceptable; I wanted a website that didn’t even have an unsecured version available.

All of these codes have to go into the .htaccess file in the root directory of your server (usually the public_html folder).

This is what GoDaddy provided as a solution:


# BEGIN GD-SSL
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
RewriteCond %{SERVER_NAME} ^yourdomain\.com$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Header add Strict-Transport-Security "max-age=300"
</IfModule>
# END GD-SSL

Almost There

I figured at this point I was on my own if GoDaddy couldn’t even figure out how to properly create a 100% secure website, so I went on another search. I feel after I was better equipped with what to search for, I was more successful at finding solutions that worked a little better, just not all the way.

I found the next solution in a forum, where it was quoted directly from the Apache documentation. This solution was much more successful for the root domain and forwarded with and without the www.

I was using this for at least a week without uncovering issues, but I eventually ran into a problem where it wasn’t directing users from unsecured content to secure content for certain folders. Specifically, one of the products didn’t forward to the secure version.

This is the code from Apache that didn’t work:

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

This meant I had to go back to the drawing board.

Final Solution

My final solution is now what I have in place and has proved to be completely successful and I can’t make it fail. I can type in any URL in any way and it always redirects to the correct secure version. I also found this one on a forum but I don’t think it was pulled from any Apache documentation.

The successful solution:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

So, this is the best way to do it on a GoDaddy server. It may also be the best way on other servers but I’ve only tested it on one.

Success

It took quite a while to arrive at a successful solution to get the entire website secure, but I’m glad I took the time and found the right one. I feel more comfortable having all traffic being redirected through a secure connection, and I hope visitors do too.

It requires a lot of testing to see if you found the best option, and some solutions are better than others. The first solution from GoDaddy was the weakest and didn’t forward many users from unsecure to secure. The second solution worked well, and its flaws were harder to uncover. Eventually, I was able to uncover a flaw and found the third option, which has so far been bullet-proof.
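
The testing described above can be scripted. This is an added example, not code from the original post: it requests each host and path over plain HTTP and reports any that are not redirected to the same path on HTTPS. The two stub rule sets and the sample paths are constructed to mirror the behaviour reported above for the first and final .htaccess rules; the default `fetch_http` checks a live site instead.

```python
import http.client
from urllib.parse import urlsplit

def fetch_http(host, path, timeout=5):
    """Live fetcher: one plain-HTTP GET on port 80, redirects not followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": "redirect-audit"})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def audit(hosts, paths, fetch=fetch_http):
    """Return (url, problem) for each HTTP URL not cleanly redirected to HTTPS."""
    findings = []
    for host in hosts:
        for path in paths:
            url = f"http://{host}{path}"
            status, location = fetch(host, path)
            if status not in (301, 302, 303, 307, 308) or not location:
                findings.append((url, f"answered over HTTP with status {status}"))
                continue
            target = urlsplit(location)
            if target.scheme != "https":
                findings.append((url, f"redirects to non-HTTPS {location}"))
            elif target.hostname not in hosts:
                findings.append((url, f"redirects to unexpected host {target.hostname}"))
            elif target.path != path:
                findings.append((url, f"path changed to {target.path}"))
            elif status not in (301, 308):
                findings.append((url, f"redirect is temporary ({status})"))
    return findings

# Constructed stand-ins for the behaviour the post reports, so this runs offline.
def first_ruleset(host, path):   # only the bare domain matches the SERVER_NAME condition
    if host == "yourdomain.com":
        return 301, f"https://{host}{path}"
    return 200, None
def final_ruleset(host, path):   # port-80 rule with [R,L]; a bare R flag sends 302
    return 302, f"https://www.yourdomain.com{path}"

HOSTS = ["yourdomain.com", "www.yourdomain.com"]                   # placeholder domain
PATHS = ["/", "/shop/", "/product/sample-item/", "/my-account/"]  # constructed paths

if __name__ == "__main__":
    for url, problem in audit(HOSTS, PATHS, first_ruleset) + audit(HOSTS, PATHS, final_ruleset):
        print(f"{url}: {problem}")
```

Against the final rule set the only finding is that the redirect is temporary, because `[R,L]` without a status code sends 302, whereas the GoDaddy snippet used `R=301`.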

Author Bio:
Nick Leffler

Nick Leffler is the owner of Exprance, a Sacramento web design and digital marketing agency which helps businesses reach their customer online. Nick has grown his online presence with a small marketing budget by blogging, organic social media posting, and email marketing.

2 Comments

  1. BrunoWinck on June 18, 2015 at 3:01 am

    Two extra benefits of being on SSL: you get a bonus on ranking on Google (similar to the bonus of being mobile first) and you properly support protocol-less URIs like //www.domainname.com (notice that neither http nor https is leading the link), which are perfectly legit and increasingly popular in social media. One more achievable benefit is embedded pictures or Twitter cards. For pictures, you want to use the same protocol as the containing page. So if a pic is reused for illustrating a mail, a comment, or an ad, it’s best to be able to serve them under both http and https. This is done by simply omitting the protocol in the link: //www.domainname.com/media/linktoimage.jpg

    • Nick Leffler on June 18, 2015 at 3:25 pm

      Absolutely Bruno, I forgot to mention this (well, the first part). I was sort of aware of the second part but am not as knowledgeable as you are about the purpose and benefit of it :-)

      Thanks for the comment!
