When you visit a website, your browser (also known as a client) sends a HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem; it is a plaintext protocol. This makes it susceptible to snooping and meddling.
If an attacker is on the same network as you they can intercept and read your HTTP traffic. They may also modify both your requests to the server, as well as the server’s responses back to you. This is known as a Man-in-the-Middle (MitM) attack. This can easily happen on public WiFi’s, such as the ones in hotel lobbies and public spaces.
That is why a website should be on HTTPS – so traffic cannot be intercepted. This article explains what HTTPS, SSL and TLS are. It also explains how you can configure your WordPress website to work on HTTPS.
What is SSL/TLS?
Once the internet started to grow in use, it became obvious that we needed a mechanism to securely transfer information between a client and server without anyone being able to eavesdrop or modify traffic — enter SSL, or Secure Socket Layer. SSL is an Internet security protocol, first developed by Netscape back in 1995 to solve this exact problem.
More specifically, SSL set out to accomplish the following:
- Encryption — to encrypt the traffic so it cannot be intercepted by an unauthorized third-party by eavesdropping,
- Authentication — to make sure the server the client is talking to is indeed the server they say they are,
- Integrity — to ensure that the data sent between the client and the server is not modified by someone else along the way.
However, over time security researchers identified a number of security issues in SSL. Therefore SSL was superseded by TLS (Transport Layer Security protocol). While the under the hood differences between SSL and TLS are drastic, the purpose of TLS remains largely the same.
NOTE: you may frequently see SSL being used to refer to TLS. SSL is a legacy protocol and is no longer safe to use. From here on, this article will only mention TLS.
What is HTTPS?
HTTPS, or Hypertext Transfer Protocol Secure is a secure version of the HTTP protocol. HTTPS relies on Transport Layer Security (TLS), formerly known as Secure Socket Layer (SSL). TLS provides encryption, authentication and integrity to HTTPS requests and responses.
You can think of HTTPS as HTTP (that’s the plaintext version of the protocol) requests and responses passing through a TLS tunnel. The technical term for this is encapsulation. It’s pertinent to note that TLS may be used to encapsulate other protocols, not just HTTP.
You can spot websites that use HTTPS by either looking at the beginning of the URL (starts with HTTPS) in the browser navigation bar or by the green padlock. If you are browsing a website on HTTP the browsers marks it as Not Secure.
How does HTTPS work?
When you request a web page using HTTPS, your browser and the web server start a process called TLS handshake. The TLS handshake is a way for the client and server to decide if and how they should communicate. During the course of the TLS handshake, the client and server do the following:
- decide on the version of the TLS protocol to use (TLS 1.0, 1.2, 1.3…),
- agree on which cipher suites (a set of encryption algorithms used to establish secure communications) to use,
- authenticate the identity of the server,
- generate encryption keys to use after the handshake is complete, in order to communicate securely.
The TLS handshake
During the TLS handshake, the server sends the client it’s certificate in order for the client to verify that they can authenticate the server. A certificate is similar to a passport — it’s issued by a trusted central authority called a Certificate Authority (CA) which independently establishes the website’s identity it may be proved to your browser.
The public and private keys (the keypair)
The TLS certificate that the web server sends to the client contains the public key. The public key is one of two special keys called keypair. A keypair consists of two keys; the public key and the private key. While the public key is shared with the clients, the private key is kept secret on the server and is never disclosed. The keypair are forged together.
The public and private key pair have a particularly interesting relationship — without knowing the server’s private key (this is secret and only the server should know it), a client can encrypt data using the server’s public key which the server may decrypt using it’s private key.
If this sounds confusing, think of this as though the “server” sent your “browser” an open suitcase (public key) protected with a padlock — once you place something in the suitcase and lock the padlock, only the “server” with the key to the padlock (private key) can see what’s inside.
Do I really need HTTPS on my WordPress website?
Yes. No matter what kind of traffic your website is serving (be it personally identifiable information (PII), card holder data ,or cat pictures) there is absolutely no reason why you should not be serving your website over HTTPS.
Aside from the security benefits and a better user experience, the new HTTP/2 protocol, which offers several performance benefits can not be used without TLS within web browsers. Furthermore, HTTPS also has Search Engine Optimization (SEO) benefits and is part of Google’s search ranking algorithm.
How do I configure WordPress HTTPS?
Most WordPress web hosts offer HTTPS as part of their hosting plan. So if you want to switch, ask your web host. If you have your own web server or VPS, then follow the instructions below.
Configuring the web server
If you are setting things up yourself, we would recommend using the Mozilla’s SSL Configuration Generator which provides you with all the settings you need to set up HTTPS on a variety of different web servers.
Getting a HTTPS (TLS) certificate
To setup HTTPS you will need a TLS certificate if you are setting everything yourself. While you will see dozens of paid TLS certificate offerings, you can get a free TLS certificate from a non-profit Certificate Authority called Let’s Encrypt. There is absolutely nothing different between a certificate you get from Let’s Encrypt for free and one you pay for.
HTTPS on shared and managed WordPress hosting
Please note that for managed or shared hosting solutions, your hosting provider may or may not charge for adding HTTPS — if this is the case, before shelling out money for a certificate, ask their customer support if you can use a Let’s Encrypt certificate with their service instead. The Let’s Encrypt community forums are also a great resource that may help you.
Configuring HTTPS on your WordPress website
One you enable HTTPS on your web server, you’ll also need to set up WordPress. In theory you can do this manually: simply change the WordPress Address and Site Address in the WordPress general settings. However, you might have plugins and links on the website which might still point to the HTTP URL, even after switching.
So it is much easier to use a plugin to switch your WordPress website to HTTPS. You can use a popular plugin like Really Simple SSL to help you through the process.
Add the HTTPS website on the Google Search Console
Google treats HTTP and HTTPS websites as different entities. So once your WordPress website is running on HTTPS, submit it to the Google Search Console to let Google know that your website has moved to HTTPS in order to avoid any SEO issues.
My WordPress runs on HTTPS, is it secure?
Green padlock icons and the words “secure” next to your browser’s address bar may have led you to believe that HTTPS is some magic wand that solves all website security woes. Unfortunately, it does not.
HTTPS is only a small part of WordPress security: it allows visitors to browse your website over a secure connection. However it does not protect your website like a WordPress firewall, or make it more secure. It does not mean that it is more secure than a website running on HTTP either. Like any other security defenses, HTTPS helps solve part of the problem.
In other words, while you certainly should implement and enforce HTTPS, it does not mean you can rest easy and never worry about security again. You should still: