A passionate freelance SEO Rochdale expert sharing knowledge with the world.
Web Design Rochdale
New Post has been published on https://www.valendigital.co.uk/services/web-design-rochdale/
Web Design in Rochdale. Our Rochdale web design process ensures that your website has an effective web presence and becomes a powerful tool to acquire new customers and leads. We build our Rochdale websites with SEO in mind. Call us @ 01706 310880 to discuss your creative web design project.
Top 6 Website Design Trends for 2020
New Post has been published on https://www.valendigital.co.uk/blog/top-6-website-design-trends-for-2020/
Learn our top 6 website design trends in 2020 to ensure your website is visually appealing to visitors and search engines alike.
Top 5 Email Marketing Strategies
New Post has been published on https://www.valendigital.co.uk/blog/top-5-email-marketing-strategies/
When running an online business, you will have to decide which is the best and most cost-effective marketing strategy to use. You have a choice between paid campaigns, organic search campaigns, and social media campaigns. Often email marketing campaigns are overlooked as they are seen as a very old marketing method and/or a spam tactic. […]
Beginners Guide to Local SEO [2019 Update]
New Post has been published on https://www.valendigital.co.uk/blog/guide-to-local-seo/
Local SEO doesn’t have to be confusing. Our in-depth guide to local SEO is perfect for beginners or those who simply want to brush up on their local SEO knowledge.
26 Amazing Free Browser Extensions for Marketers [2019]
New Post has been published on https://www.valendigital.co.uk/blog/26-amazing-free-browser-extensions-for-marketers-2019/
This is a list of the 26 top free browser extensions on the planet.
I use these tools daily to quickly help me perform better in my SEO & marketing tasks.
These browser extensions are quick, easy add-ons for your favourite browser. They help to make life simpler.
The best part?
All these tools are free and work GREAT in 2019.
Let’s get cracking…
26 Top Free Browser Extensions
1. Wappalyzer –
Quick access to website profile.
You often come across sites that make you ponder what platform they are created on.
Which technologies do they use?
Wappalyzer will provide you quick access via your browser to the website technology profile.
Best Feature: Free to use, no signup required.
Great if you’re browsing many websites a day. It will show you which core technologies are being used.
This is available as an extension for Chrome and Firefox.
For those special sites where you need detailed info, the next free tool does the job…
2. Built-with –
Get a detailed profile of a website in seconds.
When you need detailed information on which technologies are used on a site this is the extension to use.
The extension will provide detailed information on the website. From which CMS it uses to the plugins, trackers and much more.
Best feature: Links to the technology used.
Information is delivered in a very readable manner. With straightforward explanations of what each technology is about.
You won’t need to fumble around doing web searches to find the tech being used.
Clicking a resource in the detailed section gives you access to usage stats and alternative solutions. A link to the original tech resource being used is also provided.
It’s free to use for up to 5 searches per day (registration required).
This is available as an extension for Chrome and Firefox.
3. FireShot Screen Capture –
Fullscreen captures at the click of a button.
Great if you ever need to capture a full web page to use in your portfolio or a screenshot of a section for your article. You don’t need a design program to do it.
No need to use PowerPoint, Photoshop or Illustrator; this tool does it quickly and easily.
Best feature: Edit and annotate images.
Not only can you save the capture as a PDF, but you can edit it and annotate it for use in different media.
This is available as an extension for Chrome and Firefox.
4. Font Finder –
Quickly find the font being used on a web page.
Typically, to find a website’s font you may use Chrome’s or Firefox’s inspect element tools.
You’ll then fumble around to find the right element that contains the font.
This easy to use extension lets you see the font and family being used with 1 click.
Best Feature: Easily adjust the font options.
What I like about the extension is you can adjust the font styles quickly. You can then export the styles to use on another website.
This is available as an extension for Chrome and Firefox.
5. Grammarly –
Grammar and spell-check web documents as you type.
When writing on the web, whether that’s in social accounts, email apps or online documents, Grammarly will provide suggestions and corrections as you type.
Best feature: Contextual spell checker.
You won’t have to click your app’s spell checker to correct mistakes.
It’s done by Grammarly, your personal AI writing assistant.
This is available as an extension for Chrome and Firefox.
6. Google Translate –
Translate pages in a click.
I often find web pages that are not in my native English language.
Copying the text, opening a new tab and then pasting sometimes takes too long.
This extension lets you select text and automatically send it to Google translate. No copying and pasting required!
Best Feature: Selecting default language other than English.
Ideal for those whose primary language is not English. It also has a very good voice feature to listen to the translation.
This is available as an extension for Chrome and Firefox.
7. Clear cache –
Quickly clear the Chrome Cache.
Often when I visit loads of sites the cache gets full of garbage that needs clearing.
Going through the settings and options to clear it out can take some time.
I want to quickly clear it and continue browsing. This app lets you do that in 1 click.
Best Feature: Customise what should be cleared.
You can specify what gets cleared from the cache and which sites to exclude. Once set, it’s good to go.
This is available as an extension only for Chrome.
8. Flagfox –
Display a country flag in the address bar.
The extension shows a country flag based on where a website is located.
When I want to reach out to website owners in a specific country this extension shows the location of the site in a very simple way.
Best Feature: Displays if a site uses HTTP/2 protocol.
I optimise a lot of sites and move them over to use HTTPS and HTTP/2.
This extension lets me quickly see if the site is using HTTP/2. No checking via online services or inspecting the Chrome/Firefox console.
This extension is available only for Firefox.
9. Check My Links –
Displays broken links on a web page.
Broken link building is a common tactic I use to acquire backlinks.
This nifty little tool checks all the links on a page and highlights all the broken links in red.
Best Feature: Copy all broken links in 1 click.
A very simple and straightforward extension.
Extremely flexible, with settings to exclude AdSense and nofollow links as well as other useful options.
This extension is available only for Chrome.
10. IP address and Domain Info –
Displays detailed domain ISP information.
This extension allows you to quickly display all ISP information related to a website.
You can check the location, sites on the same IP, open ports and PTR/SPF records, plus which mail servers (think Google) are being used.
Best feature: Spam and blocklist lookup.
Hosting your website in a bad neighbourhood can have a negative effect.
This tool allows you to quickly check which sites are in your neighbourhood. Whether they are on spam or blocklists.
I also find this very useful when troubleshooting web hosting issues.
This extension is available for Firefox and Chrome.
11. Hash Test –
Finds the best hashtags to use online.
Simple and easy to use, find the best hashtags for your social media accounts.
Using real-time colour-based quality scores you can see the best hashtags to use for your posts.
Best feature: Copying only valid high-quality hashtags.
This tool makes it easy to increase your reach by utilising only the best hashtags for your posts.
You can copy them directly to Twitter or the clipboard for use on other sites.
This extension is available only for Chrome.
12. Keywords Everywhere –
Quick access to keyword data from the web.
Keyword research is a very important part of any SEO campaign.
This tool lets me see keyword data directly in my browser without using an expensive tool!
I get to see keyword competition, search volume and CPC info for any web page, which is extremely useful for our SEO Rochdale projects.
Best feature: Bulk upload and exports.
Automatically check data for up to 10k+ keywords. I can then export and manipulate the data as required.
This extension is available in Firefox and Chrome.
13. SEO Quake –
Review all major SEO metrics on any website.
This tool provides a suite of SEO metrics integrated with major providers. You can use it on any website.
It provides a very detailed breakdown of traffic and ranking statistics. This can help a website maximise its chances of being seen in search results.
Best feature: Integrated SEMRush data.
View all the major metrics via SEMRush without having a paid account.
You can see the backlink data, rank and example display ads using this tool all for free.
It also lets you examine internal/external links and compare domains and URLs.
This extension is available in Firefox and Chrome.
14. Tag Assistant by Google –
Quickly troubleshoot various Google tags.
When I set up Google analytics or tag manager with this tool I can verify that the goals and events are set up correctly.
It’s important to get as much data into your analytics account. It helps to track the progress of ongoing campaigns.
Errors and suggestions for improvements are shown in the extension clearly so you can fix them.
Best feature: Check conversion tracking.
Confirming the conversion codes are working correctly.
Hooking up your AdWords and ecommerce data can show you how well campaigns are performing, together with the ROI and performance of individual services and products.
This extension is only available for Chrome.
15. Facebook Pixel Helper –
Verify Facebook pixel set up on your website.
A quick and easy tool to verify a Facebook pixel has been set up correctly.
Best Feature: Conversion & event tracking check.
Setting up a Facebook pixel is easy, but custom events are another matter and are often very complex.
This plugin will check that events and conversions are being sent correctly. It will also display any errors so they can be fixed.
This extension is only available for Chrome.
16. Lighthouse –
Measure the performance of your website or app.
This extension lets you run technical audits on any URL. I found the results to be more accurate than the online version and other performance tools.
Open a site in a Chrome tab and then click the Lighthouse icon. It will start to run an audit.
Best feature: Easily share reports online.
When an audit is completed a report is generated which shows how well your site did.
You can easily share the report online with any users you wish in a simple PDF format.
Any failing tests are clearly shown via indicators which you can then use to improve upon.
This extension is only available on Chrome.
17. Web Developer –
Swiss army knife of developer extensions.
This extension gives you instant access to a range of developer tools at the touch of a button.
The latest browsers give you access to dev tools but they are difficult to use for a novice.
When you want to quickly inspect page structure, form content or even CSS styles this is my go-to extension.
Best feature: Eyedropper tool.
Easily identify a HEX colour on a web page with the eyedropper tool and it’s copied to the clipboard for use.
The extension also comes with advanced features. You can inspect CSS and JavaScript to quickly solve mysterious style issues.
A must-have extension in any marketer’s arsenal.
This extension is available for Firefox and Chrome.
18. Bitly –
Shorten and brand your links in 1-click.
Integrated directly with your free Bitly account. You can shorten, measure and optimise any web page links for use around the web.
Best feature: Branded domain short links.
Use a custom domain to create branded shortened links for free.
This extension is available for Chrome and Firefox.
19. Buffer –
Manage social media accounts from 1 place
Buffer has a free plan which you can use to manage social media profiles and schedule posts in advance.
Click the extension icon to schedule your favourite links and web pages to share on social media accounts.
Best feature: Share image button on images.
Social media thrives on image related posts. Easily share images with a click of a button. You can also customise post messages to increase exposure.
This extension is available for Chrome and Firefox.
20. Hunter –
Find email addresses in seconds.
The Hunter extension is a perfect tool in your outreach arsenal.
Quickly find the right email address for any website you visit in 1 click. Perfect to use with your email outreach campaigns.
Best feature: Verified email addresses.
You no longer have to worry if an email address is correct. Hunter verifies emails belonging to websites using various sources and is 96% accurate.
Hunter provides 50 free credits per month to use with its free extension.
This extension is available for Firefox and Chrome.
21. One Tab –
Quickly convert open tabs to a list.
Too many open tabs? Multiple open tabs can quickly become overwhelming.
This nifty extension creates a list of all your open tabs and converts them to a list.
You can then restore each individual tab from the list later or open them all at once.
Best feature: Privacy assured.
Not only does this extension save your browser memory but any tabs you save as a list are not visible to anyone but you.
Tab information saved in lists is never shared with either the browser or developers.
This extension is available for Chrome and Firefox.
22. Loom –
Record your browser screen as a video.
Create and share a video to communicate your messages more clearly.
Loom provides a free plan to allow you to capture screen recordings to share via a simple link.
Best feature: Unlimited recording time.
You can store 100 videos of unlimited length in the Loom vault.
Password protect individual videos. Share them via simple links or with one of the many integrations available i.e. Gmail, Jira etc.
This extension is only available for Chrome.
23. Open Access Button –
Access research at the click of a button.
Often when you need to reference your sources you cannot access the research without signing up.
This extension gives you quick access to thousands of sources. Get legal access directly from the authors.
Best feature: No login required.
It will find the open-access files of a paper for you to use as a resource in a legal manner.
This extension is available on Chrome and Firefox.
24. Rescue Time –
Increase your productivity.
Track how you spend your time on the internet to help increase your productivity.
Get a clear picture of what you have been doing all day.
Best feature: Auto categorizes sites you visit.
Rescue Time lets you see how you spent your day, week or month. It gives you a score from very productive to very distracting.
This extension is available for Firefox and Chrome.
25. Surf Safe –
Wade through the sea of fake news.
Catch the fake news stories before you join the legion of unknowing people who distribute it around the internet.
If you’re on social media all day then it’s easy to get sucked in and misled by fake news.
This extension allows you to make informed decisions about what you are really reading.
Best feature: Images classified as ‘safe’, ‘warning’ or ‘unsafe’.
The extension clearly shows which images have been doctored or taken out of context. It helps to expose fake news articles.
This extension is only available for Chrome.
26. Pocket –
Capture articles, videos or any other content and save with 1 click.
Pocket is an integrated service in Firefox for your bookmarks.
Not one single bookmark service exists for you to easily manage or share bookmarks.
Best feature: Available on ALL browsers/devices.
Pocket is easy to use, can be used on all browsers and even has Android/iPhone apps.
Your bookmarks are with you wherever you go.
This extension is already integrated with Firefox and available for Chrome.
Did I miss anything?
These are my favourite go-to browser extensions.
I use them daily to make my life simpler and my marketing tasks easier.
And now I would love to hear from you…
Have I missed anything out?
Or perhaps you have a question?
Either way, let me know by leaving me a comment below.
HTTP to HTTPS Migration The Definitive Guide (2019 UPDATED)
New Post has been published on https://www.valendigital.co.uk/blog/http-to-https-the-definitive-guide/
This new guide will show you how to switch your site from HTTP to HTTPS.
In this guide you will learn why it’s important for you to take this step, how it will benefit your SEO, and the step-by-step process to use when switching to HTTPS and implementing an SSL.
The best part?
In 9 easy steps YOU will convert your existing website from HTTP to HTTPS in less than 1 hour!
Contents
Chapter 1
Benefits of Switching to HTTPS.
Chapter 2
Different Types of SSL Certificates
Chapter 3
Where to get an SSL, What to look for and Mistakes to Avoid.
Chapter 4
9 Steps to Implement SSL on your Website.
Chapter 5
Advanced SSL Implementation Tips.
Chapter 1: Benefits of SSL Implementation
In this chapter we are going to be looking at the benefits you will get from switching your site from HTTP to HTTPS.
The search engines (especially Google) are always moving the goal posts and it’s important to stay ahead of the trend.
Moving to SSL can improve your SEO, site speed and also increase trust amongst your website visitors.
Let’s have a look at the potential benefits…
Moving from HTTP to HTTPS for SEO
One of the biggest search engines, Google, announced as long ago as 2014 that having an SSL (HTTPS) website would be considered an SEO ranking signal.
Reading "HTTPS as a ranking signal": http://t.co/nEjcGhm8bJ
— Matt Cutts (@mattcutts) August 7, 2014
Although many experts in the industry argue that this wouldn’t correlate to a significant boost to your website’s ranking, it is nevertheless a ranking signal, one of the 200+ signals Google’s algorithm uses to position your website in the search engine results.
More than 50% of the websites in Google’s 1st page search results are now on HTTPS and this figure is only growing. An analysis of 1 million Google search results conducted by Brian Dean in conjunction with SEMRush, Ahrefs, SimilarWeb and MarketMuse found that having an SSL enabled website is moderately correlated with higher search engine rankings.
An interesting blog post on SEMRush spoke to digital marketers from a range of industries and countries for their opinions on switching to HTTPS.
Although they agree that it doesn’t have a big impact on your website’s rankings, it does clearly indicate your site as trustworthy and secure. It’s worth a read to see what experts have to say about HTTPS and the benefits it can give your organic search results.
Combine this with the fact that, since their January 2017 releases, the Firefox and Google Chrome browsers now show warning errors and an ‘i’ symbol in the address bar for HTTP websites that have any type of form, be it contact forms, signup forms, comment forms or anything of that nature, that doesn’t use SSL.
All popular browsers are now showing deterring messages on sites that have not made the transition over to HTTPS, potentially driving customers away from your website.
According to Sucuri, a leading security website, only a few months ago Google had actively started to blacklist non-HTTPS websites that contained any type of form.
Last month Google also started to send out notices to HTTP-only sites that, from Chrome browser version 56/62, any type of website with any kind of text input will require an SSL certificate to avoid errors or ‘not secure’ labelling being applied to the site in its browser.
Another benefit of having an HTTPS (Hypertext Transfer Protocol Secure) enabled website is that it provides a secure connection to users on the web pages where they may share their personal data with you. When a user shares private information, like credit card details, HTTPS adds an extra layer of protection.
It has become increasingly important to ensure that your website is secure and trustworthy. Implementing an SSL is highly recommended: you’ll get a slight SEO boost and it will provide more trust to end users.
Chapter 2: What types of SSL Certificates are there?
There is a range of different SSL (Secure Socket Layer) certificates available in the market, costing from £10 to £300+. The type of SSL you need will depend on your requirements, for example the validation type (more on this below) and whether you need to secure multiple domains.
SSL certificates have different validation levels, from the most basic, a domain validated SSL, to extended validation SSLs.
Domain Validated SSL Certificates
This is the lowest level of SSL certificate you can get. The certificate authority simply checks that the organisation applying for the certificate has authority over the domain in question. Verification is generally done via email, and to validate you have authority you can be (a) requested to upload a file to your domain or (b) asked to update your DNS settings. It’s relatively simple, doesn’t require any human intervention and can take a few minutes to a couple of hours for the certificate to be issued.
Once installed, the browser will show the green padlock to users confirming that they have a secured HTTPS connection to your website.
Organization Validated SSL Certificates
Similar to standard certificates with the exception that humans are involved. Although your organisation is not checked deeply, it is checked to verify that you are indeed an organisation. The issued certificate will then show your organisation details in the certificate which may include your business name, city and country. It generally takes a few days for this type of certificate to be issued.
As with the standard certificate, once installed, users browsing your website will see the green padlock to confirm that their connection to your website is on a secured HTTPS connection.
Extended Validation Certificates
The strictest level of certificate that you can obtain. The certificate authority will validate and check the ownership, organisation information, physical location, and legal existence of your company. Usually they will require documentation to verify the existence of your company by real human involvement. For this reason they are generally expensive and can take a few weeks to be issued.
Once issued your users are greeted with not only a green padlock but a green address bar with your company’s name in it. Also as per the organisation validated certificate your organisation details are also present within the certificate itself.
Securing Multiple Domains
If you have multiple domains, i.e. sub domains, to secure as part of your main domain then you will require a wildcard SSL certificate. This is different to the above single domain SSL certificates.
You can secure unlimited domains with such a wildcard certificate as shown in the image below:
A disadvantage is that you cannot secure domains such as example.example.example.com. For this you will need a SAN certificate, which is also known as a Unified SSL Certificate/Multi-Domain SSL.
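The one-level limit of a wildcard certificate described above, as an added example that is not part of the original guide. The host list and the three sets of certificate names are constructed, and the matching follows the common browser rule that `*` stands for exactly one left-most label; partial-label wildcards such as `w*.example.com` are not handled.

```python
# Added example: which hostnames a certificate's names actually cover.
# Assumption: "*" is only honoured as the whole left-most label and
# replaces exactly one label, the rule browsers apply to wildcard names.


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels[0] != "*":
        # Exact name: every label must be identical.
        return p_labels == h_labels
    # Wildcard: the label count must be equal, so "*" stands for one label
    # only, and everything to the right of it must match exactly.
    if len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


def uncovered(cert_names, hostnames):
    """Hostnames that would raise a certificate name mismatch in the browser."""
    return [h for h, n in coverage(cert_names, hostnames).items() if n is None]


# Constructed sample: the hostnames one site needs to serve over HTTPS.
SITE_HOSTS = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "example.example.example.com",  # the multi-level name from the guide
]

# Constructed sample: names carried by three hypothetical certificates.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
SAN_LIST = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "example.example.example.com",
]

if __name__ == "__main__":
    for label, names in [
        ("wildcard only", WILDCARD_ONLY),
        ("wildcard + apex", WILDCARD_PLUS_APEX),
        ("SAN list", SAN_LIST),
    ]:
        print(f"{label:16} not covered: {uncovered(names, SITE_HOSTS)}")
```

Running the same check against the real list of hostnames before buying shows whether a wildcard is enough or a SAN certificate is needed.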
You should decide before proceeding which is the most relevant SSL for your website.
Chapter 3: Where to get an SSL, what to look for and mistakes to avoid
In this chapter we are going to look at the options you have to acquire your new SSL certificate.
We will also look at the potential pitfalls and mistakes that you should avoid to make sure it doesn’t impact your website in a negative way.
Getting an SSL doesn’t have to be a difficult task; in fact, if you follow the guide it should be pretty straightforward and easy to do.
So let’s dive right in…
Your Options to Obtain an SSL Certificate.
There are plenty of options to get your new SSL, and in many cases it can be completely free! Let’s take a look at the options available to you…
Your Web Hosting Provider
Every hosting company gives you the ability to purchase an SSL. It may be as easy as going to your existing hosting provider to purchase your new SSL certificate.
However many times the cost to purchase one is significantly higher than usual. After all they also have to make a profit, right? You could be looking at costs starting from £30 p/y.
If you’re using a reputable hosting provider they may also provide you with a free SSL certificate. Many web hosts have the Let’s Encrypt service installed on their servers.
Way back in 2014 a group of security experts got together and created a new certificate authority called Let’s Encrypt. They have the backing of big players like Mozilla, Cisco, Akamai and many others.
The aim of the project is to provide every website with a secure SSL certificate for free and with complete transparency, security and cooperativeness.
The Let’s Encrypt service works because no one company is in control. It is run by several initiatives with the aim of benefiting the community as a whole.
The benefits of the Let’s Encrypt service are:
No requirement for a dedicated IP address.
No costs associated. It’s totally free.
It’s all automatic, even down to the renewals.
Recognized by all the major browsers.
Easy to install and setup via your hosting control panel.
However, it’s not all good news for Let’s Encrypt. There are some disadvantages to the Let’s Encrypt SSL service in comparison to other options out there:
Doesn’t have a trusted root certificate.
Domain Validated certificates only.
Single domain SSLs only. Each separate sub domain needs another manual installation.
No site seal to provide additional trust to users.
90 day validity for issued SSLs.
Another option that your web hosting provider may offer (if they run on WHM/cPanel) is free SSLs via the cPanel AutoSSL option.
In 2016 cPanel, the industry leading web hosting control panel provider, announced that they would be rolling out the AutoSSL option to provide free SSL certificates via Comodo.
The AutoSSL feature is pretty straightforward. It’s available with all the latest versions of cPanel from version 58.
There are no forms to fill out, no validation to complete and it’s all automated.
It’s similar to the Let’s Encrypt service but with a few key differences. Unlike Let’s Encrypt, which doesn’t have a trusted root certificate, the AutoSSL feature powered by Comodo does.
Comodo is a top SSL provider, taking almost 35% of the market share according to a W3Techs survey. Their SSLs also come with 256-bit encryption and a 2048-bit signature, which is almost impossible for hackers to crack.
The benefits of the AutoSSL service by cPanel:
Covers both the WWW and non-WWW version of the domain.
Covers additional services i.e. webmail, cPanel, FTP.
No requirement for a dedicated IP address.
No costs associated. It’s totally free.
It’s all automatic, even down to the renewals.
Recognized by all the major browsers.
AutoSSL certificates are easy to install and set up via your hosting control panel once your web host has activated the service from their WHM (web hosting manager) install.
Once they have done that, simply head over to your website and replace your HTTP URL with HTTPS and it will work instantly. Don’t forget to take the steps in chapter 4 to prevent any duplicate content issues!
Some disadvantages to AutoSSL:
Domain validated certificates only and not EV or multi domain.
90 day validity for SSLs.
Other options apart from your web hosting provider
Your hosting provider isn’t the only option to get an SSL. There are many reputable SSL providers that can provide you with a new SSL at a fraction of the cost. A good website to start hunting for your perfect SSL is SSLShopper.
They are a good reputable site giving you all the information required to make an informed choice. Providing you with reviews from other website owners and detailed SSL comparisons can make it easy for you to decide which SSL to get.
The SSL’s are split into different categories for you, so you can view all the popular cheap SSL’s or the more robust EV SSL certificates. Look at the reviews to make an informed choice. It can cost as little as £10 for your new SSL per year.
What to Look for and Mistakes to Avoid.
One of the things to watch out for is who the actual SSL issuer is. This is the underlying certificate authority who will issue you with the certificate.
There has been a huge battle going on behind the scenes with Google and Symantec for a couple of years now.
In March 2017 Google (and Mozilla, the developers of the Firefox browser) announced that it would no longer be trusting certain certificate authority providers.
The whole point of an SSL is to provide you with security when browsing online so that it can protect your data from hackers and the like.
Google found that Symantec, one of the largest certificate authorities and providers of SSL certificates in the industry, mis-issued certificates!
Symantec root certificates power popular SSL brands such as Norton, Thawte, RapidSSL and many more. As of April 2018 your website, and more importantly any SSL issued by the affected brands, will no longer be considered secure in Firefox or Chrome browsers.
Find out more about how this could affect you or which brands are affected in this post here (for whatever reason this post has been removed, so we updated the link to a web archive version).
OK, now what you have been waiting for. The easy steps you can take to implement an SSL and switch your website from HTTP to HTTPS.
A couple of caveats apply here.
We hope that you have made an informed choice of which SSL you are going to use and are ready to take the steps to proceed.
We are assuming that you already have web hosting and it’s on the cPanel platform. This will allow you to easily install the SSL certificate in a few steps. Many of the popular and decent hosting providers are using the industry standard cPanel platform that will allow you to manage all aspects of your web hosting from its admin interface.
If you are unable to install an SSL because you’re on shared hosting and it doesn’t give you that option then you should seriously consider moving providers.
We are also assuming that you have an existing website and it’s running WordPress. Although the steps relate mainly to a WordPress install they can also be applied to a bog standard site (with a few small differences).
Chapter 4: 9 Steps to Implement SSL on your Website
In this chapter we are going to go over the steps required to install your SSL and configure the settings on your website to switch to HTTPS.
Some of the steps will relate to installing your new SSL. These may not apply, especially if you have a good web hosting package that comes with a free SSL. In that case skip those steps and go straight to step #4.
At the end of the steps you will have migrated your site from HTTP to HTTPS and the search engines will start to re-index your new SSL URLs without a negative impact on your current organic traffic!
Let’s jump right in and get you moved over to HTTPS.
Step #1: Generate an SSL CSR Request
Firstly, what we need to do is generate a CSR. This is a certificate signing request for your domain. Each domain needs its own request, unique to that domain and that domain alone, in order for you to obtain an SSL.
TIP: If you have opted for an OV/EV validated SSL certificate, or are using a free SSL via the Let’s Encrypt service or AutoSSL via cPanel, you can skip this step and go straight to step #3.
So head over to your hosting control panel (cPanel hosting) and navigate to the security section.
There you will see the option for SSL/TLS. Click on that to go to the next screen.
Once there you will have four options. You want the 2nd option which is to generate Certificate Signing Requests (CSR). Once you click on that link it will take you to the CSR section to generate a unique key. It will look similar to below.
The most important part of this page is the domain section. Generally an SSL can secure both the WWW and non-WWW version of your domain. This is however dependent on the SSL provider you have chosen.
We generally add in the domain with WWW here. So it would be: www.example.co.uk and not the non-WWW version. That would be secured anyway. However IF you put in example.co.uk then the SSL would only secure the non-WWW version and not the WWW version as well. Be careful here to ensure you have chosen the correct variation. If in doubt, ask your SSL provider’s support section or live help, which is usually way quicker.
After that, fill out all the other information as requested. Again depending on the type of SSL you have gone for (standard/EV) this information will be used within the certificate itself.
That’s it, simply click on the generate button and it will spit out a CSR which will look similar to this:
Copy your CSR code and keep this to hand. It will be saved on the server for you to use in step #3, but it’s better to keep it to hand just in case you need it. Open it in a Notepad or Notepad++ file ready to use should you need to.
Step #2: Buy your OV/EV Validated SSL
The next step will be to use that code that you generated above and add it to the section requested when you are purchasing your SSL. Every SSL supplier will have a different setup to allow you to generate an SSL however the process should be the same.
Without the code you generated above you will not be able to proceed, so make sure you have generated the correct signature and followed step 1 properly.
Step #3: Installing an SSL
Once you have purchased your SSL, depending on which one you have chosen, you will receive an email with your certificate. The bundle you will receive will contain a few certificates. One will be your actual certificate and the other will be the certificate authority. As we discussed above, issuance can take anything from a matter of minutes for a standard certificate to a couple of weeks for an EV certificate.
Open the email you received from your certificate issuer. It will contain a text copy of the certificate in the email, so copy that ready to use. If your issuer didn’t include the text file in your email then in your certificate bundle open up the zip file and locate your domain certificate which will usually be named after your domain i.e. valendigital_co_uk.
Right click and open that up in Notepad or our preferred tool Notepad++. When you do, you will have code that looks similar to the code from step 1.
Now you are ready to install your SSL. Simply head over to your hosting account and navigate to the Security > SSL/TLS section. This time you will be clicking on the last link which is: Install and Manage SSL for your site (HTTPS) and you will then see the install SSL page as shown below:
You don’t need to click on the auto fill by domain boxes first as sometimes this can be more confusing to follow.
Simply copy the certificate you have received from your SSL provider, which you should have in your email, OR open it in your Notepad file and then copy and paste it into the first box (Certificate: (CRT) box). If you have done everything correctly this will auto populate all the required boxes from the information within the certificate. You can then click the auto-fill button and this will populate everything. Then click install. That’s it, nice and simple. Your SSL is now installed and ready for you to use!
Installing Let’s Encrypt SSLs
Implementing an SSL from the Let’s Encrypt service is much easier than the steps above. You won’t need to generate any CSRs or buy an SSL (unless you plan on using an OV/EV validated SSL); you’re simply going to choose your domain and click install. It’s very simple and easy to do.
Go to your cPanel account and navigate to Security and then click on the Let’s Encrypt logo:
On the following screen you will see domains that have already been issued with an SSL in the top section and the domains that you have available with a ‘+ Issue’ next to them in the bottom section. Select ‘+ Issue’ for the domain you wish to add the SSL for.
The following screen will allow you to choose the variants for your selected domain. It’s recommended to also choose the service sub domains (as per the arrow in image below) so that the domain and all its related services are secured.
Then simply click issue. That’s it. Your website will now be issued with an SSL which you can use straight away.
cPanel AutoSSL Install
Installing an SSL via the cPanel AutoSSL service is even simpler. You actually don’t have to take any steps at all. So long as your web hosting provider has activated it on the server then the SSL will be available immediately. If that’s the case you can proceed to step #4.
If you manage your own VPS or dedicated server, then so long as your system is up to date with the latest cPanel/WHM version you can activate AutoSSL via your WHM GUI.
Log in to WHM and navigate to: Manage AutoSSL or type it in the right hand search box. Then select the option once it’s shown.
You now have a couple of options available. If this is the first time that you are using this service then you will need to change the setting from ‘disabled’ to the ‘cPanel (powered by Comodo)’ option under the providers tab and then hit save.
Before you go ahead and click the Run AutoSSL for ALL users button it’s best to configure some additional options. These will allow WHM/cPanel to automatically renew and send emails etc. for when your SSL certificates are expiring or for any issues that may arise. Select the options tab and configure your settings as desired.
Once you have selected all the required options click on the button ‘run AutoSSL for ALL Users’. That will begin the process to install SSL certificates for all domains that are hosted on the server. Fairly easy and straightforward.
The manage users tab will allow you to override the AutoSSL settings for domains that you do not wish it to be used on. This may be the case when you migrate to an OV/EV validated SSL, as having AutoSSL enabled can in some cases override your OV/EV validated SSL install with an AutoSSL powered domain validated certificate instead. It’s best to disable AutoSSL for these domains beforehand.
Step #4: Migrate HTTP to HTTPS WordPress URL Settings
Log in to your WordPress admin section. Firstly turn off any cache plugins that you may have enabled. That will save you seeing any errors upon completing the next couple of steps.
Then navigate to your general settings. There you will have 2 settings. One is the WordPress URL and the other is the site URL:
Change the protocol of those URLs from HTTP to HTTPS and click save. This will most likely log you out of the admin section and back to the login page. Log back in and navigate back to the Settings > General page. Confirm that the settings have indeed changed.
You can also see if the settings have been updated via the browser address bar which should now have a green padlock in it.
Step #5: Update HTTP to HTTPS .htaccess File Code with 301 Redirect
Now although your site may have an SSL installed and you have configured WordPress to use HTTPS for your URLs the old HTTP URLs are still available! We want to quickly address this.
Using a few lines of code we are going to 301 redirect all the HTTP URLs to their respective HTTPS versions.
So go to your hosting control panel again. Navigate to the file manager which is in the files section of cPanel. This will bring up all the files for your website. Under public_html (or wherever you have your WordPress site installed) look for a .htaccess file.
Sometimes these types of files are hidden. To view those files if you can’t see them, click on the settings link in the top right hand corner on the file manager screen. A popup box appears where you will have the option to show hidden files. Click the check-box and hit save. This will refresh your file manager screen and you should now see those hidden files.
OK, open up your .htaccess file (right click > Edit)
In this file you are looking for this line: # BEGIN WordPress
Above this line you want to add in the following code:
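
    RewriteEngine On
    # Only act on requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Permanently (301) redirect to the same path on the HTTPS site
    RewriteRule ^(.*)$ https://www.example.co.uk/$1 [L,R=301]
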
TIP: make sure you replace example.co.uk with your own domain. Also take out WWW if you’re using the non-WWW of your website.
Basically what this code says is that if a URL is browsed on your site that’s HTTP (HTTPS off) then go to the HTTPS version. It’s a very simple piece of code that will 301 redirect the HTTP URLs to the HTTPS version without multiple redirect chains. It’s nice and simple and just works!
Confirm your 301 Redirect from HTTP to HTTPS
Now that you have your 301 redirect in place we want to make sure that it’s actually working as expected. You can check this via a free online tool called Redirect Checker.
Pop in your old HTTP URL into the box and hit analyse. If all is good then you will see a success message. That means the HTTP URL was successfully redirected to your HTTPS version.
It will even show you your header response codes direct from your website which will contain some additional information and it further confirms your 301 is in place and working.
You can also check other HTTP URLs for your website and the result should be similar to the previous check: 200 response code given.
Step #6: Check for Insecure Content Errors
Now you should be using a good theme and if you are then you shouldn’t have any error messages on the front-end of your site.
If you get insecure content messages or the browser padlock isn’t green but crossed out, this means that there are files being called by your site via HTTP, and it’s usually image/CSS/JS files that are the culprits.
Identify HTTP culprits using Screaming Frog
Screaming Frog is a nifty little tool that will crawl your website and give you all the nitty gritty information that you need.
It’s free to use for 500 URLs after which you will need a paid subscription to crawl more URLs.
Pop your HTTP only URL into Screaming Frog. We are looking for the response codes given for the HTTP URL and they should all be coming back as 301 (redirected to HTTPS). We can also look at the protocol URLs that are being given by the site. You’re on the lookout for HTTP protocols and those are the ones you want to fix. This nifty slide shows you how that can be done.
Using your browser to find HTTP files
To find out which files may be causing the issue simply visit the website in the Firefox browser (if you get the insecure message click advanced and accept for now). Once the site has loaded click on the ‘i’ icon next to the padlock in the address bar. This brings up a popup to show the connection details. Click on the arrow in that box and then the more information link at the bottom of the next box.
The following pop up box opens up by default on the security tab. You want to select the 2nd option tab which is media files.
This will show you all the media files on your site. If you click on the address label you can toggle between the results.
What you’re looking for is images that have the HTTP protocol. These are most likely inserted into your website page manually. So you will need to go to the page/post in WordPress and look for that image.
Once you have found it simply change the HTTP to HTTPS, or as we like to do, strip the HTTP/HTTPS altogether. Browsers are clever enough to apply the HTTP/HTTPS protocol depending on if you do or don’t use an SSL. This saves us a huge headache when we are developing websites locally!
For other types of content i.e. CSS/JS files these are more difficult to find. You could view the page source (CTRL + U in Firefox) and press CTRL + F to bring up the find box. Type in HTTP:// and it will show you all the elements called using that protocol.
Once you have identified those you need to address them. Typically they exist in the header or footer php files of your theme.
Use an online tool to find insecure content
If you don’t want the kerfuffle or it’s overwhelming for you to do this, then you can use this service which will find those files for you.
Fixing insecure content and HTTP resources
Again navigate to your WordPress admin section and from the menu select Appearance > Editor. Select the header.php file from the right hand side (ensure you are selecting the one from your current theme); this will then bring up that file in the editor. Then it’s a simple case of looking for any CSS/JS files that have the HTTP protocol and replacing them with HTTPS.
TIP: rather than replacing the HTTP with HTTPS simply remove HTTP: (leave the //). As stated above, the browsers can decide the protocol to use themselves.
Follow the same step for the footer.php file and don’t forget to hit save for both files.
That should be it.
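The manual "view the source and search for HTTP://" check from this step can be scripted. The following Python script is an added example, not part of the original guide; the sample page and its URLs are constructed, and the list of tag/attribute pairs is an assumption that covers the common cases rather than every way a page can load a resource.

```python
"""Find subresources that a page loads over plain HTTP (mixed content)."""
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is deliberately absent: following a link is navigation,
# not mixed content, so it does not break the padlock.
FETCHING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("video", "poster"),
    ("source", "src"), ("embed", "src"), ("object", "data"),
}
# <link href> is only fetched for these rel values (canonical is not).
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}
# url(http://...) inside a <style> block or a style="" attribute.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def is_insecure(url):
    """True for absolute http:// URLs; //host/path and https:// are fine."""
    return url.strip().lower().startswith("http://")


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (line, tag, attribute, url)
        self._in_style = False

    def _report(self, tag, attr, url):
        self.findings.append((self.getpos()[0], tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "style":
            self._in_style = True
        for name, value in attrs.items():
            if (tag, name) in FETCHING_ATTRS and is_insecure(value):
                self._report(tag, name, value)
            elif name == "srcset":
                # "url descriptor, url descriptor, ..."
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts and is_insecure(parts[0]):
                        self._report(tag, name, parts[0])
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self._report(tag, name, url)
        if tag == "link" and is_insecure(attrs.get("href", "")):
            rels = set(attrs.get("rel", "").lower().split())
            if rels & FETCHING_LINK_RELS:
                self._report(tag, "href", attrs["href"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._report("style", "url()", url)


def scan(html):
    """Return every insecure subresource reference found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: header/footer style markup with mixed schemes.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://www.example.co.uk/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.co.uk/">
<script src="//cdn.example.net/lib.js"></script>
<style>body { background: url('http://www.example.co.uk/bg.png'); }</style>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="http://www.example.co.uk/wp-content/uploads/logo.png"
     srcset="https://www.example.co.uk/logo-2x.png 2x, http://www.example.co.uk/logo-3x.png 3x">
<script src="https://www.example.co.uk/wp-includes/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in scan(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {attr} -> {url}")
```

Save the page source from your browser and pass its contents to scan() to get the line, tag and attribute of each reference that still needs changing in your theme files.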
HTTP to HTTPS Migration Checklist
On some occasions it’s not that simple. A poorly coded theme could have CSS/JS file calls within multiple files or the page builder you use with your theme like visual composer hard codes the links.
Our recommendation would be to get either your developer or theme publisher to resolve this. You don’t want to break your site completely!
Failing that we can help you, get in touch with us today.
Step #7: Configure Google Search Console
Head over to Google Search Console (formerly known as Google Webmaster Tools). There are a couple of settings that you should already have in place.
If you’re using the WWW version of your site Google should be aware of this. If you haven’t already done this you will have to add both variations of your site into search console and verify them. So add in www.example.com and example.com. Verify them with one of the options that Google search console gives you.
Verify your domain version on Search Console.
After you’re verified you can then select which is your preferred domain. With WWW or without. That setting is in the top right hand corner. Click on the cog icon that will bring up the menu and select site settings. That screen will then allow you to choose your preferred option.
Once that’s done simply add in your new HTTPS URL via the add a new site screen on the home page of search console.
Submit your HTTPS sitemap to Search Console.
Next we want to submit your new sitemap to your newly created HTTPS website variant. That will ensure that Google starts to crawl those new URLs.
Use Fetch as Google to quickly request indexing
Then head over to Crawl > Fetch as Google for your new SSL property. This will immediately get GoogleBot to crawl your site. Once GoogleBot has crawled your URL you can request it to index just the main URL or the main URL and all direct links. It’s recommended to request all direct links also. This should speed up the indexing of your site for Google.
You can’t set HTTPS as your default preferred domain; however, if you followed all the steps above Google will pick up the 301 redirects to your HTTPS version and start to show metrics.
Google Disavow file update
The last step you need to take in Search Console applies only if you have a disavow file. This file now needs to be duplicated for the new domain you added in. Simply download it and re-upload it (checking to make sure it’s still relevant) to your newly added domain. Be very careful here. Any errors can mean your site disappearing from the Google search engine altogether!
Finally if you are using Bing (which you should be and if you’re not, why not?) duplicate that same process there. It’s more or less the same procedure for Bing. So head over there and complete that whole process again.
Step #8: Update Google Analytics
The final step is to make sure that Google Analytics has your correct URL. You are using Google Analytics, right?
Head over to analytics and go to your admin section. Under your property (middle section) select the correct property (website) from the drop down and then click on the property section. There you will see an option for default URL. Simply toggle between HTTP to HTTPS.
Next go to the view section (last box) and make sure you have selected the correct view (you can also apply this to all views if required). If your Google Analytics is all setup properly you will have a minimum of 2 views.
One view which has ALL your raw data unfiltered and untouched and another which has filtered data according to any filters and settings you may have applied. Click on the view settings link. Again as before simply toggle between HTTP to HTTPS and hit save.
That’s it, you’re all done. Everything should be purring like a sweet kitten now 🙂
Step #9: The results of implementing SSL
Great you’ve made it this far. It was a bit of a long read and complicated in some steps that you needed to take. But give yourself a pat on the back as your website has now been migrated to HTTPS.
Your site should show a nice green padlock.
And if you went one step further and got the EV SSL certificate, well, your business details will be shown in the browser’s address bar.
Combining that with the code you implemented in step 5, all your URLs should be intact, with no impact on your organic traffic from the switch, and the search engines should be able to index and crawl your new URLs properly.
Chapter 5: Advanced SSL Implementation Tips
Now that you have migrated your website from HTTP to HTTPS there are a number of advanced steps that you can take.
These advanced steps will further enhance your SSL implementation, making your website load faster and more secure, and helping to prevent potential hackers eavesdropping on your secure connection!
The advanced steps require a certain amount of access to your web server in order to configure and apply them. Many of the advanced tweaks can be done with only access to your website files; others will require direct server access.
Advanced Step #1: Apply HTTP/2 protocol
At the time of writing (December 2017) many sites still use the HTTP/1 protocol on their website. It works but it’s a very old protocol from the early days of the internet. It doesn’t have any security issues or anything like that. This step is more related to the speed aspect of implementing SSL.
Back in the days when we had very slow internet speeds having a site on SSL would make your website load slightly slower than if it was on bog standard HTTP. It did that additional round trip to navigate via the SSL route. That in today’s age is negligible with the advent of fibre broadband etc.
However moving to HTTP/2 can give you an ever so slight speed increase. Given that the whole purpose of implementing SSL is to appease the Google search engine (and others) which is indirectly associated with the page speed of a site it does make sense to tick all the boxes. Doesn’t it?
Core Benefits of HTTP/2 Implementation
The main benefits of applying HTTP/2 to your website setup can be summed up as follows:
Parallel multiplexed requests & responses which don’t block each other.
Single TCP connection for transmitting multiple data streams.
HPACK and HTTP Header compression.
Server push to send additional cacheable information.
Faster website performance, reduced latency.
Better search engine rankings!
For mobile, provides lower latency, battery usage and bandwidth usage.
Rather than recreating the wheel, there is a comprehensive guide to HTTP/2 that covers all the key aspects to HTTP/2 and its benefits. Well worth a read.
Enabling HTTP/2 for your Website
To be able to use HTTP/2 you will need access to your server. There are a couple of ways in which you can enable it.
Going through the EasyApache 4 (EA4) process will allow you to configure the modules required to run HTTP/2 for your site (and will apply to any other sites hosted on the server). Generally HTTP/2 will work with any version of PHP that you have installed. However at times we have had the issue of EA4 (EasyApache4) warning that it will only install if you have PHP7 enabled for use on all the websites.
This in itself is not ideal. So many websites still have not migrated from older versions of PHP which are now outdated, unsupported and riddled with security vulnerabilities.
Alternative Options for Enabling HTTP/2
If you fall into this bracket then your options are fairly limited. You can either use PHP7 system wide (which is what would be recommended as it provides additional speed and security benefits) or install additional software like LiteSpeed.
Using LiteSpeed web Server for HTTP/2 connections
LiteSpeed is a web server that sits on top of and replaces your default Apache web server. It comes with HTTP/2 (one of the first to support this since 2015) and is significantly less resource hungry than Apache. Out of the box it provides better security, performance and compatibility for any website. It will also allow you to run whichever PHP version you desire in tandem with HTTP/2!
If you don’t have access to your server and are on a bog standard web hosting package then these steps will need to be taken by your hosting provider. All good hosting companies generally either have PHP7, HTTP/2 enabled by default and/or LiteSpeed installed.
If you are one of those unlucky website owners who is hosting their site with a web host that doesn’t have HTTP/2, PHP7 or LiteSpeed then it’s highly recommended to move now. For the same cost you are probably paying now (£5+ p/m) you can find a very decent host that will tick all the boxes.
Using A CDN for HTTP/2 connections
Your last option would be to use a CDN provider. Many if not all provide HTTP/2 out of the box. The big providers like CloudFlare, MaxCDN and KeyCDN, to name a few, have HTTP/2 enabled as well as other security measures like DDoS protection as default. It also gives you a slight SEO boost as content is delivered from a server closest to the browsing visitor.
If you have a WordPress based website then this is quick and easy to configure (probably one of the easiest ways). It will work in tandem with your cache plugin (you are using one right?) Most popular ones like W3 Total Cache, WPRocket and WordPress Cache have a dedicated section within their plugin for you to integrate with a CDN host.
In this example we will be using W3 Total Cache with CloudFlare.
If you haven’t already got a CloudFlare account then head over to Cloudflare.com and click ‘Sign up now!’. A free account will be more than adequate for your needs.
Create an account with CloudFlare, once you have done this you will be taken to the dashboard screen:
Follow the instructions to get setup. This will simply be to add in your domain name, click ‘scan’ to scan your DNS records and then select a plan (use the FREE plan, this is more than enough). Once that’s done you will be shown your new CloudFlare nameservers.
Head over to your domain registrar and add in the nameservers that CloudFlare provided to you. These are very fast and making this change will not result in any down time for your website 🙂
That’s about it. You’re now using CloudFlare for your website. Keep your CloudFlare account open for the time being as you will need some details from it to use with your cache plugin (W3 Total Cache).
Head over to your WordPress admin section. Under Performance click on > CDN. You should see the options for CloudFlare there. If you don’t then head over to Performance > Extensions and activate the CloudFlare extension. Once that’s done you will see this screen:
Add in your registered email and CloudFlare API key, which can be obtained from your CloudFlare account, and hit save. That’s it! You’re all good to go. Your website is now set up to use the CDN and it will have HTTP/2 connections.
Common benefits of using a CDN are:
Use of HTTP/2 for your connections and DDoS Protection.
Improved load speed as visitors access your website via servers that are closest to them.
Decreased site crashes when you have spikes of traffic that your server cannot handle.
Better user experience as your site loads super fast for users.
So implementing HTTP/2 can have that ever so small speed increase and additional security protection. However applying it is sometimes quite another matter depending on which method you employ. It can be relatively simple or pretty complicated. In either case it’s a recommended option to implement…
Advanced Step #2: Implement HSTS Directive
Although you have now implemented SSL to be used for your connections it is still somewhat insecure.
In the above steps, you redirected any incoming HTTP connections to your website with a 301 redirect. Your website SSL connection relies on the 301 redirect from HTTP to HTTPS. This presents a small window of opportunity for a potential MITM (man in the middle) attack or eavesdroppers to hijack your SSL connection which may lead to data being stolen or intercepted!
Implementing an SSL certificate on its own for your domain is not enough. Potential MITM attacks will still be able to access your website cookies, files etc. and may even be able to force a redirection to their site during that small window of opportunity.
The simple solution is to deploy HSTS which stands for HTTP Strict Transport Security. It’s a web server directive that informs user agents and browsers to force connections over HTTPS disregarding any calls to load information over HTTP calls. This type of directive is sent at the very beginning of a connection with a browser or user agent.
By installing an HSTS header it will be nearly impossible for potential hackers and eavesdroppers to gather any information from your site as all connections are forced via HTTPS from the very beginning.
The requirements to be met to apply HSTS are as follows:
A valid SSL certificate is required.
301 redirection of all HTTP website URL’s to your HTTPS version.
HSTS header must be served from the base domain.
The WWW and non-WWW domain variants must be covered by your SSL certificate.
A minimum MAX-AGE limit must be specified of at least 10886400 seconds or 18 Weeks.
The preload directive must be specified in your directive.
You should also include the includeSubDomains in your directive.
A recommendation before applying the MAX-AGE limit; set it as low as possible until you are happy with the outcome. You can then increase it to the minimum required limit. This will allow you to correct any issues beforehand. In the code example below we have set the limit to 300 to allow you to test the setup prior to increasing it to the minimum limit specified above.
The code directive you need to implement depends on the type of server you are hosted on:
Apache-based web servers
Simply add the following directive into the top level .htaccess file in either public_html or document root level of your site:
Apache .htaccess Code Directive

    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

NGINX web servers
The NGINX directive goes in your site.conf file which is usually located in your /etc/nginx/ folder:
NGINX Code HSTS Directive

    # "always" is a parameter of add_header, so it goes outside the quoted value
    add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload' always;

Once you have applied your HSTS directives as above then head over to the HSTS preload site and check your setup.
HSTS Implementation Errors
You may get some errors depending on the directives used:
Let’s address those. The first error you get relates to the MAX-AGE limit specified in the directive.
As discussed; we are aware of this. This should be fine for testing purposes and when you are happy that everything is running smoothly you can increase the limit to the minimum recommended or to a value equal to 2 years. Whichever you prefer.
The second error relates to the way we 301 redirected your HTTP version of the site to HTTPS. A requirement for HSTS to work properly is to first redirect to the base domain (https://domain.co.uk) before redirecting to the WWW version of the domain. This ensures that browsers which support HSTS record the HSTS directive for the top level domain first.
If you don’t use the WWW version of the domain then this won’t be an issue for you.
So let’s slightly modify the 301 redirect that we set up in step #5:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://example.co.uk/$1 [L,R=301]

As you can see we simply removed the WWW from the code. That will fix the error mentioned on the HSTS preload check.
Then to 301 redirect to the WWW version of your site (if that’s what you are using) we would add the following directly below that code:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.example.co.uk/$1 [L,R=301]

Now HSTS will be recorded first for the top level domain and then your sub-domain (WWW version). One thing to note here is that this way of implementing HSTS does create a chained redirect. So you will have 3+ 301 redirects in place to the correct version of your website.
This can sometimes be an issue when you have an aged website that has lots of inbound links pointing to it. Prior to 2016, Google’s Matt Cutts confirmed that a 301 redirect lost approximately 15% of its power:
However, as Google wanted website owners to adopt the change and migrate to HTTPS, in 2016 John Mueller from the Google team announced that no power or PageRank (as they term it) is lost in a 301 redirection.
The following image represents the old and new rules for 301 redirections according to Google:
Last but not least the third error in the yellow box:
This simply means that a header was being sent via the HTTP version of the website URL. To correct this we simply need to add env=HTTPS at the end of the HSTS directive that we used above, so your directive will now look like this:
Apache .htaccess Code Directive

    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload" env=HTTPS

When you have corrected all the errors head back over to the HSTS preload website to re-check your installation. If everything is good you should get a message as follows:
That means that you have a successful install of the HSTS directive. You will now be given the option to submit your site to be preloaded in browsers (which is why we included the preload command in the directive above as per point 6).
We would recommend that you don’t submit your site to the preload list until you are entirely satisfied with the results and recommend that you wait a minimum of 6 months before doing so. Have a look below at some of the disadvantages before proceeding even after 6 months!
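The three errors walked through above, together with the 301 check from step #5, can be tested against captured responses before you go back to the preload site. This Python checker is an added example, not part of the original guide and not the preload site’s own logic; the captured hops are constructed, the function and problem-code names are assumptions, and the minimum max-age is the figure quoted in the requirements list on this page.

```python
"""Check captured responses against the HSTS requirements listed on this page."""
from urllib.parse import urlsplit

MIN_MAX_AGE = 10886400  # minimum max-age quoted in the requirements above
STS = "Strict-Transport-Security"


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags


def check_hsts(http_chain, https_base):
    """Return a list of problem codes.

    http_chain: hops followed from http://<base domain>/, as (url, status, headers).
    https_base: the single response to https://<base domain>/, same tuple shape.
    """
    problems = []
    first_url, _, first_headers = http_chain[0]

    # Browsers ignore the header on plain HTTP; seeing it there means the
    # directive is not limited to HTTPS responses (env=HTTPS on Apache).
    if any(urlsplit(url).scheme == "http" and header(h, STS)
           for url, _, h in http_chain):
        problems.append("hsts-sent-over-http")

    # Every hop before the last must be a permanent (301) redirect.
    if any(status != 301 for _, status, _ in http_chain[:-1]):
        problems.append("redirect-not-301")

    # The first redirect must upgrade the same host to HTTPS so the base
    # domain can deliver its own HSTS header before any move to WWW.
    target = urlsplit(header(first_headers, "Location") or "")
    if (target.scheme, target.hostname) != ("https", urlsplit(first_url).hostname):
        problems.append("first-redirect-skips-base-domain-https")

    # The base domain itself must serve a complete policy over HTTPS.
    value = header(https_base[2], STS)
    if urlsplit(https_base[0]).scheme != "https" or value is None:
        problems.append("base-domain-missing-hsts")
    else:
        max_age, flags = parse_hsts(value)
        if max_age is None or max_age < MIN_MAX_AGE:
            problems.append("max-age-too-low")
        if "includesubdomains" not in flags:
            problems.append("missing-includeSubDomains")
        if "preload" not in flags:
            problems.append("missing-preload")

    # The chain has to end on a 200 served over HTTPS.
    last_url, last_status, _ = http_chain[-1]
    if urlsplit(last_url).scheme != "https" or last_status != 200:
        problems.append("final-hop-not-https-200")
    return problems


STS_TEST = "max-age=300; includeSubDomains; preload"
STS_LIVE = "max-age=10886400; includeSubDomains; preload"

# Constructed capture: redirect straight to WWW, header on every response.
BEFORE_CHAIN = [
    ("http://example.co.uk/", 301,
     {"Location": "https://www.example.co.uk/", STS: STS_TEST}),
    ("https://www.example.co.uk/", 200, {STS: STS_TEST}),
]
BEFORE_BASE = ("https://example.co.uk/", 301,
               {"Location": "https://www.example.co.uk/", STS: STS_TEST})

# Constructed capture after the fixes: base domain first, header on HTTPS
# only, max-age raised to the minimum.
AFTER_CHAIN = [
    ("http://example.co.uk/", 301, {"Location": "https://example.co.uk/"}),
    ("https://example.co.uk/", 301,
     {"Location": "https://www.example.co.uk/", STS: STS_LIVE}),
    ("https://www.example.co.uk/", 200, {STS: STS_LIVE}),
]

if __name__ == "__main__":
    print("before:", check_hsts(BEFORE_CHAIN, BEFORE_BASE))
    print("after: ", check_hsts(AFTER_CHAIN, AFTER_CHAIN[1]))
```

To use it on a real site, record the status and headers of each hop (for example from the Redirect Checker output mentioned in step #5) and pass them in the same tuple shape.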
HSTS potential disadvantages
Implementing HSTS does have some negative aspects to it. Some of the disadvantages are as follows:
Once implemented, SSL certificate errors can no longer be bypassed in a browser (not sure why you would want to!).
Moving back to HTTP (again, once implemented, why would you want to?) is very difficult. You could amend the above directives to reduce your max-age limit to, say, 0, but ultimately you would have to wait for a user to revisit your website.
You may have other sub-domains used in a corporate network that are based on HTTP. If the includeSubDomains command is included in the directive then this could potentially lead to a serious issue with HTTP setups. You may have an Intranet or DEV URLs for testing that will no longer be accessible via HTTP.
Data that is transmitted via HTTP will no longer work on an HSTS enabled site. Ensure that there is no data being transmitted via HTTP but only via HTTPS.
Once you are in the browser preload list it’s near enough impossible to get removed from the list. It takes approx 3 months to get removed from the Chrome browser; however, that’s not even guaranteed.
Implementing HSTS is a good thing, however, make sure you understand all the risks involved and read up on it thoroughly. Make sure you are fully aware and happy with what HSTS is before implementing it. Test, test and test!
Advanced Step #3: PCI/DSS & SSL check
Now that you have installed SSL on your website head over to: https://www.ssllabs.com/ssltest/ and stick in your URL (use either the WWW or non-WWW version of your site). That will show you an analysis of how well SSL is implemented on your website.
A bog standard site should get above the B rating. Ideally you want an A+ rating.
If you’re falling short then you can further improve your rating, but most importantly your SSL security, by disabling a few items as directed by the SSL check and the information it provides.
Now you need access to your server for this and generally the settings that you need to update are not available on shared hosting. Most good hosting providers have already implemented this, so you should be good to go.
If not, and you have access to your server, then you need to ensure that you’re only using TLS 1.2 (1.1 is optional) and that you have strict rules set.
It takes a bit of faffing around to get the best result and can be a pain in the butt to do. We found the following to be a good working SSL configuration:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Add that code into your Apache configuration section which you can do via WHM or SSH. It needs to go into the pre_main_global.conf file for ALL versions.
The following can go into the pre_virtualhost_global.conf, again for all versions:
<IfModule mod_fcgid.c>
FcgidMaxRequestLen 1073741824
</IfModule>
SSLProtocol +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
Those 2 combined will allow you to pass any PCI DSS security that you may need for your merchant accounts and also give you an A (A+) rating on the SSL check.
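Before re-running the SSL check, the two snippets can be linted offline. This is an added example, not part of the original guide: it works out which protocols remain enabled and which cipher-string tokens still add a weak algorithm. The function names, the WEAK list, the expansion of "all", and the rule that a later SSLProtocol directive in the same scope replaces the earlier one are assumptions of the sketch.

```python
import re

# The guide's two snippets, embedded so the check runs offline.
CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
           "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
           "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
           "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")
PRE_MAIN = ("SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
            f'SSLCipherSuite "{CIPHERS}"\n')
PRE_VHOST = "SSLProtocol +TLSv1.1 +TLSv1.2\nSSLHonorCipherOrder on\n"

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}      # assumed expansion of "all"
WEAK = {"RC4", "3DES", "DES", "MD5", "NULL", "ANULL", "ENULL", "EXP", "LOW"}


def effective_protocols(config):
    """Protocols left enabled after the last SSLProtocol directive in config."""
    enabled = set()
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].lower() != "sslprotocol":
            continue
        enabled = set()                      # assumption: each directive starts from nothing
        for word in words[1:]:
            name = word.lstrip("+-")
            names = ALL if name.lower() == "all" else {name}
            if word.startswith("-"):
                enabled -= names
            elif word.startswith("+"):
                enabled |= names
            else:
                enabled = set(names)         # a bare name replaces what came before
    return enabled


def weak_cipher_tokens(config):
    """Cipher-string tokens that add a weak algorithm no '!' token excludes."""
    m = re.search(r'^\s*SSLCipherSuite\s+"?([^"\n]+)', config, re.M | re.I)
    tokens = re.split(r"[ :,]+", m.group(1).strip()) if m else []
    killed = {t[1:].upper() for t in tokens if t.startswith("!")}
    flagged = []
    for t in tokens:
        if not t or t[0] in "!-":
            continue                         # exclusions and removals add nothing
        parts = t.lstrip("+").upper().split("+")
        if any(p in WEAK and p not in killed for p in parts):
            flagged.append(t)
    return flagged
```

On the guide's configuration the first snippet alone leaves TLSv1 enabled, both together leave TLSv1.1 and TLSv1.2, and the two RC4 tokens are flagged; RFC 7465 prohibits RC4 cipher suites in TLS, so adding !RC4 to the exclusions is the usual remedy.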
Chapter 6: Conclusion
Congratulations! If you have followed all the steps then you have successfully migrated your website from HTTP to HTTPS.
Your website will now benefit from secure SSL connections that help keep hackers and eavesdroppers from reading traffic in transit. You will have a much faster site compared to standard HTTP websites (and those still using HTTP/1). Your website will now also be compliant for PCI/DSS, which is a requirement for most ecommerce websites.
To put the ‘icing on the cake’, all your website URLs will be intact and correctly redirecting to the SSL version, saving you any link juice you may have acquired over time!
Read on to see the result we achieved for a migration we completed (your results should be similar).
We implemented an SSL and migrated a big website from HTTP to HTTPS way back at the beginning of 2016 and kept a close eye on the organic traffic.
Many other websites, and even agencies migrating clients to SSL, experienced drops in their organic traffic and search result positions.
However if you followed all the steps carefully above you should see something like this:
With the SSL implementation we completed at the beginning of January 2016 for an ecommerce site which had well over 100,000 URLs, migrating from HTTP to HTTPS, we didn’t lose any organic search traffic at all. In fact, because we added an EV SSL certificate, ensured we 301 redirected all the URLs properly and took the steps outlined above, the organic search traffic, CTR and conversions actually increased. Job well done 🙂
We hope that this post has been helpful for you and allows you to easily implement your SSL and migrate your website to HTTPS effectively. We would love to hear your comments below and of course, this guide is for you — so please ask questions and leave feedback so that we can improve it!
New Post has been published on https://www.umbrella-host.co.uk/blog/3-best-wordpress-security-plugins-for-2015/
3 Best WordPress Security Plugins for 2015
It’s very important that your WordPress based website is safe and secure. One of the simplest ways to achieve this is to make sure you run the latest version of WordPress. It addresses many WordPress security issues straight out of the box. Our web hosting customers can benefit from automatic...
New Post has been published on https://www.umbrella-host.co.uk/blog/wordpress-security-and-why-you-shouldnt-use-nulled-plugins-and-themes/
WordPress Security and why you shouldn't use "nulled" plugins and themes
As a web hosting company we often have customers contacting our customer support concerned about the security of their website. The majority of the time it’s concerns about WordPress security. Being the most popular open source CMS on the market, the amount of users is huge. Our web hosting...
Learn Everything You Need To Know About Article Advertising
One way to get into article submission is through scanning many kinds of magazines, either online or at the library. This information can help you see which magazines you’re able to contribute to and whether your style can attract the editor’s attention enough to print it.
Try researching types of ads your readers are interested in. Make sure your website is attractive and easy to navigate if…
New Post has been published on https://www.umbrella-host.co.uk/blog/enable-leverage-browser-caching-for-your-website/
Enable Leverage browser caching for your website
So you are optimising your website and have most probably used the Google Page Speed Tool and/or the Pingdom page speed tool. Upon checking your site to see how it’s performing you come across this: Leverage browser caching. The tools you check with tell you to Enable Leverage browser caching for...
Spending our last dollars. by Samuel Fast Twitter || Source
Majestic Spinning Otter Accidentally Hits Friend. [video]
Rihanna headed to the ‘Hanson Fitness’ gym in NYC.