A guide to setting up Let's Encrypt SSL on self-hosted WordPress sites
A lot of people are talking about the importance of SSL in the blogging world lately, and it's not hard to see why.
Google (the web overlords) have announced that their Chrome browser will soon start warning visitors to non-secure sites with a scary red triangle and Not Secure label. They also weigh it as a factor in search results, giving a higher ranking to sites with SSL.
It is also important from a security standpoint, regardless of Google, as it encrypts & protects data as it "travels" between the browser and the server. WordPress have recently announced that 2017 is "going to be the year" that WordPress will have features which require hosts to have HTTPS available.
As a blogger, do you really need SSL on your WordPress site? It's not critical you do it immediately... but it should definitely be on your to-do list.
Thankfully, it's not as expensive (or as scary!) as it used to be to enable HTTPS on your website, thanks to the increasingly widespread adoption of Let's Encrypt. Many popular hosts now have one click installs & auto renewal using the free Certificate Authority scheme, which was set up for the public's benefit to "create a more secure and privacy-respecting Web".
I'm going to be concentrating on setting up SSL on WordPress blogs hosted on TSOhost, but there is some info at the end of this guide about other hosts, and the steps once SSL is enabled are the same on any hosting platform so you can still follow the bulk of this guide for any WordPress site.
Step 1: Log into your TSOhost control panel and enable Let's Encrypt for your domain
1. Log in at https://control.gridhost.co.uk - if you don't know your username/password you can log into your TSOhost account at https://my.tsohost.com and go to My Products and Services, then click Manage next to your hosting package. You should then be able to see the login details, and change your password if need be.
2. Select the website you want to install Let's Encrypt on.
3. Under the Advanced Management Tools section, select Let's Encrypt and click "Check My Domains".
4. If any of them have addresses with .gridhosted.co.uk at the end, go back to Manage Website & delete these from the Domain Aliases page, then repeat step 3.
5. The next page will show a table of all the domains that will get a certificate. If your sites are all OK, click Request Certificates. If they are "Not OK", take a look at the troubleshooting on this page.
6. You should get a success message - congrats, you have SSL! It will take a few hours before the https:// version of your site works. When that starts working, move on to the next part of this guide.
CPanel TSOhost accounts: TSOhost only offer Let's Encrypt SSL on their Cloud hosting as CPanel is their legacy hosting offering - they do however have a tool in the Cloud hosting control panel to import a CPanel site so they've made it fairly easy to switch if need be.
Step 2: Set up https on your WordPress dashboard
1. Install the WordPress Force HTTPS plugin and activate it. This will redirect each and every page, post, image etc. on your site to the https address.
2. Take a backup of your database. I prefer to use the Updraft Plus plugin for this.
3. Install the Better Search Replace plugin.
4. Using Better Search Replace, enter the http:// version of your URL in the "Find" box, and the https:// URL in the "Replace with" box - i.e. replace http://mamageek.co.uk with https://mamageek.co.uk
5. Check the "Case-Insensitive" box.
6. Highlight all the tables listed.
7. Run as a dry run to start with, to make sure that you get the search results you expect (there will likely be thousands of cells that will need changing), and to give you a chance to double check your URLs.
8. If everything looks right, un-click the dry run box and run the plugin again.
9. Delete the Better Search Replace plugin.
Please note: these instructions use plugins to make this easier. However, the more technically minded can do the equivalent tasks by editing the .htaccess file to add Rewrite rules, and using the Interconnect IT Search and Replace tool for the database replacements.
Step 3: Check your site is secure
Visit your site in Google Chrome. You should have a green padlock in the address bar. If you have, congrats, you're done!
If you have a different colour padlock, a triangle, or another symbol, then you have mixed content on your website and it is not fully secure.
In Chrome, click the (i) symbol next to your URL, which will bring up a message explaining the site is not fully secure, with a small "Details" link
Click the link which will bring up a panel all about the SSL status of the site. Click the "View requests in Network Panel" link
Refresh the page
Use the panel to identify the insecure content of your page
Where third party images are insecure (e.g. the Britmums badge) you can download the image and host it in your own media gallery, as I have shown in the video
Some sites like Google Fonts, TOTS100, Font Awesome, have switched over to https for their hosted files. You can get new links from them to replace the old ones.
To get a new TOTS100, FOODIES100, HIBS100 badge, just log into your profile on the relevant site and grab a new badge code - it should now have https in the URL.
You may need to contact your theme developer or get third party help to solve all the problems, but it is usually fairly straightforward things like ads and badges.
You can also visit https://www.whynopadlock.com/ which will give you a report on why your site hasn't gained the elusive green padlock yet.
Once your site is all up and running, you'll want to go into your Google Search Console (formerly Webmaster Tools) and re-add it so that Google can crawl your site again. It's a good idea to submit a sitemap too; I use the one generated by Yoast SEO for my blogs.
A note about other hosts
Let's Encrypt is becoming more widespread and a number of hosting companies have now added support. Here is some information on the most popular/asked about hosts:
SiteGround - tutorial here
Vidahost - information here (but basically the same as TSOhost as they use the same control panel)
Evo Hosting - contact support to set it up
Let's Encrypt have a community-maintained list of hosts that support easy installation of their SSL - make sure you check the comments as not all of the companies have been added to the main list yet.
For hosting companies not offering easy installation support at the moment, it can almost always be installed manually, or with the aid of the WP Encrypt plugin. Just google the name of your hosting company and "Let's Encrypt" - chances are you'll find a tutorial.
I hope this helps, enjoy your padlocks!