In this session we talk about adding SSL to your website for Facebook, explain what an SSL certificate is and how it works. We talk about Facebook requirements and how the process to get the certificate installed is different with each hosting company. We recommend using the plugin Safe Search and Replace afterwards to find and replace all your links from http to https.
Rick: So you want to talk a little bit about installing SSL on an existing website?
Member: Right. I’ve been doing a little bit of research on this but what I’m heading towards is linking some pages on my website to Facebook and Facebook requires to have an SSL certificate to do that but everything I’m finding about SSL seems like I’m going to break something on the site.
Rick: Well, what Facebook requires is that your application have an SSL so if your website is actually your application then yes, you would have to do SSL but you wouldn’t do it on just a few pages, you would do it on the entire site and at that point, that’s complicated by who your host is.
Member: I’m with Hostgator.
Rick: Okay, and is this your primary domain?
Rick: Okay, so you have to talk to Hostgator about how they handle putting an SSL certificate on a domain that is not your primary domain. Now, GoDaddy requires you to have an entirely separate hosting account for an SSL certificate. BlueHost requires that the domain be the primary domain of the account in order for it to have an SSL certificate and then some other places have what they call wildcard SSL certificates available where they can put it on secondary domains but it is a little bit complicated although once the certificate is installed, you don’t have to do anything really except for changing your website address from http to https and then if you’ve got any absolute links, any absolute URLs that are specified in the site, you just need to go change those from http to https but it’s not particularly difficult as long as you’ve got it actually on your site.
Member: Is there an easy way to find those links?
Rick: Probably the easiest thing to do would be to use that plugin called Safe Search and Replace and have it search your database for http or actually, have it search for your address so http://www. whatever, have it search for that and then replace it with https.
Rick: That’s a fairly straightforward process but really, the hardest part is figuring out what your host requires from you.
Rick: And making sure that you know, whatever they require is what you’ve got.
Member: Could you say the name of that plugin again?
Rick: Safe Search and Replace, it’s on the wordpress.org and I have some videos on the site where we use it from time to time.
Rick: For making that kind of change it’s an excellent plugin.
Member: So it can go to the whole database and find everything?
Rick: Yes. Now, the chances are, I mean the very first thing you’ll end up doing is changing your website address. For example on my site, where are my General Settings, you set this WordPress address URL and site address URL and you change those both to “s” and as soon as you do that, it’s going to kick you out so you’ll have to go back in and log in again. If you have one of them at “p” and one of them at “s”, you probably have to open your database to fix it. It’s easy to do but you have to do them both at the same time.
Member: Anybody who’s got an old link or just be http, will they ever get back to the site?
Rick: Well sure because it will redirect https automatically. That’s really not the problem, the problem is what the website itself calls itself not what somebody else tries to call it because http and https will resolve to the same URL.
Member: Okay, good that sounds fine. It’s just going to be the actual thing?
Rick: Yes. It’s just that you know, I mean what I’ll say is, if you leave it at http here but you’ve got an actual https certificate tied to the site, they will say that the site is insecure because what they are reading is reporting an http even though it’s supposed to be https, that’s what a spoofer will do, that’s the purpose for https, is to ensure that there’s no URL spoofing so the site itself has to report the information correctly.
Rick: But the very first place you start is by talking to Hostgator and then you know, there are people out there who talk about, well, we’ll just make these individual pages secure but not the rest of it, that just doesn’t work in WordPress even though people talk about it so I wouldn’t even consider it, I just make the whole site https.