Moving To a Fully Secure Website

Written by Nick Leffler

This post is a bit outside the realm of WordPress and the WordPress difficulty level I usually write at. I still decided I wanted to write about the topic and document my process though.

This would be helpful for those who have purchased a secure certificate and have it working for portions of their website, but want a fully secure website.

I decided to make my wife’s website fully secure (front and back-end) and not just the payment pages and some login pages (some of which did not switch over to SSL, which concerned me).

My wife’s website is an eCommerce website that has a sign-up form and can exchange private information such as usernames, passwords, addresses, phone numbers, etc. If a website is transmitting anything private or personally identifiable information (PII) then it’s a must to secure that information as it traverses the Internet.

Rather than leaving it up to WordPress and 3rd party plugins to decide when it’s best to switch to SSL, I wanted it all to be SSL. I was having an issue with a 3rd party plugin that had a sign-up form and login form but didn’t switch to SSL, so all of that information was sent in the open. Not good.

After failing to work with the developer to have the necessary parts of the website switch to SSL as WooCommerce does, I decided to go full SSL.

I already had the secure certificate in place and working for portions of the website. You don’t want to try this unless you’ve purchased an SSL certificate and have that working properly.

Going SSL

GoDaddy Solution

My first attempts to force the entire website into SSL had many failures. I searched the Internet for different .htaccess snippets and would end up with partial SSL, no SSL, or even worse, complete server errors.

I gave up my search and contacted GoDaddy support (that’s who I’m using for hosting), who helped me find a solution. The support guy I called fortunately had a snippet he was using on his own website successfully. At first glance it worked great and seemed to solve the problem. The more I played with it though, the more I found that it didn’t deliver a full SSL solution.

I wanted users no matter where they came from or how they typed the URL to always be redirected to the SSL version of my website.

It worked well if I typed in domainname.com, but if I typed in www.domainname.com it failed to redirect and would stay in unsecured mode until I clicked a link. This wasn’t acceptable; I wanted a website that didn’t even have an unsecured version available.

All of these snippets go into the .htaccess file in the root directory of your server (usually the public_html folder).

This is what GoDaddy provided as a solution:

# BEGIN GD-SSL
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
# Only act on requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Requires a non-empty User-Agent, so requests without one are never redirected
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
# Only matches the bare domain, which is why www.yourdomain.com was left on HTTP
RewriteCond %{SERVER_NAME} ^yourdomain\.com$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</IfModule>
# Header is provided by mod_headers, not mod_rewrite; guard it separately so a
# missing module does not cause a server error. Browsers only honour HSTS when
# it is received over HTTPS, and max-age=300 (five minutes) is a very short lifetime.
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age=300"
</IfModule>
# END GD-SSL

Almost There

I figured at this point I was on my own if GoDaddy couldn’t even figure out how to properly create a 100% secure website, so I went on another search. Now that I was better equipped with what to search for, I was more successful at finding solutions that worked a little better, just not all the way.

The next solution I found in a forum, where it was quoted directly from the Apache documentation. This solution was much more successful for the root domain and redirected both with and without the www.

I was using this for at least a week without uncovering any issues, but I eventually ran into a problem where it wasn’t redirecting users from unsecured content to secure content for certain folders. Specifically, one of the products didn’t redirect to the secure version.

This is the snippet from the Apache documentation that didn’t work for me:

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

This meant I had to go back to the drawing board.

Final Solution

My final solution is what I now have in place; it has proved to be completely successful and I can’t make it fail. I can type in any URL in any way and it always redirects to the correct secure version. I also found this one on a forum, but I don’t think it was pulled from any Apache documentation.

The successful solution:

RewriteEngine On
# Matches any request that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Redirect to the canonical www host, keeping the requested path; Apache
# carries the original query string over automatically. [R] alone is a
# temporary (302) redirect; [R=301] makes it permanent.
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

So, this is the best way to do it on a GoDaddy server. It may also be the best way on other servers but I’ve only tested it on one.
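A way to verify whichever rule set you end up with against the URL forms this post found problematic (bare domain, www, a subfolder, a login page, a query string). This is an added example, not code from the original post; the host name and paths are placeholders, and the checker only passes a response that lands on https with the path and query string intact.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DEFAULT_HOST = "yourdomain.com"  # placeholder; pass the real host as argv[1]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, timeout=10):
    """Request one URL; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location")

def check_redirect(requested, status, location):
    """Judge one response; returns (ok, reason)."""
    req, loc = urlsplit(requested), urlsplit(location or "")
    if req.scheme == "https" and status == 200:
        return True, "served directly over https"
    if status not in (301, 302, 307, 308):
        return False, f"no redirect (status {status}): page reachable over http"
    if loc.scheme != "https":
        return False, f"redirect target is not https: {location!r}"
    if (loc.path or "/") != (req.path or "/"):
        return False, f"path not preserved: {req.path!r} -> {loc.path!r}"
    if loc.query != req.query:
        return False, f"query string lost: {req.query!r} -> {loc.query!r}"
    if status in (302, 307):
        return True, f"https redirect, but temporary ({status}); prefer R=301"
    return True, f"permanent redirect to {location}"

def url_variants(host):
    """Forms a visitor might type: bare host, www, a subfolder, login, query."""
    return [f"http://{host}/", f"http://www.{host}/",
            f"http://{host}/product-folder/", f"http://www.{host}/wp-login.php",
            f"http://{host}/shop/?add-to-cart=1"]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    for url in url_variants(host):
        status, location = fetch(url)
        ok, reason = check_redirect(url, status, location)
        print("PASS" if ok else "FAIL", url, "->", reason)
```

Run it against the live site after each change to .htaccess; a FAIL on the www line is exactly what the GoDaddy snippet above produces.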

Success

It took quite a while to arrive at a successful solution to get the entire website secure, but I’m glad I took the time and found the right one. I feel more comfortable having all traffic redirected through a secure connection, and I hope visitors do too.

It requires a lot of testing to see whether you have found the best option, and some solutions are better than others. The first solution from GoDaddy was the weakest and didn’t redirect many users from unsecured to secure. The second solution worked well and its flaws were harder to uncover, but eventually I found one and moved to the third option, which has so far been bullet-proof.
