HTTPS implementation for Apache



In this article, HTTPS implementation for Apache, I will show you a simple way to implement HTTPS for a Website and for a blog based on WordPress.
HTTPS means Hyper Text Transfer Protocol Secure. HTTPS gives you secure, encrypted communication between the server and the browser. This is done with a so-called certificate, which is usually delivered by your hosting provider or an external provider. Let’s Encrypt, for example, is an open source solution for HTTPS, and it is free.

Some keywords

  • SSL stands for Secure Sockets Layer and in short, it’s the standard technology for keeping an Internet connection secure
  • TLS (Transport Layer Security) is just an updated, more secure version of SSL. Usually, people still refer to security certificates as SSL because it is the more commonly used term
  • HTTPS appears in the URL when a website is secured by an SSL certificate

Test Tools

If you are not sure if your HTTPS is working correctly, use the following tools to detect possible errors.

  • This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. GlobalSign
  • The HTTPS Lookup and SSL Certificate Checker will query a website URL and tell you if it responds securely with SSL encryption. MxToolbox
  • Comodo SSL analyzer. Comodo

Enforce SSL on the entire Website

Add the following lines to the .htaccess file in order to enforce SSL:

RewriteEngine on
# – This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
# – This rule will redirect users from their original location to the same location, but using HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Don’t forget to define the Website’s basic URL, either https://www or only https://, and redirect the homepage to that basic URL. This is more relevant to SEO than to security.
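A check for the redirect rule above, as an added example that is not part of the original article: it judges the answer a server gives to a plain-HTTP request. The function names and the example.org URLs are assumptions; a bare [R] flag, as used in the rule above, makes Apache answer with a 302 (temporary) redirect, which the check reports.

```python
import http.client
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def judge_redirect(requested_url, status, location, canonical_host=None):
    """Return the problems in a server's answer to a plain-HTTP request."""
    if status not in PERMANENT | TEMPORARY:
        return [f"no redirect (status {status}): page is served over plain HTTP"]
    asked, target = urlsplit(requested_url), urlsplit(location or "")
    problems = []
    if target.scheme != "https":
        problems.append(f"redirect target is not HTTPS: {location!r}")
    # %{SERVER_NAME} may legitimately differ from the requested host
    # (for example a www prefix), so the expected host is a parameter.
    expected = (canonical_host or asked.hostname or "").lower()
    if (target.hostname or "").lower() != expected:
        problems.append(f"unexpected host {target.hostname!r}, wanted {expected!r}")
    if (target.path or "/") != (asked.path or "/") or target.query != asked.query:
        problems.append("path or query string was not carried over")
    if status in TEMPORARY:
        # A bare [R] flag in mod_rewrite sends 302; [R=301] makes it permanent.
        problems.append(f"status {status} is a temporary redirect")
    return problems


def probe(host, path="/", canonical_host=None, timeout=5):
    """Send one HEAD request to port 80 and judge the response (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return judge_redirect(f"http://{host}{path}", resp.status,
                              resp.getheader("Location"), canonical_host)
    finally:
        conn.close()
```

Call probe() with your own host name and a deep path such as a single post URL; an empty list means the request was redirected permanently to the same location over HTTPS.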

Check list for Websites

  • buy and activate the SSL certificate for your Website
  • enforce SSL as described before in the .htaccess file
  • change all http URLs on your pages to https. Use the Mozilla Firebug console to detect the insecure resources
  • update the robots.txt file accordingly
  • add the “new” https Website to the Google Search Console
  • send the new sitemap to the Google Search Console
  • change the http to https in Google Analytics
  • add the new Analytics tracking code to your Webpages
    For the pages on your Website/blog that are secured by an SSL certificate, you need to place a different piece of code for Google Analytics. You can get the correct piece of code for your account by logging in to your Google Analytics account, and selecting “edit” next to the Website/blog profile that you want to use. Choose to edit the URL at the top of that page, and replace the “http://” with “https://”, which will tell Analytics your Website/blog is secure. Save the changes and click “account status” for that Website/blog profile to get the new JavaScript code to install on secure pages only.
  • use the test tools mentioned above to check if HTTPS is working correctly

Check list for a blog based on WordPress

  • change the two URLs in the wp-config.php file from “http://” to “https://”
  • force the admin login to HTTPS: set the constant FORCE_SSL_ADMIN to “true” in the wp-config.php file as follows: define('FORCE_SSL_ADMIN', true);
  • force the general login to HTTPS: set the constant FORCE_SSL_LOGIN to “true” in the wp-config.php file as follows: define('FORCE_SSL_LOGIN', true);
  • if you are using a CDN and the URLs are still on http, clear the cache
  • enforce SSL as described before in the .htaccess file
  • change all http URLs on your pages to https. Use the Mozilla Firebug console to detect the insecure resources
    Examples of possible non secure resources : child files, social media logos, RSS image, etc
  • force the canonical URLs to https with the Yoast SEO plugin
  • update the robots.txt file accordingly
  • add the “new” https blog to the Google Search Console
  • enable and disable the sitemap in the Yoast SEO plugin. This will generate a new sitemap
  • change the http to https in Google Analytics
  • add the new Analytics tracking code to your blog
    For the pages on your Website/blog that are secured by an SSL certificate, you need to place a different piece of code for Google Analytics. You can get the correct piece of code for your account by logging in to your Google Analytics account, and selecting “edit” next to the Website/blog profile that you want to use. Choose to edit the URL at the top of that page, and replace the “http://” with “https://”, which will tell Analytics your Website/blog is secure. Save the changes and click “account status” for that Website/blog profile to get the new JavaScript code to install on secure pages only.
  • use the test tools mentioned above to check if HTTPS is working correctly
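
The “change all http URLs on your pages to https” step from both check lists, as an added example that is not part of the original article: a scanner that lists the resources a page still loads over http://. The tag tables, the names and the sample page are constructed for illustration; “active” resources (scripts, stylesheets, frames) are the ones browsers block on an HTTPS page, “passive” ones are images and media.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is not listed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"),
           ("source", "srcset"), ("audio", "src"), ("video", "src")}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "link":
            rels = set(dict(attrs).get("rel", "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return  # canonical or alternate links are not fetched as subresources
        for name, value in attrs:
            kind = ("active" if (tag, name) in ACTIVE else
                    "passive" if (tag, name) in PASSIVE else None)
            if kind is None:
                continue
            # srcset holds "url descriptor, url descriptor"; other attributes hold one URL
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], kind, tag, url))


def scan(html):
    """Return (line, kind, tag, url) for every insecure subresource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: child-theme stylesheet, RSS image and a CDN logo.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://blog.example/post/">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/child/style.css">
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://other.example/">outbound link</a>
<img src="http://blog.example/wp-content/uploads/rss.png" alt="RSS">
<img src="/logo.png" srcset="/logo.png 1x, http://cdn.example/logo@2x.png 2x">
</body></html>"""
```

The http canonical link in the sample is not reported because it is not a loaded resource; it is covered by the separate canonical URL step in the check list.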
