Buying an SSL/TLS certificate (or using a free one) is just one of a few steps to secure your WordPress website over HTTPS. Learn how to activate SSL on WordPress and benefit from serving a secure website to visitors. In this article, the process of activating SSL/TLS is broken down into three steps, including how to fix mixed content warnings in WordPress and showing the green lock icon in your browser.
Before you begin any other step, you need to have a valid certificate installed on your web host, whether it's free or one you bought from a certificate authority (CA) like Comodo SSL. Without a valid CA-signed certificate installed (self-signed certificates aren't considered secure in production), visitors will get the red lock icon and/or see a security warning in their browser.
Cyberia Technologies web hosting integrates with Let's Encrypt SSL, a free certificate authority (CA) with backing by major companies like Google, Mozilla, and Cisco. The installation is simple and can be done in a matter of seconds. Your domain must be live (DNS records must be pointing to your host) before Let's Encrypt will issue an SSL certificate. Each web host is different and the interface will differ as a result. For example, a cPanel host might allow you to install an SSL certificate through an interface like this:
Contact support at your hosting provider find out if they offer Let's Encrypt SSL/TLS certificates. If you are a Cyberia Technologies customer and have any questions or trouble, you can email support.
The next step in how to activate SSL on WordPress is to configure or "tell" your WordPress installation to use it. This is done by adding the 's' in the URL (http:// to https://) in the fields marked 'WordPress Address' and 'Site Address'. Click 'Save' after making the changes to both fields.
WordPress will log you out automatically—this is normal. Simply log back in again with your administrator username & password, and you're for the next step!
This step ensures your WordPress site uses HTTPS consistently instead of HTTPS for only some links and HTTP for the rest. Though this step is key to fix WordPress mixed content warnings, it requires some level of technical competence. To accomplish this, we'll need to find and replace the links in the database pointing to images, attachments, or theme files that are still using the non-secure protocol.
From your WordPress Dashboard, select 'Add New Plugin' and type 'Better Search Replace' into the search box. Click 'Install' and then 'Activate'. Next, go to Dashboard > Tools and select 'Better Search Replace'.
Referencing the screenshot above, the first field is for the old, non-secure domain (take note of the absence of 's' in 'http'). The second field is for the new secure domain protocol (https). The correct settings to be used are highlighted in purple.
Remember to take extreme care not to mistype or misspell anything in either field. Double check protocols, the placement of the colon, if the double forward slashes are present, etc. Making a backup of your database might not be a bad idea either, since a mistake here can potentially break your website.
Next, select all the tables (SHIFT + L Mouse click on PC) or select them one by one (CTRL + L Mouse click). Tick the GUID checkbox if your site is new or is a test site. The dry run checkbox must be unchecked in order to run the operation.
To finish, simply Click 'RUN Search/Replace' at the bottom. If successful, you will see a notice at the top of the page with the number of non-secure URLs the plugin was able to find and secure.
You've learned how to activate SSL on WordPress and your site will be served to visitors with a green lock icon. If you don't see a lock icon yet, refresh the page or try another browser.
Note 1: This secures your WordPress site and everything hosted inside it. If you have external pictures, content, or third party scripts, i.e. hotlinked content or embedded iframes, they must still be secured on their own host.
Note 2: It's a good idea to review your Google Analytics and Google Search Console properties to the newly secured URL (https://).
Note 3: To be thorough, we also recommend you setup a 301 redirect from the old, non-secure URL to your secure domain. This way visitors and search engines trying to reach your site will seamlessly arrive on the secure domain. This can be done either by your host or from inside WordPress.
Note 4: Your website SEO rankings or "link juice" may take some time to settle, though this is necessary in order to activate SSL on WordPress correctly.
If you use WordPress, you might have noticed a seemingly endless supply of plugins claiming to speed up your WordPress site and boost your page speed score. And, for those of you who've tested them against measuring tools like Pingdom or GTMetrix, you might agree with us if we said most caching plugins don't live up to their expectations. That being said, there are some effective ways to speed up your WordPress site without investing too much time and effort. In this article we cover 3 quick ways to speed up WordPress and boost your page speed score without going into premium plugins or CDN services.
Optimizing all your images is a strong first step in order to speed up WordPress. Install an image optimization plugin like TinyPNG, EWWW Image Optimizer, or reSmush.it to begin without too much setup. These usually work the same way by removing redundant color data, a process known as quantization, and clearing the metadata from your photos, graphics, icons, etc. This technique in general does not create any noticeable degradation of image quality. Though the default settings are good enough for most, you might be able to shave off a few more kilobytes by tweaking compression settings.
Remember to use your best judgement when it comes to image optimization suggestions. As an example, even Google's Page Speed Insights tool isn't gospel and will sometimes make impractical recommendations (as with all page speed testing tools).
Next, let's configure browser caching on your host. Please note we recommend this step only if you're not using a caching plugin in order to avoid potential conflicts. If your web host provides cPanel or a server powered by Apache, simply insert this snippet inside the <IfModule mod_expires.c> block in either your webroot .htaccess file or server's apache .conf file:
ExpiresActive On ExpiresByType image/jpg "access 1 week" ExpiresByType image/jpeg "access 1 week" ExpiresByType image/gif "access 1 week" ExpiresByType image/png "access 1 week" ExpiresByType text/css "access 1 week" ExpiresByType application/pdf "access 1 week" ExpiresByType text/x-javascript "access 1 week" ExpiresByType application/x-shockwave-flash "access 1 week" ExpiresByType image/x-icon "access 1 week" ExpiresDefault "access 1 week"Alternatively, if your host is powered by NginX or sports a dual server configuration (e.g. Plesk Panel), you should not use the above code. Instead, reach out to your host to add this snippet to the server's nginx .conf file (not .htaccess).
location ~* \.(js|css|png|jpg|jpeg|gif|ico|mp4|webm)$ { expires 7d; add_header Cache-Control "public, no-transform"; } gzip on; gzip_proxied any; gzip_min_length 1100; gzip_comp_level 1; gzip_types application/x-javascript application/javascript text/javascript text/css text/plain text/xml application/xml image/gif image/jpeg image/png image/x-icon image/bmp image/svg+xml application/x-httpd-php video/mp4 video/webm; gzip_vary on;Notice how we recommend setting the cache validity period for 7 days or 1 week. We find this duration strikes a good balance between browser caching and fresh downloads from your host and is also the minimum accepted duration in most page speed scoring tools.
If you're not sure where to put the code or don't feel comfortable modifying .htaccess, reach out to your host for some support. It is always best to err on the side of caution when modifying .htaccess or .conf files.
3. Remove Query Strings from Static Resources
This step is optional but strongly recommended in order to fully unlock the benefits of configuring browser caching. Removing query strings from static resources ensures web browsers can cache everything on your site they need to. Without this step, any improvements to your page speed score from step #2 might be limited. Simply paste this PHP snippet into the functions.php file of your child theme or into a snippets plugin.
function _remove_query_string( $src ){ $parts = explode( '?ver', $src ); return $parts[0]; } add_filter( 'script_loader_src', '_remove_query_string', 15, 1 ); add_filter( 'style_loader_src', '_remove_query_string', 15, 1 );Please note you can also paste the above snippet into the functions.php file of your theme and have success, though this isn't recommended. If you don't have a child theme and don't want to use a snippets plugin, here's a great child theme generator plugin to get you squared away.
So there you have it. If you invest 15-20 minutes to implement one or more of these steps, your WordPress site will be in much better shape. If you have questions or want to switch hosts, please reach out to Cyberia Technologies and we'll do our best to help.
Optimizing images on your website is important, not only because it reduces the site footprint or file size, but doing this one step will net you the greatest gains in pagespeed. Even creating backups of a website with web-optimized images is much faster and takes up less storage space. Let's dive into how to optimize images on your website for performance by sharing with you a basic understanding of a few concepts:
- The differences between JPG vs. PNG image file formats
- Why it's important to resize images before using them (pixels)
- Why it's important to take notice of image file sizes (kilobytes)
How to Choose the Right File Formats When Optimizing Images
Both .jpg and .png file formats have their strong and weak points and its important to know when it's appropriate to use each. Using the correct file type in the right scenario will ensure your website performs the best throughout its lifespan. Here is a breakdown of each common file type:
*These are ballpark estimates and require common sense. If you have a small product photo that takes up 800KB of space for example, you need to go back and look at things.
In this day and age, your business website needs safeguards in place to protect against cyber attacks. Though our managed WordPress hosting customers benefit from several security measures, many web hosting providers don't offer any mitigation against website hacks/data loss. No matter which web host you use, we'll share with you 5 easy steps to secure WordPress and protect from hackers. These should be easy to implement and won't involve any coding.
Wrong. Indeed, the public does see headlines about their personal data being dumped on the dark web from a big corporate hack every year or so. Yahoo, Sony, and Equifax are some of the (in)famous data breaches you may have heard of. But if you think only enterprise businesses are in a hacker's crosshairs, you're being misled. Without mitigation, you may be choosing to put your business (and customers) at risk.
Use a security plugin for WordPress, like Wordfence or iThemes Security, to shut down the most common attack vectors without much setup. Many critically important features are included even with the free version of Wordfence. When you visit the Wordfence Options tab inside the Dashboard, you can customize the thoroughness of scans and log keeping. Within just minutes, you will enjoy significantly greater protection.
Creating backups is important, not only in the event of an infection you can't clean, but also in case your website breaks (i.e. after a bad update). We recommend a regular schedule of weekly or monthly WordPress backups by default. If you need to run a different backup schedule, you might want to factor in the following:
Luckily, there is no shortage of both free and premium backup tools, so you only need to be aware of what's needed as a minimum. A complete WordPress backup consists of two parts: the standard PHP files, images, etc.—and the database (a specially exported .SQL file). You need both parts to have a working backup—if you try to restore an old backup without the database, your backup is worthless.
We recommend UpdraftPlus or Duplicator to create a restore point or snapshot. The backups can be stored on your web host or externally in Google Drive, Dropbox, or AWS. If you're a Cyberia Technologies hosting customer, you're already benefiting from server-side automatic backups, meaning there is no need a third party solution. Server-side WordPress backups can be restored by logging into the control panel.
Cloudflare is a DNS (domain name service) provider built on a philosophy of security and speed. The free plan from Cloudflare even includes DDoS protection, a global content delivery network (CDN), zero-trust access protection for 5 users, & more.
It's well known by the WordPress community that you can visit the default login page for any WordPress site by going to www.thewebsite.com/wp-login.php. Given how popular WordPress is, this means anyone can try to gain entry to your website through this very predictable login slug. Changing it to something unique enough that an outsider can't guess will remove this potential attack vector.
By default all WordPress database tables start with "wp_" as a prefix, meaning any hacker can easily predict your database structure. MySQL injections and other database vulnerabilities become much easier from that point onward. Use a tool to customize your WordPress table prefixes to something completely unique/random, i.e. "w2ZbEq_". If you're a Cyberia Technologies customer, you can randomize the database prefix via the 1-click security tab in WordPress Toolkit. Otherwise you can search for a plugin in the WordPress repository to automatically do this.
Your business and your customers rely on the safety and security of your website. Although none of the above 5 steps will guarantee you won't be hacked, you'll avoid becoming low-hanging fruit for hackers. Since most small businesses don't recover from security breaches, it's worth it to review our 5 easy steps to secure WordPress and protect from hackers every so often.
