cPanel: Securing your CrossWinds hosted site with HTTPS
via force https redirection | .htaccess | wordpress plugin | mixed content
Your crosswinds hosted site automatically comes with a security certificate. But this does not mean that your site is automatically secure. You must enable HTTPS redirection.
In 2014, the search engine giant, Google, “working to make the Internet safer”, decreed that having HTTPS would help websites to get higher ranks in their search results. They called for “HTTPS everywhere” on the web.
To prevent your website visitors from seeing dreaded messages such as “Warning: Potential Security Risk Ahead” or “Your Connection to this site is not secure” instead of your innocuous content, make the switch to using a Secure Socket Layer (SSL).
It’s relatively easy to do, particularly with the help of cPanel. However, with older sites, there may be a few extras involved. But let’s start with the easy fix:
cPanel | Force https redirection
One of the most common support requests for both hosting providers and end-users is: once an SSL certificate is installed for your website, how do you redirect traffic to the “secure,” or HTTPS version of the URL?
(excerpt from https://blog.cpanel.com/force-https-redirection/)
Use the search box to quickly find things in CPanel.
- After logging into CPanel, type “Domains” in the field at the top to easily find the application. Select the link to Domains.
- On the page that appears, there will be a list of your domain(s). (There may or may not be a note beside a domain indicating that it is the “main domain”.) To enforce HTTPS, check the box for Enable Force HTTPS Redirect in the dropdown list at the top of the page. Then toggle the switch beside the chosen domain from “off” to “on”. It’s that simple.
A message will pop up to confirm the change you have made.
WordPress
WordPress makes things very easy for you. Even if there is mixed content on your WP site (more about that further down), there are WordPress plugins to force HTTPS redirect, including “Really Simple SSL”, “One Click SSL”, and “Easy HTTPS Redirection (SSL)” that will deal with those problems. When in your wordpress admin area, go to plugins and search “SSL”. For whichever plugin you choose, make sure that it has been tested with your version of WP (which, of course, should always be kept updated to the latest stable release).
.htaccess
To prevent the little padlock from appearing to be open or to eliminate the dreaded gold warning triangle, check that each .htaccess file is calling up HTTPS rather than HTTP. This is particularly true if, in the past, you have added coding to prevent hotlinking.
Alas, this is a task that must be completed manually by you. Go to the file manager in cPanel to view the .htaccess files that are your folders. (You may have to check the “show hidden files” box before accessing file manager.)
The following is an example of how to encode a hotlinking section of your .htaccess file:
In an .htaccess file, any line beginning with a hash-tag (#) is a comment that is ignored by Apache when it is reading the file. The hash-tag must be at the beginning of the line. Putting a hash-tag in the middle of a line can cause errors.
# ensure that site is calling HTTPS
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://([-a-zA-Z0-9_]+\.)?yourdomain.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://([-a-zA-Z0-9_]+\.)?other_allowed_site.com.*$ [NC]
RewriteRule \.(jpe?g|gif|bmp|png|ico)$ images/no_hotlinking.gif [L,NC]
Mixed Content
Your website consists of HTML, images, JavaScript and CSS files. When your site is loaded in the browser, the HTML that is loaded will contain links to the images, JavaScripts and CSS files: the resources of your website. If your HTML is loaded over https, and your resources load (partly) over http, the content is “mixed”: you have mixed content. There can also be other causes: for example, an image that loads over https, but gets redirected to http. Finding these insecure resources in the browser is usually not so difficult. Finding which plugin or which file in your theme uses the image is often the hard part.
– Really Simple SSL | How to track down mixed content or insecure content
Use cPanel’s file manager to
- Look for HTTP links in .css, .js, .html, .shtml, and .php files
- Some of these files contain HTTP links. Unless they are changed to HTTPS, they will cause mixed content warnings.
- If you an image from another domain is embedded in your file(s), and that domain does not have an SSL certificate, the image will be blocked by the browser.
- Any HTTP links within your site to images, JavaScript files or stylesheets in your domain or from other domains must be changed to HTTPS.
If you are uncertain why you still see that the padlock is open on your https site, try going to Why No Padlock, a free service provided by LexiConn Internet Services, Inc.
More Resources:
- Google Search Central | HTTPS as a ranking signal (7 August 2014)
- Google Search Central | Here’s to more HTTPS on the web! (4 November 2016)
- cPanel Blog | Force HTTPS Redirection
- cPanel Docs | Domains
- Really Simple SSL | How to track down mixed content or insecure content
- Really Simple SSL | Remove .htaccess redirect on site lockout
- HubSpot| A Simple Explanation of SSL Certificate Errors & How to Fix Them
+ + + + +
The lock icon appearing here and at the top of the page has been provided by Stockio.com, with the stipulation that it is free for personal and commercial use, but is “NOT for sale or redistribution“