Find out how to redirect your website to https with a FREE ssl certificate
Isn’t it about time you redirected your website to a secure https domain?
Perhaps you thought an SSL certificate would be too expensive, or that it’d be too difficult to install?
Well, you’ll be glad to know… it’s not expensive and it’s not too difficult!
Check out “How to get a free SSL certificate – benefits of an https website” to understand the benefits of having a secure website and what “SSL Certificate” and “https” actually mean.
You can easily install a free SSL certificate.
I’ll show you how to do it.
I used my web host, FastComet with Cloudflare to install Let’s Encrypt’s free SSL certificate on PeasOnToast.co.uk.
In this tutorial, you’ll learn how to install your free SSL Certificate using FastComet with Let’s Encrypt and Cloudflare, and how to quickly and easily redirect your website url to your new https domain, showing the padlock secure icon.
Remember to check suitability
You can install an SSL certificate on any website to have a secure domain.
But, before installation, always check the SSL certificate provides the level of security your type of website requires in line with any regulations.
For instance, these types of website would require a high level of encryption: finance portal, e-commerce store, donation page, membership site or a previously hacked website.
A quick shout-out to FastComet web hosting
Check out my review and tutorial, for further information, or visit their website direct.
Before we start the tutorial, here’s a quick shout-out to FastComet to say “thank you” for being so helpful whilst I switched to https!
FastComet exceeded my expectations:
- great value pricing
- LiveChat and technical support amazingly helpful, fast and free 24/7
- worldwide servers
- automatic website back-up
- strong moral values (no websites allowed with child porn, spam, scams & exploits, viruses & malware, violence and racial/religious intolerance)
- capacity to host your website whatever its size
Now, on to the tutorial…
How to use FastComet and Cloudflare to install a free SSL certificate
1. join FastComet and Cloudflare
FastComet allows its own or third party SSL certificates with any web hosting package. Its e-commerce package includes a top level SSL certificate.
Cloudflare is a content delivery network (CDN) provider. It gives your visitors reliable and speedy access to your website. It also works with SSL certificates, which means your website’s secure whilst benefiting from the CDN speed!
2. log directly into FastComet cPanel
You would have been provided with cPanel login details when joining FastComet.
Alternatively, you can access cPanel by going to:
- FastComet.com, Client Login (top of header menu) and log into FastComet Client Area
- Products (menu on left hand side)
- My Products
- View Details on the right of the screen, and click “View Details” again in the dropdown menu
- scroll down and select the icon for “cPanel”
3. decide which SSL certificate to use
Decide whether to use an SSL certificate from a Certificate Authority via FastComet cPanel, or to obtain an SSL certificate directly from a Certificate Authority.
Either option is easy to install and will work when redirecting your website to https.
For this tutorial, we’ll install Let’s Encrypt’s SSL certificate via FastComet cPanel.
Installing an SSL certificate via FastComet cPanel
4. in FastComet’s cPanel scroll down to the Security section
Select which SSL certificate you’d like. Remember there are different levels of security provided by each.
5. select Let’s Encrypt SSL
Let’s Encrypt provides free domain-validated certificates that are renewed automatically and can be used with or without Cloudflare.
FastComet has an easy one-click install for Let’s Encrypt’s SSL certificate.
Scroll down and tick the domain variants of your website in the “Issue a new Certificate” list.
You should tick:
– www.[domain] and the [domain]
– and, if listed, the subdomains: www.[domain].[domain] and the [domain].[domain]
6. click “Issue Multiple”
7. click “Issue”
The Let’s Encrypt SSL certificate is now installed and you can go ahead and use https with your domain.
Now you can….
Either – scroll down to find out how to redirect your website url to your new https domain.
Or – if you also want to benefit from Cloudflare’s CDN speed and reliability whilst still having Full SSL certificate protection, then you should follow the next steps and link your website to Cloudflare.
Having CDN speed and SSL protection with Cloudflare
8. log-in to Cloudflare
Either log in to Cloudflare’s website or, as this tutorial’s already taken you to FastComet’s cPanel, scroll down to “Cloudflare – supercharge your website” in the cPanel.
Click “Cloudflare” and then select “Change” next to your domain, to log in to your Cloudflare account.
9. select Cloudflare Security
10. click “learn more at Cloudflare”
This takes you to Cloudflare’s website [EDIT: see above “TIP” green box for updated access to Cloudflare]
11. choose your Cloudflare SSL protection
Cloudflare includes Flexible, Full or Full (Strict) SSL protection in its free plan.
For the purposes of this tutorial, as you’ve already installed the Let’s Encrypt SSL certificate, I’d recommend you use Cloudflare’s Full or Full (Strict) SSL. You won’t need to install Cloudflare’s own SSL certificate.
Cloudflare offers three types of SSL protection.
Remember Cloudflare’s level of SSL protection is a separate choice to the type of SSL certificate you’ve already chosen.
credit source: Cloudflare free one-click SSL – https://www.cloudflare.com/features-security/
Flexible SSL – provides security to/from the visitor(s) pc and Cloudflare, but not to/from your website and Cloudflare (see image above). The visitor(s) traffic is secure and your website still uses https in its url, but it doesn’t require an SSL certificate (ie, you wouldn’t need to have installed the Let’s Encrypt or Cloudflare free certificates). I don’t recommend you use Flexible SSL as it doesn’t offer full security, albeit your website still has “https” in its url.
Full SSL – provides security to/from the visitor(s) pc and Cloudflare, as well as to/from your website and Cloudflare. Requires an SSL certificate (this can be Cloudflare’s own free SSL certificate or a third party’s SSL certificate, such as Let’s Encrypt). Your website isn’t authenticated by the Certificate Authority, but will have “https” in its url.
Full SSL (strict) – this is the same as the “Full SSL”, but includes authentication. It’s Cloudflare’s highest level of SSL protection as the certificate is authenticated by the Certificate Authority.
12. log-in to Cloudflare and view the Settings Summary in “Overview”
The SSL setting should be “Flexible” (if you’re not using a third party SSL Certificate) or “Full” (if you’re using Cloudflare’s or a third party SSL Certificate, such as Let’s Encrypt).
But, if not, you can easily add your domain to Cloudflare yourself via FastComet cPanel “Cloudflare”, or go to Cloudflare’s website direct:
Add Site, type in your website domain (eg, peasontoast.com), click “Begin Scan”. It’ll take about 30 seconds to scan your website, then you can “Continue Setup”.
If you’ve just purchased your domain, you may need to wait until propagation is complete (up to 48 hours) before Cloudflare recognises your domain, to complete the setup.
13. click on the Crypto tab at the top of the screen
14. select “SSL:Full” or “SSL:Full (Strict)”, as applicable
It’s literally a case of selecting “SSL:Full” or “SSL:Full(Strict)”. Cloudflare automatically links to your website’s Let’s Encrypt SSL certificate (or whichever SSL certificate you’ve installed).
Cloudflare is now providing your website with full CDN benefits and SSL protection.
These steps provide you with an SSL certificate, but they don’t rewrite your domain rules.
Your existing http website won’t automatically redirect your visitors to its https url – you’ll need to set up those rules yourself.
How to redirect your website url to your secure https url
You only need do this if your domain was previously an http website, ie your url was http://www…….
If you used the Let’s Encrypt SSL Certificate without Cloudflare
Note, you won’t need to add this snippet if you’re using Cloudflare and/or have decided to use the WordPress plugin(s) noted below
Manually add the three lines of “Rewrite” code shown below to the top of your .htaccess file (remember – .htaccess is a hidden file in the File Manager screen of your cPanel, so you’ll need to reveal the file first):
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain(dot)com/$1 [R=301,L]
Don’t forget to substitute the “domain(dot)com” with your actual domain name.
This code snippet tells your website to redirect your visitors to the https secure domain.
If you used Cloudflare’s Flexible SSL (without an SSL certificate)
First, install Cloudflare WordPress plugin to ensure your visitors’ IPs are restored back to WordPress level instead of showing Cloudflare’s IPs. This is useful in case your other plugins rely on these original visitor IPs.
Next, install the
- Cloudflare Flexible SSL plugin by iControlWP to your WordPress website which will automatically deal with all the redirects; or
- WordPress HTTPS plugin
Either of these plugins should be sufficient to redirect your website and all its posts/pages to the secure https domain.
If not, read the section below to troubleshoot any errors.
If you used Cloudflare’s Full or Full (Strict) SSL with an SSL certificate
Either – use a WordPress plugin such as the Really Simple SSL plugin and/or SSL Insecure Content Fixer plugin (as mentioned in the troubleshooting section below)
Or – use Cloudflare’s Page Rules to re-direct all visitors to https/SSL. Using Cloudflare’s Page Rules results in a quicker response and reduced requests to your server.
Cloudflare suggests “the ‘Always use HTTPS’ action is the simplest option to redirect http requests to https.” For instance, typing “http://*example.com/*” in Cloudflare Page Rules, with “Always use HTTPS” selected, will redirect all requests for example.com to https.
Troubleshooting when your website shows a redirect error
Sometimes your website may show an error as there are too many redirects (aka infinite redirect loops) from http to https. I think this primarily happens if you use the Flexible SSL option.
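Added example (not part of the original post, and not Cloudflare's or Apache's code): a small Python model of why the three-line .htaccess rule above loops behind Flexible SSL. It assumes, following the Flexible SSL description above, that Cloudflare reaches the website over plain http (port 80) in that mode, and that with Full SSL or no Cloudflare the website sees the visitor's own scheme; the function names and example.com are illustrative.

```python
from urllib.parse import urlsplit

MAX_HOPS = 10  # stop following redirects after this many requests


def scheme_at_origin(visitor_scheme, mode):
    """Scheme the website's server sees for a request (assumed model)."""
    if mode == "flexible":
        return "http"          # Cloudflare-to-website leg is always plain http
    return visitor_scheme      # "direct" (no Cloudflare) or "full"


def origin(scheme, host, path):
    """The .htaccess rule: anything arriving on port 80 gets a 301 to https."""
    if scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None


def follow(url, mode):
    """Follow redirects like a browser; return (outcome, list of hops)."""
    hops = []
    for _ in range(MAX_HOPS):
        parts = urlsplit(url)
        status, location = origin(
            scheme_at_origin(parts.scheme, mode), parts.netloc, parts.path or "/"
        )
        hops.append((url, status))
        if status != 301:
            return "ok", hops
        url = location
    return "redirect loop", hops


if __name__ == "__main__":
    for mode in ("direct", "full", "flexible"):
        outcome, hops = follow("http://example.com/page", mode)
        print(f"{mode:8} -> {outcome} after {len(hops)} request(s)")
```

In the Flexible case the website can never see an https request, so the redirect has to be made where the visitor's scheme is known, which is what Cloudflare's “Always use HTTPS” page rule does.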
Install one or both of these WordPress plugins to clear the error:
- Really Simple SSL plugin by Rogier Lankhorst. Select options to “Auto replace mixed content” and “Enable javascript redirection to SSL”. The Configuration tab will show you whether SSL is active on your website
- SSL Insecure Content Fixer plugin by WebAware. Go to the SSL Insecure Content in Settings and select the “Simple” level setting, tick for WooCommerce and Google Chrome, and select the “standard WordPress function” for the HTTPS detection
But, if you still have some urls that aren’t redirecting (ie, when you click some of your website pages, the url bar doesn’t show that it’s secure), check out this article by iControlWP for other steps to take, such as:
- check that certain assets such as jpeg, javascript, css (including any custom css you’ve added to your theme) don’t have “http://”. If they do, replace “http://” with just two forward slashes “//”. This automatically adapts to load http or https depending on the current visitor.
  TIP: unless you need to force https, don’t use “http” or “https” anywhere, just use the two forward slashes “//”.
- update your theme – this is a last resort that hopefully won’t be necessary
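Added example (not part of the original post or of any plugin's code): a Python script for the asset check described above. It reports only resources the page actually loads over “http://” (images, scripts, stylesheets, css url() values) and ignores ordinary links, which don't affect the padlock; the sample page and all names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags whose attribute makes the browser fetch a subresource for the page.
FETCHING = {"img": "src", "script": "src", "iframe": "src",
            "source": "src", "link": "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        attr = FETCHING.get(tag)
        value = (attrs.get(attr) or "") if attr else ""
        # <link> loads a file for rel="stylesheet"; rel="canonical" and <a href> do not.
        loads = tag != "link" or "stylesheet" in (attrs.get("rel") or "").lower()
        if loads and value.lower().startswith("http://"):
            self.findings.append((tag, value))
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.findings.append((tag + "[style]", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # custom css embedded in the page
            self.findings += [("style", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<link rel="stylesheet" href="http://example.com/theme.css">
<link rel="canonical" href="http://example.com/post">
<style>.hero { background: url(http://example.com/bg.jpg); }</style>
<script src="//example.com/app.js"></script>
<a href="http://example.com/about"><img src="http://example.com/logo.jpeg"></a>
<div style="background:url('http://example.com/tile.png')"></div>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```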
How to check if your website’s fully secure and using https
An easy way to immediately tell if your website is fully secure, is to check the url bar whenever you click one of your website posts or pages.
If you’re using internet browsers such as Internet Explorer, Firefox, Chrome or Opera – https websites have a padlock at the beginning of the url to show that the website has been successfully redirected.
Click the padlock to see the drop-down menu for privacy settings as well as cookies and permissions information.
The drop-down menu may state: “Your connection to this site is private, but someone on the network might be able to change the look of the page”.
If that’s the case, check the javascript and css coding for that post/page in WordPress and remove any instances of “http://” – see the above Troubleshooting section.
If the website page or post you’re visiting is fully secure, the drop-down menu will state “Your connection to this site is private”.
Select the “Details” link (next to where it has your website address in bold) to see the Security Overview.
A pop-up will appear on the right hand side of your screen to show whether your website uses a valid SSL certificate, has secure TLS connection and secure resources.
Whenever you publish a new post/page to your website, check that the url is fully secure. If it isn’t, it’s probably caused by your post/page having “http://”. Go back to the Text tab in your WordPress edit screen and change all “http://” instances to “//”.
To get the green lock icon, you need to make sure your images and javascript files, for example, are loaded specifically over https.
Now your https website is fully secure with an SSL certificate.
Note: this blog post is intended to be a general resource only.