the_title();

HTTPSEVERYWHERE

@tiffanyakuchta

I’M TIFFANY @tiffanyakuchta

@tiffanyakuchta

@tiffanyakuchta

the_content();

Are you ready to reroute the encryption?

@tiffanyakuchta

WARNING: There will be several references to popular culture from the 80s, 90s and early 2000s in this talk...also dragons. I apologize in advance for the self-indulgence.

@tiffanyakuchta

These developers are using stand up desks in a coworking space.

WHY YOU SHOULD CARE

Security

Future facing

And, of course...

@tiffanyakuchta

@tiffanyakuchta

@tiffanyakuchta

REASONS WE DIDN’T JUST ALWAYS SSL

Speed

Complexity

IPv4 & lack of SNI support

Human error

@tiffanyakuchta

“Please turn your monitor in a direction where only you can see it.”

@tiffanyakuchta

NEW WORDPRESS PROJECTS

Implement a dev strategy that accounts for SSL.

Be mindful of SSL in code and content.

@tiffanyakuchta

EXISTING WORDPRESS PROJECTS

Our focus today.

@tiffanyakuchta

Transitioning a self-hosted WordPress install to HTTPS.

@tiffanyakuchta

BEGIN AT THE BEGINNING

You’ll need a certificate.

Through your host, or maybe through Let’s Encrypt.

@tiffanyakuchta

STEP 1: ADMIN CHANGES

define('FORCE_SSL_ADMIN', true);

@tiffanyakuchta

STEP 2: CHECK THE FRONTEND

Low user impact.

You can do this without forcing SSL.

@tiffanyakuchta

@tiffanyakuchta

Working title for this talk------------------->

Fixing mixed content.

@tiffanyakuchta

FIXING MIXED CONTENT

You’ll see images, javascript, fonts, AJAX calls.

//example.com/image.jpg || https://example.com/image.jpg

@tiffanyakuchta

//PROTOCOL.RELATIVE/URLS?

@tiffanyakuchta

@tiffanyakuchta

FIXING CONTENT: POSTS & META

Database

Code: Plugins & Filters

@tiffanyakuchta

@tiffanyakuchta

UPDATE wp_posts SET post_content = replace(post_content,'http://yourdomain.com','https://yourdomain.com');

/* * not applicable in all situations * */UPDATE wp_posts SET guid = replace(guid,'http://yourdomain.com','https://yourdomain.com');

Backup 1st!

PLUGINS FOR FIXING MIXED CONTENT

https://wordpress.org/plugins/search.php?q=mixed+content

@tiffanyakuchta

More later

FIXING CODE: THEMES & PLUGINS

grep -RIin “src=’http://” wp-content/themes/your-theme

grep -RIin “src=\”http://” wp-content/themes/your-theme

@tiffanyakuchta

SETTINGS > GENERAL

@tiffanyakuchta

FORCE SSL

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

@tiffanyakuchta

“Roads? Where we’re going, we don’t need roads.” To be clear, we’re going to October 21st of last year, but this------→sorta just happened.

@tiffanyakuchta

NEW CONTENT

After Content EntryFilter on content.

During Content Entry Build a plugin to warn users in real time when they’re creating

mixed content.

@tiffanyakuchta

Idea!

NEW/UPDATED PLUGINS

Wrapper for wp_head();

Automation to notify an admin of mixed content in recently upgraded plugins. (Complex, and probably not worth the effort in the evolving landscape.)

@tiffanyakuchta

And the Trogdor comes in the niiiiiiiiiiiiiight!

@tiffanyakuchta

BEWARE, DRAGONS

Load balancers, Reverse Proxy & CDN

is_ssl();

@tiffanyakuchta

BEWARE, DRAGONS

WTF!? Errors.

Deprecated cipher suite, bad certificate chain.

https://www.ssllabs.com/ssltest/analyze.html

@tiffanyakuchta

BEWARE, DRAGONS

Don’t forget to renew!

You are a human. Be less human...or automate.

@tiffanyakuchta

BEWARE, DRAGONS

Webmaster tools will also need to be updated.

@tiffanyakuchta

Working title for this talk------------------->

Yep. Still.

@tiffanyakuchta

MOAR DRAGONS

You’re probably going to want to make provisions for dev.

And for fallbacks.

@tiffanyakuchta

EVEN MOAR DRAGONS

Once you visit the site behind SSL, Chrome will do everything in its power to push you to the SSL version of the site on future visits.

Be aware while testing.

@tiffanyakuchta

Questions?

@tiffanyakuchta

Questions?

@tiffanyakuchta

THANKS!I’M STILL TIFFANY @tiffanyakuchta

@tiffanyakuchta

CREDITS

Trogdor images from hrwiki.org

Regex humor from xkcd.com

Scenes from the epic 1995 film, Hackers, from imdb.com

Assorted gifs from giphy.com

All logos (Apple, Google, Chrome, Let’s Encrypt) property of their respective owners.

@tiffanyakuchta