Why you should be using an SSL on every Craft + EE site you build

Secure Sockets Layer (SSL) certificates are nothing new. They were mainly used for e-commerce sites, where credit card details had to be encrypted. That need still very much exists.

In August 2014, Google stated that using https would give sites a gentle nudge up the search rankings. It got a lot of people thinking again about SSLs!

Whenever you send a form over the web without https, however, that form data is open to man-in-the-middle attacks.

Think about your Craft or ExpressionEngine logins… Those are forms like any other and without encryption you are open to attacks.

Problems with SSLs

  • They can slow your site down, although the effect is minimal.
  • They are an extra thing to do and worry about, although as we will see with Let’s Encrypt, it’s a lot easier than you think.
  • Once set up, they can cause indexing problems with Google.

Let’s Encrypt

Let’s Encrypt is a free service for absolutely anyone and any website.

It’s incredibly simple to use and you can have your site using https in less than 2 button clicks!

It’s available as a manual install or as a plugin for Plesk or cPanel.

I can’t emphasise enough how easy it is to get a live SSL up and running with Let’s Encrypt.

301 Redirects

Once you have your SSL in place, you are not finished. You want to set up redirects. This is so search engines and others navigate to the correct pages, as the URLs will change.

In the case of Media Surgery, we decided to lose the ‘www’ at the same time as going https.
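One way to test redirects like these before Google finds the problems for you, as an added example that is not from the original post. It assumes a hypothetical site, example.com, and runs against constructed responses so it works offline; the function names are illustrative.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

TEMPORARY = (302, 303, 307)   # these do not tell search engines the move is permanent
REDIRECTS = (301, 308) + TEMPORARY

def canonical(url):
    """Expected final URL: https, leading 'www.' dropped, path and query kept."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

def audit(url, fetch, max_hops=5):
    """Follow redirects with fetch(url) -> (status, location); return problems found."""
    want, current, problems = canonical(url), url, []
    for hops in range(max_hops + 1):
        status, location = fetch(current)
        if status not in REDIRECTS:
            break
        if status in TEMPORARY:
            problems.append(f"{current}: temporary {status}, use a 301")
        current = urljoin(current, location)  # Location header may be relative
    else:
        return problems + [f"{url}: more than {max_hops} redirects (loop?)"]
    if current != want:
        problems.append(f"{url}: ends at {current}, expected {want}")
    if status != 200:
        problems.append(f"{current}: final status {status}")
    if hops > 1:
        problems.append(f"{url}: {hops} hops, redirect straight to {want}")
    return problems

# Constructed responses for the hypothetical example.com (not real traffic).
SAMPLE = {
    "http://www.example.com/blog/post": (301, "https://example.com/blog/post"),
    "https://example.com/blog/post": (200, None),
    "http://example.com/contact": (302, "/contact-https"),
    "https://example.com/contact": (200, None),
    "http://www.example.com/about": (301, "https://www.example.com/about"),
    "https://www.example.com/about": (301, "https://example.com/about"),
    "https://example.com/about": (200, None),
    "http://www.example.com/shop/item": (301, "https://example.com/"),
    "https://example.com/": (200, None),
}

def fetch_sample(url):
    return SAMPLE.get(url, (404, None))
```

To audit a live site, pass a `fetch` function that requests each URL without following redirects and returns the status code and `Location` header.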

To confirm you have set up everything correctly

Keep an eye on your Google Search Console (previously WebMaster Tools).

Google query “site:yourdomain.com” and see what’s been indexed.

ExpressionEngine config

In your EE config.php file set:

$config['site_url'] = "https://yourdomain.com";

Craft CMS config

In your Craft CMS general.php file set:


// Per-environment settings: every URL Craft generates should use https
return array(
    'yoursite.com' => array(
        'siteUrl' => 'https://yoursite.com',
        'environmentVariables' => array(
            'basePath' => 'path/to/files',
            'baseUrl'  => 'https://yoursite.com/',
        )
    )
);

Weighing things up

Pros:

  • Adds Trust for users
  • More secure
  • Better search rankings
  • Feels like the right thing to do

Cons:

  • Performance issues (small effect)
  • Can be tricky / time consuming to install (very easy with Let’s Encrypt)
  • Search indexing issues (mainly on HUGE sites)

Conclusion

Use an SSL / https, but keep an eye on your site and make sure you have tested your redirects thoroughly!

What’s your experience with SSLs?

Comments

Comment: 1
Jules , 20th October 16

Thanks for the video - I had not used Let’s Encrypt before. We installed the service on our servers… it’s awesome and so ridiculously easy now to give accounts SSL. Brilliant!

 

Comment: 2
John Macpherson , 22nd October 16

Hi Jules,

Thanks for the comment.

Let’s Encrypt is great isn’t it! Glad you are up and running.

Comment: 3
Greg Schudel , 31st October 16

Hello,

I am new to using encryption with SSL. Why would I need to use any additional third party software on my servers for SSL? Shouldn’t it apply automatically if I purchase it via my web host?

Furthermore, if I use a web host like Bluehost, A2hosting, etc, wouldn’t they have a tool already on their dashboard that I can use to encrypt my emails?

Comment: 4
John Macpherson , 1st November 16

Hi there Greg,

There are a few reasons why Let’s Encrypt is better than traditional SSLs. 1. It’s free, nada, no cost. 2. If you have a bunch of sites you can just literally click a button for each site and you have a valid working SSL up and running.

Email encryption is a different ball game altogether. That’s not covered in the above video. I’d highly recommend setting up Gmail for business though. You get all of Gmail’s advantages and it only costs £3 / $4.50 per user per month.
