Let’s Encrypt SSL and WordPress

This site doesn’t have anything particularly gripping on it.  But that’s no reason for me not to add SSL encryption for people who visit.  Sure, you may not be buying anything or even using authentication but the Electronic Frontier Foundation’s Let’s Encrypt project has lowered the bar so far that it seems wrong not to participate.  Especially if, as they’ve indicated, Google considers HTTPS as a ranking signal for sites.

I used SSL for a while when I ran my own server but dropped it, for complexity’s sake as well as because I migrated all of my sites to Siteground.  I was delighted when, earlier this year, they indicated they were supporting Let’s Encrypt.

It’s easy to add a certificate to your account.  Siteground’s tutorial will create the certificate and you can then activate SSL.  That ended up being the more difficult part of the process.  If you look at your folders after the certificate is created, Siteground’s auto configuration leaves behind traces, including a folder called .well-known.  It appears to be common in Web hosting approaches and is a bug.

This was perhaps more complex because I am running multisite (MU) WordPress and needed to use a couple of tweaks to get HTTPS working.   This was a great tutorial on getting it done.  I was already using the Domain Mapping plugin and looked at the WordPress HTTPS one.

In the end, I decided against WordPress HTTPS for a couple of reasons.  First, I don’t like using any more plugins than I need.  Second, it is out of date.  Lastly, it was an optional tweak.  As the author of that post did, I used phpMyAdmin to edit the wp_options and site_meta tables so that the URLs were https://ofaolain.com and not http://ofaolain.com.

By editing my .htaccess file – specifically the WordPress part, so that the URL always defaulted to https – I was able to achieve manually what the plugin offered.

RewriteCond %{HTTP_REFERER} !.*ofaolain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]

# END WordPress

So far, so good.  However, not everything went smoothly:

  • Jetpack, the WordPress plugin, broke on a couple (but not all) of the sites.  After seeing various accounts suggesting that the fix when Jetpack couldn’t connect was to delete and manually reinstall, I disconnected, deactivated, and reactivated it.  When I reconnected, it was fine again.
  • My Siteground service went into CPU overload.  It’s unclear to me why, but the CPU overload (of about 1000x normal usage) was contemporaneous with this change.  When they unlocked my account, I deactivated what plugins I could, turned off the Cloudflare CDN, and IP blocked an address that appeared to have been pinging my site pretty egregiously.  However, as I added one after another back on and watched the CPU load, nothing changed.  What I don’t know is whether it was caused (a) by Siteground’s certificate creation script, (b) the manual changes I made to the database and/or testing out the WordPress HTTPS plugin, (c) something else like that Jetpack connectivity, or (d) a combination.  In any event, Siteground cut me off and when I came back online, the CPU was back to normal.
  • I had a deactivated version of SSL Insecure Content Fixer installed, from my previous run at SSL.  Once I activated it, it eliminated the mixed secure/insecure content message in Google Chrome and Microsoft Internet Explorer.  I still get a mixed message from Firefox, although I can’t see any mixed content when I view source.  It’s odd.
  • Although my Domain Mappings were correct, the URL is listed in 3 places.  On the Info tab (uneditable) and twice under the Settings tab (home, site url).  When I edited the database table, the two entries on the Settings tab updated.  The one on the Info tab has not, and I can’t find where it’s coming from.  It doesn’t appear to have any impact but I’m still going to try to hunt it down because I don’t like loose ends.
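
The mixed-content warning described in the list above is raised when a page loaded over HTTPS still pulls a subresource over http://, and such references can sit in places that are easy to skip when reading source by eye, such as srcset candidates and CSS url() values. The Python sketch below is an added example, not code from the original post: the MixedContentScanner class, the scan() helper and the sample markup are all constructed here, and it inspects static HTML only, not requests that scripts make at run time.

```python
# Added example: flag subresources that an HTTPS page still loads via http://.
import re
from html.parser import HTMLParser
# Attributes that trigger a fetch (<a href> is navigation, so it is absent).
FETCH_ATTRS = {"script": ["src"], "iframe": ["src"], "link": ["href"],
               "img": ["src", "srcset"], "source": ["src", "srcset"],
               "video": ["src", "poster"], "audio": ["src"]}
PASSIVE = {"img", "source", "video", "audio"}  # display content; the rest is active
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, tag, url) in document order
        self._in_style = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = (tag == "style")
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                # only stylesheets are checked; rel=canonical fetches nothing
        for name in FETCH_ATTRS.get(tag, []):
            value = attrs.get(name) or ""
            # srcset holds comma-separated "url descriptor" candidates
            for part in (value.split(",") if name == "srcset" else [value]):
                url = (part.split() or [""])[0]
                if url.lower().startswith("http://"):
                    kind = "passive" if tag in PASSIVE else "active"
                    self.findings.append((kind, tag, url))
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.findings.append(("css", tag, url))   # inline style attribute
    def handle_endtag(self, tag):
        self._in_style = False    # inside <style> only </style> is parsed as an end tag
    def handle_data(self, data):
        if self._in_style:        # text of a <style> element
            self.findings.extend(("css", "style", u) for u in CSS_URL.findall(data))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the paths are made up for illustration.
SAMPLE = """<link rel="canonical" href="http://ofaolain.com/">
<link rel="stylesheet" href="http://ofaolain.com/wp-content/themes/example/style.css">
<style>.hero { background: url('http://ofaolain.com/wp-content/uploads/bg.png'); }</style>
<a href="http://ofaolain.com/about/">link</a> <script src="https://ofaolain.com/app.js"></script>
<img src="https://ofaolain.com/a.png" srcset="https://ofaolain.com/a.png 1x, http://ofaolain.com/a2.png 2x">
<div style="background-image:url(http://ofaolain.com/wp-content/uploads/tile.gif)"></div>"""
```

Calling scan(SAMPLE) returns four findings: the stylesheet (active), the url() inside the style element, the second srcset candidate (passive) and the inline background image. The canonical link and the plain anchor are ignored.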

I edited my .htaccess file to make sure the site automatically forces any visitor over to HTTPS, so hopefully you’re seeing that in your browser as well.

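RewriteEngine On
# Send the www host to the bare domain over HTTPS
RewriteCond %{HTTP_HOST} ^www\.ofaolain\.com [NC]
RewriteRule ^(.*)$ https://ofaolain.com/$1 [L,R=301]
# Send any remaining request that arrived on port 80 (plain HTTP) to HTTPS
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://ofaolain.com/$1 [R,L]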

Except for the CPU issue, it couldn’t have been more straightforward.  Even with the fiddling around and bringing up two different multisite … sites with HTTPS, I was done in less than 90 minutes.  I’m not entirely sure why I had the CPU problem  – in the last 10 months, it’s happened one other time, also for no apparent reason – so I’ll be watching the CPU monitor closely over the next day or so.

If you’ve been toying with the idea of SSL on your Web site, and you have access to Let’s Encrypt, you might give it a try.  All told it was free to acquire the certificate and activate the settings for WordPress to support it.