Setting Up Encrypted Access (HTTPS)

Why Encrypt?

“As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it. Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace. Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services. … By using private connections by default, changed expectations make everyone safer.” CIO.GOV

Though the content of your website is public, not every visitor wants everyone knowing what they’ve been reading. Perhaps even more relevant for Domain of One’s Own users, the content of your website is not the only information that is transmitted when someone visits your site. And it is easier to eavesdrop on those transmissions than many people realize.

Establishing an encrypted connection on your website is easy, and it protects your visitors from a variety of privacy invasions. 

Setting Up Your Security Certificate with Let's Encrypt

In cPanel, navigate to “Let’s Encrypt SSL” under Security.

Screenshot of Let's Encrypt in cPanel

Under “Issue a new certificate,” check the boxes for the domains and subdomains you want to encrypt. (Be sure to include the main (sub)domain and the www alias.) Click “Issue Multiple.”
Screenshot of Let's Encrypt Issue Multiple

On the “Let’s Encrypt SSL” page that loads, keep the default boxes checked, and click “Issue.”

Screenshot of Let's Encrypt Click Issue

You should get a confirmation message when complete (it could take a few minutes) saying that Apache (your web server software) is restarting. If so, you’ve got your security certificate set up! Click “Go Back” to view the details, if you like.

Making Your Website Default to a Secure Connection

Adding a security certificate doesn’t mean all connections to your website will be secure. You need to tell your website(s) to default to secure HTTPS connections, rather than the standard and unencrypted HTTP connections. This is important for two reasons.

  1. When people type your URL into their browser, they rarely type out https:// beforehand, relying on their browser to add that. Browsers, however, still tend to add http:// automatically instead of the more secure https://. (If you’d like to make your browser default to HTTPS when available, install the HTTPS Everywhere plugin from the Electronic Frontier Foundation.)
  2. Links to your website from elsewhere on the internet will include the http:// that your website used to use, and you can’t update everyone’s links for them!

Telling WordPress Sites to go to HTTPS
When installing a new site in Installatron, simply choose https://yoursite.com instead of http://yoursite.com as the domain to install it into. That’s it! You’re ready to go!

If you already have a WordPress site, log in to your dashboard, go to General under Settings, and change the WordPress Address and Site Address from http to https.

Telling Other Types of Sites to go to HTTPS
If you don’t use WordPress and can’t find an automated way to update your site’s default from http to https, you can do it manually with a text editor.

To make browsers default to a secure connection with your website, create a new text file on your computer using a text editor (not a word processor!) like TextEdit, TextMate, Notepad, etc. Put the following text and nothing else in that file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Then save the file with the name htaccess (not htaccess.txt). Then in cPanel, go to the File Manager. Make sure you are in your “public_html” folder. (If not, navigate to it.)

Screenshot of public_html in cPanel File Manager
Then click upload and drag your new file into the upload box that appears.

Screenshot of cPanel Upload Box

Go back to the File Manager and right-click (ctrl-click on a Mac) on the newly uploaded file, and in the menu that comes up, click “Rename.” Change the file name from “htaccess” to “.htaccess”. (This will make the file hidden. You will no longer see it in the File Manager.)

If you don’t get an error message, you’re good! Now when you visit your domain, you should see the “https://” and the little padlock icon (varies by browser) automatically. Connections to your website are now secure and encrypted by default.

If .htaccess Already Exists…
You may get an error message saying that .htaccess already exists. If so, click on “Settings” in File Manager (upper right corner), and in the menu that pops up, check the box for “Show Hidden Files (dotfiles)”.

Screenshot of showing hidden files cPanel

Back in the File Manager, right-click on the .htaccess file that appears, and select “Code Edit”.

Screenshot of showing code editor cPanel

At the end of the file that appears, paste the following code into the file (same as above):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Then click “Save Changes” and close the editor.

Now when you visit your domain, you should see the “https://” and the little padlock icon (varies by browser) automatically. Connections to your website are now secure and encrypted by default.
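To confirm the rule is doing its job, request the plain http:// address and inspect the response without following it: the server should answer 301 with a Location that keeps the same host, path and query string under https://. The script below is an added example, not part of the original guide; example.com and the sample responses are constructed placeholders.

```python
import http.client
import sys
from urllib.parse import urlsplit

def _uri(parts):
    """Path plus query string, which the redirect must carry over unchanged."""
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")

def evaluate_redirect(request_url, status, location):
    """Return a list of problems; an empty list means the redirect is correct."""
    req, problems = urlsplit(request_url), []
    if status != 301:
        problems.append(f"expected status 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is '{loc.scheme}', not 'https'")
    if loc.netloc.lower() != req.netloc.lower():
        problems.append(f"host changed to '{loc.netloc}'")
    if _uri(loc) != _uri(req):
        problems.append(f"path or query changed to '{_uri(loc)}'")
    return problems

def probe(request_url, timeout=10):
    """Send one plain-HTTP GET and return (status, Location) without following it."""
    req = urlsplit(request_url)
    conn = http.client.HTTPConnection(req.hostname, req.port, timeout=timeout)
    try:
        conn.request("GET", _uri(req))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://example.com/blog/post?id=7", 301, "https://example.com/blog/post?id=7"),
    ("http://www.example.com/", 200, None),  # rule never ran for the www alias
    ("http://example.com/about", 302, "https://example.com/about"),
]

if __name__ == "__main__":
    rows = [(u, *probe(u)) for u in sys.argv[1:]] or SAMPLES
    for url, status, location in rows:
        problems = evaluate_redirect(url, status, location)
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

Run it with your own http:// URLs as arguments (include the www alias and at least one deep link) to probe the live site; with no arguments it replays the constructed samples.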