Author: branden


GDPR: What Is It and How Does It Impact My WordPress Website?

The General Data Protection Regulation, or GDPR, changes how your business gathers information. In this article, we’ll look at how it affects your site and what steps you might take to comply.

 

Summary

  • The GDPR is a new set of EU regulations intended to provide greater control of personal data to website visitors and improve access to what is collected, why it is collected, and how it is used.
  • Regulations apply starting May 25, 2018
  • If you use analytics, lead generation forms, contact forms, comment systems, or other common marketing tools on your site, and an EU citizen visits your site, you could have compliance concerns.
  • Maximum fines for non-compliance are 4% of annual global turnover or €20 million.
  • You should perform an information audit on your site and determine what information you collect. If it is non-essential, the best option might be to stop collecting the information.
  • Otherwise, you must outline all information you collect in your privacy notice and provide options for users to request deletion of their data. In many cases, you’ll also need to get their consent to collect the information.
  • While details are scant as of the time of writing, WordPress plugins are available to address many of the common concerns.

DISCLAIMER: We’re not lawyers. With the complexity of both these new regulations and how they’ll impact the endless number of site configurations, marketing funnels, and businesses operating online, it would be impossible to cover every facet of the concerns surrounding GDPR compliance.

While we will cover what we can, and make our best effort to provide accurate, actionable information as of the time of writing, this is not to be construed as legal advice. Consulting with a legal expert familiar with GDPR regulations is encouraged before enacting major changes to your site or considering your site compliant with new regulations.

 

What Exactly is the GDPR?

The specifics of GDPR are still emerging as experts analyze the 90+ pages of the legislation.

But one thing is certain…

It will create ripples for sites and businesses around the world.

So what is this GDPR exactly and how does it affect you?


We’ll be honest — the exact details are still a bit sketchy. The regulations cover so much ground and do so, in many areas, in a rather vague manner…

But in a nutshell, the GDPR is new EU legislation that establishes strict guidelines on how you can collect and use the personal information of your website visitors and customers.

It goes into effect on May 25, 2018.

Platforms such as WordPress and much of the web development community are still working hard to adapt to the upcoming changes.

Due to its ever growing popularity, we’ll be focusing on WordPress for this guide. However, if you use any modern CMS platform, there’s a good chance that regulations will still impact you.

Will the GDPR Apply to My Site?

Do you still have to worry about GDPR if you’re not in the EU?

The answer is “most likely”.

The new regulations won’t simply impact EU sites and businesses.

The GDPR impacts anyone doing business with EU residents and collecting or processing their personal data — even if only occasionally.

What is personal data exactly?

Regulations define it as:

“Any information relating to an identified or identifiable natural person”

In normal words, this includes names, email addresses, physical addresses, IP addresses, social security numbers, and other commonly recorded bits of data.


There’s also sensitive personal data.

This is a subset of personal data that includes demographics and analytics information such as race, health information, sexual orientation, religious preferences, and political beliefs.

But what uses personal data on your site?

Common features in WordPress that might use personal data include:

  • User registrations
  • Cookie notifications
  • Contact form entries
  • Mailing list subscription forms
  • Lead generation pages and forms
  • Analytics
  • Server and traffic logs
  • Security tools and plugins
  • Comments
  • CRM plugins
  • Event calendars and booking plugins
  • eCommerce plugins

Even if you only collect this information through a third-party service, it’s important to ensure that the vendors and services you use are also GDPR compliant.

Needless to say, the actual regulations are full of legalese and are not a light read. There are also still some grey areas — particularly surrounding cookies — that have yet to be clarified.

And, in some cases, there is intentional ambiguity to provide flexibility in how businesses deal with compliance concerns.

But with that ambiguity, it is hard to make exact recommendations on meeting requirements.


We expect more concrete information will become available closer to the deadline as more third-party service providers and platforms work to comply with the new regulations.

For example, MailerLite, Drip, and MailChimp already offer posts to help explain how to use their tools in a GDPR-friendly way as far as email is concerned. They also outline steps they are taking on their end to ensure compliance.

 

So, Is GDPR Compliance a Serious Concern?

Yes.

There is no transition period or phases. Once this goes live, you’re either in compliance or you’re not.

Technically, the regulations have been in the pipeline for some time now. They took more than 4 years to create.

But as the deadline looms closer, businesses are showing increased interest.

And for good reason…

Top tier offences carry a maximum fine of the greater of €20 million or 4% of the previous year’s global turnover…

Offenses involving sensitive personal data carry the stiffest penalties.

However, current coverage from experts at Digiday indicates that unless there is a serious violation or blatant disregard for the new regulations, most auditors will provide businesses time to adapt their existing sites and make allowances for businesses that show effort in meeting requirements before doling out major penalties.

So while it might not be the immediate “marketing armageddon” some coverage makes it out to be, we still feel that there is a lot that’s unknown about how the regulations will work once live.


More so, if things really are the worst-case scenario some think they might be, there are major questions about whether small businesses with an online presence and smaller eCommerce operations can viably meet the regulations.

Regardless of how things turn out, unless it is somehow halted, the regulations will impact a huge number of sites from around the world.

 

Alright, So What Do I Need to Do?

So how can you comply and avoid potential fines?

And what do you have to do to bring your sites in line with the regulations?

Regulations focus on four major principles:

  1. Control of personal data (Right to Be Forgotten)
  2. Greater transparency in personal data collection and usage (Right to Access)
  3. Improved consent on personal data collection and usage (Consent)
  4. Increased responsibility on personal data security and storage (Privacy by Design)

Each of these principles creates unique concerns for various aspects of your site.

While flexible, the ambiguity of many GDPR requirements means there’s no single way to recommend reaching compliance goals.

Instead, most experts are recommending that you start approaching it from an overall compliance standpoint and then address individual elements as needed.

  • Audit the personal information you collect and how it’s used
  • Determine what information is actually needed and don’t collect low value information
  • Provide exact information on both what you collect and how you intend to use it
  • Make sure consent is explicitly granted
  • Give users control of their data
  • Develop security protocols and report issues promptly

Auditing your existing information collection practices and consent notifications is the best place to start.

This will give you an overall view of how much work you must do to comply with new regulations.

 

Okay, How Do I Accomplish This on My WordPress Site?

There’s no single WordPress plugin you can install or task you can perform that will instantly make a site GDPR compatible.

While exact answers on how best to approach GDPR compliance will differ based on the features on your site’s pages, the plugins you use, and the information you collect, there are a few universal things you can do to help ensure compliance.

Just remember, we’re not lawyers.

We can’t promise that following this list will make your site 100% compliant.

But we can promise that as of the time of writing, the information provided below is accurate and will work to at least start bringing your site into compliance with these new and complex regulations.

 

#1. Add Consent to the WordPress Core with Plugins

While likely to be addressed before the GDPR deadline, there are certain parts of WordPress that do not natively adhere to requirements.

A major example of this is the comment system.

Submitting a comment requires an IP address at a minimum. Though, in many cases, it can also include an email address and name.

All of this is personal data.

This means you need consent to store the information and must delete comments and user data upon request in a timely manner.

User registration is similar. In most cases, you’ll need at least an email address. From there, options can extend to everything from names to phone numbers and addresses depending on what you require.

All of this must be consented to by the user, stored securely, and monitored.

Should they wish to delete their account, you can either provide an option to do this themselves through a plugin or provide contact information to request deletion.

There’s already a market forming around WordPress plugins and services designed to address these specific concerns.

While most GDPR plugins are still in their early stages, the following options allow you to alter various aspects of WordPress to comply with the new regulations.

Some even work with other third-party plugins, such as Gravity Forms, WooCommerce, and Contact Form 7 for greater flexibility.

Just be sure to check WordPress updates after the May 25 deadline.

Some of these features may be rolled out within WordPress itself by then.

If so, you can likely delete the plugins. But until then, they’re a simple way to boost your compliance.

 

#2. Audit Your WordPress Plugins

Many WordPress plugins set their own cookies, store information in your database, or transmit data to or from third-party servers.

It’s important to ensure that every plugin or service used on your site also complies with GDPR regulations.

Many plugin authors have already written blog posts to explain any potential compliance concerns regarding their plugins and provide a timeline of when (or if) you can expect them to be fully compliant.

If you can’t find any information on the developer’s site, sending an email to their support should yield more answers.

If you’re not sure whether a plugin you use is compliant, or can’t find confirmation of that before the deadline, it might be easier to replace the plugin than to customize the existing one to comply.

In many cases, looking up the plugin by name in the WordPress Plugin Repository will yield alternatives.

Checking reviews and the number of active installations can further help you to narrow down your options.


 

#3. Overhaul (or Set Up) Cookie Notifications

Cookie notifications are already a fairly common feature to anyone conducting business in the EU.

But if you simply slapped a bar up that says “we use cookies” and an accept button, that will not cut it under new regulations.

As part of the GDPR’s emphasis on consent, you must state exactly what types of cookies you use and how you use them.

You also need to give visitors more than a default consent option. A link to your privacy policy for more details might help with this.

You also cannot imply consent. This means that using scrolling as a trigger for acceptance or loading cookies before visitors explicitly accept them is a compliance concern.

There are many cookie notification plugins available on the WordPress Plugin Directory. However, few allow for opt-in cookie consent.

Cookie Notice by dFactory appears to allow both opt-in cookie consent and blocking of cookies should users fail to opt in — both key elements of GDPR regulations. Better still, it’s free…

If you don’t mind digging into your site’s code, Cookie Consent by Insites offers similar features in a free and open source JavaScript snippet. Just a few cuts and pastes and you should be good to go.

 

#4. Update Your Mailing Lists to Comply with GDPR

Most marketing gurus recommend keeping things as simple as possible regarding lead capture forms.

The fewer steps a visitor needs to take to complete your form, the better the chance they’ll bother doing so.

To help with this, many forms include pre-checked boxes for consent to contact for mailing lists or other marketing means.

This will no longer work.

GDPR requires explicit, informed consent.

That means that not only will pre-checking the box create a violation, but you must also explain what you plan to do with the information.


Your Marketing Department’s worst nightmare? Maybe.

Plus, you may need to periodically renew the consent on your mailing list should you shift the focus of your campaigns.

Changing mailing list providers, business partners, or who has access to the data you collect might also require updating consent.

Many sites also recommend using the double opt-in method to easily record consent.

However, if you’re in Canada, this was already a requirement of the Canada Anti-Spam Legislation (CASL).

 

#5. Adjust Your Contact Forms to Meet Compliance

If you’re using contact forms to collect information, you’ll also need to explain why you need the information you request.

This means that a trend toward simpler forms is likely.

The less information you collect, the less you need to worry about explaining.

And, as with your mailing list sign ups, don’t forget to be transparent about consent and outline how you’ll use the data if you’re also using the information for marketing purposes.


Whether you’ll be sending out emails, SMS messages, using information in testimonials, or storing it for future use, you need to be specific and — if possible — provide granular consent options so that users can pick what they agree with.

Most popular mailing services, such as MailChimp, allow you to include a preferences button in your emails to allow users to easily opt in and out of your various campaigns and lists.

You’ll also want to make it easy for people to completely unsubscribe from lists and remove their information from your databases.

If they do ask to be removed, you cannot just stop emailing, messaging, or calling them.

You must remove their data completely.

Failing to do so could result in fines.

 

#6. Add Data Control to User Accounts

Adding website features such as community forums or user reviews is a popular way to boost conversions and drive sales.

However, most of these features require users to submit an email address or name in order to create an account. This is considered personal information under GDPR.

That means you must both notify users of how you plan to use the data they provide and get their consent to do so.

Regulations also require that users must be able to delete their information or have it deleted promptly upon request.

So whether your site is using basic WordPress features, such as blog comments, or a more complex plugin such as WooCommerce or BuddyPress, compliance requires that you are familiar with the way the features you use store information and where you can remove a user’s personal information should they make that request.

We expect that many big plugins and the WordPress core will eventually offer this as a baked in feature.

However, until that time, unless you can find a third-party plugin or service that will do it for you, you’re stuck manually digging through your various databases.

For basic data deletion, Delete Me is a third-party plugin designed to delete user accounts within WordPress — and any blog posts or comments attached to them.

 

#7. Update Your Privacy Policies

While already a questionable practice for all but the most basic of sites, the days of boilerplate privacy policies are likely dead with the onset of GDPR.

Much like with cookie notifications, it’s no longer enough to state you collect information for analytics, marketing, or other uses.

You need to break down the exact information you collect, the services you use to process or store said data, and provide a means for users to access or delete the data you have stored that is associated with them.

For some good examples of privacy policies created with GDPR in mind, check out:

While a lawyer experienced with both your business type and online privacy policies in regard to the GDPR is your best option for ensuring a comprehensive, effective set of legal policies, you can also use third-party sites to help you generate something more valid than the typical boilerplate option.

We recommend Iubenda.

With both free and paid options, they can likely handle the concerns of even complex sites and provide a privacy policy that will ensure compliance without all the back and forth of consulting with a legal expert.

 

#8. Talk to A Lawyer or GDPR Expert

With the potential penalties at stake, assuming your efforts to comply with the GDPR are good enough could be a costly mistake.

Especially if you are a bigger business collecting lots of data…

Then there’s the off-site considerations, such as the third-party services processing and storing data for you.

Once you have an idea of how to proceed, we recommend consulting with an expert to ensure that you’ve covered all the requirements and that the changes you put in place — or plan to put in place — will cover any possible liabilities.

 

Any Other Options?

The vague wording of many requirements leaves many businesses questioning the liabilities involved.

Because of this, some are considering if it wouldn’t be wiser to simply not service EU visitors instead.

Establishing geoblocking through a CDN like Cloudflare, or using this script (created specifically for the purpose) may be options for this.

On the marketing side, Drip wrote up a guide that walks you through excluding EU residents from their mailing list platform.

However, blocking still doesn’t completely eliminate the risk of contact or transmission of personal data from EU residents.

So, if you’d rather try to comply, this guide offers a solid starting point for achieving compliance.

 

Final Thoughts

Overall, the concepts behind the regulations make sense given the increased number of breaches and questionable information gathering stories in the news.

However, many of the new regulations conflict with the popular trends and best practices currently used by website owners and marketers.

This may pose a serious headache for website operators — particularly if all the interpretations of the new regulations turn out true and the EU is aggressive in enforcing them.

Regardless of what changes are made to the WordPress software to help with compliance, companies and organizations will need to assume responsibility for their own compliance, as these regulations extend far beyond the core of WordPress.

Because of this, we’d still recommend consulting a legal expert familiar with the GDPR before considering your efforts complete and your site compliant.

“Everyone needs to be working in implementations for their own businesses and sites in any case ahead of deadline day, in addition to any changes that need to be made in the WP code,” Burns said. “It’s important to remember that GDPR compliance is not a tick box you can squeeze in next April. This is about your processes, your workflows, and your systems of accountability. Start now.” ~ Heather Burns

 

Helpful Tools

We’ve said it before and we’ll say it again, these new regulations are complex.

How people are interpreting them, and frequent updates to both website software and plugins, make for a somewhat fluid situation.

If you’re looking for additional resources on meeting GDPR compliance, you can also consult the official EU GDPR portal for full copies of all regulations, handy summaries, and additional resources. They also list partners available to help businesses meet GDPR requirements.

Don’t feel like sorting through pages of complex legal speak and confusing phrasing?

Check out The Ultimate GDPR Quiz.

With just a few clicks, you can find out what impact these new regulations might have on your site, where to focus your efforts, and some basic actionable tips.

 


 

Additional Resources

For additional takes on what these regulations mean, extra resources, and some alternative suggestions, check the resources list below.

How and Why to Move Your WordPress Website to HTTPS

If your website collects ANY personal information, such as email addresses, login information or credit cards, then you NEED to secure your site.

One of the best ways to do that is to encrypt any information going to and from your server using HTTPS.

But what if your website doesn’t do e-commerce or collect any sensitive information?

Do you still need to move to HTTPS?

The short answer is…

YES! You want every advantage you can get.

The benefits of HTTPS go beyond basic security. You’ll also get:

  • Increased conversion rates
  • Increased viewer trust
  • Faster load times
  • Improved search engine rankings

Hard to argue with those benefits?

We agree.

So, if you haven’t done so already, now’s the time to move your site to HTTPS.

In this guide, we’ll cover everything you need to know. We’ll start with the basics of how encryption works. By the time you’re done, you’ll be ready to implement HTTPS on your site.

Let’s get started!

1. What is HTTPS?

HTTPS uses unique keys to encrypt the information going to and from your website.

It’s kind of like a secret decoder ring.

No one can read what’s said without decoding it first.

This means no hackers snooping on or logging your sensitive information.

How does this all work you ask?

  1. You request a Secure Sockets Layer (SSL) certificate that verifies your identity.
  2. The certificate sits on your hosting server.
  3. When visitors use a URL starting with “https://” the certificate is verified and encryption established.

Depending on your certificate type, visitors will see a green padlock in their URL bar or a green padlock followed by the organization name assigned to your certificate.

It’s that simple!

Even a year ago, setting all of this up was kind of a pain.

But thanks to one-click installers, improved hosting support and more awareness from the public about Internet security, HTTPS use is taking off!

2. Why Use HTTPS?

Recent data from both Mozilla and Google show that at the end of 2016 more than 50% of the page views collected by their tools used HTTPS.

These numbers continue to increase every month.

Still don’t think you need HTTPS?

Mozilla Firefox and Google Chrome are about to make a significant change that makes HTTPS a must-have for all businesses…

They’re adding notifications that show when a site is not secured.

We’re not talking some little bit of text in the corner of your site. It’s going to be a red warning badge right next to your site’s URL.

What does this mean for you?

Soon, not having HTTPS could be the difference between online success and disappearing from the front of the rankings.

It’s no longer a fancy feature for the tech-savvy, it’s the cornerstone of a professional web presence.

Security-Savvy Shoppers in the Digital Era

Stop and think for a second how often you send bank account information, personal messages, images of your life or other personal information across the internet.

How often do you log in to social media or email?

Without encryption, these are all opportunities for anyone with the right knowledge to grab your information as it zips off to its destination.

Data breaches are increasingly common.

While these are no fun for anyone whose personal information is stolen, they’re making people more aware of the importance of data security.

This impacts where they choose to conduct business online.

SSL.com highlights how implementing SSL and displaying a secured seal on your site can boost conversion rates by up to 87%. More than 60% of respondents in a 2011 Actual Insights study said they abandoned a cart over lack of security.

HTTPS: Benefits Beyond Security

Enabling HTTPS also allows you to use the new HTTP/2 protocol.

What’s that mean?

While the specifics are very technical, HTTP/2 is a new way for browsers and your web hosting to communicate.

It uses compression, multiple connections and a bunch of other fancy tech improvements to improve speeds and reduce loading times.

Why’s that important? It means decreased loading times, better potential for converting visitors and lower bounce rates caused by delays.

Consider these statistics from Kissmetrics:

  • 47% of consumers expect a web page to load in 2 seconds or less.
  • 40% of people abandon a website that takes more than 3 seconds to load.
  • A 1 second delay in page response can result in a 7% reduction in conversions.

Decreased load times mean a lot more than less waiting. They mean increased conversion potential and lowered bounce rates too!

Off-Site HTTPS Benefits

Using HTTPS also helps improve things off your site.

Most importantly, Google has labelled HTTPS as a ranking signal.

They’ve made it clear they like HTTPS and want sites to use it.

As they continue to make changes in Chrome to highlight non-secure sites, this impact of HTTPS on site visibility and ranking is likely to increase.

And let’s face it, in the competitive world of search engine rankings, every edge you can find counts.

3. How Do You Set Up HTTPS?

Specifics will depend on the software used by your site, the site’s complexity, your hosting provider and a number of other factors.

For this guide, we’ll be focusing on WordPress.

Step 1: Choose a Certificate Type

All certificates are issued by Certificate Authorities. These authorities essentially use their reputation to provide proof to visitors that you are who you say you are.

Picking the best Certificate Authority is mostly about cost.

However, there are three other things to consider when choosing a certificate type.

Consideration #1: Encryption Strength

The strength of encryption is usually measured in bits.

The higher the number, the less chance that someone can figure out your secret code or fake having the code themselves.

Bigger is better, but the current standard is 2048-bit for the certificate’s key and 128- or 256-bit for the key that encrypts the data itself.

Consideration #2: Certificate Validation Level

Certificates also come in different validation levels.

While an increased validation level won’t necessarily improve security, the higher options make your security more obvious to visitors. However, this comes with increased costs, waiting times and documentation.

Common validation levels include:

  1. Domain Validation (DV) – Available for free via Let’s Encrypt, CAcert, Comodo, Symantec and some hosting providers. While you can pay for a DV certificate, this doesn’t make much sense with quality free options available. Most DV certificates take only a few minutes to obtain and provide the same level of security as other certificate types.
  2. Organization Validation (OV) – Can be purchased through certificate providers and adds your organization information to the certificate. Can take several days to complete the issuing process.
  3. Extended Validation (EV) – Purchasable through certificate providers. Typically the most expensive option. It adds your organization to the URL bar and certificate for increased visibility. Can take up to one week to complete the issuing process.

In most cases, a DV certificate is ideal.

All validation levels offer the same level of security.

Sure, the OV and EV certificates will add additional ways for viewers to verify security and show your commitment to keeping the data provided by site visitors safe.

However, they can cost 2 to 3 times what a DV certificate costs and require a lot more documentation to obtain.

While you can deploy a DV certificate with many hosting providers for free, an EV certificate will likely cost around $80 to $100 per year.

Consideration #3: Domain Coverage

You can’t always use a certificate on more than one site.

There are different types of certificates for use with multiple domains or subdomains. These go by a few different names, including:

  • Wildcard Certificates
  • UCC (Unified Communications Certificates)
  • SAN (Subject Alternative Name) Certificates

The number of domains you can use with the certificate will depend on the certificate authority you use. In most cases, it starts around 5 sites per certificate.

If you’re investing in an OV or EV certificate, a multi-domain certificate will offer substantial savings.

However, this isn’t as important if you’re using free DV certificates.

Our Recommendation:

For most readers, we think the free Let’s Encrypt DV certificates offer a great mix of value and easy installation.

Want to know how to get your free certificates?

Keep reading! We’ll get to the steps soon!

Step 2: Acquire and Install Your Certificate

For this guide, we’ll obtain and install a certificate using the Let’s Encrypt service. If you want an OV or EV certificate, you can probably use your hosting provider.

But if you want to shop around for the best price, you can check out these third-party options:

One benefit with going through a hosting provider or third-party certificate service is that they’ll usually do the setup for you.

Since the steps will differ by provider or certificate authority, we won’t cover specific steps for those services here. Just keep in mind, they might charge extra for the assistance.

Before you fork over your hard-earned money, check your hosting panel to see if they offer a one-click installer.

Hosting Company Website URL Free SSL Cert Paid SSL Option
1and1 https://www.1and1.com/
A2 Hosting https://a2hosting.com
A Small Orange https://asmallorange.com/
Bluehost https://www.bluehost.com/
Cloudways https://www.cloudways.com
Dreamhost https://www.dreamhost.com/
FatCow http://www.fatcow.com/
Flywheel https://getflywheel.com/
GoDaddy https://www.godaddy.com/
GreenGeeks https://www.greengeeks.com/
HostGator https://www.hostgator.com
Inmotion Hosting http://www.inmotionhosting.com/
Kinsta https://kinsta.com/
Laughing Squid https://laughingsquid.us/
Liquid Web https://www.liquidweb.com/
MediaTemple https://mediatemple.net/
Pantheon https://pantheon.io/
Pagely https://pagely.com/
Pressable https://pressable.com/
SiteGround https://www.siteground.com/
WP Engine https://wpengine.com/

In general, obtaining a certificate goes something like this:

  • You’ll generate a Certificate Signing Request (CSR) with your hosting provider
  • You’ll submit the CSR to a certificate service
  • They will verify the information and issue a certificate
  • You’ll upload the certificate to your hosting account using FTP or a hosting dashboard

If this sounds too complicated, DON’T WORRY!

With Let’s Encrypt, the majority of this is automated. You’ll click a few buttons and be ready to go!

For supporting providers, you’ll find an option in cPanel or Plesk.

All you need to do is:

  • Click the Let’s Encrypt icon in your hosting dashboard

letsencrypt cpanel

  • Choose your domain from the dropdown at the bottom of the screen.
  • Enter the email address associated with the domain at your name registrar.

[Screenshot: Add Let’s Encrypt certificate form]

  • Click Install

NOTE: If you’ve recently changed domain names or try to install your certificate on a staged testing server, you might run into issues with validation. Just wait a few hours for the changes to update around the Internet and try again.

If you have shell access for your hosting environment, the Electronic Frontier Foundation’s CertBot offers step-by-step instructions for getting your free certificate through Let’s Encrypt.

Just choose the hosting software and OS and follow the steps listed.

Step 3: Verify Your Certificate

The certificate is installed! We’re finished right?!

Not quite…

While Let’s Encrypt takes the hassle out of installing certificates, you’ll still need to be sure you’ve configured your WordPress install to actually use the certificate.

The first step is to be sure the certificate is working.

Simply head to a page on your site and instead of using “http://” use “https://” in the URL bar.

If everything loads okay, we know the certificate is good.

If you see a mixed content warning, don’t worry! We’ll be fixing those shortly.

If you get a full-screen error or encounter major problems with the loading of your site, the Qualys SSL Labs tool is great for finding out the next step to troubleshoot your issues.

Step 4: Implementing HTTPS in WordPress

Before going through these steps, check with your hosting provider to see if they offer any tools to assist you.

Many hosts offer one-click site optimizers that will enable HTTPS as well.

If so, you can just skip this section and cruise on down to Step 5.

If your provider doesn’t have a dedicated plugin or setting, you still have a few options.

To Implement HTTPS Using a WordPress Plugin:

One of the great things about WordPress is the bounty of plugins to add features to your site.

Just install a plugin and BAM! new features on your site.

We recommend “Really Simple SSL”.

[Screenshot: Really Simple SSL WordPress plugin]

The free version will work for most sites.

If you have further issues, the Pro version is great for tracking down mixed content issues or enabling advanced features and it has a fair price.

To install the plugin:

  • Login to your WordPress Dashboard
  • Hover over Plugins on the sidebar
  • Click “Add New”

[Screenshot: WordPress Dashboard – Plugins menu]

  • Search for “Really Simple SSL” in the Search Plugins box

[Screenshot: WordPress Plugins – Search]

  • Click “Install Now” in the box for the plugin

[Screenshot: Really Simple SSL – Install Now]

  • Wait for the installation to finish
  • Click “Activate” in the box for the plugin

[Screenshot: Really Simple SSL – Activate]

Now we need to configure the plugin itself:

  • Go to Settings > SSL in the WordPress Dashboard

[Screenshot: Really Simple SSL settings page]

  • Click the Settings tab

[Screenshot: Really Simple SSL – Settings tab]

  • Check “Auto replace mixed content”
  • Check “Enable 301 .htaccess redirect”
  • Check “Enable javascript redirection to SSL”
  • Click Save

[Screenshot: Really Simple SSL – recommended settings]

Let’s see if it’s working!

Clear any caching plugins installed through WordPress (such as W3 Total Cache, WP Rocket, WordFence or WP Super Cache) or your hosting and refresh your page.

Now look in the URL bar.

[Screenshot: secure URL bar in Chrome]

[Screenshot: secure URL bar in Firefox]

You see a lovely green padlock?

Score! We’ve got the basics in place!

To implement HTTPS in WordPress without a Plugin:

Without a plugin, things get a bit geekier.

NOTE: This is digging into a major piece of your site. Doing things wrong can break things. If you’re not comfortable with these steps, ask your web developer to help!

You’ll need to edit the .htaccess for your WordPress install.

  1. Connect to your hosting provider via FTP and open the .htaccess file for editing
  2. Paste the following code into the blank space at the bottom of the file

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
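Once the rule is in place, it is worth confirming that a plain-HTTP request for any page comes back as a permanent redirect to the same host, path and query over HTTPS; a misordered set of rewrite rules can send every request to a different URL than the one asked for. The script below is an added example, not code from the article: evaluate_redirect() judges a response offline, fetch_redirect() obtains a real one from your server, and the example.com responses are constructed for illustration.

```python
"""Confirms that a plain-HTTP request is redirected permanently to the same
page over HTTPS. Added example, not code from the original article."""
import http.client
from urllib.parse import urlsplit


def evaluate_redirect(host, path, status, location):
    """Judge one response to GET http://host/path.

    Returns (ok, reason). ok is True only for a 301/308 whose Location
    keeps the host, path and query string and switches the scheme to https.
    """
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect (301/308)")
    if not location:
        problems.append("no Location header")
        return False, "; ".join(problems)
    requested = urlsplit(path)
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != host.lower():
        problems.append(f"Location host {target.hostname!r} differs from {host!r}")
    if target.path != requested.path:
        problems.append(f"Location path {target.path!r} differs from {requested.path!r}")
    if target.query != requested.query:
        problems.append("Location dropped or changed the query string")
    return (not problems), ("; ".join(problems) or "ok")


def fetch_redirect(host, path="/", timeout=10):
    """Send the plain-HTTP request for real and return (status, location).
    Needs network access; not used by the offline sample below."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed responses (host, requested path, status, Location): a correct
# redirect, one that lands on the wrong page, a temporary one, and none at all.
SAMPLE_RESPONSES = [
    ("example.com", "/about/?ref=mail", 301, "https://example.com/about/?ref=mail"),
    ("example.com", "/about/", 301, "https://example.com/index.php"),
    ("example.com", "/", 302, "https://example.com/"),
    ("example.com", "/", 200, None),
]

if __name__ == "__main__":
    for host, path, status, location in SAMPLE_RESPONSES:
        ok, reason = evaluate_redirect(host, path, status, location)
        print(f"http://{host}{path} -> {status} {location}: {'OK' if ok else reason}")
```

Run it against your own site by calling fetch_redirect("yourdomain.example", "/some-page/") and passing the result to evaluate_redirect(); check a few deep pages and not just the home page, since the rule must preserve whatever path was requested.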

Step 5: Updating On-Site Links to Work with HTTPS

If you used the plugin method, you won’t have much to worry about.

However, doing these steps can shave a little off your loading times by removing the need for your site to change any links it finds.

For manual HTTPS implementations, this is essential to getting that little green padlock we’re after.

Even with HTTPS running on your site, anything on your site that uses an HTTP link could result in a mixed content warning.

What’s that mean?

Essentially, the browser is just warning visitors that while the site is secure, some parts of the page are not.

It also gets rid of your shiny green padlock.

We don’t want to leave visitors guessing which parts of your site are secure. So let’s fix that!

Tracking down mixed content issues can be time consuming.

You’ll want to load each page and check the URL bar once the page is fully loaded.

If it’s secure you’re good to go!

If there’s a mixed content error, open your browser console.

  • In Chrome, the shortcut is Ctrl-Shift-I (Cmd-Shift-I on Mac).
  • In Firefox, the shortcut is Ctrl-Shift-J (Cmd-Shift-J on Mac).

Then check the Security Tab.

It will show the exact items on each page causing the mixed content issue.

This can be everything from scripts to images and anything in between.

In short, if you can link to it, it can cause you problems.

NOTE: The best way to avoid this is to use relative linking whenever possible on your site. Instead of linking to “https://www.yourdomain.com/awesome-image.jpg” just link to “/awesome-image.jpg” then you’ll never have to worry about this again!
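Checking pages one by one in the browser console works, but the same check can be scripted: anything the browser fetches as a sub-resource (scripts, stylesheets, images, frames, media) from an http:// URL is mixed content, while an ordinary http:// link in an `<a>` tag is not. The scanner below is an added example, not code from the article; it uses only the standard library, and the sample page and the www.yourdomain.example host are constructed. make_relative() applies the relative-linking advice from the note above to any URL on your own host.

```python
"""Scans HTML for mixed content (sub-resources loaded over plain http://) and
rewrites own-host URLs to root-relative form. Added example, not from the article."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch a sub-resource. A plain-http URL
# in any of these triggers a mixed-content warning or block on an HTTPS page.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


def _candidate_urls(attr, value):
    # srcset holds "url 1x, url 2x" pairs; every other attribute is a single URL.
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in RESOURCE_ATTRS.get(tag, ()) and value:
                for url in _candidate_urls(attr, value):
                    if urlsplit(url.strip()).scheme.lower() == "http":
                        self.findings.append((tag, attr, url.strip()))


def find_mixed_content(html):
    """Return a list of (tag, attribute, url) for every plain-http sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def make_relative(url, site_host):
    """Turn an absolute URL on our own host into a root-relative one, as the
    article's note recommends; URLs on other hosts are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname == site_host.lower():
        rel = parts.path or "/"
        if parts.query:
            rel += "?" + parts.query
        return rel
    return url


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/style.css">
<script src="http://cdn.example.net/app.js"></script>
</head><body>
<img src="http://www.yourdomain.example/awesome-image.jpg">
<img src="/logo.png" srcset="/logo.png 1x, http://www.yourdomain.example/logo@2x.png 2x">
<a href="http://www.yourdomain.example/about/">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"<{tag} {attr}> loads over plain HTTP: {url}")
        print("   suggested:", make_relative(url, "www.yourdomain.example"))
```

On the sample page the https stylesheet and the `<a>` link are left alone, while the script, the image and the 2x entry in the srcset are reported. To scan a live page, read its HTML with urllib.request.urlopen() and pass the text to find_mixed_content().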

You’ll also want to be sure to change your WordPress site setting to point to the HTTPS version of the site as well.

  • Click Settings > General in the WordPress Dashboard sidebar menu

[Screenshot: WordPress Dashboard – Settings > General]

  • Enter the root HTTPS address to your site (the URL that people would type in to land on your homepage) in the “WordPress Address (URL)” and “Site Address (URL)” boxes

[Screenshot: WordPress Address and Site Address settings]

  • Click Save Changes

With these changes in place, your site is now pointing to HTTPS wherever possible and hopefully serving up a secured version of your website to viewers.

Step 6: Purge Your Caches

With most of the settings finalized, you’ll want to purge any caching plugins, such as W3 Total Cache, WP Rocket, WordFence or WP Super Cache to ensure that all new requests to the site use the latest HTTPS configuration.

If you’re using a CDN such as Cloudflare, you may need to clear your cache there as well.

Step 7: Update Your Analytics and External Services

While visitors won’t see any major differences between your HTTP and HTTPS sites, most popular analytics providers (e.g. Google Analytics, Google Merchant Services and Google Search Console) see them as two different sites.

This means that unless you update your settings with your analytics providers, you won’t get any data once you’ve switched to HTTPS.

In most cases, you can add the HTTPS property to the list and group them to avoid confusion or clutter on the interface.

Updating your Google Analytics is easy!

  1. Load your Google Analytics Admin page
  2. Click the dropdown in the Property column
  3. Choose “Create New Property”

[Screenshot: Google Analytics – add new property]

  4. Put the name you wish to use in the Website Name field
  5. Click the dropdown under Website URL and choose HTTPS://
  6. Enter the URL to your site in the box
  7. Choose your Industry Category
  8. Choose your Reporting Time Zone
  9. Click “Get Tracking ID”
  10. Add the tracking code to your site

Google Search Console is just as simple!

  1. Load your Google Search Console Dashboard
  2. Click “Add a Property”
  3. Enter your URL starting with “https://” into the box
  4. Click “Add”
  5. Follow the Verification instructions

To make viewing your sites easier, you can add your HTTP and HTTPS sites to a set on your Dashboard.

  1. Click “Create a Set”
  2. Enter a set name
  3. Choose your HTTP URL from the Members in Set dropdown menu
  4. Choose your HTTPS URL from the Members in Set dropdown menu
  5. Click “Save Changes”

If you use any other tracking tools, a quick search in the support documentation will likely show the steps needed to ensure your HTTPS traffic is tracked properly.

Step 8: Update Your Backlinks

You’ve probably spent a fair bit of time linking back to your site on forums, emails or social.

While existing links will redirect to HTTPS at your site, that adds a tiny delay that you can avoid by updating the links used in your signatures across the web and on your social media accounts.

You’ll also want to be sure to adjust the links used in your advertising campaigns across the internet.

If you work with other businesses to build links or other sites that regularly link back to your site, be sure to notify them of your switch to HTTPS and request that they update their links accordingly.

Step 9: Configuring HTTP Strict Transport Security

WARNING: This step SHOULD NOT be completed until you know your site’s HTTPS features are functioning properly.

Once you know that your HTTPS site is loading properly and you’ve fixed your mixed content issues, you can enable a setting known as HTTP Strict Transport Security (HSTS).

Essentially, even with HTTPS, your site’s traffic is still vulnerable to man-in-the-middle attacks until the redirect to your HTTPS site kicks in.

Then there’s the added delay (we’re talking milliseconds here) of the redirect from HTTP to HTTPS.

If you’re looking to optimize things to their fullest, add the following line to the .htaccess file of your site:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

This not only defaults your site to HTTPS, it adds your site to something known as the HSTS Preload List.

This list is updated periodically with major browsers to automatically load included sites via HTTPS, even on the first visit.

No more worries about delays or snooping hackers!
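One caveat worth checking before you rely on this step: the header as shown above turns on HSTS for this hostname only. Inclusion in the preload list shipped with browsers additionally requires the includeSubDomains and preload directives, a max-age of at least one year, and a submission of the domain at hstspreload.org; includeSubDomains means every subdomain must already serve HTTPS, and removal from the list is slow, which is why the warning at the top of this step matters. The checker below is an added example, not code from the article: it parses a Strict-Transport-Security value and reports both whether HSTS is enabled and whether the value would pass the preload requirements. The header values in it are constructed.

```python
"""Checks a Strict-Transport-Security header value: is HSTS on, and does the
value satisfy the hstspreload.org submission requirements? Added example,
not code from the original article."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Split 'max-age=300; includeSubDomains' into
    {'max-age': '300', 'includesubdomains': None}. Names are case-insensitive."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, has_value, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else None
    return directives


def check_hsts(value):
    """Return {'hsts_enabled': bool, 'preload_ready': bool, 'problems': [...]}."""
    d = parse_hsts(value)
    result = {"hsts_enabled": False, "preload_ready": False, "problems": []}
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        result["problems"].append("max-age missing or not a number; browsers ignore the header")
        return result
    if int(max_age) == 0:
        result["problems"].append("max-age=0 tells browsers to forget the policy")
        return result
    result["hsts_enabled"] = True
    # From here on only preload eligibility is at stake; HSTS itself is active.
    if int(max_age) < ONE_YEAR:
        result["problems"].append(f"max-age {max_age} is under one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        result["problems"].append("includeSubDomains directive missing")
    if "preload" not in d:
        result["problems"].append("preload directive missing")
    result["preload_ready"] = not result["problems"]
    return result


# Constructed values: the one from the .htaccess line above, and a preload-ready one.
ARTICLE_HEADER = "max-age=31536000"
PRELOAD_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for value in (ARTICLE_HEADER, PRELOAD_HEADER, "max-age=0", "max-age=10886400; preload"):
        r = check_hsts(value)
        print(f"{value!r}: enabled={r['hsts_enabled']} preload_ready={r['preload_ready']}")
        for problem in r["problems"]:
            print("   -", problem)
```

To test the live header, fetch any page over HTTPS (for example with urllib.request.urlopen) and pass the response's Strict-Transport-Security header to check_hsts(). If the report lists includeSubDomains as missing, add that directive only after every subdomain you serve has a working certificate.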

4. How Can I be Sure HTTPS is Running Properly?

At this point, the bulk of the changes are completed!

Congratulations! Your site is now secure!

Time to kick back and relax with a frosty beverage and a big ‘ol steak right?

Not just yet…

How can you be sure everything is actually working?

Here’s a few ways to check that you haven’t missed anything implementing HTTPS for your site.

  • Crawl your site manually: If you have a smaller site, manually crawling your site is the most straightforward way of ensuring that all pages are error free. Simply make a list of your pages, load each one in your browser and check to be sure that you are seeing a green padlock for each one.
  • Google Search Console: If you’re using Google Search Console, you should add the HTTPS version of your site to your properties and upload a new site map. This will allow you to ensure that Google can crawl your site properly and index pages accordingly.

[Screenshot: Google Search Console]

  • SSL Labs Server Test: This online tool from Qualys checks your HTTPS implementation and issues a letter grade based on best practices. With the steps listed in this guide, you should see that your site earns an A. If not, the tool’s report card will offer actionable steps for improving your score.

[Screenshot: Qualys SSL Labs report]

  • HTTP Security Report: As an alternative to the SSL Labs tool, the HTTP Security Report digs a little deeper to find more ways to optimize your site security. However, it focuses on more advanced features that you might not need to worry about as much. If your site scores a 40 or higher, you’re officially more secure than the average site in their database. While most of the features toward the end of their report card are outside the scope of this guide, they’re a great starting point for creating an enterprise-grade HTTPS/SSL plan and learning more about the future of HTTPS.

[Screenshot: HTTP Security Report]

5. Anything I Need to Worry About Once It’s Running?

With your certificates verified and installed and your site redirecting traffic to HTTPS, the only thing left to worry about is certificate expirations.

This will depend on the method that you used to verify and install your certificate.

  • If you’re using a host-supported Let’s Encrypt system, renewal is often automatic every 90 days.
  • For host-supplied SSL certificates, they’ll typically take care of renewal when you pay your annual certificate fee.
  • If you installed your certificate manually, or used Certbot through the shell, you will need to complete the process again at each expiration to renew your certificate.

Most hosts will send reminders when certificates are set to expire.

However, it is best to set a reminder as an expired certificate often results in a very intimidating warning page when visitors browse your site.
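A reminder in your calendar is good; a check that reads the expiry date off the certificate your server is actually presenting is better, because it catches a renewal that silently failed (Let’s Encrypt certificates run for 90 days, and `certbot renew` only helps if it is actually being run). The script below is an added example, not code from the article: days_remaining() and expiry_status() work offline on the notAfter string that Python's ssl module returns, and fetch_not_after() fetches that string from a live host. The dates in it are constructed.

```python
"""Reports how many days remain on a server's TLS certificate and whether it
is time to renew. Added example, not code from the original article."""
import calendar
import socket
import ssl
import sys
import time


def utc_timestamp(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC date; used to build sample 'now' values."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def days_remaining(not_after, now=None):
    """not_after is the 'notAfter' string from ssl.getpeercert(), for example
    'Jun  1 12:00:00 2030 GMT'. Returns whole days left; negative once expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return int((expires - now) // 86400)


def expiry_status(not_after, now=None, warn_days=30):
    """'ok', 'renew' (within warn_days of expiry) or 'expired'."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Connect with normal certificate validation and return the leaf
    certificate's notAfter string. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample: a certificate expiring at noon UTC on 1 June 2030.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2030 GMT"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]  # usage: python check_cert.py yourdomain.example
        not_after = fetch_not_after(host)
    else:
        host, not_after = "(sample)", SAMPLE_NOT_AFTER
    days = days_remaining(not_after)
    print(f"{host}: certificate expires {not_after} ({days} days): {expiry_status(not_after)}")
```

Because fetch_not_after() uses the default context, a certificate that has already expired or does not match the hostname raises an ssl.SSLCertVerificationError instead of returning a date, which is itself the answer you were looking for. Run the script from cron or a scheduled task and alert on anything other than "ok".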

The Future of HTTPS and SSL

As more people continue to store and transmit more data online, the need for security will grow.

This means, the tools and techniques for offering exceptional site security will change as well.

We’ll keep this guide up to date on the latest best practices, trends and recommendations to ensure you always know how to secure and protect your site’s traffic and data.

Be sure to check back every few months for new developments!

Next Steps

Implementing HTTPS is just one part of your overall site security.

While it adds an effective layer of protection to any data transmitted to or from your website, it does nothing to stop hackers from using other methods.

This makes it essential to continue to use strong passwords, keep your WordPress site and plugins up to date, scan for malware and use a firewall to help repel attacks.

Your site is only as secure as its weakest point.

If you’re not sure where to start, consider the WordFence WordPress plugin.

[Screenshot: Wordfence Security plugin]

It offers an easy-to-use interface for boosting site security.

There’s also a free option that covers basic needs. The paid tiers offer faster updates and protection for a small monthly fee. Given the cost of recovering a hacked site and the PR hit that comes with a data breach, we consider the fee a fair price to pay.

Want More Tips?

Our WordPress Security Course offers simple to follow instructions and tips for locking down your WordPress site and keeping your data secure. Sign up to stay up to date on the latest security trends from the comfort of your inbox!

No spam, no fluff. Just great guides to help you make the most of your WordPress site!

WordPress Migration

Looking to move your WordPress site to a new home — maybe a new or faster host?

Migrating can be a bit of a headache.

These plugins will help make the move easier:

Duplicator

WordPress Move

All-In-One WP Migration

Super Backup & Clone

BackupBuddy

WP Migrate DB

UpDraft Plus

VaultPress

WP Clone


Productized Services

Want to improve your business and do so quickly, at a price that’s transparent upfront?

Enter…”Productized Consulting”.

You’ll see exactly what you’re buying… just like at the store.

Here’s a collection of productized services that might help your business.

Design

Kapa99
Unlimited graphic design subscription service. Easily request the graphics that you need without compromising quality and turnaround time. Free 15 days trial, no contracts.

Draft Revise
Design strategy and A/B testing.

Design Pickle
Unlimited graphic design subscription service.

Undullify
Unlimited graphic design from simple tweaks to creating something brand new.

RockingBookCovers
Book cover design.

Feedback

ThisUserIsMyMom
Your website reviewed… by a guy’s mom.

ThisUserIsDrunk
Your website reviewed… by a drunk person.

Support

HelpFlow
Done for you live chat service. Chats directly with your website visitors and answer their questions.

HelpSquad
24/7 live chat sales and support agents for your website.

Accounting

Julie Elster
Bill collection done for you. Get paid on overdue client invoices.

3 Wise Bears
Outsource your bookkeeping. 3 Wise Bears specializes in small businesses. (UK)

Bench
Bench manages your bookkeeping each month. (CA / US)

Zenkeep
Takes care of your books.

Copywriting

Snap
SNAP is your expert on-demand copywriting team.

Philip Morgan
Produce quality content that speaks to your customers.

Podcasting

PodcastMotor
Podcast editing and production.

CashFlowPodcasting
A podcast done for you or production and editing done for you.

SweetFish
Produces podcasts for B2B companies.

FreedomPodcasting
Editing and production services for your podcast.

CastingWords
Transcription.

YouTube / Video

ContentCreatorsLounge
Video production and editing.

Scribie
Transcription.

PR

Publicize
Offers a done-for-you PR solution to entrepreneurs.

How to translate a WordPress theme (.po file) using Poedit

Want to translate a PixelPress theme or any other WordPress theme to your language?
Below is a brief, step-by-step overview of how to do just that using Poedit.
Poedit makes it easier for translators to translate a theme’s text into the language of choice.

Step 1

Download and install Poedit on your computer.

Step 2

Download a copy of your theme’s .po file to your computer using your FTP program of choice. This file is usually located inside the “languages” folder. (yoursite.com/wp-content/themes/yourtheme/languages)

Step 3

Open the .po file using the Poedit program.

Step 4

Click on a text row in Poedit and translate each line as required.

Step 5

Once you’ve translated all the text you’d like translated, click on the “save” button to overwrite the previous .po file on your computer and generate a .mo file which is the one that WordPress will use to translate your theme.

Step 6

Upload the newly translated .po and .mo files back to your theme, overwriting the previous versions.

Not clear? Want some further explanation? Stefan Wallin has produced a great video how-to.

Hope that helps!
Bonne chance! Hodně štěstí! Held og lykke! Succes Veel geluk! Edu! Onnea!