Using an SSL certificate for https protection with OptimizePress

OptimizePress is fully compatible with using an SSL certificate. This will require that you already have an SSL Certificate installed on your domain through your web host provider or another 3rd party service.

If you are looking to secure pages for PayPal Pro integration, Embedding a page into a Facebook App, or protecting other pages of your site this is a great way to do that. Please do keep in mind that while this method has been tested on some of our own sites, if you do run into issues making this work, then you may have some incompatible plugins or server settings - or an improperly installed SSL.  

It should be noted that the best way to do this would be to either have your entire site setup for using an SSL, or not using an SSL. The reason is due to http and https urls are considered different sites, and in order to ensure that all elements of your OptimizePress installation are fully usable as our licensing system only picks up one or the other. 

Setting up your OptimizePress site to run on HTTPS:

Once you have your web host install your SSL certificate, you should be able to access a page on your site by going to https://yourdomainnamehere.com - if the site loads then the SSL is likely installed properly and you can proceed with this guide. If you get errors and the site won't load with https, then you may need to contact your web host to make sure they have the SSL Certificate installed properly. If you are using the free SSL from CloudFlare, plase see this guide: https://optimizepress.zendesk.com/hc/en-us/articles/218036688-Using-FREE-CloudFlare-SSL-with-OptimizePress

Note: Please be sure to backup any file you edit to ensure you can restore the site if a mistake is made during this process. OptimziePress is not liable if you mess up your site due to not taking backup files.

Step 1: Get SSL installed through web host and verify you can load site over https (you may get security warning but that is ok as this guide will help fix those).

Step 2: Change urls of site to start with https://

There are two ways to do this.

  1. You can change them in the WP Dashboard under "settings > General" - note that in most cases after you change these you'll be asked to login again which is normal.
  2. Or you can edit through the wp-config.php file - and adding this to wp-config.php file (either through FTP, cPanel, or other method of your choice that you use for file editing with your site):

define('WP_HOME', 'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');

This will lock the site urls and ensure that they won't accidentally get changed

** These codes should be placed after the opening ?php tag in the wp-config.php file on a new line.**

Step 3: Add another line in wp-config.php to force ssl for wp-admin (optional as WordPress https plugin does this as well - but is a good fallback and makes sure it doesn't get changed)

define('FORCE_SSL_ADMIN', true);

Note: It is important to have the admin run in https because if your pages are in https, when you go to edit these in the live editor, you may be promted to login again - this is due to http and https being two different urls - so we always suggest having all the pages as well as the admin area running https to avoid any login/logout loops.

The top 4 lines of your wp-config.php file should look like this when done:

Step 4: Add this to .htaccess file in same directory as wp-config.php - this makes all http requests use https - very important that this goes before any other rewrite rules or it won't work right.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yoursite.com/$1 [R,L]

Please note that the above code should go at the top of your .htaccess file before the OptimizeMember (if activated) and WordPress rewrite rules. We have seen some issues where this code may cause a "internal server error" message instead of loading the site if you put it in the wrong location. If you have a lot of other code in your .htaccess file, please use caution as there may be some other code that might need to go before this, so you may need to try a few different spots to ensure that it works properly (and as always, take a backup of the file first!).

Step 5 - Fixing Insecure Content Errors:

We previously recommended WordPress HTTPS plugin, however as that plugin has not been updated in a very long time, it has recently caused a lot of issues with some server configurations, although we do still see some sites that run that plugin without issue. 

In our search for a better plugin, we found "Insecure Content Fixer" plugin which in our testing has worked great. It is a free plugin that you can install right from the WP dashboard or can download from https://wordpress.org/plugins/ssl-insecure-content-fixer/

After installing "Insecure Content Fixer" plugin, you can test whether WP detects the SSL or not by going to "tools > SSL Tests" - If you find any issues please resolve them before making other changes.

After running the SSL tests, if everything is ok, then you can go to "Settings > SSL Insecure Content" and setup settings that will help fix the insecure content errors on your site. We recommend selecting the "Content" setting as you see in the following screen shot:

The sections for "Fixes for specific plugins and themes" we suggest leaving as is, and also HTTPS detection section shouldn't be changed.

NOTE: When using either of these plugins mentioned avoe, if you find that you can no longer access your website after activating the plugin, just login to cPanel or FTP and navigate to the wp-content/plugins folder, and manually remove that plugin and your site will load again. If you have to do this, please contact your web host to find out what they suggest to help with insecure content notices.

 

IMPORTANT steps needed to ensure OptimizePress will continue working without issues after changing to https:// (follow all necessary steps above, and then do these last steps).

Step 6: Install and activate velvet blues update urls plugin (link opens in new window) to update urls from http:// to https://

To do this, after the plugin is activated, go to "tools" and "update urls" and the only difference should be the http (for old domain) and https (for new domain). Be sure to put the correct domain down - good idea to copy from settings/general for the new domain.

Running this plugin will change all the standard WordPress tables and update page/post attachments in the media library to run under https.

Step 7: Install and Activate the OptmizePress Helper Tool: https://optimizepress.zendesk.com/hc/en-us/articles/203699826-Update-URL-References-after-moving-domain

To use the OptimizePress Helper Tools, go to "Tools > OP Helper Tools" and then click on the "Migrations" tab at the top and fill out the URL fields just like you did with the Velvet Blues plugin.

While the url updates in Velvet blues plugin will help with any standard WordPress URL updates, you should use both of these plugins. Velvet blues plugin will update a lot of things that the helper tool won't - because the helper tool is mostly designed to update OptimizePress data and not necessarily all WP data. It does not matter which one you run first.

VERY IMPORTANT STEP - Step 8: Since you changed the url of your site, you will need to refresh your API key. To do this, please login to http://members.optimizepress.com and then navigate to the "licensing page" and then click the "clear" link to the right of the url your site is currently licensed under.  

Then, log back into your site and go to "OptimizePress > Dashboard and then just go to the bottom and click the "green" update button. This will re-license your site with the https url.

 

Note: If you experience any issues after following all these steps, we would be happy to assist further if needed.

 

Extra Tips for sites/pages running https:

 

Using OptimizePress Pages within an iframe App:

If using an https page with Facebook Apps, please be sure that all links or opt-in thank you pages associated with that page are also protected. This is needed because Facebook requires all elements and links to be protected or they won't show or load correctly.

How does changing an existing site to https effect my SEO Ranking?

This is a great question. There really is no right or wrong answer here since Google uses a very complex algorithm to calculate rankings.

Since http and https are basically two different urls, then we would suggest looking into setting up some 301 redirects and also submitting a new sitemap through Google Webmaster Tools. During the process of Google updating the indexed urls, your SEO may be effected somewhat until all the new https urls are indexed. We can't really say for sure how this will effect your SEO rankings.

If done correctly through Google Webmaster Tools we see no reason why you wouldn't actually come out ahead of where you were since Google is now looking at where a site is https or not as part of its algorithm for rankings.

We obviously can never guarantee how Google will react, but having https will give your users better peace of mind and your site will be more secure. A slight fluctuation with SEO rankings is a small price to pay for building trust with your site visitors. Ultimately if you put out high quality content that Google loves, then there is no reason to be worried.

If you need help finding insecure items:

Sometimes it is difficult to find which items are causing the insecure warnings. Here is a website that can sometimes help with this: https://www.whynopadlock.com (opens in new window).