Recently, the Internet has been ablaze with information about the impending compliance deadline with the European General Data Protection Regulation (GDPR). The GDPR is already in effect, however, the grace period for compliance ends on May 25, 2018. This means that all businesses processing data on EU citizens must comply with the GDPR by that date, regardless of whether they are located in the EU or not. This also means that you are likely impacted if you have a website that is visited by EU citizens and your website stores cookies and/or has a contact form and/or has means for visitors to leave comments and “likes” etc (which basically means any blog). The GDPR states that you need to “…implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects.”
In practice, in my opinion (I am not a lawyer!) this means among other things for your website that you probably need to
- Install an SSL certificate on your website, such that all web traffic is encrypted;
- Update your website to include a disclaimer on your cookie and data protection policy.
Now, ideally, one would install an SSL certificate first and then set up the website, but alas, this is not what I have done with this website, which is based on WordPress. So I had to go through a few extra steps to make the SSL certificate work.
Step 1: Install SSL Certificate
This was the easy part, since all I had to do was to purchase an SSL certificate from my hosting provider, and the installation of the certificate was up to them.
Step 2: Edit the Settings of your WordPress Installation
This step is necessary so that all your permalinks point to https:// instead of http://. This can be accomplished by going to Settings > General Settings and editing the WordPress and Site addresses to point to https, see the screenshot below.
https settings in WordPress
However, unfortunately, this was not the whole story, since my site contains quite a few pages and blog posts, complete with lots of images and uploads, which all still pointed to http:// instead of https:// internally. This meant that upon visiting my secured site (https://www.cfbtranslations.com instead of https://www.cfbtranslations.com), the browser didn’t show a nice (green) padlock in the address bar, but instead a broken lock, indicating partially insecure elements on the site.
Secure site indicated by padlock
A broken padlock means that portions of the site (links, images) still point to insecurely loaded elements, which means these images are for example loaded via http:// instead of https://.
Broken padlock indicating insecure elements on website
Step 3: Change All Internal Links to https
In my case, getting the aforementioned insecure elements to load securely turned out to be the most cumbersome part. There are a number of WordPress plug-ins which claim to accomplish the same task with the click of a button. Unfortunately, they all turned out incompatible with my theme or some of the numerous plug-ins I use. If you don’t use any elaborate plug-ins and your theme is compatible, I suggest you simply search for plug-ins related to “SSL” and install the plug-in of your choice. In any case, please make sure you have a back-up of your site in case things go awry and you need to restore the site to its original condition before installing the plug-in.
If, however, the plug-in of your choice does not accomplish the task, there is a second option. Install and activate the plug-in “Better Search Replace,” and then search for “http://www.yoursite.com” and replace it with “https://www.yoursite.com.” After this step, visiting your site via https:// should show a nice (green) intact padlock with no security warnings.
Step 4: Redirect http:// to https:// in Your .htaccess File
This step is necessary so that all visitors typing www.yoursite.com or yoursite.com without any of the prefixes are redirected automatically to the secure version of your site at https://www.yoursite.com. Now, every hosting provider has their own means to access and edit the .htaccess file in your home directory. Most hosting providers also have a recommended syntax for the https redirect, so please follow the instructions of your hosting provider.
In my case, I had to insert the following lines at the very top of the .htaccess file, before anything else:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
That did the trick, and all visitors are now redirected to a safe and secure site. The second step to make my website GDPR-compliant is to check which, if any, cookies my site uses (direct or third party), and update my existing cookie and privacy policy page accordingly. However, this is the topic of a future blog post.
Copyright secured by Digiprove © 2021 Carola F Berger