Upgrade http to https for security

In the process of creating new software and websites, I thought it might be a good idea to improve this site by changing from http to https.
This is what I found I needed to do:

First make sure my hosting account had the necessary security certificate – D9 Hosting were on the ball and made their necessary changes within minutes after I raised a low priority ticket asking for help.

Next I added a few lines of code to the root directory ‘.htaccess’ file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Not sure whether this was needed or not – but wanted to make sure that all http requests were routed as https secure versions

Firefox and Microsoft Edge still weren’t at all happy – saying website was insecure. So my third step was installing the WordPress plug-in Search and Replace This allowed me to change all instances of ‘http://’ to ‘https://’ for all of my posts and pages. There were hundreds of these – one for each image.

Still not enough – browsers weren’t at all happy yet. So then I installed the String Locator plugin to search for all instances of ‘http:’ This discovered hundreds of instances throughout my theme and installed plugins.

Finally I gave in and decided to remove the plugins and edit each of the theme files one by one (after a FTP download in case things went wrong). Changing each instance of ‘http’ to ‘https’ took surprisingly little time.
Now browsers seem to be quite happy.

Good luck if you need to sort the same problem – and improve your Google rating.


Ideas to Improve Your WordPress Site

I create software for web users and am always on the look-out for ideas.
What I really want to find out is what people want – even though they may not know themselves.

One great place to look is the WordPress Plugin Directory
This lists all the great, freely available, wordpress plugins.
As usual, this got me sidetracked into wondering just how useful some of these plugins are.
One that really caught my attention was Shortcodes Ultimate
Short-codes allow your website to run proven pieces of software simply by entering a short name that replaces a function. So for example, a few letters in your code could create tabs, buttons or sliders – all fully tested and functional.

I’m particularly interested in checking out the upgrade that enables me to create my own short-codes.

Like all new toys, there will be a learning curve, but I’m hoping that in the long run it could save a lot of time and effort?

How to Protect your WordPress Login

Not having posted to for quite a while, I found that I was locked out of the WordPress Login Page.
That was a really good refresher for me, having to check all the things I might have done to protect this site from getting hacked – so far as practicable.

wp-admin-not-found

First stop was to check where the Nameservers for this domain were pointing.
After digging out the user name and password for domaincheapsters.com I checked the nameservers stevemackay.com was point to – in one of my hosting accounts.
Next I needed to check which of my hosting accounts at d9hosting.com uses the nameservers.

Then open up FireFTP and download a copy of my website.
So far so good, but still no joy.
The information I really wanted was in a MySQL database file.
This meant going digging out another user name and password to get into the cpanel of my hosting account.
The information was there – but I had no idea, which of 193 MySQL data bases, was used for this site.
Unfortunately WordPress give MySQL databases names automatically, unless they are edited.
Although I checked a few, I really don’t have the patience to go through files in wrdp1 all the way to wrdp193 to find the one I was looking for.
Instead I checked the contents of a few php files – nothing there to cause a problem

Finally I checked the .htaccess file
This is a hidden file – so you need to check the option in any FTP program to even see the file exists.
.htaccess is where I had added protection to make it more difficults for others to log in.
I had added code so that only a PC having my IP address could open the log-in screen.

A quick google check of my IP address showed it had changed.

My-IP-Address
Updating my IP address then using FireFTP to over-write the old copy of .htaccess – and suddenly I could log in to my blog again.

wp-login-page
.htaccess a critically important file – so I was careful to use my trusted copy of notepad++ for the editing

The code to protect any wordpress site from displaying the login screen from …/wp-admin is:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ – [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

<Files ~ “^wp-login.php”>
Order deny,allow
Deny from all
Allow from 10.20.200.180 *** replace with your IP Address

</Files>

 

You can repeat the line ‘Allow from ….’ as many times as you need with as many IP addresses as you use.
This code must be saved in a .htaccess file then uploaded and stored to the root of your domain name folder on your server.
Make sure you keep any existing code in the file before adding this extra code.
Don’t forget that your IP Address is likely to change every time you switch your router off then on again.