In this post we will learn how to enable HTTPS to secure our site using the cPanel hosting platform. Having HTTPS enabled on your site is critical when dealing with credentials, personal information or sensitive user information. Otherwise, your credentials are sent in plain text from your computer to the hosting server when you submit the login form. Given that scenario, anybody “listening” or sniffing the conversation could steal credentials and hack the site.
HTTPS, also referred to as HTTP over TLS/SSL or HTTP Secure, is a communications protocol for secure communication over a computer network or the Internet [Wikipedia – HTTPS]. HTTPS protects data integrity and confidentiality by providing three layers of protection: encryption, data integrity and authentication [Google Webmaster Tools – Secure your site with HTTPS]. It means that the data cannot be sniffed, modified, or corrupted during transfer.
SSL certificates are required to enable HTTPS. Certificates can be self-signed or issued by a trusted SSL Certificate Authority (CA). Self-signed certificates are easy for attackers to spoof, and they generate security warnings in a user’s web browser. You should only temporarily install this kind of certificate until a valid certificate authority issues a signed certificate to replace it. Currently you can get a certificate from a CA for less than $10/yr.
Here we will use a self-signed certificate because this blog stores no sensitive information and I am the only user able to log in.
How to enable HTTPS to secure your site step by step
1. Log into cPanel
Log in to your cPanel account and navigate to the Security area. Find the link to the SSL/TLS Manager. Of the four operations available, we will focus on the third and the fourth:
Certificates (CRT), to upload an existing certificate or create a self-signed one.
Install and Manage SSL for your site (HTTPS), to configure SSL for your domains and enable HTTPS.
2. Upload or generate a new certificate
Use the Certificates (CRT) option to generate a new certificate or upload an existing one, either self-signed or trusted from a CA. A private key is required to generate a new certificate. Here you can also choose to generate a new private key or use an existing one. The image below shows how to generate a private key and a certificate in just one step. Pay attention to the domains field, since it supports both a domain list and wildcard domains.
3. Install an SSL certificate on your domain
Let’s enable HTTPS and secure your site. Go back to SSL/TLS Manager, and then to Manage SSL sites. Click browse certificates and select the certificate and the domain to install the certificate on. The target domain must be in the domain list that the certificate was created for.
Then, verify that HTTPS is successfully enabled. As I have used a self-signed certificate, the browser warns that identity is not verified.
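The domain-list requirement from step 3 can be checked before installing. The following is an added example, not part of the original post or of cPanel: the function names and the sample domains are constructed, and the wildcard rule assumed is the one browsers commonly apply (the wildcard must be the whole leftmost label and stands for exactly one label).

```python
# Added example: check which hostnames a certificate's domain list covers.

def _normalize(name):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")


def entry_matches(entry, hostname):
    """Return True if a single certificate entry covers the hostname."""
    entry, hostname = _normalize(entry), _normalize(hostname)
    if not entry or not hostname:
        return False
    if "*" not in entry:
        return entry == hostname
    # Accept a wildcard only as the entire leftmost label ("*.example.com"),
    # and never directly under a top-level label ("*.com").
    first, _, rest = entry.partition(".")
    if first != "*" or "*" in rest or "." not in rest:
        return False
    # The wildcard stands for exactly one label: it does not cover the bare
    # domain ("example.com") or deeper names ("a.b.example.com").
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def covering_entry(cert_domains, hostname):
    """Return the first entry that covers the hostname, or None."""
    for entry in cert_domains:
        if entry_matches(entry, hostname):
            return _normalize(entry)
    return None


def uncovered(cert_domains, site_hostnames):
    """List the site hostnames that no certificate entry covers."""
    return [h for h in site_hostnames if covering_entry(cert_domains, h) is None]


# Constructed sample: the domains entered when the certificate was generated,
# and the hostnames the site is actually served on.
CERT_DOMAINS = ["example.com", "*.example.com"]
SITE_HOSTNAMES = ["example.com", "www.example.com", "shop.example.com",
                  "a.b.example.com", "example.org"]

if __name__ == "__main__":
    for host in SITE_HOSTNAMES:
        print(host, "->", covering_entry(CERT_DOMAINS, host) or "NOT COVERED")
```

Any hostname reported as not covered will produce a name-mismatch warning in the browser even with a CA-signed certificate, so add it to the domains field before generating the certificate.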
Finally, keep in mind that SSL activation could take some time if you have any CDN (Content Delivery Network) enabled on your site. As of the writing of this post, CloudFlare’s SSL activation time is instant for paid plans and could take up to 24 hours for the free one.