
Episode Info: e and it’s, you know— I don’t know— it might be your logo file is hard-coded into a widget, and you put it there, and you know how to do it. It’s as simple as changing the call. But if you—  so say you use things like WordPress, and you’ve had the site for a few years, and you’ve got some posts and pages. This is where I would probably say get your web dev involved, or your hosting company involved. I run a script – it’s called search and replace, and if you go to the— you Google search and replace, you know, on Google. The— and I’m not sure we’ll link it directly, like I don’t want everyone to go there. If you read the warnings, this is actually a dangerous script for your site. So if you installed it on your site, ran it yourself, you could break could be used to do nefarious things on your site. So yeah. It’s something to be used with extreme caution. But, if you know what you’re doing, these types of scripts allow you to process across the database and say – “find every instance of HTTP:// and replace it with HTTPS://”, and you do exact thing. You run a dry run of it, then you say – “yep, that found stuff”, run a live run, and it literally goes through the databases and changes things. Now believe you—  believe you me, you can really mess things up by putting the wrong slashes in the wrong place, or doing it inadvertently, you know, and you can make a bit of a mess. So, I would suggest you get someone else to look at it. The key thing is – identify the pages that have problems, so when you go back to your developer, you could say – “you know. I found four pages that appear to have mixed content, or have an SSL warning. Could you please resolve these?”. 
Edmund: Yep, I’ve just been looking, as we’ve been talking, I’ve been looking at a few sites and I’ve noticed that, you know, one implementation is the home page is secure, and then I go to some of the internal pages, and there’s a tiny little link to an old icon or something like that, which is showing the mixed-signal. And it’s just one of those small things you want to just address, you know, sooner than later. Not that your— the world will end, but it’s worth cleaning them up, right? Because it’s…

Darryl: Yeah, and look, it sends errors and— when you look at, you know, like if you look under the hood, you— look it’s common. I mean the people have hard-coded calls to analytics type things or, you know, other JavaScript libraries that were hard-coded into the theme. So if you have a child theme in WordPress, or you have custom code site. You know, in the header includes there’s these hard code references because that’s how you do it.

Edmund: Hmm

Darryl: and those need to be corrected, but I guess the key thing about this is being observant and knowing what it means. You don’t want your site to come up to say “not secure” to people. Like you just— that’s not good from trust signal, it sends the wrong message, and it’s super important you resolve that. I mean that’s, you know, that’s a key thing. So, [sic]that the other common problem is – that people don’t have a global server-side redirect from non HTTPS to HTTPS. So, what I mean by that is – if I typed in a URL on your site with HTTP, for a lot of sites it renders as HTTP. But, if I type HTTPS, that renders as well. So, technically we now have duplicate content, we have two iterations of the other content.

Edmund: Yep

Darryl: And, if you set it up correctly, you— and, this is something that, if you are a little bit ok with editing stuff on your website, you can do. And that is in the HTaccess file on your site.
You can put a couple of lines of code

Edmund: Hmm

Darryl: that say – “hey any URL that’s non-HTTPS, make it redirect to HTTPS”. So, if you’ve got the odd thing [sic] page that, you know, is a bit like, you know, duplicitous like that. It just takes that out of the equation. It handles it for you [sic]at on the server side, so that the user just gets it. Now, in theory you want to resolve any links that go to HTTP, and, you know, so they’re not hops in the whole equation, but the cool thing is to make sure that the site is set up. And, I had someone fixing a site with this two days ago.

Edmund: Yep

Darryl: and it was actually commented out in the htaccess file. They had actually implemented it. It was commented out, and that could be because the development environment didn’t have a HTTPS. So, the developers commented it out while I were working on it so I didn’t keep getting all these browser warnings. And then when they would put that file back live it wasn’t un-commented. So you really have to keep your eye on it, because it’s not like – “Oh, I fixed it in July, 2018. It’s done. I never have to worry about it again”.

Edmund: That’s right. And I was just— I should say [sic]to the simplest way to do this, if you want to see that there are in fact— you know, if you want to find out what URL or what link is causing the issue— it’s like if you see a page and it’s not secure, you can just right click on it and view the source, the HTML code, and then just do a find function, and search for “HTTP:”. And then it’ll just flag up the URL, and then you’ll be able to say to your web developer – “hey, here’s the link to an image or a resource, that is not HTTPS. Can we fix it up?”.

Darryl: And, if you’re using say Chrome for example, how we talked about it, and you do the right-click around the page, and use “inspect”. And you can actually go into the console, and it will actually show you which files are being called in securely.
And so then you can actually search for the file. So the— you know, like you can act— if you go to those sites, you can actually see quite clearly. So, your developer knows how to do those things. So, it’s not hard to find it.

Edmund: Yep

Darryl: I will say, though, that I have found instances of themes, where it’s a clusterfuck, [Edmund laughing] like, it’s just the way that it’s thought. Like, you know, like without an update from the theme developer, it’s just a mess. And I actually had to recommend to someone, to say – “unless you’re prepared to invest in the premium support from this theme and hit them up and see if they’ve done a fix. You’ve actually—” you know, it’s not an easy fix. It’s, you know, this was baked into their framework. It was very cumbersome, and they had these ridiculous calls out that should have been updated already. And, you know, there was no update showing for the theme, you know sometimes they don’t show. So, it was like, you know, it wasn’t just a simple fix, and the problem with that too is that, you know, you rolled out some version of the theme that might be five iterations later, because these guys haven’t been keeping it up to date, it might make more fundamental changes to the site. So, it’s not always simple if you leave things long. So, I think that goes to if your plugins are up to date, your WordPress is up to date, or your Drupal is up to date or you— whatever it is that, if you’re using open source software. If they’re totally up to date – you’re okay. Now, if you’re using some hosted and things, like Shopify or, you know, BigCommerce or things like that, in most cases you’re not going to have to think about this as much if you’ve implemented HTTPS. They tend to have that covered for you, but don’t assume that everyone’s got it covered. This is another check that you periodically need to do – pay attention to what you see in the URL line.
You’d be surprised what shows up there and, you know, learn from it and just check it, and don’t just check your homepage.

Edmund: Hmm, I’d suggest that if anyone is interested and wants to chat to someone. Why don’t they reach out to Darryl. His contact details are on the “about us” section of the website. You know

Darryl: Yeah sure. Facebook page, you know, ask a question, put it on there. We’ll find ways to do it. I’ll put the code that goes into the HTaccess file in the resources section. It’s really simple to cut and paste, and put a couple notes there just to instruct it, but it’s the sort of thing, if you get a bit of blowback from your developer, you know, – “oh, I’m not really sure how to do that. That’s a server thing you guys do”. Alright. This here, here’s the notes

Edmund: Yeah

Darryl: and potentially even link it. I might link with it out to Stack Overflow article, or something like that, that just shows— you know, has a bit of a Q&A around it so people understand. But, that’s for that one. But as far as, you know, just checking at secure, anyone can do that and

Edmund: Easy

Darryl: pretty straightforward. What about anything else that you’ve seen with security you had, you know, browsers.

Edmund: I think that’s it for the— I would consider this episode a community service announcement, and a reminder to check this out. It’s something simple to check, and it’s relatively easy to fix. So get to it.

Darryl: Yep, Excellent.

Edmund: What do you reckon Darryl? Is that it for today?

Darryl: I reckon.

Edmund: Excellent; alright, thanks for listening to this episode of The My Bloody Website Podcast. For everything about my bloody website, check out – And when you get there, make sure you click on the “subscribe by email” button on the top right, so you don’t miss anything bloody website related.
If you’d like to check out the show notes for this episode, or any past episode, all of that information can be found at If you’d like to reach out to Darryl or myself, as I said, you can find ways to talk to us on the “about us” page of the website. And lastly, if you want to support the show you can do that by telling another website owner about the show, and by visiting Apple podcasts, and leaving an awesome review. It’s goodbye from me

Darryl: and it’s goodbye from him