So here’s the bottom line: you must have a consistent, working SSL implementation on your website. Failure to do so will result in punishment by Google and the inability to function with PayPal and Stripe.
In this post, I’m not going to go into how to set up a SSL for your site. Instead, I’m going to show you what I look at when trying to diagnose SSL problems on a site that’s already supposed to be up to speed with SSL.
How SSL are you?
The first thing I like to do is use an outside tool to diagnose how SSL compliant a given site is. There’s a great tool from SSL Labs that will tell you the tale.
The way you use it is click the link here and enter your full site URL into the test field. Hit Submit and wait a few minutes. What you want to see are all green bars. But, specifically, what you’re looking for is whether your site is TLS 1.2 compliant. If it’s not, PayPal and Stripe won’t work. Period.
If it turns out your site has SSL errors, see your hosting provider. You’ll need to get those fixed before you can move on.
Is your donation page behaving?
Next up is a tool that can help determine if your page assets are properly using https. One way to know if you need to check into this is if your donation form reports “This form is not secure. Autofill has been turned off.”
When you get this notice, it means your browser has determined that you’re mixing secure and insecure assets (often because you’re intermixing https and http URLs).
A good way to find out what resources are causing these issues (or, at least, what resources are triggering the error) is Why No Padlock? Just click the link, and paste in your donation page URL. Make sure to tell the tool you’re no robot, and hit Test Page.
How mixed are you?
This next trick is easy, but might seem scary. What you’ll need to do is navigate to your donation page, right click, and select View Page Source. This will open up a very busy page with a lot of HTML code.
Don’t worry. You’re not expected to read the code.
But what you should do is choose Find on Page (or just Find — but not Find on Web), and search for http://. Just toggle your way down the search and you’ll see how many links might be problematic. In particular, you want to see whether or not links to your site (the site you’re checking) has http links instead of https links.
Now, while you’re here, open that same Find option and paste in the following (exactly as I’ve written it below):
Right after that, you’ll see action= and the URL to your donation page. If that URL does not begin with https, you’ve discovered a key piece puzzle why you’re getting those error messages.
Go ahead and close the source window or tab. We’re done there.
Backup or cry
So far you’ve just been investigating. Now you’re about to make changes to your site. Trust me on this. Everything could go to hell.
You must backup your site first. In fact, back it up a few times. In fact, if you’re not regularly backing up your site, you’re flirting with disaster.
But here’s the thing: the changes you’re about to make could nuke things. Make a backup so you have a chance of recovery.
Don’t say I didn’t warn you.
Easy fix: did you set your site to be https?
This one is easy, at least in execution. In the WordPress dashboard, click on Settings (not the Seamless Donations settings, but the main WordPress Settings on the dashboard). Then click General.
Right at the top, you’ll see the following fields:
- WordPress Address (URL)
- Site Address (URL)
Make sure these both begin with https. Scroll down, Save Changes, and hopefully you haven’t nuked your site.
Go ahead and retry the donation form. Maybe it’ll work.
The next tool is a plugin you can install on your site. Sadly, it hasn’t been updated for two years. But even so, it generally works well.
Go ahead and install WordPress Force HTTPS.
What this thing does is exactly what it says on the label: it forces your WordPress to be HTTPS. Sometimes it works. Sometimes it doesn’t.
May the Force be with you. And go ahead and retry the donation form.
Search and replace http with https
Next up is a tool called Better Search and Replace, from the brains at Delicious Brains. I can’t say enough good about those guys. They know their stuff, especially when it comes to migration and WordPress site internals. I’ve been a customer of their WP Migrate DB Pro for years.
Before we get into brain surgery on your site, go ahead and visit the Delicious Brains blog. It is a wealth of WordPress site management information. At the bottom of that page, they have a signup form and it’s worth it. I’ve learned a lot from the email updates that show up every week or so.
While you’re at it, look up at the upper-right portion of this page. There’s a Lab Notes subscription section. It’s a very good idea to sign up for my updates as well.
So now it’s time to search out all the http and replace it with https. Once you’ve installed Better Search and Replace, you’re going to want to replace anything that’s “http://yoursitedomain.com” with “https://yoursitedomain.com” (without the quotes, ‘natch).
In the tables area, you’ll want to select (at minimum) wp_postmeta and wp_posts. Don’t forget that things like pages and custom post types are all stored in the wp_posts table.
Go ahead and do your search (or do a dry run). You’ll also probably want to search for the www variants and clean those up as well.
Hopefully all went well. Test your site extensively here. Restore from those backups if it melted into a pile of goo.
If some or all of these steps resolved your SSL problems, life is good. If not, you’ve now passed into professional IT admin territory. There’s not much more I can teach you. If you’re still experiencing issues at this point, it’s time to hire a WordPress pro to help you out.
Good luck. I hope this helped.