In this tutorial, I’ll explain why you need to secure your campaign website with HTTPS (and soon) and how to generate the SSL certificate (for free) you need.
There’s a chance your website or one of your client’s is not on HTTPS. I did a brief audit of some of the most competitive congressional races in the country and found that half of them were not using HTTPS.
There are a number of different methods to secure your website with HTTPS, but I’ve chosen this one because it’s free, easy, and quick!
Experience Level: Novice
Prerequisites: Login to domain registrar (example: GoDaddy)
Time: 15 minutes
Cost: Free (with paid options)
Notes: There is no down time for your website.
What is HTTPS?
For our purposes, you just need to know that HTTPS means that a website is secured by a cryptographic protocol that prevents hackers from inserting malicious code into or extracting private data from your website.
Go to the top of the browser you’re reading this in right now and you’ll see that the URL is https://learntestoptimize.com. This means the site is secured with a SSL certificate. A site using just “http://…” is not secure.
Why does it matter?
Search engines and web browsers put a premium on websites using HTTPS. Google, for example, will give your website a slight boost in search rankings if it is secured with SSL. They even announced recently that in July 2018, the Chrome web browser will “mark all http websites as ‘not secure.'”
But I thought my campaign website was already secure?
It probably was at one point. Advances in technology mean that the older methods for securing websites are no longer valid. In fact, in my brief audit of websites, I found that elected officials who have been in office for 4+ years were more likely to have unsecured political websites.
Set up your free Cloudflare account
Cloudflare is a web performance and security service that I install on all of my websites. In addition to the security benefits we’ll discuss here, it offers a number of free features like helping your website stay up during heavy traffic loads from a crush of visitors.
Next, add your website.
While that’s loading, go to your domain registrar and open the DNS settings.
I’ll use GoDaddy as the example here since it’s the most common, but every registrar will have a section for DNS settings.
Back to Cloudflare, compare the two DNS records.
You’ll want to make sure that all of the addresses, letters, and numbers shown on Cloudflare match those on GoDaddy. It’s rare that they wouldn’t. Then confirm.
Now, you’re given the option of choosing plans. A free plan is fine in this case, but the $20/month Pro plan comes with some nice features.
Back at GoDaddy, update your name servers to the values provided to you by Cloudflare.
You’re now done with GoDaddy for this tutorial and any future edits you or a vendor need to make to DNS records will be done through Cloudflare. You’ll still need to renew your domain registration through GoDaddy.
In Cloudflare, click the blue “Crypto” icon at the top of your screen.
Now, select “Full” from the SSL drop down and a certificate will be applied.
You also have the option to get a “dedicated certificate,” but in most cases the shared certificate will be fine. Wait for the status to change to “Active Certificate” and check your website. You’ll now see your website has https in the URL, indicating that it’s secure:
You’ll note that I’m still getting a warning that says some parts of my website are “not secure.” This simply means that I’ve got some elements, like embedded forms or images that aren’t being served over https and this is usually an easy fix by adding “s” to the http in the URL of the item embedded.
Questions? Let me know in the comments.