How to Secure Magento 1 or 2 eCommerce Site in 2017?

Ron Peled 4:06 pm

If you are running an eCommerce site, you must read this now: very soon, in February 2017, any non-secure page will produce a nasty warning for users! The warning will say "Your connection to this site is not fully secure", and browsers will soon actually show it, starting with Google Chrome.

What do I need to do in order to avoid this? It is simple, actually: change all your http pages to https, which are the secure pages of your site. The good news is that if you run an eCommerce site, you are likely to have SSL enabled on your server already, since you must use it for checkout. The only change is that you now need to use this type of secure connection on every page and for every file served from your server in order to avoid the warning.

How can I secure all pages for Magento 1 or Magento 2 sites?

Note that the process for securing your site is very similar for both Magento 1 and Magento 2, so I will discuss it once, but know that it applies to both versions. The reason it is so similar is that the secure connection is mostly a matter of how your server is set up; Magento just sends content over the secure or non-secure channel, and we control which one.

The first thing you want to do is head over to your system configuration area and set the https version of your URL in both the base_url unsecure and base_url secure settings. Both of them should point to the secure version of your site.

Now you’ll want to head to your home page and check whether the alert is gone. In most cases it will still be there, because the home page usually uses a content block, banner manager, etc., which then includes an image file in a non-secure way (http). So what you want to do at this point is edit your pages and blocks under the CMS menu in the admin panel of Magento 1, or under the Content menu in the admin panel of Magento 2. When you edit the pages, make sure that every image and every file include is using the https prefix, something like Another way to allow the right protocol to be used is by starting the includes with // like so: // but it is way safer and covers a lot more browser versions if you simply use the full prefix. You will need to visit most of your pages and make sure they are all using those secure file includes.

The next step is to check your CSS: make sure that all your image includes for backgrounds or image sprites use the secure connection to the file. This can be done easily by searching for the string ‘http:’ in all of your CSS files. Replace any such instance with ‘https:’ and you should be good to go. Obviously this step may require manual checking and proper testing, but you get the idea.
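To make the manual checks on CMS pages, blocks and CSS files repeatable, here is an added example (not part of the original post) that scans text for sub-resources still loaded over http. The `shop.example` URLs and the sample content are constructed; note that plain links, `rel=canonical` and XML namespaces are not flagged, which is why a blind search-and-replace of ‘http:’ needs review.

```python
import re

# Tags that load sub-resources; <a href="http://..."> is navigation and does not
# trigger a mixed-content warning, so anchors are deliberately not listed.
TAG_RE = re.compile(r"<(img|script|iframe|source|embed|video|audio|link)\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(?<![\w-])(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)""", re.I)
CSS_RE = re.compile(r"""(?:url\(\s*["']?|@import\s+["'])(http://[^"')\s]+)""", re.I)


def find_insecure(text):
    """Return sorted (line, kind, url) tuples for sub-resources loaded over http."""
    def line_of(pos):
        return text.count("\n", 0, pos) + 1

    hits = []
    for tag in TAG_RE.finditer(text):
        # <link> only loads a sub-resource when it is a stylesheet (not rel=canonical).
        if tag.group(1).lower() == "link" and "stylesheet" not in tag.group(0).lower():
            continue
        for attr in ATTR_RE.finditer(tag.group(0)):
            hits.append((line_of(tag.start() + attr.start()), tag.group(1).lower(), attr.group(1)))
    # url(...) and @import cover CSS files and inline style attributes alike.
    for css in CSS_RE.finditer(text):
        hits.append((line_of(css.start()), "css", css.group(1)))
    return sorted(hits)


# Constructed sample: a CMS block followed by a stylesheet fragment.
SAMPLE = """\
<a href="http://partner.example/">Partner</a>
<img src="http://shop.example/media/banner.jpg" alt="Sale">
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://shop.example/skin/print.css">
<div style="background: url('http://shop.example/media/bg.png')"></div>
<svg xmlns="http://www.w3.org/2000/svg"></svg>
.sprite { background: url(http://shop.example/skin/sprite.png) no-repeat; }
@import "http://shop.example/skin/base.css";
"""

if __name__ == "__main__":
    for line, kind, url in find_insecure(SAMPLE):
        print(f"line {line}: {kind}: {url}")
```

Run it against exported CMS content or theme CSS files by passing each file's text to `find_insecure`; an empty result means no http sub-resources were found by these patterns.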

Once all of your pages show the new green ‘secure’ alert, you are good to go and ready for a great 2017.



About Ron Peled

Builder of things. Builder of teams. Passion: eCommerce & Marketplaces. Magento expert. CTO Mentor.