
Why move to HTTPS?
- Google has plans to show a “Not secure” alert in Chrome’s URL bar for all HTTP pages in the not too distant future. When that happens, you don’t want your visitors to see it on your website.
- Google uses HTTPS as a ranking signal, which means you get SEO benefits from moving to HTTPS.
- SSL (Secure Sockets Layer) connections encrypt data passed between your visitors and your web server. This prevents potentially malicious third parties from doing any harm with your visitors’ information, because they can’t read the information when it is encrypted.
- Having that sweet, sweet green lock in the URL bar for your site is pretty sweet.
- Let’s Encrypt allows you to do it easily and for free, so there’s no more excuse not to.
1. Install SSL with Let’s Encrypt
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG). It makes it possible to obtain browser-trusted certificates for your domains at no cost that renew automatically.
To install an SSL certificate with Let’s Encrypt, simply log in to your cPanel, find the following icon in the security section and click on it:
Now just select the domain you want to install an SSL certificate on, enter your email address and click “Install”.
As long as you don’t get an error message, that’s it. It was that easy! Congrats, you’ve installed an SSL certificate! You can thank Let’s Encrypt for being awesome now, and if you’re really feeling generous, feel free to give them a donation.
Now just verify that your HTTPS is working by visiting your home page using HTTPS in the URL instead of HTTP in Chrome. If your URL remains as HTTPS (without redirecting) and you don’t see the following “Your connection is not private” error your SSL appears to be working properly:
2. Force SSL
Now that you have verified that HTTPS is working on your domain name you want to force WordPress to always use HTTPS. The easiest way to do this is to simply install and activate the WP Force SSL WordPress plugin.
Make sure to clear your WordPress and browser cache as needed until every URL to your WordPress site using HTTP redirects to HTTPS. If you run into any redirect issues, httpstatus.io is an incredibly useful tool for debugging them and uncovering unwanted redirect chains.
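The same redirect check can be scripted. This is an added example, not part of the original post: it follows a URL hop by hop and reports chains longer than one redirect, hops that drop back to HTTP, loops, and a final URL that is not HTTPS. The `example.test` hostnames and the sample hop table are constructed, and `audit_redirects` and `fetch_hop` are names chosen for this illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # give up after this many redirects

def fetch_hop(url):
    """One HEAD request, redirects not followed. Returns (status, Location or None)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, fetch=fetch_hop):
    """Follow the chain hop by hop; return (chain, problems)."""
    chain, problems, url = [start_url], [], start_url
    while len(chain) <= MAX_HOPS:
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # final response reached
        nxt = urljoin(url, location)  # Location may be relative
        if url.startswith("https://") and nxt.startswith("http://"):
            problems.append(f"downgrade from HTTPS to HTTP at {url}")
        looped = nxt in chain
        chain.append(nxt)
        if looped:
            problems.append(f"redirect loop back to {nxt}")
            break
        url = nxt
    if not chain[-1].startswith("https://"):
        problems.append("final URL is not HTTPS")
    if len(chain) > 2:
        problems.append(f"{len(chain) - 1} redirects in a row; one is enough")
    return chain, problems

# Constructed sample: a site that first adds "www" and only then switches to HTTPS.
SAMPLE_HOPS = {
    "http://example.test/": (301, "http://www.example.test/"),
    "http://www.example.test/": (301, "https://www.example.test/"),
    "https://www.example.test/": (200, None),
}

if __name__ == "__main__":
    print(audit_redirects("http://example.test/", fetch=SAMPLE_HOPS.get))
```

Calling `audit_redirects("http://yourdomain.com/")` without the `fetch` argument sends real HEAD requests to your own site.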
3. Update Links
Search Regex makes it a breeze to adjust all your links simultaneously so they work with HTTPS. Simply install and activate the free Search Regex plugin, then in your WordPress admin control panel go to Tools > Search Regex and enter the following:
First click on “Replace” to see what replacements are going to be made, then if it looks good hit “Replace & Save” to implement the changes.
4. Avoid Mixed Content Errors
Mixed content errors occur when pages on your site contain non-secure images, scripts and/or CSS files. When this happens, a warning message appears in your browser. Since you went through the trouble of moving to HTTPS, you’ll want to make sure to remove these so you can get that sweet, sweet green icon in Chrome’s URL bar!
The icon in Chrome’s URL bar changes from a green padlock to a grey information icon like in the following screenshot:
If you click on the information icon it yields the following report:
Scan your site for mixed content errors with JitBit’s free SSL-check tool and remove them all.
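To find the offending references in a page's HTML yourself, the following added example (not from the original post) parses markup and lists every sub-resource still loaded over `http://`. It separates scripts, stylesheets and frames from images and media, and skips ordinary links and canonical tags, which are not mixed content. The sample page is constructed, and `scan` and `MixedContentScanner` are names chosen for this illustration.

```python
from html.parser import HTMLParser

# Active sub-resources can change how the page behaves.
ACTIVE = {"script": ["src"], "iframe": ["src"], "object": ["data"], "link": ["href"]}
# Passive sub-resources are display-only (images, audio, video).
PASSIVE = {"img": ["src", "srcset"], "source": ["src", "srcset"],
           "audio": ["src"], "video": ["src", "poster"]}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as sub-resources
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for name in table.get(tag, []):
                for url in self._urls(name, attrs.get(name) or ""):
                    if url.lower().startswith("http://"):
                        self.findings.append((self.getpos()[0], kind, tag, url))

    @staticmethod
    def _urls(name, value):
        if name == "srcset":  # "url 1x, url 2x" -> the URL of each candidate
            return [c.split()[0] for c in value.split(",") if c.strip()]
        return [value.strip()]

def scan(html):
    """Return a list of (line, kind, tag, url) for every http:// sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page served over HTTPS.
SAMPLE = """<html><head>
<link rel="canonical" href="http://mywebsite.com/">
<link rel="stylesheet" href="http://mywebsite.com/style.css">
<script src="https://mywebsite.com/app.js"></script>
</head><body>
<a href="http://mywebsite.com/about">About</a>
<img src="http://mywebsite.com/files/logo.png"
     srcset="https://mywebsite.com/files/logo.png 1x, http://mywebsite.com/files/logo@2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```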
5. Move Your CDN to HTTPS
If you use a CDN (Cloudflare, MaxCDN, etc.) you will need to enable HTTPS on your CDN as well so when you include files from it you won’t get mixed content errors. Each CDN offers a different way to accomplish this so I won’t be going into detail on how to accomplish this here.
6. Verify HTTPS in Google Search Console
Since you are changing all of your site’s URLs, you will want Google to update its index of your website as fast as possible. So make sure your XML sitemap is updated with the new HTTPS URLs. Then verify ownership of your website with HTTPS in Google Search Console. First submit your updated XML sitemap index in Crawl > Sitemaps and then go to Crawl > Fetch as Google and “FETCH AND RENDER” your site’s homepage. Wait a little bit for it to complete and click the “Request indexing” button once it’s available, then select “Crawl this URL and its direct links” and click “Go” to help speed up Google’s indexing of your new HTTPS website URLs.
After a week or two, go incognito in Chrome and Google “site:yourdomain.com”. If you did everything correctly, the majority if not all of the results you see for your domain should have HTTPS at the beginning of their URLs.
7. Keep It Fast
Enabling HTTPS has a very minor negative impact on load time. So if your website was already particularly slow, this will make it ever so slightly worse. If you have any concerns about this, scan your website with GTmetrix (aim for a PageSpeed Grade of 90% or higher) and address all the reported issues you can to more than offset any negative impact on load time installing an SSL may have on your WordPress site.
Enjoy Encryption
Hopefully this guide was helpful to you. If I missed anything or if you need any further explanation please let me know about it in the comments!
A better, faster as well as a free option to encrypt would be to use Cloudflare’s universal SSL. Enabling HTTPS in WordPress using Cloudflare is a piece of cake whereas setting up and installing Let’s Encrypt is a PITA if you don’t have that option in your cPanel.
I agree Cloudflare is a spectacular option for many scenarios. It can be a hassle in some respects though. If you simply want to move to HTTPS and nothing else and you do have the option in your cPanel, using Let’s Encrypt is preferable. If you’re willing to update your nameservers to point to Cloudflare and you want or at least don’t mind having all of the add-on services Cloudflare comes bundled with it makes a lot of sense as an alternate option.
Thank you so much for this post. The information is very timely, useful and easy to understand. 🙂
You’re welcome, I’m glad to hear it!
Hi Andy,
Thanks for sharing this precious information.
Thank you for this tutorial. I’ve bookmarked it, as I’m planning to move my blog to HTTPS. So if I finally decide to move on, I will just follow this guide. 🙂
First, thank you very much, I wanted to do that but I was not sure. Your post helped me a lot 🙂
About mixed content error, you say: “Scan your site for mixed content errors with JitBit’s free SSL-check tool and remove them all.”
But how can I remove this error?
For example, there is an error for the logo of my website: http://mywebsite.com/files/logo.png
Best Regards
You’re welcome Ben, glad to hear it helped you out!
To fix that you simply need to reference the logo via https instead of http, so it would be https://mywebsite.com/files/logo.png instead of http://mywebsite.com/files/logo.png and that would prevent the mixed content error from happening. A mixed content error is the result of loading insecure files on an otherwise secure page.
Andy is right. Amazing so many webmasters don’t know that CloudFlare will not encrypt connection from origin server to CloudFlare edge location. So, it’s fake SSL and hackable if you don’t have SSL in your server. You can use the new Force HTTPS plugin with CloudFlare, and it supports image srcset and internal links too, try it if you will: https://wordpress.org/plugins/force-https-littlebizzy/
Hello! Does it work properly for wp multisites too?
I assume you mean Let’s Encrypt? If so, yes but you will have to set it up for each unique domain individually.
Hello, I went into settings and changed http to https and now I am locked out of WordPress completely. Do you have a solution to this, as it is a client’s website and I am concerned I have lost everything completely. Nick