Why move to HTTPS?
- Google has plans to show the following “Not secure” alert in Chrome’s URL bar for all HTTP pages in the not too distant future. When it does happen you don’t want your visitors to see this on your website:
- Google uses HTTPS as a ranking signal, which means you get SEO benefits from moving to HTTPS
- SSL (Secure Sockets Layer) connections encrypt data passed between your visitors and your web server. This prevents potentially malicious third parties from doing any harm with your visitors’ information, because they can’t read the information when it is encrypted.
- Having that sweet, sweet green lock in the URL bar for your site is pretty sweet.
- Let’s Encrypt allows you to do it easily and for free, so there’s no more excuse not to.
1. Install SSL with Let’s Encrypt
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG). It makes it possible to obtain browser-trusted certificates for your domains at no cost, and they renew automatically.
To install an SSL certificate with Let’s Encrypt, simply log in to your cPanel, find the following icon in the security section and click on it:
Now just select the domain you want to install an SSL certificate on, enter your email address and click “Install”.
As long as you don’t get an error message, that’s it. It was that easy! Congrats, you’ve installed an SSL certificate! You can thank Let’s Encrypt for being awesome now, and if you’re really feeling generous feel free to give them a donation.
Now just verify that your HTTPS is working by visiting your home page using HTTPS in the URL instead of HTTP in Chrome. If your URL remains as HTTPS (without redirecting) and you don’t see the following “Your connection is not private” error your SSL appears to be working properly:
2. Force SSL
Now that you have verified that HTTPS is working on your domain name you want to force WordPress to always use HTTPS. The easiest way to do this is to simply install and activate the WP Force SSL WordPress plugin.
Make sure to clear your WordPress and browser cache as needed until every URL to your WordPress site using HTTP redirects to HTTPS. If you run into any redirect issues httpstatus.io is an incredibly useful tool for debugging them and uncovering unwanted redirect chains.
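To check the redirects from step 2 from the command line, the following added example (not part of the original guide) follows a URL one hop at a time and reports loops, chains of more than one redirect, and URLs that never reach HTTPS. The names `http_fetch`, `trace_redirects` and `sample_fetch` and the example.com responses are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def http_fetch(url, timeout=10):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Follow redirects hop by hop; return (chain, problems)."""
    chain, problems, seen, url = [], [], set(), start_url
    while True:
        if url in seen:
            problems.append("redirect loop at " + url)
            break
        if len(chain) >= max_hops:
            problems.append("gave up after %d hops" % max_hops)
            break
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    final_url = chain[-1][0]
    if urlsplit(final_url).scheme != "https":
        problems.append("final URL is not HTTPS: " + final_url)
    if len(chain) > 2:
        problems.append("redirect chain of %d hops" % (len(chain) - 1))
    return chain, problems

# Constructed responses (example.com is a placeholder), so this runs offline.
SAMPLE = {
    "http://example.com/": (301, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "http://example.com/old": (302, "/old"),
    "http://example.com/plain": (200, None),
}
def sample_fetch(url):
    return SAMPLE[url]
```

Call `trace_redirects("http://yourdomain.com/")` with the default fetcher to test a live site; an empty problems list means the URL reached HTTPS in a single redirect.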
3. Update Links
Search Regex makes it a breeze to adjust all your links simultaneously so they work with HTTPS. Simply install and activate the free Search Regex plugin, then in your WordPress admin control panel go to Tools > Search Regex and enter the following:
First click on “Replace” to see what replacements are going to be made, then if it looks good hit “Replace & Save” to implement the changes.
4. Avoid Mixed Content Errors
Mixed content errors occur when pages on your site contain non-secure images, scripts and/or CSS files. When this happens a warning message appears in your browser. Since you went through the trouble of moving to HTTPS you’ll want to make sure to remove these so you can get that sweet, sweet green icon in Chrome’s URL bar!
The icon in Chrome’s URL bar changes from a green padlock to a grey information icon like in the following screenshot:
If you click on the information icon it yields the following report:
Scan your site for mixed content errors with JitBit’s free SSL-check tool and remove them all.
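A local check for the same problem, as an added example that is not part of the original guide: it parses a page's HTML and lists every image, script, stylesheet or frame that would still load over plain HTTP, while ignoring ordinary links. The function name `find_mixed_content`, the active/passive labels and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Plain <a href> links are navigation, not mixed content, so they are absent.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
# Active content can change the whole page; browsers block it outright.
ACTIVE_TAGS = {"script", "iframe", "link", "embed", "object"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            # Only <link> elements that load a file count (not rel=canonical).
            names = ["href"] if rel & {"stylesheet", "icon", "preload"} else []
        else:
            names = [a for t, a in SUBRESOURCE_ATTRS if t == tag]
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) references
            # against the page URL, as the browser would.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; example.com and example.net are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="//cdn.example.net/lib.js"></script></head><body>
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.png" />
<a href="http://other.example.org/">external link</a></body></html>"""
```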
5. Move Your CDN to HTTPS
If you use a CDN (Cloudflare, MaxCDN, etc.) you will need to enable HTTPS on your CDN as well so when you include files from it you won’t get mixed content errors. Each CDN offers a different way to accomplish this so I won’t be going into detail on how to accomplish this here.
6. Verify HTTPS in Google Search Console
Since you are changing all of your site’s URLs you will want Google to update their index of your website as fast as possible. So make sure your XML sitemap is updated with the new HTTPS URLs. Then verify ownership of your website with HTTPS in Google Search Console. First submit your updated XML sitemap index in Crawl > Sitemaps and then go to Crawl > Fetch as Google and “FETCH AND RENDER” your site’s homepage. Wait a little bit for it to complete and click the “Request indexing” button once it’s available, then select “Crawl this URL and its direct links” and click “Go” to help speed up Google’s indexing of your new HTTPS website URLs.
After a week or two go incognito in Chrome and Google “site:yourdomain.com” and if you did everything correctly the majority if not all of the results you see for your domain should have HTTPS at the beginning of their URLs.
7. Keep It Fast
Enabling HTTPS has a very minor negative impact on load time. So if your website was already particularly slow, this will make it ever so slightly worse. If you have any concerns about this, scan your website with GTmetrix (aim for a PageSpeed Grade of 90% or higher) and address all the reported issues you can to more than offset any negative impact on load time that installing an SSL certificate may have on your WordPress site.
Hopefully this guide was helpful to you. If I missed anything or if you need any further explanation please let me know about it in the comments!