Moving WordPress to HTTPS with Let's Encrypt

Why move to HTTPS?

  • Google has plans to show the following “Not secure” alert in Chrome’s URL bar for all HTTP pages in the not too distant future. When it does happen you don’t want your visitors to see this on your website:
    Chrome HTTP Future Not Secure Warning Alert
  • Google uses HTTPS as a ranking signal, which means you get SEO benefits from moving to HTTPS
  • SSL (Secure Sockets Layer) connections encrypt data passed between your visitors and your web server. This prevents potentially malicious third parties from doing any harm with your visitors’ information, because they can’t read the information when it is encrypted.
  • Having that sweet, sweet green lock in the URL bar for your site is pretty sweet.
  • Let’s Encrypt allows you to do it easily and for free, so there’s no more excuse not to.

1. Install SSL with Let’s Encrypt

Let's Encrypt - Free SSL/TLS Certificates

What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG). It makes it possible to obtain browser-trusted certificates for your domains at no cost that renew automatically.

To install an SSL certificate with Let’s Encrypt, simply log in to your cPanel, find the following icon in the security section and click on it:

Let's Encrypt cPanel Icon

Now just select the domain you want to install an SSL certificate on, enter your email address and click “Install”.

One Click SSL Installation for Free in cPanel

As long as you don’t get an error message, that’s it. It was that easy! Congrats, you’ve installed an SSL certificate! You can thank Let’s Encrypt for being awesome now, and if you’re really feeling generous, feel free to give them a donation.

Now just verify that HTTPS is working by visiting your home page in Chrome using HTTPS in the URL instead of HTTP. If your URL remains as HTTPS (without redirecting) and you don’t see the following “Your connection is not private” error, your SSL appears to be working properly:

No SSL Chrome Error Message

2. Force SSL

Now that you have verified that HTTPS is working on your domain name, you want to force WordPress to always use HTTPS. The easiest way to do this is to simply install and activate the WP Force SSL WordPress plugin.

WP Force SSL WordPress Plugin

Make sure to clear your WordPress and browser cache as needed until every URL to your WordPress site using HTTP redirects to HTTPS. If you run into any redirect issues, httpstatus.io is an incredibly useful tool for debugging them and uncovering unwanted redirect chains.
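The same redirect check can be scripted. This is an added example, not part of the original post: `fetch_head` and `audit_redirects` are hypothetical names, and the `SAMPLE` responses are constructed stand-ins for a live site on the placeholder domain example.com.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def fetch_head(url):
    """Send one HEAD request; return (status, Location) without following it."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, fetch=fetch_head, max_hops=10):
    """Follow redirects hop by hop; return (chain, issues)."""
    chain, issues = [start_url], []
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(chain[-1]).scheme == "https" and urlsplit(nxt).scheme == "http":
            issues.append(f"downgrade to HTTP: {chain[-1]} -> {nxt}")
        looped = nxt in chain
        chain.append(nxt)
        if looped:
            issues.append(f"redirect loop at {nxt}")
            break
    else:
        issues.append(f"gave up after {max_hops} redirects")
    if urlsplit(chain[-1]).scheme != "https":
        issues.append(f"final URL is not HTTPS: {chain[-1]}")
    if len(chain) > 2:
        issues.append(f"chain of {len(chain) - 1} redirects; send the first hop straight to the final URL")
    return chain, issues

# Constructed responses standing in for a live site (example.com is a placeholder)
SAMPLE = {
    "http://example.com/": (301, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "http://example.com/old": (200, None),
    "http://example.com/a": (301, "https://example.com/a"),
    "https://example.com/a": (302, "http://example.com/a"),
}

if __name__ == "__main__":
    print(audit_redirects("http://example.com/", fetch=SAMPLE.get))
```

Called without the `fetch` argument, `audit_redirects` sends real HEAD requests to the URL you pass in.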

3. Update Links

Search Regex makes it a breeze to adjust all your links simultaneously so they work with HTTPS. Simply install and activate the free Search Regex plugin, then in your WordPress admin control panel go to Tools > Search Regex and enter the following:

Make Links Relative with Search Regex

First click on “Replace” to see what replacements are going to be made, then if it looks good hit “Replace & Save” to implement the changes.

4. Avoid Mixed Content Errors

Mixed content errors occur when pages on your site contain non-secure images, scripts and/or CSS files. When this happens, a warning message appears in your browser. Since you went through the trouble of moving to HTTPS, you’ll want to make sure to remove these so you can get that sweet, sweet green icon in Chrome’s URL bar!

The icon in Chrome’s URL bar changes from a green padlock to a grey information icon like in the following screenshot:

Mixed Content Warning Chrome URL Icon Changes

If you click on the information icon it yields the following report:

Google Chrome Mixed Content Error Message

Scan your site for mixed content errors with JitBit’s free SSL-check tool and remove them all.
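To check a single page's HTML yourself, the following added example (not part of the original post or of JitBit's tool) lists every image, script, stylesheet or frame that would still load over plain HTTP from an HTTPS page. `MixedContentFinder` and `find_mixed_content` are hypothetical names, and the sample page and example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that fetch a subresource; <a href> is navigation, so it is ignored.
SUBRESOURCE_ATTRS = {
    "img": ["src", "srcset"], "source": ["src", "srcset"],
    "script": ["src"], "iframe": ["src"], "embed": ["src"],
    "video": ["src", "poster"], "audio": ["src"], "object": ["data"],
}
ACTIVE_TAGS = {"script", "link", "iframe", "embed", "object"}  # can alter the page

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = SUBRESOURCE_ATTRS.get(tag, [])
        if tag == "link":  # only stylesheets and icons are fetched for display
            rel = set((attrs.get("rel") or "").lower().split())
            names = ["href"] if rel & {"stylesheet", "icon"} else []
        for name in names:
            value = attrs.get(name) or ""  # srcset: comma-separated "URL size" list
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value])
            for url in urls:
                absolute = urljoin(self.page_url, url.strip())  # resolves // and /
                if urlsplit(absolute).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((self.getpos()[0], tag, kind, absolute))

def find_mixed_content(page_url, html):
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (example.com is a placeholder domain)
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script></head><body>
<img src="http://example.com/files/logo.png">
<img src="/files/banner.png" srcset="http://example.com/files/banner-2x.png 2x">
<a href="http://example.org/">external link</a></body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://example.com/", SAMPLE_HTML), sep="\n")
```

Each finding names the line and tag to edit; changing the reported URL to `https://` or to a relative path clears it.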

5. Move Your CDN to HTTPS

If you use a CDN (Cloudflare, MaxCDN, etc.) you will need to enable HTTPS on your CDN as well, so that files you include from it don’t cause mixed content errors. Each CDN offers a different way to accomplish this, so I won’t be going into detail on it here.

6. Verify HTTPS in Google Search Console

Since you are changing all of your site’s URLs, you will want Google to update their index of your website as fast as possible. So make sure your XML sitemap is updated with the new HTTPS URLs. Then verify ownership of your website with HTTPS in Google Search Console. First submit your updated XML sitemap index in Crawl > Sitemaps and then go to Crawl > Fetch as Google and “FETCH AND RENDER” your site’s homepage. Wait a little bit for it to complete and click the “Request indexing” button once it’s available, then select “Crawl this URL and its direct links” and click “Go” to help speed up Google’s indexing of your new HTTPS website URLs.

After a week or two, go incognito in Chrome and Google “site:yourdomain.com”. If you did everything correctly, the majority if not all of the results you see for your domain should have HTTPS at the beginning of their URLs.

7. Keep It Fast

Enabling HTTPS has a very minor negative impact on load time. So if your website was already particularly slow, this will make it ever so slightly worse. If you have any concerns about this, scan your website with GTmetrix (aim for a PageSpeed Grade of 90% or higher) and address all the reported issues you can, to more than offset any negative impact on load time that installing an SSL certificate may have on your WordPress site.

Enjoy Encryption

Hopefully this guide was helpful to you. If I missed anything or if you need any further explanation please let me know about it in the comments!

11 COMMENTS

  1. A better, faster as well as a free option to encrypt would be to use Cloudflare’s universal SSL. Enabling HTTPS in WordPress using Cloudflare is a piece of cake whereas setting up and installing Let’s Encrypt is a PITA if you don’t have that option in your cPanel.

    • I agree Cloudflare is a spectacular option for many scenarios. It can be a hassle in some respects though. If you simply want to move to HTTPS and nothing else and you do have the option in your cPanel, using Let’s Encrypt is preferable. If you’re willing to update your nameservers to point to Cloudflare and you want or at least don’t mind having all of the add-on services Cloudflare comes bundled with it makes a lot of sense as an alternate option.

  2. Thank you for this tutorial. I’ve bookmarked it, as I’m planning to move my blog to HTTPS. So if I finally decide to move on, I will just follow this guide of yours. 🙂

  3. First, thank you very much, I wanted to do that but I was not sure. Your post helped me a lot 🙂

    About mixed content error, you say: “Scan your site for mixed content errors with JitBit’s free SSL-check tool and remove them all.”
    But how can I remove this error?
    For example, there is an error for the logo of my website: http://mywebsite.com/files/logo.png

    Best Regards
