I recently converted SpearsMarketing.com (and several other client sites) over to HTTPS, and while the process wasn’t difficult, there are several involved steps, so I thought it a good idea to write up a tutorial on the process I used to secure these sites and convert them over.
First of all, let’s talk what the HTTPS protocol and an SSL certificate are and why it’s important to secure your site with them.
What is HTTPS & SSL?
HTTPS stands for Hyper Text Transfer Protocol Secured and is an application protocol created to secure website communication. It is designed to protect the privacy and integrity of data exchanged online. In order to enable this protocol, a Secure Sockets Layer Certificate (SSL) must be installed on your server.
Originally HTTPS was only used if you were selling items on your website, but Google and others have made a huge push of late to encrypt the entire web, both for security, site speed, and ranking factors.
It used to be fairly difficult to convert a website over to HTTPS if it was not originally installed, but thanks to initiatives such as HTTPS Everywhere and Let’s Encrypt, the process has become much simpler and less expensive.
How to Setup HTTPS on WordPress
Since all the websites I have personally converted over to HTTPS are built on WordPress, this tutorial will be geared towards that. The process will be similar for non-WP sites, but your milage may vary.
1. Install an SSL Certificate on Your Server
The first step in securing your website is to install an SSL certificate on your server. Depending on your web host and their user setup configuration, you may be able to do it yourself or have them install it for you. I recommend using Let’s Encrypt, because it’s super easy, many hosts have a one-click install for it, and best of all, it’s free!
Before Let’s Encrypt, an SSL certificate used to cost upwards of $100 per year. But now, the prices have come down quite a bit, as the companies charging those amounts can’t compete with free. 🙂
2. Update Your WordPress Address & Site Address (URL) to Use HTTPS
After your SSL certificate is installed, you’ll need to update your URLs to use the new HTTPS protocol instead of the old HTTP standard. To do this you’ll need to login to your website’s dashboard and navigate to Settings > General. Once their you’ll see option to change both your WordPress Address (URL) and your Site Address (URL). Update those to use HTTPS instead of HTTP. Save your changes. You will most likely be automatically logged out of your site and will have to re-login.
Guess what… your website is now secured! But, we’re not finished yet. There are still several other steps that must be taken so you don’t have any broken links and so everything redirects correctly.
3. Update Your Website Database to Use HTTPS
If you don’t mind getting your hands dirty in the database, login to your site’s phpMyAdmin and perform a search for all instances of your HTTP URL and replace it with HTTPS. But if you’re not comfortable editing your database, you should probably have your hosting provider handle this step for you.
Another do-it-yourself option is to install a plugin that can search for all instances of your URL using the HTTP protocol and replace it with the new HTTPS. A few plugins that can do this are:
I personally used the Search Regex plugin, but it did not find all instances of HTTP in use, as there were still mixed content warnings showing up on the front end of the site when inspecting via Chrome Dev Tools. You will probably need to double check and make sure that any hardcoded links are updated to HTTPS. These may include:
-media files
-menus
-widgets
-URL shorteners or tracking on site
Depending on how your WordPress theme is coded, you may also need to update your theme files to use your new secured URL. It’s always a good idea to check and see.
Once you’re sure all URLS on your site have been replaced to use HTTPS, it’s time setup redirects.
4. Setup 301 Redirects & Canonical for all Traffic to Use HTTPS
You definitely want to setup a 301 redirect for all incoming links and traffic using HTTP to redirect to the secured version, otherwise Google may see your site as duplicated since both versions (http & https) will be accessible and indexed.
The type of server you are on will determine how you do this. If your server is using Apache, you’ll create the redirect via the .htaccess file. If using Nginx, you’ll need to create a rewrite rule in your Nginx config file.
Unless you just love administering your own sever, I’ve found that it’s best to let your hosting provider handle this step for you.
5. Update Google Analytics & Google Search Console
When you move your site over to HTTPS, you’ll need to update your Google Analytics settings. To do this, login to your Google Analytics account and navigate to your admin settings. You’ll need to update your preferred URL in two places. The first is under Property > Property Settings > Default URL, and the second is under View > View Settings > Website’s URL. Change the URL to use HTTPS and save your settings.
Likewise, you’ll also need to update Google Search Console (formerly Google Webmaster Tools). Unfortunately, you can’t just change the preferred URL like you did in your Google Analytics settings, but instead need to add a new property that uses HTTPS instead of the original HTTP. You will set this up the same way you created your account originally. You will need to reverify ownership of this new property (preferably using your attached Google Analytics account). Make sure to submit your XML sitemap under Crawl > Sitemaps, then fetch and render it to make sure Google sees it correctly.
Once you have completed these steps, you can delete the old HTTP version of your site from Google’s Search Console.
Miscellaneous Steps to Complete
The previous 5 steps are essential for your website to function correctly when converting from HTTP to HTTPS, but there are still a few things you may or may not need to update, depending on how your website is configured.
CDN: If you are using a content delivery network (CDN) to help speed up your site, you’ll also need to install an SSL certificate over there and update the zone aliases.
DNS: If you have custom CNAME or DNS records for your site, you may need to update them to account for the URL change.
Caching Plugin: If you have a caching plugin like WP Rocket, then you’ll probably need to update it’s settings and purge the cache so it will update and display correctly.
Update External Links: You’ll want to update any off-site websites or backlinks to the new secured URL, such as social media, your email marketing provider, and links from any other websites or blogs that are under your control.
Update Scripts & Fonts to HTTPS: If you are running any ads, custom scripts or fonts, you’ll want to make sure they are aware of the change to your site. You may need to manually update these items or the company running them might have to do it for you.
Lastly, it’s probably a good idea to search for any broken links on your site. Hopefully there aren’t any, but it’s always better to be safe than sorry.
Final Thoughts on Using HTTPS
While not difficult to setup, converting over to HTTPS can be a tedious process. Once you’ve completed all the steps listed above, you might want to run your site through a service such as Security Headers to make sure that everything has been configured properly and your site is fully secure.
For some additional reading, Google employee John Mueller has some great tips on moving from HTTP to HTTPS. Key CDN has an excellent tutorial on HTTPS migration as well.
If you’re worried about losing your social media share counts when migrating over, this tutorial might offer some guidance.
Have you migrated your website over to HTTPS yet? If not, what are you waiting for?
Daniel says
Working on it. Trying to avoid paying someone to do it for me. Thanks for the post!
Daniel Dessinger says
Thanks again for this article, Seth. I did this with our website on Synthesis Hosting and it wasn’t as scary as I thought it would be. I was just about to pay a developer to do this for me, and he quoted me a minimum of $750 to do it. Thanks for saving us some money.
Seth Spears says
Glad you found it useful. I’ll send you a bill for $450 and you’ll still have saved $300 😉
Kim says
This was incredibly helpful! It took me all day but I’ve finally got padlocks. Thank you.
Seth Spears says
Glad to hear it! I took a look at your site and it looks like you might have some display issues on the homepage under the “Free Patterns” section. I don’t think it has anything to do with converting to https, but you’ll probably want to look into fixing it all the same.
TommyD says
OK, here is a weird one. I have a site with 70 WordPress pages and almost 1,300 PDFs which between then have almost 12,000 pages of historical info back to 1912. Half of the PDFs have 1 page, a few have over 100 pages, the rest are in between. Nearly all of the WordPress pages contain URLs pointing to the PDFs. I made the general setting changes, and then I manually changed the URLs on one (non-mission critical) WordPress page from HTTP to HTTPS [so that we had 4 URLs reading “HTTPS://domain/path/filename.PDF”]. The links to the PDFs broke. I reversed all changes and they are still broken. I have searched everywhere and no forum seems to know anything, nor does Adobe. Your thoughts Seth?
P.S. I went crawling through the WordPress file folders and I saw nothing that would have clued me in regard any change of path.
Seth Spears says
That is strange. I don’t actually recommend storing pdfs on the server. My preferred method is to use a third-party storage option like Amazon S3, Dropbox, or Google Drive. That way when a directory change like this happens, they links don’t change. But that obviously doesn’t help in this instance, unless you want to change all the links, which would be a lot of work in this instance…
TommyD says
I assumed I was going to have to change the links anyway. I will investigate those options, thanks.