How to switch your site in WordPress from HTTP to HTTPS?
The complete guide step by step to make the change according to the rules of art.
This tutorial is also the most complete on the right method to adopt to properly pass a site from HTTP to HTTPS. Almost all of the information available on this subject is currently erroneous or partially complete even though the technical consequences can be catastrophic and in particular for your referencing.
Also note that the method described here is standardized for WordPress, it does not rely on an extension that would do the job for you. I strongly recommend the use of an extension to perform this type of manipulation and in particular for questions of performance.
Table of Contents
What Is An SSL Certificate For?
This is probably the question that I am asked most often when we talk about this transition to HTTPS. We can count 3 major reasons: security, SEO and technical prerequisites for WordPress.
SSL Certificate Strengthens Your Security
An SSL certificate is nothing more than a data file that activates the HTTPS protocol on a server. This protocol ensures a secure connection by encrypting exchanges between the Internet user and the server. For example, on your back-office connection page, a classic site without encryption exposes the password in clear over the Internet. You, therefore, understand the importance of such a passage in terms of security.
All certificates have a satisfactory level of security, the difference between a free and paid certificate is related to insurance issues (useful for e-commerce sites) and the reputation delivered by them.
The Presence Of An SSL Certificate Indirectly Improves Your SEO
It is also an official recommendation from Google, which now displays a warning in its Chrome browser for unsafe sites. Having an HTTPS site does not directly improve SEO but the general perception that your visitors may have of it with the presence of a padlock at the browser’s address bar.
WordPress Needs An SSL Certificate
The presence of an SSL certificate constitutes a technical prerequisite for the proper functioning of WordPress. Ultimately, you will no longer be able to use WordPress without this technology, so you might as well switch to it without delay.
To learn more, we recommend reading this article on the interest of having an SSL certificate and how to choose it .
What Steps to Go to HTTPS?
After theory, make way for practice!
All of the steps described below are mandatory, none are optional. It takes about an hour of work to complete them while being comfortable with the technique.
1 – Back Up Your Database
Before even going further, it is strongly recommended to make a backup of your MySQL or MariaDB database. It will be necessary in the event of restoration.
2 – Deploy an SSL Certificate
Go to your host who will provide you with a free Let’s Encrypt type certificate. For an e-commerce site, I recommend buying a certificate that will carry insurance and a lifespan of at least one year – Let’s Encrypt certificates are automatically renewed every 3 months.
Typically, generating free SSL is done by a single click. Check that the latter is not already active as is the case with OVH which activates Let’s Encrypt and therefore HTTPS on all sites. This can have the effect of duplicating your site on search engines if you do not proceed to the following steps. A textbook case noted many times during audits of WordPress sites that I carry out regularly.
Once the certificate is active, enter the URL of your site in your favorite browser by adding https: // just in front of the domain name. A green padlock should appear, it is likely to be yellow in the presence of mixed content, which we will see later.
3 – Redirect Traffic to HTTPS
For now, we, therefore, have a site accessible in 2 ways: in HTTP or in HTTPS. We need to keep only one variant so that visitors and Google robots are directed to the correct secure version.
We are going to use the traditional 301 redirects, which allow us to indicate in an SEO-friendly way the permanent URL of new content. It goes without saying that we will not ask as many 301 as there are content on your site, it would be endless and counterproductive.
Just open your .htaccess file and add the following lines:
# BEGIN Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://wpchannel.com/$1 [R=301,L]
</IfModule>
# END Redirect HTTP to HTTPS
Take care to replace the domain name with your own. There is an alternative to automatically detect the domain but it seems more reliable and efficient to indicate it directly.
Now return to your web browser and refresh the page: you will be automatically redirected to the HTTPS version. This is valid for all the URLs of this domain, so take the test by opening a page of your site. Replace https: // with HTTP: // and note the redirection to the HTTPS equivalent. Magic isn’t it?
Using this technique, it will only take a few hours for Google and the search engines to update its index.
4 – Rewrite the URLs in the Database
WordPress stores the URLs present in your content in an absolute path. Simply put, if you link in the body of a page to another page, the URL of the link is complete. So we have to modify them in bulk so that Http: // is replaced by https: // using a specialized script like Search Replace DataBase.
Manual techniques of finding / replacing URLs directly in a code editor are to be avoided because you cannot manage serialized data. This type of data is widely used in page builders for example.
This free script is generally used to change the address of a site and is also useful for switching to HTTPS.
Download it using the link below, unzip the archive then send the folder to the webroot of your server:
This script was designed to ease the process of migrating websites based on PHP and MySQL. It has additional functionality for WordPress and Drupal but works for most other similar CMS. Size : 95.3 KB • Hits : 850
Run the script in the browser by entering the name of the folder after your domain. For my part, I named it srdb which gives example.com/srdb to reach the page of the script.
In the replace field, enter the URL in the form http://example.com and https://example.com in the with the field . Remember the following: we only replace the part that changes. So there is no question of whether or not there is a slash at the end.
Then click on dry run to perform a test. A list of elements will then be available table by table allowing you to verify that everything is working perfectly.
If the tests are successful, then do a live run and then proceed to the replacements. Once the changes have been made, click on delete me to delete the script from the server or do it manually using your favorite FTP client. You should never leave this kind of script on your server for security reasons.
This step should resolve almost all of the issues with mixed content on your pages.
5 – Edit the WP-Config.php File
This configuration file is generated during the installation of your WordPress. It links your installation to your database but offers many other configuration options.
We are going to add the following line which forces the use of HTTPS in back-office:
define ('FORCE_SSL_ADMIN' , true);
Also, verify that the installation URLs are not specified in hard in this file. This technique offers the advantage of blocking this adjustment in the back office and avoids a handling error which would be linked to an accidental change of URL. Here is an example for this site:
/** Définir l'URL par défaut */
define('WP_HOME', 'https://wpchannel.com');
define('WP_SITEURL', 'https://wpchannel.com');
6 – Check the Presence of Mixed Content
This step is probably the most complicated because it requires Web development skills for WordPress. Some pages of your site will probably combine URLs in HTTP and other HTTPS, despite the rewriting done in the database. This is often the case for URLs entered into the code of a theme, extension or mu-plugins. In theory, this should not be the case in a perfect world where developments are well done.
To identify such cases, browse the main pages of your site which uses different templates, that is to say, using different PHP files from the theme. If the green padlock turns yellow as it does in Firefox, it means that some resources are still loading in HTTP. A quick search in the source code or via the Media tab in the Information window on the page will give you the wrong URLs.
7 – Edit GOOGLE Analytics Properties
For each of your Google Analytics properties and views, you will have to modify HTTP by HTTPS in the drop-down lists provided for this purpose like this:
8 – Add the GOOGLE Search Console Properties
Like the two properties in HTTP which should be ready already present, you should add https://example.com and https://www.example.com and tell Google your preferred version. In this way, there will only be one variant visible in the search results.
You can then configure these new properties, notably by sending the new sitemaps to Google. However, this is optional because a well-built and already optimized site will be quickly updated in the search results.
9 – Edit the Robot.txt File
The robots.txt file, found at the root of all sites developed under WordPress, contains instructions relating to indexing by search engines. If you are using SEOPress PRO, you can modify it directly from your back office. So remember to update the URL of the site map that is often inserted in the first line.
10 – Update Incoming Links
It goes without saying that you cannot contact each webmaster one by one to ask them to update the incoming links – the famous backlinks, to pass them over HTTPS. However, you have control over your various social media profiles (Facebook, LinkedIn, Instagram, etc.) or even Google My Business.
What Tools to Check the Quality of Your SSL Certificate?
Many tools are available to verify the correct implementation of an SSL certificate.
With Let’s Encrypt, the deployment is provided by your host so that you should not have any problems. On a paid certificate, it’s a whole other story and you have to make sure everything is ok.
I, therefore, advise you to test your sites with SSL Labs or even SSL Checker.
For advanced users, you can also check the security level of your headers using Security Headers. Some optimizations in your .htaccess file will give you the grade of A but be careful not to break everything!
In summary, switching to HTTPS is no longer an option but a necessity for many aspects: entrust this mission to us!
Long time reader, first time commenter — so,
thought I’d drop a comment.. — and at the same time ask for a favor.
Your wordpress site is very simplistic – hope you don’t mind me asking what theme
you’re using? (and don’t mind if I steal it?
:P)
I just launched my small businesses site –also built in wordpress
like yours– but the theme slows (!) the site down quite a bit.
In case you have a minute, you can find it by searching for “royal cbd” on Google (would appreciate any feedback)
Keep up the good work– and take care of yourself during the
coronavirus scare!
~Justin
I enjoy this website – its so usefull and helpfull.