WordPress Bloggers: Here’s How to Move from HTTP to HTTPS

DiggRedditPrintShare

Moving from HTTP to HTTPS is a highly-recommend move that can ultimately help with your organic rank and lends a level of security to your readers.

WordPress Bloggers- Here's How to Move from HTTP to HTTPS

SSL/HTTPS are encryption methods that will keep any connection between your server and the visitor’s browser secure, ensuring that no one can “eavesdrop” on the conversation so to speak. This is important to ensure your visitors are safely submitting information or leaving comments.

The details below are for self-hosted WordPress websites that are using Apache servers (which should be most WordPress websites). While this is a general overview of how to move to https:// you may need more or less than what is shown here based on your server and settings.

Where To Get SSL Certificates

First, you should see if your host has Let’s Encrypt as an option. Let’s Encrypt is a free Certificate Authority that is used by many of the more highly-recommended hosting companies and just requires them to set it up on the server for you.

If your host does not offer Let’s Encrypt, then you will need to purchase a certificate; you can check if your host sells third party SSL certificates. Purchasing the certificate through your host can help with the installation process.

If your host does not offer SSL certificates then you can purchase one from GoDaddy or some other provider. Once purchased, you will then have to install it on your server to get it to work.

Setting Up WordPress To Be Secure

Once your SSL certificate has been installed, you will then need to make your WordPress secure.

Below are a few steps and tips for making sure you get the secure warnings in all browsers.

  1. Go to Settings > General in your WP Admin to update your website URL to reflect https.

https-settings-ssl

  1. Next is a redirection that is needed to tell the browsers that all pages should redirect to the https version of the website. At this time, many of your pages are indexed in the search results as http:// so if someone clicks on a page from the search engine they will hit the http:// version of the page. This is basically like having two separate version of your website.

To make https:// the default, you need to add some code to a file that is called .htaccess, which you can access via your FTP or in your Files Manager area in your hosting account.

If you have Yoast SEO installed you can also access it there as well in the TOOLS > FILE EDITOR area.

Below is simple line of code that you can add to your .htaccess file that will automatically redirect your website to the https:// version of your website.

The .htaccess is a very important file! Please make sure you have a backup of the file before making any edits!

This code SHOULD work on most hosts, but if you find after adding this code your website is not working, you should restore the original version of your .htaccess file and contact your host for the proper code to use.

The code you that can be added to your .htaccess is:

RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now, your website should be secure!

TEST: Now when you enter your URL either with http:// or https:// you should be redirected to the https://version.

Confirming Your Website Is Secure

Now if you type in your URL you should see a secure sign in the URL bar like in the example below

firefox-secure

We do recommend browsing some pages on your website to make sure they are all secure, especially pages with forms.

If you see that your website is secure then you are done!

Insecure Website Warnings

In the below image you can see that the URL bar is telling us there is an insecure issue on the website. Now we have to figure out how to find the problem! Typically, it is issues with images.

We like to use Firefox for this for the ease of use.

firefox-notsecure

In Firefox when you see the insecure warning, you can click on the little i in the circle and a box will pop out.  In that box you will see a warning that “this website is insecure” and next to it is an arrow – click on that arrow.

insecure-popoutOn the next pop out box you will see a More Information button – click that. Now you will see information about the website that will help us determine where the non-secure issue is coming from. At the top are labels including General, Media, Feeds, Permissions and Security.

Click on Media – you will then see a list of different media items on the page and the URL structures for them. As shown in the image below, you can see that there is an image that has http:// in the URL. That is our issue that is keeping the website from being secure.

media-notsecureWhen Your Images Are All Secure & You Still Have A Warning

If you did the above and all of your images are showing https:// but the browser is still showing an issue, we may need to dig a little further. The easiest, least technical way to find what may be triggering the error is as follows:

  • Go to your web page
  • Right click on the page
  • Click VIEW SOURCE (The terminology may be different depending on your browser and settings, but basically you want to see the source code for the insecure page.)
  • Do a search in the source code for “http://“ – this will help you see any insecure items that may exist then you can address those issues.

Other items that sometimes cause insecure warnings can include plugins, javascript files, fonts and ad networks. All of these items should be reviewed when trying to diagnose security issues.

Easiest Way To Make WordPress Secure

We do not recommend plugins for something like this but If the above scares you, there is an option to use the Really Simple SSL plugin.

Once the SSL certificate is installed on your server, you will still need to change the URL in the Settings > General but then you can install the plugin. Once you activate it it will automatically update everything it needs to to make your website secure.

Final Things To Do Once Your Website Is Secure

If you got this far and have a secure website – congratulations! The final things you should do are as follows:

  • Google Analytics – Make sure your settings are changed so that the https:// version of the page is being tracked. You do this in the ADMIN area in analytics.
  • Search Console – You should now also add the https:// version of your website to the search console as well. If you have an http:// version of your website in there you will see the data plummet because of the change to https:// – do not freak! It is OK and expected.

Finally, you might see some traffic fluctuations while the search engines remove the http:// version and add the https:// version of your web pages, and this is OK. You should wind up right where you were before the change – if not higher!

Jill Caren is the top dog at 2 Dogs Media, LLC – a digital agency that focus on WordPress web development and organic SEO for nonprofits and small businesses. In her spare time she enjoys photographing shelter dogs and writing at her personal rescue blog at CharityPaws.com.

Image: ArthurStock/Shutterstock.com