Beginning July 2018, Google Chrome will start warning all visitors to HTTP sites that the site doesn’t have SSL encryption and is “not secure.” Do you know if you have SSL encryption on your website? Do you have a little padlock before your website URL in your browser? Does your URL start with httpS? (Emphasis on the s!) If not, keep reading for a tutorial to easily move your WordPress website from HTTP to HTTPS and preserve SEO. And make Google and your visitors happy!
What is SSL?
Why do you need SSL?
SSL (Secure Sockets Layer) improves web site’s security with encryption and authentication. Secure sites will begin with https:// (instead of http://). Most web browsers will also display a little lock icon.
Why you need SSL, regardless of the type of website you have
It used to be that you only needed SSL if your website collected information, like payment information and passwords. But now Google has decided to favor websites that have it regardless of whether or not they collect information.
Still not sure you need the green lock icon on your website or why?
Let Google Chrome Developers explain why HTTPS is not only baseline security on the web, but also benefits site business by unlocking powerful capabilities. The first 10 minutes explain what https is, and the benefits. Then if you jump ahead to minute 32:30, she explains Google Chrome’s strategy to inform users on the risks of non-secure http, and the plan they are starting to roll out for favoring https sites.
What enabling SSL on your website means
To enable SSL on your website for all access, you’re going to have to move your website from “http://yourwebsite.com” to “https://yourwebsite.com.” And you’re going to have to make sure everything is redirected properly.
What a hassle! But if you’ve been affected by some of the big security breaches, like the Equifax security breach, you’ve got to be on board with improving security on the web!
Moving from http to https. Is it hard?
The problem is that the tech gurus running hosting sites and giving WordPress advice don’t realize how clueless most of us are. On top of that, most professional website developers moved their sites to https long ago. Moving to https is now easier.
The upside to procrastinating? It’s now easier, with more free options! The downside? The best tutorials were written when moving from http to https was more complicated. By tech gurus.
And did I mention they don’t speak the same language as the rest of us mortals?
I’ve put together a tutorial for moving your WordPress website for http to https by combining information from the BEST tutorials with the MOST TECHNICAL and complete tutorials. If you want to read more about SSL, and see the 19 tutorials and other informational posts I used to construct this tutorial, see the resources section below.
After you move your website to https, make sure your website’s running with PHP 7.0 or higher for better website security and speed.
How to move your WordPress website from http to https
In this tutorial I will cover:
- what to do before you do ANYTHING!
- how to figure out if your web host provides a free SSL Certificate (and what that is)
- how to redirect your traffic from http:// to https:// with a plugin (and why to use a plugin)
- what to do after you redirect your traffic so your search rankings won’t be affected
- reminders to change your links on social media
- additional resources, including the 19 articles and tutorials I read to prepare this step-by-step tutorial
Before you move your WordPress Site to https://
- Make sure you have your login information, your username and password, recorded. Because your login url is going to change. This means all your normally saved data to your browser might not automatically enter itself. (Because if you’re like me and broke your wrist two years ago, 2 surgeries and one cast later you may have, um, somehow misplaced your passwaords. Ack! I followed these directions to reset my password: WordPress.org Resetting your password WordPress will generate a new one for you. Be sure you record it somewhere before you click Update Profile!)
- Make sure you backup your site. I backup using the free Updraft plugin to free storage on DropBox. You can also backup to external file storage.
- Make sure you have updated WordPress and all your plugins.
Move your WordPress website from http to https – does your website have an SSL Certificate?
- You need an SSL certificate from a Certificate Authority. See if your host provides it for free. (Not sure what a website host is? Read Domains and Host Part 1.)
- Most hosts seem to provide SSL Certificates through Let’s Encrypt. Let’s Encrypt is a Certificate Authority. There is more than one type of Certificate. This type of Certificate should be good for most types of webpages that you are likely to have if you are doing website upkeep yourself.
- How to find out if your host provides a certificate from a Certificate Authority.
- Check you host’s web page, or contact support to see if they provide a certificate from a Certificate authority. I called my host provider support, A2 Hosting (affiliate link]), and found out the answer in minutes!
- If a SSL certificate is installed, you will be able to view a secure version of your site by going to https://”yoursite.com” Go ahead and try it and see if anything comes up. If it does, then you have a certificate. (Note: If you do this while you’re logged in to admin, it seems to get confused. So go ahead and go back to your http:// site after you check this.)
- If your host doesn’t provide SSL.
- Let’s Encrypt is free, so you can add it yourself. Unfortunately, doing this adds another step. Let’s Encrypt has information on their website, which for once reads like it was written by someone who understands that there are some of us that need some really basic help. You can get started at Let’s Encrypt: Getting Started
- If your host doesn’t provide it for free, it might be time to look for another hosting option. I use A2 Hosting [affiliate link] and they do!
More About Let’s Encrypt and free SSL Certificates
Let’s Encrypt is a free, automated, and open certificate authority by the non-profit Internet Security Research Group (ISRG). I think it is wonderful how software engineers foster sharing and volunteer help all over the web. My husband and son are software engineers, and the number of free resources for code and support they use and contribute to are amazing!
Let’s Encrypt provides free of charge certificates to anyone who owns a URL, in any country, simply to make internet security available to everyone – for the benefit of EVERYONE ON THE WEB.
As a business, I assume my hosting provider, A2 Hosting, is supporting Let’s Encrypt in some way. But because I believe Let’s Encrypt’s mission for a secure internet is so important, I also made a donation. You can donate to Let’s Encrypt here. (There’s even a Paypal option if that makes it easier.)
Redirecting your WordPress website traffic from http to https
Now that you have certificate, you want all traffic to only be able to access your website through this secure connection. AND you need all the old links around the web to still be able to find your pages.
You could do this manually with 301 redirects. (Oh dear. Yuck!)
Or you can use Apache rewrite rules in a custom .htaccess file. (Um no. Not unless I absolutely have to and have a software engineer watch me do it.)
Again, I’m grateful for the generosity of software engineers!
This plugin does the changes dynamically. It does not change any database files. Translation: You’re going to have to leave this plugin installed.
I looked for another option. But unless you’re a super coder, it looks like this is the best way. Even some of the ways I found that involved changing code directly said if there are complications the best way to fix them is by using using the Really Simple SSL plugin. So why not start there?
If you run into any issues, or maybe you had a website developer in the past and have a complicated website, there is also a paid version of Really Simple SSL that can help you find errors.
In short, the way that is most likely to be successful redirecting your WordPress blog from http to https – even if you know what you’re doing – is to use the Really Simple SSL plugin.
Install and activate the Really Simple Plugin to direct your traffic to https
- From your WordPress dashboard choose Plugins>Add New and search for “Really Simple SSL”
- Click “Activate.”
- It takes you to a page where give you some information to keep in mind if you run into problems. Here is what you see:
Almost ready to migreate to SSL!
Some things can’t be done automatically. Before you migrate, please check for:
- Http references in your .css and .js files: change any http:// into //
- Images, stylesheets or scripts from a domain without an ssl certificate: remove them or move to your own server.
You can also let the automatic scan of the pro version handle this for you, and get premium support, increased security with HSTS and more! Check out Really Simple SSL Premium
If you have maintained your website yourself, and not touched the code directly, this probably won’t apply to you. I didn’t have any problems and the tutorials I read breezed right past this consideration. So, let’s keep going.
- > Go ahead, activate SSL. When you do this, it’s going to kick you out of your WordPress admin.
- It might take a few seconds to kick you out. If it doesn’t, reload the page and it will kick you out.
- Login again.
- You will now see the green padlock and Secure next to your domain!
Check your website after moving your WordPress website from http to https
- You can scan your site for non-secure content at JitBit, Check for SSL Errors
What to do after after moving your website to https://
Tell Google about the move from http to https
1. Follow Google’s instructions to Add a website property to your search console.
- In the Search Console home page, > Add a property
- type your new https:// URL.
- > Add
- It did not take me to the site verification page, nor did I get an email. It appears to be already verified, maybe because I use SEO Yoast.
2. Submit a sitemap to Google
From the same dashboard
- > Crawl
- > Sitemaps
- > Add/test Sitemap
- Your sitemap is probably https://yourwebsite.com/sitemap_index.xml. If you have SEO Yoast, to find your sitemap
- On your WordPress dashboard >SEO > XML Sitemaps
- You can find your XML Sitemap here: XML Sitemap, click on XML Sitemap
- Copy the end of the address of the page you’re taken to.
- Put it at the end of the address that opened with > Add/test Sitemap
- > Submit
- > Refresh the page
- Sitemap will show pending
- Check in the next day or two. I checked the next day later and mine had gone through. I just left the page up in my browser and reloaded it the next day. Success!
- You might want to repeat this process for www and non-www names.
3. Have Google crawl your website
- Select your new https website
- Leave the box blank, selecting your homepage
- > Fetch
- > Request indexing
- Select Crawl this URL and its direct links, > Go
- It will show “Pending.” Mark to check back later.
- The next day, for me the request status was updated to Complete.
- Under > Crawl > Crawl Errors and > Crawl > Crawl Stats, there wasn’t any data yet. (No data under other headings as well. It hadn’t been crawled yet. It took 36 hours to be crawled.)
Tell Bing about the move from http to https
- Go to Bing Webmaster Tools.
- Under My Sites, click on your site URL.
- Under Sitemaps, > Submit a Sitemap
- Enter the full sitemap (not just the end) that you found in SEO Yoast for Google.
Reconnect to Google analytics after moving from http to https
The Google analytics console is going to change soon, but hopefully you can still find these steps.
- > Gear icon in the lower left hand corner for Settings
- You will get three columns. The middle column is property. Make sure you are on the property you want to change. (I have three webpages, so I do this by changing the account in the first Account column.)
- > Property settings
- Flip the default URL to the https:// version
- > Save
- Also under Property settings, scroll down to Search Console. > Adjust Search Console
- (You may have to scroll back up.) Under Search Console Settings, Search Console Site, > Edit
- It will bring up a new window in Webmaster tools.
- If you are already connected you may have to delete that connection before going back to add another one.
- Choose your new https site. > Save, > OK
- It will take you to Webmaster Tools when you do this successfully.
Tell Social Media sites about the move from http to https
Now you want to change your links on some other accounts. Especially Youtube, apparently. Other accounts you may need to change: Pinterest (for help, see resource below), Twitter, Instagram, Facebook, and Snapchat.
Tell Affiliates about your move to HTTPS
You may need to tell your affiliates about your move to https
How to change your website on Amazon Affiliates
- Go to your account name/email address on the top right, from the dropdown menu choose >Account Settings
- > Edit your website information OR > Edit Your Website And Mobile App List.
- Mine show up with no http ot https, so they seem fine. But check yours!
Congratulations! You have now moved your website from http to https!
That’s finally it! You have now moved your website from http to https! At least it worked for me. I will admit I was relieved to wake up the next morning and find my websites still working. It took a couple of days for Google to crawl my sites. But I did that several weeks ago and my traffic and search traffic have been unaffected.
Next website security step, what version of PHP is on your website?
After you move your website to https, make sure your website’s running with PHP 7.0 or higher for better website security and speed.
Check redirect links
One last thing. I have three domains, and a few years ago I changed my main URL from ESIvy.com to this site, MomBehindtheCurtain.com, leaving only author related posts on ESIvy.com. To redirect existing links on the web, like on Pinterest, to the general posts I published first there, I used the plugin Quick Page/Post Redirect Plugin. Because of the change to https://, some of my redirects quit working.
I’m not sure why this happened, because in theory it should have just redirected twice. But my software engineer has taught me that sometimes when you have complicated software, the reasons things happened can be buried deeper in the code than you can figure out. It was easy to go in and just add some new redirects, but you have to know to do it!
So if you have any redirects to or from the sites you move to https, check your redirect links after moving your website from http to https!
Resources for SSL and moving your website from http to https
How to backup your WordPress website and other basic website tutorials referenced in this tutorial
Introduction to SSL
Good information about https
Other tutorials on how to move http:// to https://. I found different pieces to the process in the tutorial above on all of them.
- How to Migrate from HTTP to HTTPS – Complete Tutorial
- Moving WordPress to HTTPS with Let’s Encrypt
- How to Get a Free SSL Certificate (and Why Google is Forcing You To)
- How to Fix Mixed Content Errors in WordPress after adding SSL Certificate
- How to Use HTTPS on WordPress
- How to configure WordPress to always use SSL[A2 affiliate link]
- 5 Plugins to Easily Add SSL and HTTPS in WordPress
- New Guide on How to Implement HTTPS / SSL Certificate
- How to Install an SSL Certificate
- How to redirect users to SSL-enabled connections [A2 affiliate link]
- How to setup Google Analytics and Google Search Console/Webmaster Tools
- Submit Website to Google – How to Use Google Search Console
Further Reading on HSTS
If you collect sensitive information on your site, you consider adding HSTS to your site. You can also do this with the paid premium version of Really Simple SSL.
- Why you should be using HTTP Strict Transport Security (HSTS) on your website
- What Is HSTS and How Do I Implement It?
- HTTP Strict Transport Security Cheat Sheet
Fixing errors when moving from http to https
These tutorials on how to fix errors after you move from http to https helped me decide to use a plugin. They might help you if you are getting errors and mixed content messages.
- Mixing secure and insecure content on a web page [A2 affiliate link]
- How to Fix Mixed Content Error in WordPress After Adding SSL Certificate
For tips on changing your website from http to https on Pinterest
How to Create and Verify Your Pinterest Business Page Bonus Tip: After following those directions, in the past I ran into a glitch. Maybe because I have WordPress installed on a subdomain (best practice.) In any case, going to Rich Pins Validator and validating a recent post got my site confirmed instantly!