Migrating your Wordpress website to HTTPS

by Remy Pereira on 10th November 2017

HTTPS is a secure version of HTTP protocol in which all communication between browser and the website are encrypted. The advantage of this is that nobody can eavesdrop and steal important information even if you are connecting to an insecure network like public WiFi. Google has started using HTTPS as one of the ranking criteria, right now switiching to HTTPS gives you a slight advantage interms of ranking, but clearly it could be a more important ranking signal in the future.

Getting a valid SSL certificate for your domain

To switch to HTTPS, the first thing you need is a valid SSL certificate for your domain. Some of the most trusted providers are Verisign, GeoTrust, Comodo, GoDaddy, SSL.com, You can buy a certificate from one of these authorities at a price. SSL2BUY is an authorized reseller of leading certificate authorities and offers wide-range of SSLs at low cost. Lets Encrypt provides SSL certificates for free, but these certificates are only valid for a year after which you have to generate one again.

Your SSL certificate can cover your domain as well as subdomains and a wild card SSL certificate can cover all the subdomains. If your main domain is example.com, you can either have an SSL certificate that covers example.com, www.example.com, mail.example.com, subdomain.example.com and so on or you can get a wild card SSL for *.example.com

If you are using a hosting provider, you can purchase an SSL certificate from your hosting provider. The free Lets Encrypt certificates are also available at many hosting providers, please check with your hosting provider for available options. You can also generate your own Lets Encrypt SSL certificate at ZeroSSL

Installing the SSL certificate

If you are on shared hosting, your Cpanel has a section called SSL/TLS usually under Security. You can manage your certificates here (install new certificate, remove an existing certificate etc). If you are buying your certificates from hosting provider or using free Let Encrypt certificates provided by them, this is just a one click install. If you decide to buy it from a third party you need to install it manually from cpanel or ask your hosting provider to install it for you.

Lets Encrypt Certificates are free and you can install them on your server in many ways. If you have SSH access you can install the lets encrypt application on your server (git clone) and then run the application to generate a certificate on your server. But this may need root access and not possible on a shared hosting account. Another method is generate a free certificate at ZeroSSL website. This is a simple procedure, no commands involved. Just follow the instructions at the site. Fill in the domain names that you need certificates for. They will ask you to autheticate by putting 2 files in a special location at your web root folder (public_html/.well-known/acme-challenge). You can upload them via cpanel file manager. They will generate key and certificate which then you can copy to clipboard or download (These are plain text). At your cpanel account, under the SSL/TLS section you can install the key and certificate by copy pasting them.

cPanel SSL
cPanel → SSL

Migrate to HTTPS from Wordpress Backend

  • Login to your Wordpress Admin Dashboard and go to Settings → General
  • Update the fields Wordpress Address (URL) and Site Address (URL). Change http://sitename.com to https://sitename.com
  • Logout and log back in again, you can see the admin area is now https. Now navigate to https://sitename.com and you can see the https version of your site.
SSL Settings
SSL Settings

Remove mixed content warnings

Eventhough you have migrated to https, some content on your website like images, CSS backgrounds, stylesheets, scripts, fonts, external links etc are being loaded over http. Non https content on https websites generate mixed content warnings from browsers and instead of the https green padlock, you may see grey padlock with amber warning (connection is not secure) that parts of this page are not secure such as images. You can see these warnings in the Chrome console. Contents loaded by relative paths do not cause any problems when you migrate, but if some absolute path for resources are there in your page, they will not automatically change. In the case of wordpress some themes, plugins or pagebuilders may have absolute paths hardcoded in them. There are 2 ways to resolve mixed content warnings.

a) Manually

Inspect the source code, or console warnings to find out which contents are giving the warnings. In the case of page builders you may need to flush cache or reload images so that the paths are changed. Any hardcoded external links in posts or pages can be changed by editing them. Harcoded CSS background images can only be changed in the stylesheets.

b) Using a plugin

There are many wordpress plugins out there that can force every http link on the page to https, however use with caution because some third party links may not have an https version and this can cause slow page loads. After you have removed or changed all http content to https you will see the green padlock in any browser indicating that your page is secure.

Strict HTTPS (Optional)

You can force your page to load only over HTTPS, by setting htaccess rules. Edit the .htaccess file in your home directory and add this to the top.

# Redirect http requests to https
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This will redirect http requests to https. So even if someone tries to access the http version of your website, they will still be presented with the https version.

Final Words

Once you have migrated to https, remember to add the https profile to your Google Analytics or other tracking because https version is treated as seperate. Change your domain to https in GA so that GA can start registering your hits again. If you continue to use both http and https versions, add all variants to your google search console and also set a preferred variant. If you are redirecting all traffic to https then you only need the https profile in your GA account. Also try visting your site with http://yourdomain.com/?abc=123 , this should redirect to https://yourdomain.com/?abc=123. If it does, then you have implemented the redirection properly and you wont lose any referral information in your GA tracking.

Post a comment


sonja | December 6, 2017 3:15 PM |

Should i migrate all pages to https, or only login forms

Hardik Patel | January 23, 2018 6:04 AM |

you should migrate all pages to https because now a day https become important google ranking factor.

elhoist | December 6, 2017 4:22 PM |

What about HSTS?

elvin | December 6, 2017 6:02 PM |

What is the correct way to implement HSTS?

remy | December 6, 2017 4:26 PM |

Why force the browser when you can do it at server side using htaccess rules

avram | December 6, 2017 3:18 PM |

does it really make a big difference to page ranking?

esther | December 6, 2017 3:19 PM |

i am only doing strict https for pages that require login