July 2017


How and Why to Move Your WordPress Website to HTTPS

If your website collects ANY personal information, such as email addresses, login information or credit cards, then you NEED to secure your site.

One of the best ways to do that is to encrypt any information going to and from your server using HTTPS.

But what if your website doesn’t do e-commerce or collect any sensitive information?

Do you still need to move to HTTPS?

The short answer is…

YES! You want every advantage you can get.

The benefits of HTTPS go beyond basic security. You’ll also get:

  • Increased conversion rates
  • Increased viewer trust
  • Faster load times
  • Improved search engine rankings

Hard to argue with those benefits?

We agree.

So, if you haven’t done so already, now’s the time to move your site to HTTPS.

In this guide, we’ll cover everything you need to know. We’ll start with the basics of how encryption works. By the time you’re done, you’ll be ready to implement HTTPS on your site.

Let’s get started!

1. What is HTTPS?

HTTPS uses unique keys to encrypt the information going to and from your website.

It’s kind of like a secret decoder ring.

No one can read what’s said without decoding it first.

This means no hackers snooping on or logging your sensitive information.

How does this all work you ask?

  1. You request a Secure Socket Layer (SSL) certificate that verifies your identity.
  2. The certificate sits on your hosting server.
  3. When visitors use a URL starting with “https://” the certificate is verified and encryption established.

Depending on your certificate type, visitors will see a green padlock in their URL bar or a green padlock followed by the organization name assigned to your certificate.

It’s that simple!

Even a year ago, setting all of this up was kind of a pain.

But thanks to one-click installers, improved hosting support and more awareness from the public about Internet security, HTTPS use is taking off!

2. Why Use HTTPS?

Recent data from both Mozilla and Google show that at the end of 2016 more than 50% of the page views collected by their tools used HTTPS.

These numbers continue to increase every month.

Still don’t think you need HTTPS?

Mozilla Firefox and Google Chrome are about to make a significant change that makes HTTPS a must-have for all businesses…

They’re adding notifications that show when a site is not secured.

We’re not talking some little bit of text in the corner of your site. It’s going to be a red warning badge right next to your site’s URL.

What does this mean for you?

Soon, not having HTTPS could be the difference between online success and disappearing from the front of the rankings.

It’s no longer a fancy feature for the tech-savvy, it’s the cornerstone of a professional web presence.

Security-Savvy Shoppers in the Digital Era

Stop and think for a second how often you send bank account information, personal messages, images of your life or other personal information across the internet.

How often do you log-in to social media or email?

Without encryption, these are all opportunities for anyone with the right knowledge to grab your information as it zips off to its destination.

Data breaches are increasingly common.

While these are no fun for anyone whose personal information is stolen, they’re making people more aware of the importance of data security.

This impacts where they choose to conduct business online.

SSL.com highlights how implementing SSL and displaying a secured seal on your site can boost conversion rates by up to 87%. More than 60% of respondents in a 2011 Actual Insights study said they abandoned a cart over lack of security.

HTTPS: Benefits Beyond Security

Enabling HTTPS also allows you to use the new HTTP/2 protocol.

What’s that mean?

While the specifics are very technical, HTTP/2 is a new way for browsers and your web hosting to communicate.

It uses compression, multiple connections and a bunch of other fancy tech improvements to improve speeds and reduce loading times.

Why’s that important? means decreased loading times, better potential for converting visitors and lower bounce rates due to delays.

Consider these statistics from Kissmetrics:

  • 47% of consumers expect a web page to load in 2 seconds or less.
  • 40% of people abandon a website that takes more than 3 seconds to load.
  • A 1 second delay in page response can result in a 7% reduction in conversions.

Decreased load times mean a lot more than less waiting. They mean increased conversion potential and lowered bounce rates too!

Off-Site HTTPS Benefits

Using HTTPS also helps improve things off your site.

Most importantly, Google has labelled HTTPS as a ranking signal.

They’ve made it clear they like HTTPS and want sites to use it.

As they continue to make changes in Chrome to highlight non-secure sites, this impact of HTTPS on site visibility and ranking is likely to increase.

And let’s face it, in the competitive world of search engine rankings, every edge you can find counts.

3. How Do You Set Up HTTPS?

Specifics will depend on the software used by your site, the site’s complexity, your hosting provider and a number of other factors.

For this guide, we’ll be focusing on WordPress.

Step 1: Choose a Certificate Type

All certificates are issued by Certificate Authorities. These authorities essentially use their reputation to provide proof to visitors that you are who you say you are.

Picking the best Certificate Authority is mostly about cost.

However, there’s three other things to consider when choosing a certificate type.

Consideration #1: Encryption Strength

The strength of encryption is usually measured in bits.

The higher the number, the less chance that someone can figure out your secret code or fake having the code themselves.

Bigger is better, but the current standard is 2048-bit for keys and 128- or 256-bit for data

Consideration #2: Certificate Validation Level

Certificates also come in different validation levels.

While an increased validation level won’t necessarily improve security, the higher options make your security more obvious to visitors. However, this comes with increased costs, waiting times and documentation.

Common validation levels include:

  1. Domain Validation (DV) – Available for free via Let’s Encrypt, CACert, Comodo, Symantec and some hosting providers. While you can pay for a DV certificate, this doesn’t make much sense with quality free options available. Most DV certificates take only a few minutes to obtain and provide the same level of security as other certificate types.
  2. Organization Validation (OV) – Can be purchased through certificate providers and adds your organization information to the certificate. Can take several days to complete the issuing process.
  3. Extended Validation (EV) – Purchasable through certificate providers. Typically the most expensive option. It adds your organization to the URL bar and certificate for increased visibility. Can take up to one week to complete the issuing process.

In most cases, a DV certificate is ideal.

All validation levels offer the same level of security.

Sure–The OV and EV certificates will add additional ways for viewers to verify security and show your commitment to keeping the data provided by site visitors safe.

However, they can cost 2 to 3 times what a DV certificate costs and require a lot more documentation to obtain.

While you can deploy a DV certificate with many hosting providers for free, an EV certificate will likely cost around $80 to $100 per year.

Consideration #3: Domain Coverage

You can’t always use a certificate on more that one site.

There are different types certificates for use with multiple domains or subdomains. These go by a few different names, include:

  • Wildcard Certificates
  • UCC (Unified Communications Certificates)
  • SAN (Subject Alternative Name) Certificates

The number of domains you can use with the certificate will depend on the certificate authority you use. In most cases, it starts around 5 sites per certificate.

If you’re investing in an OV or EV certificate, a multi-domain certificate, will offer substantial savings.

However, this isn’t as important if you’re using free DV certificates.

Our Recommendation:

For most readers, we think the free Let’s Encrypt DV certificates offer a great mix of value and easy installation.

Want to know how to get your free certificates?

Keep reading! We’ll get to the steps soon!

Step 2: Acquire and Install Your Certificate

For this guide, we’ll obtain and install a certificate using the Let’s Encrypt service. If you want an OV or EV certificate, you can probably use your hosting provider.

But if you want to shop around for the best price, you’ll can check out these third-party options:

One benefit with going through a hosting provider or third-party certificate service is that they’ll usually do the setup for you.

Since the steps will differ by provider or certificate authority, so we won’t cover specific steps for those services here. Just keep in mind, they might charge extra for the assistance.

Before you fork over your hard-earned money, check your hosting panel to see if they offer a one-click installer.

Hosting CompanyWebsite URLFree SSL CertPaid SSL Option
1and1https://www.1and1.com/
A2 Hostinghttps://a2hosting.com
A Small Orangehttps://asmallorange.com/
Bluehosthttps://www.bluehost.com/
Cloudwayshttps://www.cloudways.com
Dreamhosthttps://www.dreamhost.com/
FatCowhttp://www.fatcow.com/
Flywheelhttps://getflywheel.com/
GoDaddyhttps://www.godaddy.com/
GreenGeekshttps://www.greengeeks.com/
HostGatorhttps://www.hostgator.com
Inmotion Hostinghttp://www.inmotionhosting.com/
Kinstahttps://kinsta.com/
Laughing Squidhttps://laughingsquid.us/
Liquid Webhttps://www.liquidweb.com/
MediaTemplehttps://mediatemple.net/
Pantheonhttps://pantheon.io/
Pagelyhttps://pagely.com/
Pressablehttps://pressable.com/
SiteGroundhttps://www.siteground.com/
WP Enginehttps://wpengine.com/

In general, obtaining a certificate goes something like this:

  • You’ll generate a Certificate Signing Request (CSR) with your hosting provider
  • You’ll submit the CSR to a certificate service
  • They will verify the information and issue a certificate
  • You’ll upload the certificate to your hosting account using FTP or a hosting dashboard

If this sounds too complicated, DON’T WORRY!

With Let’s Encrypt, the majority of this is automated. You’ll click a few buttons and be ready to go!

For supporting providers, you’ll find an option in cPanel or Plesk.

All you need to do is:

  • Click the Let’s Encrypt icon in your hosting dashboard

letsencrypt cpanel

  • Choose your domain from the dropdown at the bottom of the screen.
  • Enter the email address associated with the domain at your name registrar.

add lets encrypt

  • Click Install

NOTE: If you’ve recently changed domain names or try to install your certificate on a staged testing server, you might run into issues with validation. Just wait a few hours for the changes to update around the Internet and try again.

If you have shell access for your hosting environment, the Electronic Frontier Foundation’s CertBot offers step-by-step instructions for getting your free certificate through Let’s Encrypt.

Just choose the hosting software and OS and follow the steps listed.

Step 3: Verify Your Certificate

The certificate is installed! We’re finished right?!

Not quite…

While Let’s Encrypt takes the hassle out of installing certificates, you’ll still need to be sure you’ve configured your WordPress install to actually use the certificate.

The first step is to be sure the certificate is working.

Simply head to a page on your site and instead of using “http://” use “https://” in the URL bar.

If everything loads okay, we know the certificate is good.

If you see a mixed content warning, don’t worry! We’ll be fixing those shortly.

If you get a full-screen error or encounter major problems with the loading of your site, the Qualys SSL Labs tool is great for finding out the next step to troubleshoot your issues.

Step 4: Implementing HTTPS in WordPress

Before going through these steps, check with your hosting provider to see if they offer any tools to assist you.

Many hosts offer one-click site optimizers that will enable HTTPS as well.

If so, you can just skip this section and cruise on down to Step 5.

If your provider doesn’t have a dedicated plugin or setting, you still have a few options.

To Implement HTTPS Using a WordPress Plugin:

One of the great things about WordPress is the bounty of plugins to add features to your site.

Just install a plugin and BAM! new features on your site.

We recommend “Really Simple SSL“. really simple ssl wordpress plugin

The free version will work for most sites.

If you have further issues, the Pro version is great for tracking down mixed content issues or enabling advanced features and it has a fair price.

To install the plugin:

  • Login to your WordPress Dashboard
  • Hover over Plugins on the sidebar
  • Click “Add New”

WordPress Dashboard - Plugins

  • Search for “Really Simple SSL” in the Search Plugins box

WordPress Plugins - Search

  • Click “Install Now” in the box for the plugin

WordPress Really Simple SSL Install

  • Wait for the installation to finish
  • Click “Activate” in the box for the plugin

WordPress Really Simple SSL Activate

Now we need to configure the plugin itself:

  • Go to Settings > SSL in the WordPress Dashboard

Really Simple SSL Settings

  • Click the Settings tab

Really Simple SSL Settings Tab

  • Check “Auto replace mixed content”
  • Check “Enable 301 .htaccess redirect”
  • Check “Enable javascript redirection to SSL”
  • Click Save

Really Simple SSL Settings Tab Recommended

Let’s see if it’s working!

Clear any caching plugins installed through WordPress (such as W3 Total Cache, WP Rocket, WordFence or WP Super Cache) or your hosting and refresh your page.

Now look in the URL bar.

Secure URL Bar Chrome

Secure URL Bar Firefox

You see a lovely green padlock?

Score! We’ve got the basics in place!

To implement HTTPS in WordPress without a Plugin:

Without a plugin, things get a bit geekier.

NOTE: This is digging into a major piece of your site. Doing things wrong can break things. If you’re not comfortable with these steps, as your web developer to help!

You’ll need to edit the .htaccess for your WordPress install.

  1. Connect to your hosting provider via FTP and open the .htaccess file for editing
  2. Paste the following code into the blank space at the bottom of the file

# Force HTTPS
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Step 5: Updating On-Site Links to Work with HTTPS

If you used the plugin method, you won’t have much to worry about.

However, doing these steps can shave a little off your loading times by removing the need for your site to change any links its finds.

For manual HTTPS implementations, this is essential to getting that little green padlock we’re after.

Even with HTTPS running on your site, anything on your site that uses an HTTP link could result in a mixed content warning.

What’s that mean?

Essentially, the browser is just warning browsers that while the site is secure, some parts of the page are not.

It also gets ride of your shiny green padlock.

We don’t want to leave visitors guessing which parts of your site are secure. So let’s fix that!

Tracking down mixed content issues can be time consuming.

You’ll want to load each page and check the URL bar once the page if fully loaded.

If it’s secure you’re good to go!

If there’s a mixed content error, open your browser console.

  • In Chrome, the shortcut is Ctrl-Shift-I (Cmd-Shift-I on Mac).
  • In Firefox, the shortcut is Ctrl-Shift-J (Cmd-Shift-J on Mac).

Then check the Security Tab.

It will show the exact items on each page causing the mixed content issue.

This can be everything from scripts to images and anything in between.

In short, if you can link to it, it can cause you problems.

NOTE: The best way to avoid this is to use relative linking whenever possible on your site. Instead of linking to “https://www.yourdomain.com/awesome-image.jpg” just link to “/awesome-image.jpg” then you’ll never have to worry about this again!

You’ll also want to be sure to change your WordPress site setting to point to the HTTPS version of the site as well.

  • Click Settings > General in the WordPress Dashboard sidebar menu

WordPress Dashboard Settings General

  • Enter the root HTTPS address to your site (the URL that people would type in to land on your homepage) in the “WordPress Address (URL)” and “Site Address (URL)” boxes

WordPress URL Settings

  • Click Save Changes

With these changes in place, your site is now pointing to HTTPS wherever possible and hopefully serving up a secured version of your website to viewers.

Step 6: Purge Your Caches

With most of the settings finalized, you’ll want to purge any caching plugins, such as W3 Total Cache, WP Rocket, WordFence or WP Super Cache to ensure that all new requests to the site use the latest HTTPS configuration.

If you’re using a CDN such as Cloudflare, you may need to clear your cache there as well.

Step 7: Update Your Analytics and External Services

While visitors won’t see any major differences between your HTTP and HTTPS sites, most popular analytics providers (i.e. Google Analytics, Google Merchant Services and Google Search Console) see them as two different sites.

This means that unless you update your settings with your analytics providers, you won’t get any data once you’ve switched to HTTPS.

In most cases, you can add the HTTPS property to the list and group them to avoid confusion or clutter on the interface.

Updating your Google Analytics is easy!

  1. Load your Google Analytics Admin page

  1. Click the dropdown in Property column
  2. Choose “Create New Property”

add new property analytics

  1. Put the name you wish to use in the Website Name field
  2. Click the dropdown under Website URL and choose HTTPS://
  3. Enter the URL to your site in the box
  4. Choose your Industry Category
  5. Choose your Reporting Time Zone
  6. Click “Get Tracking ID”
  7. Add the tracking code to your site

Google Search Console is just as simple!

  1. Load your Google Search Console Dashboard
  2. Click “Add a Property”
  3. Enter your URL starting with “https://” into the box
  4. Click “Add”
  5. Follow the Verification instructions

To make viewing your sites easier, you can add your HTTP and HTTPS sites to a set on your Dashboard.

  1. Click “Create a Set”
  2. Enter a set name
  3. Choose your HTTP URL from the Members in Set dropdown menu
  4. Choose your HTTPS URL from the Members in Set dropdown menu
  5. Click “Save Changes”

If you use any other tracking tools, a quick search in the support documentation will likely show the steps needed to ensure your HTTPS traffic is tracked properly.

Step 8: Update Your Backlinks

You’ve probably spent a fair bit of time linking back to your site on forums, emails or social.

While existing links will redirect to HTTPS at your site, that adds a tiny delay that you can avoid by updating the links used in your signatures across the web and on your social media accounts.

You’ll also want to be sure to adjust the links used in your advertising campaigns across the internet.

If you work with other businesses to build links or other sites that regularly link back to your site, be sure to notify them of your switch to HTTPS and request that they update their links accordingly.

Step 9: Configuring HTTP Strict Transport Security

WARNING: This step SHOULD NOT be completed until you know your site’s HTTPS features are functioning properly.

Once you know that your HTTPS site is loading properly and you’ve fixed your mixed content issues, you can enable a setting known as HTTP Strict Transport Security (HSTS).

Essentially, even with HTTPS, your site’s traffic is still vulnerable to man-in-the-middle attacks until the redirect to your HTTPS site kicks in.

Then there’s the added delay (we’re talking milliseconds here) of the redirect from HTTP to HTTPS.

If you’re looking to optimize things to their fullest, add the following line to the .htaccess file of your site:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

This not only defaults your site to HTTPS, it adds your site to something known as the HSTS Preload List.

This list is updated periodically with major browsers to automatically load included sites via HTTPS, even on the first visit.

No more worries about delays or snooping hackers!

4. How Can I be Sure HTTPS is Running Properly?

At this point, the bulk of the changes are completed!

Congratulations! Your site is now secure!

Time to kick back and relax with a frosty beverage and a big ‘ol steak right?

Not just yet…

How can you be sure everything is actually working?

Here’s a few ways to check that you haven’t missed anything implementing HTTPS for your site.

  • Crawl your site manually: If you have a smaller site, manually crawling your site is the most straight-forward way to ensuring that all pages are error free. Simply make a list of your pages, load each one in your browser and check to be sure that you are seeing a green padlock for each one.
  • Google Search Console: If you’re using Google Search Console, you should add the HTTPS version of your site to your properties and upload a new site map. This will allow you to ensure that Google can crawl your site properly and index pages accordingly.

Google Search Console

  • SSL Labs Server Test: This online tool from Qualys checks your HTTPS implementation and issues a letter grade based on best practices. With the steps listed in this guide, you should see that your site earns an A. If not, the tool’s report card will offer actionable steps for improving your score.

Qualys SSL Labs

  • HTTP Security Report: As an alternative to the SSL Labs tool, the HTTP Security Report digs a little deeper to find more ways to optimize your site security. However, it focuses on more advanced features that you might not need to worry about as much. If your site scores a 40 or higher, you’re officially more secure than the average site in their database. While most of the features toward the end of their report card are outside the scope of this guide, they’re a great starting point for creating an enterprise-grade HTTPS/SSL plan and learning more about the future of HTTPS.

HTTP Security Report

5. Anything I Need to Worry About Once It’s Running?

With your certificates verified and installed and your site redirecting traffic to HTTPS, the only thing left to worry about is certificate expirations.

This will depend on the method that you used to verify and install your certificate.

  • If you’re using a host-supported Let’s Encrypt system, renewal is often automatic every 90 days.
  • For host-supplied SSL certificates, they’ll typically take care of renewal when you pay your annual certificate fee.
  • If you installed your certificate manually, or used Certbot through the shell, you will need to complete the process again at each expiration to renew your certificate.

Most hosts will send reminders when certificates are set to expire.

However, it is best to set a reminder as an expired certificate often results in a very intimidating warning page when visitors browse your site.

The Future of HTTPS and SSL

As more people continue to store and transmit more data online, the need for security will grow.

This means, the tools and techniques for offering exceptional site security will change as well.

We’ll keep this guide up to date on the latest best practices, trends and recommendations to ensure you always know how to secure and protect your site’s traffic and data.

Be sure to check back every few months for new developments!

Next Steps

Implementing HTTPS is just one part of your overall site security.

While it adds an effective layer of protection to any data transmitted to or from your website, it does nothing to stop hackers from using other methods.

This makes it essential to continue to use strong passwords, keep your WordPress site and plugins up to date, scan for malware and use a firewall to help repel attacks.

Your site is only secure as its weakest point.

If you’re not sure where to start, consider the WordFence WordPress plugin.

Wordfence Security

It offers an easy-to-use interface for boosting site security.

There’s also a free option cover basic needs. The paid tiers offer faster updates and protection for a small monthly fee. Given the cost of recovering a hacked site and the PR hit that comes with a data breach, we consider the fee a fair price to pay.

Want More Tips?

Our WordPress Security Course offers simple to follow instructions and tips for locking down your WordPress site and keeping your data secure. Sign up to stay up to date on the latest security trends from the comfort of your inbox!

No spam, no fluff. Just great guides to help you make the most of your WordPress site!