Web Dandy Web Design Articles

How To Move Your WordPress Site to HTTPS

The Changing Landscape

As Google and WordPress place more emphasis on security and on moving all sites to HTTPS, we look at how to move your WordPress site from HTTP to HTTPS.

Google looks at HTTPS in two ways: first as a ranking signal; secondly for security.

Google have stated: "Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users' data."

In its website migration guide, Google identifies several reasons to switch to HTTPS.

Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:

  • Encryption. Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can "listen" to their conversations, track their activities across multiple pages or steal their information.
  • Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
  • Authentication. Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.

In July 2018 Google Chrome 68 will start to display sites that are not HTTPS as "Not secure".

(Image: Google Chrome http vs. https)

Matt Mullenweg posted on WordPress.org on Dec 1, 2016 "We're at a turning point: 2017 is going to be the year that we're going to see features in WordPress which require hosts to have HTTPS available. Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face".

"First, early in 2017, we will only promote hosting partners that provide a SSL certificate by default in their accounts. Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there."

Data Security

The security of data in transit is extremely important when it comes to keeping customers' details safe and secure. To protect customers' information, an SSL certificate should be installed and used across all forms of web communication.

SSL (Secure Sockets Layer), and its updated, more secure successor TLS (Transport Layer Security), is the standard security technology for establishing an encrypted link between a web server and a browser. Note: most companies still refer to SSL certificates, even though they are actually TLS certificates. For the purposes of this article we will use the common term SSL.

SSL uses encryption algorithms to scramble data in transit. This ensures that all data passed between the web server and the browser remains private and secure, preventing criminals from reading or modifying any information transferred, including personal details.

Read on for a step by step guide on how to move your site to HTTPS.

Steps to Make Your Site Secure (HTTPS)

Step 1

Buy an SSL certificate.

To be able to create an SSL connection a web server requires an SSL certificate. Typically an SSL certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the certificate and details of the Certification Authority (CA) responsible for issuing the certificate.

Once installed, site visitors will see the lock icon beside the web address; clicking on the lock icon displays your SSL certificate and its details.

There are a great number of SSL certificate vendors, and prices vary greatly, from free certificates (e.g. Let's Encrypt) to commercial certificates from Trustwave, RapidSSL, Comodo and others.

Free vs. Commercial — What's the Difference?

Let's Encrypt:

  • Is a free, automated and open CA run by the non-profit Internet Security Research Group (ISRG). Its certificates are valid for 90 days, after which you have to renew.
  • Currently Let's Encrypt only provides domain validated SSL certificates*.
  • If your site deals with online transactions, a Let's Encrypt certificate won't be sufficient to protect your website, as Let's Encrypt does not offer any warranty; site owners are therefore liable in the case of data misuse or data breaches.

Commercial Certificates:

  • Commercial CAs provide various types of SSL certificate, including domain validated, organisation validated, EV SSL (padlock plus a green company name and country), wildcard and multi-domain SSL, depending on the certificate purchased, and they come with a trust seal/site seal.
  • These certificates cover site owners for data breaches: you can make a warranty claim in the case of misuse or a data breach, with warranties starting from $10,000.
  • They last for 12 months but can be extended to 39 months if required.

We would recommend a free certificate for hobby websites, but for professional websites we would suggest purchasing a commercial certificate.

Step 2

Install your SSL certificate.

How you install the certificate depends on the platform your site is hosted on and the server software. As an example, here are the instructions from Comodo for installing onto an Apache mod_ssl / OpenSSL server, or via cPanel/WebHost Manager (WHM) from Trustwave. Your CA should send you instructions for installing onto a variety of server platforms.

Alternatively you can ask your web host to install the certificate for you. There is usually a fee for this service.

Step 3

Depending on how confident you are in editing your WordPress settings and .htaccess file, you can either a) use a plugin (Really Simple SSL) to take care of the changes that need to be made, or b) make the required changes manually.

a) Really Simple SSL Plugin

The Really Simple SSL plugin automatically detects your settings and configures your website to run over https.

Back up your site before installing the plugin.

  • Upload the plugin to the wp-content/plugins directory.
  • Go to plugins in your WordPress admin and click activate.
  • You'll then see a notice asking you to enable SSL. Click to enable and log in again.

Your site should now be https enabled. Please note: we cannot assume any responsibility for any site issues that develop as a result of using the plugin. For support, visit the Really Simple SSL WordPress support page.

b) Manual

Once the SSL certificate is installed, go to General Settings in the WordPress admin area and edit your WordPress Address (URL) and Site Address (URL) so that they both begin with https.

If you are setting up manually, add the following code to the top of your .htaccess file. If you are using the Really Simple SSL plugin, it adds the "Force SSL" code to your .htaccess file for you, so there is no need to add it again.

# BEGIN Force SSL
<IfModule rewrite_module>
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !^on$ [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END Force SSL

It's important that the rule above uses [R=301,L] rather than [R,L]; without an explicit code, Apache may default to a 302 (Moved Temporarily) rather than a 301 (permanent redirect).

Step 4

Go through every page on your site and look for any where the padlock symbol is flagged as insecure. This is often caused by images in the main content area whose URLs have been hard-coded as HTTP. Change these to HTTPS, save the page and check whether it now shows as secure.

If this does not resolve the issue, check the page(s) for scripts, CSS (if you are using Google to embed a font on your site, check that the link is HTTPS) or other files that may also have been hard-coded as HTTP.

The Google Chrome browser is a great tool for finding where changes need to be made. Open Google Chrome and enter your website URL. Click 'Customise and control Google Chrome' (the three vertical dots, usually found in the top right-hand corner of the browser), then go to More Tools > Developer Tools > Console. Look through the Console for errors showing where an item is being loaded over HTTP and make the appropriate changes on the site so that it loads over HTTPS.

From past experience we've found that a number of plugins, e.g. Envira Gallery and Wonderplugin's WordPress Popup, hard-code metadata as HTTP or use uploaded images (a loading gif, a close button, etc.). Where this is the case, even after forcing WordPress to HTTPS you may find that one or two plugins stubbornly leave images as HTTP; you will then need to go through the plugin settings and change HTTP to HTTPS.
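A scriptable complement to the Chrome Console check described above, added here as an example (not part of the original article): it parses a saved copy of a page and lists every sub-resource still hard-coded as http://, which is exactly what triggers the insecure padlock. The sample HTML is constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value loads a sub-resource; an http:// value in one of
# these on an HTTPS page is mixed content (blocked or flagged by the browser).
RESOURCE_ATTRS = {"src", "href", "data", "poster"}
# Catches url(http://...) inside inline style attributes (backgrounds, fonts).
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each insecure sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which this tag starts
        for name, value in attrs:
            if not value:
                continue
            # <a href> is a navigation link, not a sub-resource: it does not
            # trigger the mixed-content warning, so skip it.
            if name in RESOURCE_ATTRS and not (tag == "a" and name == "href"):
                if value.lower().startswith("http://"):
                    self.findings.append((line, tag, name, value))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.findings.append((line, tag, "style", url))


def find_mixed_content(html: str):
    """Return [(line, tag, attribute, url), ...] for every http:// sub-resource."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: a font stylesheet, an image and an inline
# background are still loaded over http://; the script and the link are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://www.example.com/about/">About</a>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<div style="background: url('http://www.example.com/bg.png')"></div>
</body></html>"""
```

Running find_mixed_content(SAMPLE_HTML) reports the stylesheet on line 2, the image on line 6 and the background on line 7; the About link is ignored because navigation links are not mixed content.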

Search and Replace

Don't forget to back up your site before making any of these changes, as search and replace plugins and edits made through phpMyAdmin can sometimes break your site.

If your site is large, you may want to use one of the following to make updating the internal links stored in the database less time consuming: the WordPress Better Search and Replace plugin, custom commands in phpMyAdmin, or the Interconnect/it search and replace database script.

phpMyAdmin Commands

UPDATE wp_options SET option_value = REPLACE(option_value, 'http://www.example.com', 'https://www.example.com');

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.example.com', 'https://www.example.com');

UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://www.example.com', 'https://www.example.com');

Be sure to update www.example.com to reflect your real domain name and change the wp_ table prefix to the prefix you are using.
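A plain REPLACE lengthens each URL by one character, which breaks any value WordPress stores PHP-serialized (widget settings, theme mods, many plugin options in wp_options and wp_postmeta) because that format records every string's byte length, and WordPress silently discards a value whose lengths no longer match; this is why the Interconnect/it script is serialization-aware. The function below is an added example, not the article's or Interconnect/it's code, of a length-fixing replace to run on each option_value or meta_value before writing it back; the sample value is constructed.

```python
import re

# Start of a PHP-serialized string token: s:<byte length>:"
_PHP_STR = re.compile(rb's:(\d+):"')


def _replace_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new, recomputing the declared byte length of every
    PHP-serialized string token (s:N:"...";) whose content changes."""
    out = bytearray()
    pos = 0
    while True:
        m = _PHP_STR.search(data, pos)
        if m is None:
            out += data[pos:].replace(old, new)  # plain text: ordinary replace
            return bytes(out)
        out += data[pos:m.start()].replace(old, new)
        start, length = m.end(), int(m.group(1))
        end = start + length
        if data[end:end + 2] != b'";':
            # Declared length does not end at '";', so this is ordinary text
            # that merely looks like a token: copy it through unchanged.
            out += data[m.start():m.end()]
            pos = m.end()
            continue
        # Slice by the declared length rather than searching for the next
        # quote, so embedded quotes are safe; recurse so that a serialized
        # value nested inside this string gets its own lengths fixed too.
        content = _replace_bytes(data[start:end], old, new)
        out += b's:%d:"' % len(content) + content + b'";'
        pos = end + 2


def replace_url(value: str, old: str, new: str) -> str:
    """Swap old for new in one option_value / meta_value, whether it is plain
    text or a PHP-serialized array, keeping the serialized lengths correct."""
    return _replace_bytes(value.encode("utf-8"), old.encode("utf-8"),
                          new.encode("utf-8")).decode("utf-8")


# Constructed sample: a serialized array as wp_options might store it. The
# second string contains quotes, which a naive quote-to-quote parser would
# mishandle; the URL string grows from 28 to 29 bytes after the replace.
SAMPLE = 'a:2:{s:4:"logo";s:28:"http://www.example.com/a.png";s:5:"title";s:8:"Say "hi"";}'
```

For SAMPLE, replace_url(SAMPLE, "http://www.example.com", "https://www.example.com") rewrites the URL token as s:29:"https://www.example.com/a.png"; and leaves everything else byte-for-byte intact.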

Step 5

Add your new HTTPS properties (both www. and non-www.) to Google Webmaster Tools. You should see a fall-off in pages indexed for HTTP and an increase in HTTPS pages.

Your HTTPS Site

Visitors to your site can be confident that you are protecting them and their data, and that any data transmitted via your site is secure.

Contact us if you would like us to move your site to HTTPS.

Addendum

#1 On 6 July 2017 Let's Encrypt announced that it would begin issuing *wildcard certificates in January 2018. Wildcard certificates will be offered free of charge via Let's Encrypt's upcoming ACME v2 API endpoint. A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.domainname.co.uk), allowing administrators to use a single certificate and key pair for a domain and all of its subdomains.

#2 On 24 July 2018 Google released Chrome 68.0.3440.75, which now displays "Not Secure" for any site that is not served over HTTPS.