Google has been pretty adamant in its efforts to make the web more secure. First, by proposing that web browsers should start flagging all HTTP pages as insecure, then by boosting search engine rankings for websites which use HTTPS. Additionally, Google has decided to place a red X in the address bar, striking through websites which don’t use a secure, or HTTPS connection and plans on marking all non-secure pages, including HTTP with the same indicator used to indicate a broken HTTPS links. But are these reasons enough to migrate your WordPress from HTTP to HTTPS?
What is HTTPS?
HTTPS or HyperText Transfer Protocol Secure is a protocol used to allow secure communication between your browser and the web server. Unlike HTTPS, which is a secure connection, HTTP is insecure and it’s possible for any unauthorized parties to intercept and listen to the communication between you and the website. This communication is typically pretty ordinary unless you’re entering any sensitive information including a password, credit card info or a social security number. HTTPS adds a layer of security over the communication using SSL/TSL or Secure Sockets Layer and Transport Layer Security protocol by encrypting the data and protecting its integrity during transfer.
Why should you move to HTTPS?
There are several reasons why you should move your WordPress website to HTTPS. The first and most obvious one is security. With HTTPS, all the information, which would normally be sent as plain text, is completely encrypted. This is particularly useful for e-commerce websites, which handle customer information on a daily basis. Secondly, it has added SEO benefits due to HTTPS being a ranking signal. Finally, green address bar helps build what is called SSL trust. This means that the customers are more relaxed when they know that their data is secure.
Transferring to HTTPS
The basic requirement for transferring your WordPress website from HTTP to HTTPS is an SSL certificate. You can either buy one using a certified vendor or by asking your provider to get one for you. A single domain certificate costs around $9 per year. Once you have the certificate, it’s time to install it on your website. First, you need to generate a CRS code and an RSA key and take them and the certificate and give them to your WordPress host.
Redirecting HTTP to HTTPS
Now that you have installed the SSL certificate, it’s time to redirect all HTTP traffic to HTTPS. Fortunately, there’s a WordPress plugin just for that called Really Simple SSL. It detects the existing settings and configures your website to run over HTTPS. If you’re using an Apache server, you can redirect the traffic using the following line of code which you add to the .htaccess file:
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourwebsite.com/$1 [R=301,L]
Updating links to HTTPS
This is a pretty straight-forward job. You can do it by hand, by that would take a lot of time. Instead, you can use a free WordPress plugin called Better Search Replace, which does this job automatically. Once you install it, navigate to the Tools section of the WordPress dashboard and select the Better Search Replace plugin. Click on Search/Replace and under Search for enter the old WordPress domain address and under Replace with the HTTPS address. Once you’ve selected the necessary tables, simply click Run Search/Replace.
Transferring CDN to HTTPS
As you migrate your WordPress website to HTTPS, you should to the same with any CDNs you might be using. If you don’t, you risk getting a mixed-content warning on your website. There are numerous tutorials available on the internet on how to accomplish this, so feel free to check them out. Once you’ve updated the CDN, it’s time to update that info in the WordPress plugin used for integration. You can use CDN enabler to switch the URL from HTTP to HTTPS and enable the CDN HTTPS option.
Check for Mixed Content Warnings
When you move to HTTPS, the biggest challenge you’ll experience is preparing your content for secure connections. When a page is loaded via HTTPS, all the elements such as images or JavaScript files need to be loaded via HTTPS as well. If you don’t, you’ll end up getting a lot of mixed content warnings. The easiest way to check your WordPress website is to use the SSL Check tool, which crawls your website a looks for insecure elements such as images and JavaScript. Once found, you should replace them with HTTPS equivalents.
Updating the Google Search Console Profile
Now that your website is running on HTTPS, the next step is to create a new HTTPS version of the Google Search Console profile. When you’ve finished creating the new profile, it’s time to re-submit the sitemap files. Those who have a disavow file need to update it as well. Simply go to the Google’s Disavow Tool, select your old HTTP profile and download the file. Open the tool again, only this time you’ll have to submit the HTTPS version of the disavow file.
Updating Google Analytics
Finally, you need to update your Google analytics. This does not affect the analytics data, but it does, however, help when you have to link your WordPress website to the Google Search Console. All you have to do is to click on the domain property settings and change the default URL to HTTPS version. Do the same for the view settings and remember to re-link the newly created Search Console Profile with the Analytics account.
At this moment, HTTPS is the leading standard when it comes to website security. Although migrating your WordPress website from HTTP to HTTPS requires a little more work, it does come with a number of added benefits. Not to mention that if you follow the guidelines closely, the work itself is fairly easy. Just make sure to update the SSL certificate once a year. This may sound like a hassle, but it’s a small task to ensure the privacy and security of your data, and the data of your users.