Last month Google announced that it would be marking all non https / SSL pages as insecure from July 2018:
“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.”
This means that any site not running https will be marked with a security warning. The warning will appear even if your site doesn’t capture sensitive personal information like logins or credit card details. This might be off-putting for some users, and running without https is poor practice if you are capturing sensitive details and financial information.
See our previous blog post for more information on the https announcement.
What is https / SSL?
When you visit a website running https, you’ll notice the padlock symbol and the web address has an additional ‘s’ after ‘http’.
If you click on the padlock symbol you will get further information about the site. The extra ‘s’ comes from the word ‘Secure’ in the SSL – Secure Sockets Layer – certificate, which confirms the identity of the website and controls how the information is transferred.
When a website uses https, any information transferred from the user’s browser to the web server will be encrypted. This means it is scrambled so it can’t be read by anyone intercepting the information.
That information is stored and decrypted whenever it needs to be viewed by anyone that has the appropriate rights – the encryption key.
Note: Technically SSL is not the correct name anymore. In the late 90s the name changed to TLS (Transport Layer Security) and SSL was actually retired. However, the name has stuck.
Why migrate to https? Users looking for the padlock
Most websites that ask users to enter personal information such as login details or credit card details should already run in https.
While most website users won’t understand the fine detail of https or SSL, most do understand enough about the issue to look for the padlock when they are buying or logging in.
Web security and SSL provider GlobalSign conducted a survey in 2014 and found the following:
- 75% are aware of security risks when visiting a website.
- 77% are concerned about their data being intercepted or misused online.
- 55% are worried about identity theft on the Internet.
See more data on the survey on this link
There are other good reasons for migrating to https:
- https is a sign of trustworthiness and is increasingly recognised by web users.
- Improved SEO – it is one of many so-called ranking signals, but Google will almost certainly view https sites positively and should rank them above non-https websites.
- Improved speed – speed is another ranking factor and websites that run under https are often faster. Try this test to see the results for yourself: https://www.httpvshttps.com/
If you run any sort of e-commerce website then you have to migrate to https. There’s no alternative if you want to keep selling.
Most of the websites we design use WordPress as the Content Management System so we’re focusing on how to migrate to https.
How to migrate a WordPress website to https
So you have an up to date WordPress website that has been working well for you, generating good traffic figures, enquiries and orders etc.
You have decided to take the plunge and migrate to https. Fortunately it’s a fairly straightforward process but best done by your web developer or someone experienced in the procedure. You’ll need to edit specific bits of code so access to FTP or the hosting file manager is needed. You should have admin access to the MySQL database.
Effectively the process is very similar to moving URLs for a WordPress website and there are plenty of resources available for doing that. However, there are specific points to consider when migrating a WordPress website to https.
- Back up your website
Before you do anything you need to back up your website files and MySQL database. That means if you make a mistake or something doesn’t work you can roll back to the last working version.
Your website host will often back up automatically, but always check first to ensure you have this available.
- Buy or get hold of an open source SSL certificate for your domain name
This is something that your web hosts should be able to do for you. You will need to purchase the SSL certificate and ensure that it is installed and working by running a simple page and changing the URL to https. If the page displays using https then your SSL certificate is properly installed.
Alternatively Let’s Encrypt provide a free open source SSL certificate but your hosts need to support it.
- Migrate your admin to https
Open the wp-config.php file using file manager or download and edit using FTP. Add this line:
define('FORCE_SSL_ADMIN', true);
and save the file.
Then try logging in to your usual admin address using https instead of http.
If everything has worked then you’ll be able to log in to admin using https.
- Change the website address
Now you are ready to take the plunge and change the website address in Settings > General.
Changing the http to https and updating will automatically update the databases.
You may need to log in again at this point.
- Search and replace http:// with https:// in the MySQL database
There are likely to be a lot of references in your page and post contents to your internal web pages under http://
These need to be replaced. You can do this with plugins such as Velvet Blues or the Search and Replace script, but make sure you take a backup first.
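Alternatively you could do a search and replace in the main database table for content, wp_options, by running this script:
UPDATE wp_options SET option_value = REPLACE(option_value, 'http://www.yourdomain', 'https://www.yourdomain') WHERE option_value LIKE '%http://www.yourdomain%';
Where yourdomain is enough to uniquely identify your domain name and the ‘%’ in the LIKE clause is a wildcard. REPLACE() itself matches its search string literally, so the wildcard belongs only in the WHERE clause. Some wp_options values are PHP-serialized and record the length of each string, so a raw replace that lengthens a URL can corrupt them; check those rows after running the script.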
- Add permanent 301 redirects
You need to redirect anyone using the old http address permanently to the new https address. You also need to indicate to search engines that the web address has permanently changed. This is done using a 301 redirect.
Edit the .htaccess file and add these lines:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
- Test thoroughly
Once all these settings are in place, test thoroughly:
- Make sure the website works over https.
- If you try using the old http address the website should redirect to https.
- Run a broken link checker to test that there are no missing images or broken links.
If all this is ok then finalise the migration and go live.
- Adjust Google Search Console and Google Analytics and other site environment issues
You’ll need to create a new property in Google Search Console, generate and add a new XML sitemap and adjust the URL in Google Analytics.
Also ensure that your site’s URLs for social media profiles are updated, although the redirects should handle any old URLs. We’ll cover this in more detail in a future blog post.
You will need to test and view each page. The most common issue is mixed content warnings, where something is still being referenced under http. Click on more information and your browser should list which assets are coded as http. They can, for example, be http URLs for images or style sheets along with
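The redirect and mixed content checks from the testing steps above can be scripted rather than clicked through page by page. The following Python is an added example, not part of the original post; the function names, the attribute list and the www.yourdomain.example sample page and responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches as part of the page (not exhaustive).
# Plain <a href> links are navigation, not mixed content, and are left to the 301 redirect.
ASSET_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
               ("link", "href"), ("source", "src"), ("video", "src")}

class MixedContentFinder(HTMLParser):
    """Collects assets that an https page still references over plain http."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in ASSET_ATTRS and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

def check_redirect(requested_url, status, location):
    """Return the problems found in the response to a request for an http URL."""
    problems = []
    req, loc = urlsplit(requested_url), urlsplit(location or "")
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if loc.scheme != "https":
        problems.append("Location is not https")
    if loc.hostname != req.hostname or (loc.path or "/") != (req.path or "/"):
        problems.append("redirect changes host or path")
    return problems

# Constructed sample page; www.yourdomain.example is a placeholder domain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.example/wp-content/themes/t/style.css">
<script src="https://www.yourdomain.example/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://www.yourdomain.example/about/">About</a>
<img src="HTTP://www.yourdomain.example/wp-content/uploads/logo.png">
<img src="//cdn.yourdomain.example/banner.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag}> {url}")
    # A temporary 302 in place of the permanent 301 is reported as a problem.
    print(check_redirect("http://www.yourdomain.example/shop/", 302, "https://www.yourdomain.example/shop/"))
```

To run it against a live site, feed `find_mixed_content` the HTML of each page and pass `check_redirect` the status code and Location header returned for the old http address.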
Alternatively use the Really Simple SSL plugin
If you don’t have the time or don’t feel confident about your technical skills, have no fear. There is an excellent free plugin – Really Simple SSL – that we have used successfully for several migrations of WordPress websites to https and that is highly recommended.
It works as follows:
- Get an SSL certificate
- Activate the plugin
- Enable SSL with one click
You will still need to test and troubleshoot but it really does work well.
Get in touch if you have a WordPress website that you need migrating to https on our contact form.