Before I start this article, I would like to ask you one question: how many HTTPS links do you see on the first page of a Google search result? Generally, more than 50% of the results for my search queries are HTTPS, and most of the top links are HTTPS. That alone shows how important HTTPS and SSL are. SSL is mandatory for safely processing transactions on an e-commerce website, but here I am not going to talk about security and safety; my concern is SEO. The web is moving toward HTTPS encryption by default, and Google encouraged this by announcing HTTPS as a ranking signal in 2014. Chrome and Firefox have started to display warnings for HTTP (non-secure) websites.
So you have decided to move to HTTPS. Hold on a minute and look at the challenges first. You will find many examples on Google of a huge drop in traffic after moving to HTTPS when it was not implemented properly, so you must be aware of the challenges. In this post, we will move a WordPress website to HTTPS, set up free SSL and update dependencies to meet SEO guidelines. It is assumed that Apache is used on an Ubuntu server.
1. Update Server Environment
The current WordPress version, 4.9.2, recommends PHP 7.2 or greater, so update your server environment to PHP 7.2. Read the following tutorial to update PHP:
Install or Upgrade to PHP 7.X on Ubuntu
2. Setup SSL
Generate a free SSL certificate from Let’s Encrypt and set up the web server using the following tutorial:
Install Free SSL from Let’s Encrypt with Apache on Ubuntu
3. 301 Redirect
You can set up a 301 permanent redirect from HTTP to HTTPS for your website with the following .htaccess configuration in the website root folder (if you didn't already do it in the vhost conf file specified in the Step 2 tutorial):
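RewriteEngine On
# Redirect any request that did not arrive on the HTTPS port (443)
RewriteCond %{SERVER_PORT} !^443$
# In .htaccess the leading slash is stripped before matching, so the pattern must not start with "/"
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]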
4. Verify SSL
You can use the free SSL check tool from Qualys SSL Labs. If everything is right, you should get an A letter grade in the test. Use the following link (replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
To check for too many redirects, you can use Patrick Sexton’s Redirect mapper tool. It shows how many redirects are happening on your site on both the www and non-www versions.
5. Reconfigure WordPress
In WordPress Admin, go to Settings > General and update the WordPress Address and Site Address settings to https.
If these are non-editable (read-only), you might need to change the WP_HOME and WP_SITEURL values defined in your wp-config.php:
define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');
Note: Both settings should NOT have a slash "/" at the end.
If you don't find these parameters in the wp-config file, don't worry; we will update them in the database directly in the next step.
6. Updating Legacy Content
You can run the following queries in the MySQL terminal or phpMyAdmin.
To update existing WordPress configuration options:
UPDATE wp_options SET option_value = replace(option_value,'http://example.com','https://example.com');
To update existing links, image sources and other http content to https in posts:
UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://example.com','https://example.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://example.com', 'https://example.com');
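A plain REPLACE changes the length of every value it touches, and WordPress stores many wp_options and wp_postmeta values as PHP-serialized data whose strings carry a byte-length prefix (s:N:"..."), so those prefixes have to be recomputed or the value no longer unserializes. The following Python code is an added example, not part of the original tutorial; `replace_url`, `OLD`, `NEW` and the sample option value are hypothetical names and constructed data.

```python
import re

# Header of a PHP-serialized string token: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')

OLD, NEW = "http://example.com", "https://example.com"

# Constructed sample of a serialized option value; note "Café" is 5 bytes in UTF-8.
SAMPLE_OPTION = ('a:2:{s:4:"logo";s:31:"http://example.com/img/logo.png";'
                 's:5:"title";s:5:"Café";}')


def replace_url(raw, old=OLD, new=NEW):
    """Replace old with new and recompute the s:N byte lengths of serialized strings.

    Values that are not serialized get an ordinary replacement.
    A serialized string nested inside another serialized string is not handled.
    """
    data, old_b, new_b = raw.encode("utf-8"), old.encode("utf-8"), new.encode("utf-8")
    out = bytearray()
    plain_start = 0  # start of the current run of bytes outside string tokens
    i = 0
    while i < len(data):
        m = _STR_HEADER.match(data, i)
        if m:
            body_start = m.end()
            body_end = body_start + int(m.group(1))
            # Accept the token only if exactly N bytes are followed by the closing ";
            if data[body_end:body_end + 2] == b'";':
                out += data[plain_start:i].replace(old_b, new_b)
                body = data[body_start:body_end].replace(old_b, new_b)
                out += b's:%d:"%s";' % (len(body), body)
                i = plain_start = body_end + 2
                continue
        i += 1
    out += data[plain_start:].replace(old_b, new_b)
    return out.decode("utf-8")


if __name__ == "__main__":
    print("naive :", SAMPLE_OPTION.replace(OLD, NEW))  # length prefix stays 31
    print("fixed :", replace_url(SAMPLE_OPTION))       # length prefix becomes 32
```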
7. Themes and Plugins Update
Update WordPress theme and plugin options from http to https. You also need to update custom scripts and external libraries (like jQuery, Angular, etc.) to point to the HTTPS version.
If you are using a CDN, you need to migrate it from HTTP to HTTPS as well.
Also, make sure your canonical links are updated to https. Generally they are updated automatically once the configuration is updated.
8. Update Hotlinking Protection
Hotlink protection prevents other websites from directly linking to files and pictures on your website.
If it is done via cPanel/zPanel, you need to update the URL to https.
If it is done manually, update .htaccess to allow https in the image hotlinking protection rule:
# The escaped dot and the (/|$) boundary keep look-alike hosts such as example.com.other.tld from matching
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?example\.com(/|$)
Similarly, update .htaccess wherever these images or content are allowed (for example, on your subdomain) if needed.
9. Update Google Analytics
You need to update your Google Analytics Property and View. Click on the Admin option in the left menu bar.
For Property, select your domain in property > Property Settings > default URL, change it to the HTTPS:// version.
For View, select your domain in View > View Settings > Website’s URL, change it to the HTTPS:// version.
10. Update Google Search Console (Webmasters)
In the existing Google Search Console, there is no way to define a 301 for an existing profile, so you need to create a NEW profile for the HTTPS version; you can verify it via Google Analytics. You also need to submit the sitemap from the HTTPS version.
If you are using Bing Webmaster Tools, just submit your newly created HTTPS sitemap. That's it.
11. Social Media Updates
Similarly, you might want to update your YouTube channel, Google+ page, Facebook page, Twitter, Pinterest and other social media links to point to the HTTPS version of your website.
If you are using a comment plugin such as Disqus, you will need to migrate your Disqus comments over from HTTP to HTTPS.
Conclusion
In this guide, you have seen how to migrate a WordPress website from HTTP to HTTPS properly, how to update the existing content and configuration accordingly, and a checklist of the major things to update. Apart from safety and security, it lets you benefit from increased speed and better SEO. As HTTPS is the future of the web, this is a great investment. Feel free to share any other HTTP to HTTPS migration tips in the comment section.
Enjoy HTTPS with WordPress!!