If you haven’t migrated WordPress from HTTP to HTTPS, you need to hurry. Google uses it as a search ranking factor and browsers now warn users if a website is insecure.

If you’re still using HTTP, your website is regarded as insecure.

That will have a significant impact on traffic and on trust.

Securing your WordPress website with an SSL certificate and switching to HTTPS is as easy as it is essential. It is also very straightforward when broken down into bite size pieces.

That’s what this article is all about.

We are going to walk you through the entire process of installing an SSL certificate and switching from insecure HTTP to the more secure, and now default, HTTPS.

Understanding HTTP, HTTPS and SSL

First, let’s set the scene by covering exactly what HTTP, HTTPS and SSL are and what they do.

HTTP

HTTP stands for Hypertext Transfer Protocol. It’s a network protocol used on the web to enable a browser to ‘fetch’ files from a server. All messaging happens behind the scenes and you see nothing except a small delay while the HTTP messages are happening.

When you click on a web page link or URL in your browser:

  1. The browser requests the file from the web server hosting that page.
  2. The server responds to that request and sends the web page to your browser.
  3. The browser displays the page on screen for you to read.

Every time you change the page, click a link or interact with a web page, this process is repeated.

When using HTTP, all messaging is sent in the clear, i.e. with no encryption. If somebody was watching your network and sniffing your data, they would be able to see exactly what you were doing while online.

HTTP connections also assume trust. The browser connects to the web server and assumes it’s the right server and the right website. It fetches the requested file and downloads it to your browser without checking if it is real or legitimate.

This has obvious security implications!

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure. It uses the same principles as HTTP with the messaging and fetching but with one key difference. All traffic between your browser and the web server is encrypted.

HTTPS also verifies that the server it is connected to is legitimate and definitely belongs to the service you think you’re connected to.

To achieve this level of security, we use SSL.

SSL

SSL stands for Secure Sockets Layer. It is technically known as SSL/TLS (Secure Sockets Layer/Transport Layer Security) but everyone calls it SSL.

SSL is an internet security protocol that uses encryption to protect traffic flowing between your browser and a web server. In the context of the web and WordPress, SSL security is provided by a certificate known as an SSL certificate.

A website domain requires an SSL certificate to be able to use SSL. It’s part of the authentication process to keep the system secure.

A website owner has to apply to an independent third-party certificate authority to be granted an SSL certificate. It is granted on the domain, the www. name of the website.

The owners have to prove they own the website and that the details they provide are correct. The certificate authority checks these details and grants an SSL certificate only when they are satisfied everything is in order.

This provides a level of assurance that the owner of an SSL certificate for a domain owns that domain. This overcomes one of the weaknesses of HTTP, that of blindly trusting that your browser is connected to a legitimate web server.

Once installed in WordPress, an SSL certificate enables any compatible browser to request an encrypted connection. This overcomes the main weakness of HTTP, that of sending all traffic in the clear.

How SSL and HTTPS Work

HTTPS works by using an initial handshake and two vital steps, the certificate exchange and key exchange.

The certificate exchange is where the website sends a copy of the SSL certificate to the browser to prove it’s real and who it says it is.

The key exchange happens in both directions. The web server sends a copy of its public key to the browser and the browser sends a copy of its own public key to the web server.

These keys are what unlocks the encrypted package sent between the web server and browser so the browser can understand and display the file, the web page, it requested.

The process looks a little something like this:

  1. Your browser sends a hello (ClientHello) message to the web server. This is also known as a handshake.
  2. The browser tells the server what types of security it can handle.
  3. The server responds with a ServerHello message telling the browser what type of encryption it will use.
  4. The server then sends a copy of the SSL certificate to prove it is who it says it is.
  5. It also sends the public key so the browser can decrypt all traffic sent by the server.
  6. The browser checks the SSL certificate and responds with a copy of its own public key so the server can decrypt future requests from that browser.
  7. The server switches to encryption and checks if the browser understood the message.
  8. The browser responds telling the server it was able to decrypt the message and the browsing session continues.

That whole process usually takes just a second or two. It only has to happen once per session but has to be repeated every time you visit a new website or every time you open your browser to visit any website.

It takes a lot longer to explain how HTTPS using SSL works than it does for it to actually work!

Why You Need HTTPS on Your Website

WordPress HTTPS is now the default expectation of all web users. We expect to see the padlock in our browser telling us the website is secure.

There are three main reasons you should be using WordPress HTTPS:

  • Trust
  • Security
  • SEO

Let’s take a quick look at each.

Trust

Trust is essential online. You don’t need us to tell you that you are responsible for your own security but you also need to be able to trust the site you’re on.

Securing the connection between your browser and a website helps build that trust.

Browsers alert users if a website isn’t secure and does not use HTTPS. While they don’t say ‘Do not proceed as there be dragons ahead’, they may as well. It’s a well chosen warning, but it’s a warning nonetheless.

Put yourself in your visitor’s shoes. If you landed on a website that warned you it wasn’t secure, would you trust it?

Security

As a website administrator or owner, you have a responsibility to all your visitors. Not only to give them a superior user experience but also to protect them while they are with you.

That means ensuring their data is not put at risk, that nobody can listen to their traffic or hack them in any way while visiting your site.

If you run an online store or sell items, using HTTPS is mandatory to protect credit card details and personal information. If you allow user registration, you should also use HTTPS to protect user accounts.

SEO

SEO is a secondary consideration compared to trust and security but it’s still important.

Google said back in 2014 that it would be using HTTPS as a ranking factor. If websites don’t use HTTPS, they won’t rank as highly as those that do. Google then implemented those changes back in 2018 and began the process of elevating secure websites.

If you’re spending money on SEO or SEO plugins and don’t use HTTPS, you’re flushing money down the drain!

Prerequisites for Switching WordPress From HTTP to HTTPS

It’s simple to switch WordPress from HTTP to HTTPS. It has been around a while now and most web hosts support SSL and HTTPS.

You will just need a web host that supports SSL, preferably one that offers SSL certificates for free as part of your hosting package.

Most of the web hosts we recommend include SSL as part of their hosting packages.

How to Move WordPress Site From HTTP to HTTPS

You have two main options to move WordPress from HTTP to HTTPS. You can use a plugin or perform the changes manually.

Let’s take a look at each option.

Each option requires you or your web host to have installed the SSL certificate. As each web host handles that differently, we cannot cover all of them here. Check your web host for instructions on installing your WordPress SSL certificate.

Once your WordPress SSL certificate is installed, proceed with one of these methods.

Move WordPress Site From HTTP to HTTPS Using a Plugin

If you’re a WordPress beginner or don’t want the hassle of manually switching to WordPress HTTPS, using a plugin is probably the easiest.

  1. Log into your WordPress website
  2. Select Plugins and Add New from the left menu of your WordPress dashboard
  3. Type ‘ssl’ into the search box at the top right
  4. Select the Really Simple SSL plugin and select Install Now
  5. Select Activate once the option becomes available
  6. Select Settings and SSL from the left menu of your WordPress dashboard
  7. Check the plugin has found your SSL certificate

You should see a page that says 100% progress with a green button by SSL. This tells you the plugin has found and verified your SSL certificate and can use HTTPS.

Move WordPress Site From HTTP to HTTPS Manually

Setting up WordPress to use HTTPS manually takes a little longer but gives you full control over your website. It also means you’re not dependent on a plugin.

You will need access to the WordPress .htaccess file to perform the manual switch. Make sure you have this before you begin by logging into your web host’s file manager and navigating to root.

  1. Select .htaccess and select edit. If you can edit the file, you can proceed.
  2. Follow each step carefully to correctly set up WordPress HTTPS.
  3. Log into your WordPress website
  4. Select Settings and General from the left menu of your WordPress dashboard
  5. Add the ‘s’ next to http by WordPress Address (URL) and Site Address (URL)
  6. Save your changes
  7. Open your .htaccess file in the root folder of your host
  8. Add the following code to the file before the closing ‘# End WordPress’ and save it
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Now log back into WordPress remembering to add the ‘s’ to HTTPS. If you did it correctly, you should be able to login and use your website securely.

Whatever method you use to switch to WordPress HTTPS, there are a couple of things you need to do.

  • Update your sitemap – If you use Yoast or another SEO plugin, make sure it generates an updated sitemap that reflects your switch to WordPress HTTPS.
  • Change the link in Google Analytics or other tools – If you use monitoring or analytics tools, you’ll need to update those to reflect the changes.

How to Force WordPress to Use HTTPS

If you used one of the WordPress HTTPS methods above, there should be no reason to force it. However, you can if you want to.

You will need access to your wp-config.php file to do this. If you have access to your .htaccess file, you should also be able to access wp-config.php in your main WordPress file.

  1. Open wp-config.php in your favourite text editor
  2. Add define('FORCE_SSL_ADMIN', true); at the end of the file and save

Use plain straight quotes around FORCE_SSL_ADMIN, exactly as shown. Curly quotes copied from a web page will not work.

How to Check if SSL Is Working Properly on Your Website

The easiest way to check if SSL is working properly is to visit your website. All browsers will now alert you if you’re trying to visit an insecure HTTP site.

If SSL is working, your website should appear in your browser. It should also have the padlock by the URL.

If SSL is not working, you should see a warning in your browser about trying to visit an insecure website.

Alternatively, you can check your website with DigiCert, one of the main certificate authorities. Add your URL into the box and select Check Server.

GoDaddy has a similar SSL checker.

Common WordPress HTTPS Errors and How to Fix Them

The process of securing WordPress with HTTPS is quite straightforward but it isn’t without its challenges. You may come across errors when trying to switch to WordPress SSL.

Hopefully, one of the solutions below can help:

“Your Connection Is Not Private” Error

The “Your Connection is Not Private” error means the SSL certificate cannot be read properly by your browser. This is predominantly a local browser or device issue rather than a server one.

There are a few solutions to this. Try each of these in turn to see what happens.

  • Reload the page
  • Try a different browser
  • Try Incognito or Private browsing
  • Clear the browser cache and cookies
  • Ensure your computer clock is accurate
  • Clear the SSL state on your computer (Windows)

To clear the SSL state in Windows, do this:

  1. Right click the Windows Start button and select Network Connections
  2. Select Network and Sharing Center from the centre pane
  3. Select Internet Options in the bottom left of the new window
  4. Select the Content tab in the new window
  5. Select Clear SSL state and select Apply

SSL Padlock Not Appearing

If you have installed an SSL certificate and have tested it but the padlock still doesn’t appear, you have insecure links (HTTP, not HTTPS) on the page.

A browser queries all links on a page before it considers it secure. Only once every link has been validated will the browser display the padlock. If you have any insecure links on the page, you won’t see the padlock.

To fix this, simply check all links on the page and verify each uses HTTPS. Change the ones that don’t and retest.
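One way to find the insecure references on a page, as an added example that is not part of the original article: it parses a page's HTML and lists every http:// URL, separating resources the page loads itself (images, scripts, stylesheets, iframes, form actions) from plain links that are only followed on click. The sample page and its example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
LOADING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("source", "src"),
    ("audio", "src"), ("video", "src"), ("embed", "src"), ("object", "data"),
    ("link", "href"), ("form", "action"),
}


class InsecureRefFinder(HTMLParser):
    """Collect http:// references, split into loaded resources and plain links."""

    def __init__(self):
        super().__init__()
        self.loaded = []      # (line, tag, attr, url) fetched by the page itself
        self.navigation = []  # (line, tag, attr, url) only followed on click

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            if not value:
                continue
            if name == "srcset":
                # srcset holds comma-separated "URL descriptor" candidates.
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if not url.lower().startswith("http://"):
                    continue
                if (tag, name) in LOADING_ATTRS or name == "srcset":
                    self.loaded.append((line, tag, name, url))
                elif name == "href":
                    self.navigation.append((line, tag, name, url))


def find_insecure_refs(html):
    """Return (loaded, navigation) lists of insecure references in html."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.loaded, finder.navigation


# Constructed sample page, not taken from a real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" srcset="http://example.com/wp-content/uploads/logo-2x.png 2x">
<a href="http://example.org/partner">Partner site</a>
<a href="https://example.com/contact/">Contact</a>
</body></html>"""

if __name__ == "__main__":
    loaded, navigation = find_insecure_refs(SAMPLE_PAGE)
    for line, tag, attr, url in loaded:
        print(f"line {line}: <{tag} {attr}> loads {url}")
    for line, tag, attr, url in navigation:
        print(f"line {line}: <{tag} {attr}> links to {url}")
```

Save the page source from your browser and pass its contents to find_insecure_refs to get the line numbers of the references to change.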

“Not Secure” Warning on WordPress Login and Admin Pages

If you see ‘Not Secure’ when logging into WordPress, it just means that page isn’t being validated by the SSL certificate.

To address this, refer to the ‘How to Force WordPress to Use HTTPS’ section above. Once you force WordPress HTTPS, the error should disappear.

Redirection Loops

If you see “ERR_TOO_MANY_REDIRECTS” in your browser, it means one or more redirects on your page point somewhere that, in turn, points somewhere else.

Redirects are common on the web and usually work fine. It’s a mechanism for telling a browser that the asset they are looking for can be found at a different location.

However, if the browser goes to that different location and finds another redirect telling it to look somewhere else, it shows the “ERR_TOO_MANY_REDIRECTS” error.

First check your browser, just in case.

Clear your browser cache and cookies and retry the link.

If it works, it was a browser error and not a WordPress error. No need to do anything else.

If the error still appears, try one or more of the following:

Clear your WordPress cache – If you use a caching tool such as WP Cache or WP Rocket, clear the cache and retest. Cache corruption could be causing the redirect.

Check your links – Use a service such as Serpworx to check for redirects. Identify redirects and check each of them. Change them as necessary.

Temporarily disable SEO plugins – Some SEO plugins redirect links as part of their features. Disable your SEO plugin, clear your WordPress and browser cache and try again. If you don’t see the error, troubleshoot the plugin. If you do, try another step.

Recheck HTTP to HTTPS – If you followed the steps in this guide and are seeing the error, revisit every step you took to make sure you got it exactly right. Any errors in SSL configuration can cause redirect errors.

Switch from plugin HTTPS to manual – If you checked everything and it all looks good and you used the plugin for WordPress HTTPS, consider doing it manually. Some plugins can throw random errors and this is one of them.
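To check both the 301 redirect from the manual .htaccess method and the redirect loops described in this section, the following added example (not code from the original article) follows redirects one hop at a time and reports whether the chain ends on HTTPS or loops back on itself. The function names, the verdict strings and the example.com redirect tables are assumptions made for illustration; the tables are constructed so the code runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch_location(url):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=fetch_location, max_hops=10):
    """Follow redirects hop by hop; return (verdict, [(url, status), ...])."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:
            # Back at a URL already visited: the browser would give up here.
            hops.append((url, None))
            return "loop", hops
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            verdict = "https" if url.startswith("https://") else "insecure"
            return verdict, hops
        url = urljoin(url, location)  # Location may be relative
    return "too-many-hops", hops


def from_table(table):
    """Build an offline fetch function from a {url: (status, location)} table."""
    return lambda url: table.get(url, (200, None))


# Constructed redirect tables, not captured from a real site.
GOOD = {"http://example.com/": (301, "https://example.com/"),
        "https://example.com/": (200, None)}
LOOP = {"http://example.com/": (301, "https://example.com/"),
        "https://example.com/": (301, "http://example.com/")}

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("loop", LOOP)):
        verdict, hops = trace_redirects("http://example.com/", from_table(table))
        print(name, verdict, hops)
```

Called with only a URL, trace_redirects uses fetch_location and queries the live site, so it can be run against your own http:// address after the switch.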

How to Update Your HTTPS Website on Web Services

We mentioned updating Google Analytics or other monitoring tools earlier but let’s cover them briefly again.

Google Analytics

Changing from HTTP to HTTPS is very straightforward in Google Analytics.

  1. Select Admin at the bottom left
  2. Select Property Settings
  3. Select the website under Property at the top left of the center pane (Under the blue Create Property button)
  4. Set the default URL in the center pane to reflect HTTPS
  5. Select the blue Save button at the bottom of the page

Google Search Console

You will need to change from HTTP to HTTPS in Google Search Console to continue monitoring your website.

Google Search Console doesn’t have a ‘switch to HTTPS’ option. You will have to add your website as a new property and perform verification if prompted. It’s a simple process that takes a couple of seconds.

  1. Select your website at the top left and select Add Property
  2. Add the HTTPS version of your website and complete the steps

Bing Webmaster Tools

If you use Bing Webmaster Tools, your job is easier. As long as you perform the WordPress HTTPS steps in this article and check they work, Bing will automatically detect the change and update the settings to reflect it.

Social Media Platforms

Don’t forget to update the full URL in your social media accounts. Change to HTTPS on every social network you use and link back to your site.

You will need to log into each individually and edit any mentions of your website from the main settings area.

Frequently Asked Questions on WordPress SSL/HTTPS

We have tried to answer the most common questions around WordPress SSL and using HTTPS but in case you still have them, here are a few more quickfire questions and answers.

Will Moving to HTTPS Affect Search Engine Rankings?

Moving to HTTPS will affect search engine rankings but in a good way. Google and likely other search engines use HTTPS and SSL as positive markers. Websites that use SSL are viewed as more trustworthy and therefore, more worthy of promotion than websites without.

That has a positive impact on your SEO.

Why Does WordPress Site Show “Not Secure”?

Your WordPress site shows ‘Not Secure’ because it either doesn’t have an SSL certificate or there is something wrong with it. You will need to troubleshoot with your web host to fix this issue. Most web hosts will have an SSL section within cPanel or their admin area where you can check the status of your SSL certificate. That’s a good place to start.

Why is there no Padlock Sign on the SSL Website?

There is no padlock sign on the SSL website because the page you’re on has insecure links. That means one or more links on the page use HTTP and not HTTPS. If it’s your site, check all links on the page and change them to HTTPS. If it’s not your site, either notify the website administrator or try a different page.

Moving WordPress to HTTPS

If you’re only just now moving WordPress to HTTPS, you’re a little late to the party. Let’s call it fashionably late and make our entrance into the world of secure browsing.

While HTTP, HTTPS and SSL may all seem complicated, as we have shown, the process is actually quite straightforward if you break it down into bite size pieces. Hopefully, that’s what we have done here.

Do you have any advice for switching to WordPress HTTPS? Can you recommend a web host that offers free WordPress SSL?

The post How to Secure WordPress by Moving From HTTP to HTTPS appeared first on Astra.