OK I have https on my WordPress sites. Yup, in my last post (My sites don’t have HTTP. So What?), I said I didn’t have, and maybe didn’t need, and so wouldn’t implement HTTPS.
However since then, I have found out that my website host (HostGator) has automatically provided and enabled SSL certificates for my websites.
(I recently moved from hosting with SiteGround to HostGator. SiteGround also provides free SSL certificates – their hosting charges were just getting too expensive. And I had never done anything nor taken notice of the HTTPS issue when I was hosting with them. Yes, my bad.)
I tested this by entering the https:// protocol before the URL of one of my sites in the address bar of the browser.
Previously I had been most concerned that the move to HTTPS would result in all kinds of problems with scary things like broken links, mixed content errors, websites not displaying properly, no images, etc.
But when I tested the https:// URL in the web browser and checked my sites, they pretty much all looked ok (except for one, but more on that later) via the https:// URLs. So right there, my biggest worry about the move to HTTPS on WordPress seemed to be taken care of.
Now the question was what else I needed to do so that the https:// URLs are enforced and made the default; and how it might impact Google Analytics, AdSense, site maps, etc.
PRELIMINARY OBSERVATIONS
FYI:
- I am on a self-hosted WordPress platform
- HostGator had already automatically enabled SSL certificates for my sites when I recently migrated to them
- I use Genesis themes
- my default browser is Chrome
I know that there are a number of things I still need to do even though I now have active SSL certificates. The following are only what I can currently observe before further changes:
- When I enter https:// with domain name in the browser’s address bar, it works
- All internal links to other posts/articles also automatically link to https posts/pages
- However if I enter just my domain names (with and without www) without entering the https:// prefix,… it automatically uses the HTTP url. ε(´סּ︵סּ`)з
Steps I Took to Fully Enforce HTTPS on WordPress websites
Below are the steps I personally took to ensure HTTPS on WordPress is fully enforced and functional on my websites. However I do strongly suggest you refer to the links in the References at the end of the page.
SUMMARY OF STEPS
- backup your sites
- add https in WP admin to WP address & Site address
- 301 Redirect all visits to HTTPS pages
- Update Site Environments (next post)
1. BACKUPS
Via cPanel, I downloaded backups including Full, Home Directory, and all the MySQL Database backups.
2. ADD HTTPS IN WORDPRESS ADMIN
Change from http to https in your WordPress Address, and Site Address
Note: After this, WP will log you out. Log in again.
Sidenote:
The one website that I mentioned above that was not displaying correctly when I tested the https:// full url, corrected itself after this step! Yay!
3. AUTOMATICALLY DIRECT VISITORS TO SECURE VERSION OF WEBSITE
When the SSL certs are implemented, it looks like visitors can view my pages using either the HTTP or the HTTPS version.
THAT IS NOT A GOOD THING!
- bad for SEO (Search Engine Optimisation)
- might provoke mixed content error
- Google is not happy when the non-secure HTTP version is shown (penalty being lower organic ranking in search engines and “Not Secure” warning shown to your visitors)
We want all visits to be automatically directed to the secure (HTTPS) version, whether visitors enter http:// or no prefix at all, with or without www.
So how do we direct visitors automatically to the HTTPS version?
There are 2 ways to do this:
Method 1: using .htaccess file with 301 Redirects
See either How to Move HTTP to HTTPS on WordPress or How to Properly Move WordPress from HTTP to HTTPS (Beginners Guide) for the code.
Tips:
- Do not duplicate RewriteEngine On
- Put the RewriteCond and RewriteRule immediately after the existing RewriteEngine On (at the top before any of the other code).
Image below shows what the top part of my .htaccess file looks like after the edit.
Method 2 (easier): use the Domains Redirect function in cPanel.
See either Setting up a 3011 Domain Redirect in cPanel or How to force your visitors to use your Shared SSL Certificate for instructions.
Sidenote: I tried this “easier” method but that resulted in “Page cannot be displayed. Too many redirects error”.
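A way to check the result of either method, as an added example that is not from this post or its references: the Python below walks the redirect chain for each URL variant and reports whether it ends on HTTPS via a 301, is still served over HTTP, or loops (the "too many redirects" case). The site example.com, the response tables and all function and verdict names are assumptions made for the example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed cap on redirect hops before giving up
def http_fetch(url):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("HEAD", parts.path or "/")
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result

def check_redirects(start_url, fetch=http_fetch):
    """Walk the redirect chain; return (verdict, [(url, status), ...])."""
    chain, seen, url = [], set(), start_url
    while len(chain) < MAX_HOPS:
        if url in seen:
            return "loop", chain  # a browser shows "too many redirects"
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            if status != 301 and urlsplit(url).scheme == "http":
                return "temporary-redirect", chain  # HTTP->HTTPS hop is not a 301
            url = urljoin(url, location)
        elif status == 200:
            return ("ok" if urlsplit(url).scheme == "https" else "served-over-http"), chain
        else:
            return "error", chain
    return "too-many-hops", chain

# Constructed responses for a hypothetical site (example.com), not real data.
GOOD = {
    "http://example.com/": (301, "https://example.com/"),
    "http://www.example.com/": (301, "https://example.com/"),
    "https://www.example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
}
LOOP = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "http://example.com/"),
}

def audit(table):
    return {u: check_redirects(u, table.__getitem__)[0] for u in table}
```

Against a live site, call check_redirects(url) for each of the four variants (http and https, with and without www); every one should come back "ok".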
What Next? Updating Google, Social, and related Tools
Congrats! We have come a long way – or I feel I have come a long way anyway!!! So what next?
According to this very useful and recommended article: How to Move HTTP to HTTPS on WordPress, we next need to “update your site environment”. I will write about this in my next post. This post is already too long. I don’t like reading nor writing posts that are too long. My head feels as if it could either cry or explode or both. So see you in the next post My WordPress has HTTPS, Now What? [Part 2].
References:
- WebsiteSetup.org: How to Move HTTP to HTTPS on WordPress (Very Useful!!!)
- wpbeginner.com: How to Properly Move WordPress from HTTP to HTTPS (Beginners Guide) .
- wordpress.org/support : HTTPS for WordPress .
- support.google.com: HTTPS migration FAQs (Useful as this is from Google itself)
References (using cPanel’s Domain Redirect, without directly using .htaccess):
- inmotionhosting.com: Setting up a 3011 Domain Redirect in cPanel
- inmotionhosting.com/YouTube: How to Setup a Redirect in cPanel
- webhostinghub.com: How to force your visitors to use your Shared SSL Certificate