Moving WordPress to SSL / HTTPS

Migrating WordPress to HTTPS

You may have noticed that the KSS Media Ltd website now shows the green SSL secure site padlock in the address bar, this is because we decided to move our WordPress site to SSL / HTTPS following Google’s announcement last month that they have decided to give a small ranking boost to sites that are SSL secured and want to eventually see “SSL everywhere” on the world wide web.  You can read the announcement details here:- http://googlewebmastercentral.blogspot.co.uk/2014/08/https-as-ranking-signal.html

Although SSL currently only accounts for 1% of the Google ranking algorithm, Google have made it clear that this is important to them and will become a stronger ranking signal as time goes on. So with this is mind and a couple of our clients asking about the implications, we thought it a good opportunity to test the process of migrating an entire WordPress site to SSL / HTTPS and monitor whether any website performance or Google ranking issues occur as a result of the change in the URL structure and the extra load on the hosting server that SSL encryption inevitably adds.

What is SSL Encryption? How Does It Work?

SSL (Secure Socket Layer) is a protocol that provides a secure channel between two machines operating over the Internet or an internal network and can be used when a web browser needs to securely connect to a web server over the insecure Internet.  It achieves this by encrypting all traffic sent between the browser and website so that no data is sent in “plain text” over the internet.

How Do I Migrate a Wordpress Website to SSL / HTTPS?

There are many guides detailing the move to HTTPS, some quite technical and going into details of server config and such. Some are very simple advising to use the WordPress HTTPS plugin, however this plugin is not updated regularly and I have heard a few stories of it breaking sites. The process I use is different to most other guides and I have tried to keep it simple and not use any plugin.  I have found this method works fine for most hosting configurations:-

  1. Order your SSL certificate from a trusted supplier and install on your web hosting server or ask your hosting company to do this for you. Test the SSL certificate is installed properly by visiting your site using https:// instead of http://
  2. IMPORTANT: Take a full backup of all website files and the WordPress database in case anything goes wrong.
  3. Login to your WordPress site and go to Settings > General.  Change the WordPress address URL and site address URL to https instead of http.
  4. After the above step your site may be inaccessible due to a redirect loop, don’t panic and quickly follow the next steps.
  5. Put this at the beginning of your .htaccess file in the WordPress root directory replacing yourdomain.com with your websites domain:-
    RewriteEngine On
     RewriteCond %{HTTP:X-Forwarded-Proto} !https
     RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

    …and this at the top of wp-config.php file under the opening <php tag :-

    if($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
     { $_SERVER['HTTPS'] = 'on';
     $_SERVER['SERVER_PORT'] = 443; }
  6. You now need to change the URLs of any media files that you have embedded in pages and posts from http to https. This can be done manually in WordPress admin(edit the post/page and go-to Text editing mode and change the URLs) or via this search and replace script from Interconnect IT that will replace all entries in your database for you, be careful with this tool, if you don’t know what you are doing it can destroy your install.
  7. That’s it, if you now access your site over https:// you should see the green padlock next to your address in the address bar. If it is yellow then you have not changed the URLs of some of the images on the page to https://  use this tool to help you identify where the insecure items are:- www.whynopadlock.com/

Google Webmaster Tools & Analytics Changes

In Google Analytics you need to change the default URL in Property Settings to https.  In Google Webmaster tools you will need to remove and re-add your site with the https address as Google seems to have no way to change to https at the moment.

Lost Social Media Share Counts

Unfortunately, one side-effect of moving your URL to HTTPS is that your social media share counters will be reset, in some cases this recovers but rarely returns back to the original number. There is no way to stop this happening as far as we are aware.

Performance Considerations

SSL unfortunately adds extra burden on your web hosting server and so can slow down your site loading times. This can be combated by use of a good caching plugin (we use W3 Total Cache) in combination with a good content delivery network that supports SSL and SDPY such as  Max CDN.

Further Reading

For some other tutorials for SSL migration that go into NGINX server configurations or how to install SSL certificates on your own server, check out the following resources:-

https://yoast.com/move-website-https-ssl/

http://designmodo.com/wordpress-https/

 

Leave a Comment