How to properly switch a WordPress site from HTTP to HTTPS

As 2020 approaches, it’s high time to install an SSL certificate and migrate your WordPress site from HTTP to HTTPS, if you haven’t already done so. This topic has gained importance in recent years, primarily thanks to the efforts of Google, which introduced changes in phases to inform users that visiting certain sites is not completely safe, all with the aim of motivating site owners to improve their security by moving to the HTTPS protocol.

What is an SSL certificate?

SSL is an acronym for Secure Sockets Layer and is a security technology that enables encryption of communication between two points, in this case between a Web server and visitors. SSL is a technology that has been around for a very long time and is used by millions of online businesses and individual users to reduce the risk of data theft and leakage of sensitive information.

What is HTTPS?

HTTPS or Secure HTTP is an extension of the standard HTTP protocol used for secure communication in a network between two points, specifically between a user and a server. Every day we share our personal information on different websites, either through registration or online shopping. For the data to be protected, it is necessary to have secure communication between the user and the server. Now you must be wondering – why is it important for me to migrate a WordPress site from HTTP to HTTPS when it comes to a personal blog or the site of a small company whose goal is not online sales?

Why do you need SSL and HTTPS anyway?

A little more than three years ago, Google announced its plan to create a safer Internet by encouraging, one might say forcing, all website owners to switch from HTTP to HTTPS. Changes in this direction were introduced in stages, so since July 2018 the Google Chrome browser has marked all websites without an SSL certificate as Not Secure. This warning can leave visitors and end users with a bad impression of the business, not to mention online stores, where the availability and security of online payment is extremely important for the business’s success.

HTTPS + WordPress

The conditions that a WordPress site needs to meet to switch to the HTTPS protocol are not complicated. All you need to do is purchase an SSL certificate, and you may already have one for free if your hosting company offers a free certificate with your annual hosting lease.

WordPress setup

The first step is to activate the SSL certificate on the domain. After activating the SSL certificate on your domain, you need to configure WordPress to use the HTTPS protocol on your website. We will show you how you can do it in two ways, and you can choose which one suits you better.

Migrating to HTTPS using a WordPress plugin

This is an easier way that we recommend to all beginners. The first thing you need to do is install and activate the Really Simple SSL plugin. After activating the plugin, click on Settings > SSL. The plugin will automatically scan and find the SSL certificate, and then configure the WordPress site to use HTTPS. The plugin will take care of everything for you, which means it will:

  • Perform an SSL certificate check,
  • Set WordPress to use HTTPS in URLs,
  • Set redirects from HTTP to HTTPS,
  • Find all links that still load over HTTP and try to fix the error.

NOTE: Although the description of the plugin states that you can keep the SSL certificate and freely deactivate the plugin, this is not 100% correct. You will need to leave the plugin active; otherwise, all mixed content errors will return once it is deactivated.

Manual migration to HTTPS

This method requires you to manually fix any issues (if they occur) and change files in the WordPress directory. It is, however, a better solution than the first method. If it is too complicated for you, we recommend that you entrust this work to a developer or another person who is better versed in the subject matter. Manual setup requires you to modify some files within the WordPress theme and code. The first thing you need to do is change the WordPress Address (URL) and Site Address (URL) fields in Settings > General, replacing http with https.

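To redirect HTTP to HTTPS on Apache, add the following to the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

On Nginx, add the following server block to the configuration:

server {
    listen 80;
    server_name test.com www.test.com;
    return 301 https://test.com$request_uri;
}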

Do not forget to replace test.com with your domain name. With this setting, you will avoid the "HTTPS not working" error in WordPress, because the entire website will be loaded via the HTTPS protocol. Also, if you want to force HTTPS within the WordPress admin, you need to edit the wp-config.php file. Note that this step is unnecessary in most cases. Simply add the following line of code above the "That's all, stop editing!" line:
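The line itself did not survive on this page. WordPress's constant for forcing HTTPS on the login and admin screens is FORCE_SSL_ADMIN; the wp-config.php fragment below is an added example, not the original article's code. The reverse-proxy handling and the proxy address 127.0.0.1 are assumptions for sites where TLS terminates in front of the web server.

```php
<?php
// wp-config.php fragment (added example). Place it above the
// "That's all, stop editing!" comment.

// Serve wp-login.php and /wp-admin/ over HTTPS only.
define('FORCE_SSL_ADMIN', true);

// Assumption: TLS terminates on a reverse proxy that sets X-Forwarded-Proto.
// Without this block WordPress sees plain HTTP from the proxy and
// FORCE_SSL_ADMIN ends in a redirect loop.
$trusted_proxies = ['127.0.0.1'];   // hypothetical: list your own proxy addresses

$from_proxy = in_array($_SERVER['REMOTE_ADDR'] ?? '', $trusted_proxies, true);
$proto      = $_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '';

// Honour the header only when the request comes from the trusted proxy,
// because any client can send X-Forwarded-Proto itself.
if ($from_proxy && stripos($proto, 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
```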

After all the steps, the site will correctly load SSL and display HTTPS, but it is possible that you will encounter mixed content errors. These errors appear mainly because images, scripts, or CSS files are still loaded using the HTTP protocol in their URL. As a result, search engines will mark the page as unsafe, and it is very possible that they will block the loading of content coming from HTTP, disrupting the site’s functioning.

You can check all possible errors with the help of the Inspect Tool (right-click – Inspect). Content errors will be displayed in the console as a warning, and you will be able to see details about each individual error. You’ll notice that many URLs represent photos, photo galleries, scripts, and CSS files used by WordPress plugins and themes.
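The same check can be run over a page's HTML outside the browser. The script below is an added example, not part of the original article; the function name find_mixed_content and the sample markup are constructed for illustration. It reports only resources the browser fetches (images, scripts, stylesheets, frames, media), not ordinary links.

```php
<?php
// Tag => attribute pairs that make the browser fetch a subresource.
// <a href> is a navigation link, not a subresource, so it is not mixed content.
const SUBRESOURCE_ATTRS = [
    'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'source' => 'src',
    'video' => 'src', 'audio' => 'src', 'link' => 'href',
];

function find_mixed_content(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate HTML5 tags libxml does not know
    $doc->loadHTML($html);
    libxml_clear_errors();

    $found = [];
    foreach (SUBRESOURCE_ATTRS as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // Of the <link> types, only stylesheets are checked here;
            // rel="canonical" and similar are not fetched as page content.
            if ($tag === 'link' && stripos($node->getAttribute('rel'), 'stylesheet') === false) {
                continue;
            }
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag $attr> $url";
            }
        }
    }
    return $found;
}

// Constructed page fragment: two insecure subresources, one secure script,
// one plain HTTP link that must not be reported.
$html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://test.com/wp-content/themes/demo/style.css">
<script src="https://test.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<img src="http://test.com/wp-content/uploads/photo.jpg">
<a href="http://test.com/about/">About</a>
</body></html>
HTML;

foreach (find_mixed_content($html) as $hit) {
    echo $hit, PHP_EOL;
}
```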

Fixing mixed content errors in the WordPress database

The steps described above only apply to the WordPress configuration and do not change the database, meaning you have to do that yourself. However, if you have hundreds of pages and articles, this can take a large amount of time. There are two ways to solve this problem:

  • By setting the CSP policy at the web server level
  • Changes in the database

How to set up a CSP policy?

If you are using an Apache or .htaccess compatible web server, add the following code:

<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

CSP policies control the behavior of the user’s browser. This policy tells the browser to automatically translate all HTTP requests to HTTPS, which solves the problem of mixed content. You can find more information about the CSP policy here.

Changes in the database

If for any reason you are not able to set up the CSP policy, or it does not work, you need to make changes in the database, specifically in several tables, namely:

  • wp_posts and wp_postmeta
  • wp_options

wp_posts and wp_postmeta contain all information about pages and articles, including all their content. This content, in addition to text, also contains links to images and videos. Assuming that your domain is test.com, you need to perform the following queries:

UPDATE `wp_posts` SET `post_content` = replace(post_content, 'http://test.com', 'https://test.com');
UPDATE `wp_postmeta` SET `meta_value` = replace(meta_value, 'http://test.com', 'https://test.com');

These queries simply replace every occurrence of http://test.com with https://test.com in the content of your articles and pages. If your tables do not start with the wp_ prefix, you need to modify the queries above. For wp_options, a MySQL query like the ones above will not work because of the serialization of the data within this table. Therefore, the best solution is to temporarily install and use the Better Search and Replace plugin, which can do the job for you.
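Why a plain replace() fails on serialized values, and what a serialization-aware replacement has to do instead, is shown in the added example below. It is not the article's code and not the code of the Better Search and Replace plugin; the option value and the function names are constructed for illustration.

```php
<?php
// Constructed sample: an option value in the form WordPress stores in wp_options.
$stored = serialize([
    'logo'  => 'http://test.com/wp-content/uploads/logo.png',
    'links' => ['home' => 'http://test.com/', 'docs' => 'https://example.org/'],
    'width' => 300,
]);

// What a SQL replace() does: edits the bytes, leaves every s:N: length prefix as is.
function naive_replace(string $serialized, string $from, string $to): string
{
    return str_replace($from, $to, $serialized);
}

// Replace inside strings and nested arrays; other types pass through unchanged.
function replace_deep($value, string $from, string $to)
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = replace_deep($item, $from, $to);
        }
    }
    return $value;
}

// Decode, replace, re-encode, so serialize() recalculates the length prefixes.
function safe_replace(string $raw, string $from, string $to): string
{
    // allowed_classes => false: never instantiate objects from database content.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return str_replace($from, $to, $raw); // plain string, no prefix to break
    }
    return serialize(replace_deep($data, $from, $to));
}

$naive = naive_replace($stored, 'http://test.com', 'https://test.com');
$safe  = safe_replace($stored, 'http://test.com', 'https://test.com');

echo "naive copy still decodes: ";
var_dump(@unserialize($naive, ['allowed_classes' => false]) !== false);
echo "safe copy still decodes:  ";
var_dump(unserialize($safe, ['allowed_classes' => false]) !== false);
echo unserialize($safe, ['allowed_classes' => false])['logo'], PHP_EOL;
```

The naive copy no longer decodes because each rewritten URL is one byte longer than the length recorded in front of it, so WordPress would treat the option as corrupt.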

Add the site to Google Search Console

After all these steps, don’t forget about Google Search Console. Major search engines such as Google view HTTPS and HTTP as two different websites, so you need to inform Google that you have switched your website from HTTP to HTTPS. You do this by logging into your Google Search Console account and clicking on the Add a Property button. After that, a window will appear where you need to add the URL of the site that contains HTTPS. The next step is to verify ownership of the site. There are several ways to do this. Whichever you choose, you will receive instructions for ownership verification. Once you’re done verifying, Google Search Console will start generating reports. It is also necessary to ensure that both the HTTP and HTTPS versions of the site are entered into Google Search Console.