Intro
I have recently moved my 3 main websites from http to https and this post gives an overview of the process, including some info on why I made the move to https and also how I completed the move to https.
Why move a website from http to https?
- https provides a secure connection and communication between the user and the website.
- For SEO, as Google has previously announced https as a ranking signal and is encouraging everyone to use https where possible.
- Previously, cost may have been a barrier to moving to https, but now many web hosts offer free security certificates as part of their hosting packages. These make use of authorities such as Let’s Encrypt.
Resources, links, information to read before moving to https
Some of Google’s resources
Secure your site with https – https://support.google.com/webmasters/answer/6073543
Sites moves – https://support.google.com/webmasters/answer/34437
Site moves with URL changes – https://support.google.com/webmasters/answer/6033049
Other resources
http://searchengineland.com/http-https-seos-guide-securing-website-246940
https://www.keycdn.com/blog/http-to-https
https://www.link-assistant.com/news/https-case-study.html
WordPress specific resources
https://www.bram.us/2014/12/06/migrating-your-wordpress-website-from-http-to-https/
https://css-tricks.com/moving-to-https-on-wordpress/
Disclaimer/Warning
The information below is a general outline of what’s involved in moving a WordPress website from http to https – it’s not an exhaustive ‘steps to follow’ guide. This process worked for my websites when moving them from http to https; it worked for my specific setup, hosting etc. and may not work in the same way for other users. Problems during the process may lead to a website no longer working, not being accessible or having content issues. Therefore, I’d suggest seeking professional assistance when performing a move from http to https unless you’re a very experienced IT professional user (who doesn’t mind updating the database using SQL, changing website host settings, tinkering with .htaccess and wp-config.php files and the odd bit of website downtime, head-scratching and troubleshooting!).
Moving a WordPress website from http to https
Backup
Backup all website content before starting a process like this. You know it makes sense, Rodney!
Preparation
These are all steps I would recommend before starting the move process and are all useful to do, but not essential.
1. Do an SEO check to get current SEO results, for later comparison to see any effects.
2. Do a Page Speed check, also for later comparison to see any effects.
3. Add a tweet to say that you are moving from http to https.
4. Add a banner to the top of the site to say that you are moving from http to https.
Note: I recommend WordPress plugin WPFront Notification Bar.
5. Crawl the current website with a tool like Xenu (Windows) or Integrity (Mac) to check for any already existing errors, 404s etc. Save the results of this to a file or PDF in case needed for comparison later. Use the results to fix any already existing errors e.g. 404 errors etc.
6. Update WordPress and all WordPress plugins to the latest versions.
7. Pause any Google Adwords (or other ads) which are running, as during the move to https there may be site errors, display issues etc, which you don’t want to direct users into (especially when paying for it!)
Turning on https
Note: This step depends on your website host and how they let you do this.
For my website, I went to the host’s control panel and used an option there to turn on SSL, having read and agreed the terms and conditions. I then waited for the 90 minutes they stated it would take for the certificate to be issued and the site to start working in https. To check this, I tried various pages on my website with https to see if they were available.
I found that with each of my 3 websites, it took less than the 90 minutes for this to work.
Once certificate is issued and https is working across your website
At this point your WordPress website is at a mid-way point: the https URLs are available, but your WordPress content is not using them yet and still uses the http links.
Note: The steps below will result in your website using https throughout the site. I found that with my 3 different WordPress sites I ran into problems at different points in the process (WordPress admin not available, website not displaying at all, display issues with the content and so on) but once I had successfully completed all these steps, all 3 websites were then working in https.
- Update the WordPress Settings to use the https versions of the URLs for ‘WordPress Address (URL)’ and ‘Site Address (URL)’. This lets WordPress know that you want to use https from now on.
Note: I did have a problem here with two of my sites, where changing the URLs to https in the front end seemed to have worked when I saved the changes but didn’t actually work and took me to the login page. For these sites, I manually updated the wp-config.php file to set the WP_SITEURL and WP_HOME settings – see WordPress Codex for more info
- Force SSL for wp-admin – see WordPress Codex for more info
- Update the database to use the https versions of the URLs for images, links etc. This step is part of the process of fixing mixed content warnings, which appear when a https page has both https content and http content, which means you won’t be seeing the green padlock for that page until the mixed content is fixed.
There are various ways to do this, such as using search and replace plugins but I found using SQL queries to update the website’s database the most reliable and controllable method.
Here are some links on doing this:
https://www.bram.us/2014/12/06/migrating-your-wordpress-website-from-http-to-https/
https://css-tricks.com/moving-to-https-on-wordpress/
The SQL I used to do this was based on the following suggestion from the www.bram.us link above – replace yoursite.co.uk with your website domain. Again, proceed with caution!
    UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yoursite.co.uk', 'https://yoursite.co.uk');
    UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.yoursite.co.uk', 'https://www.yoursite.co.uk');
- Redirect all http requests to https using 301 redirects to preserve as much ‘link juice’/SEO ranking as possible.
To do this, add the following to the top of the .htaccess file in your WordPress directory:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
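To confirm the redirect behaves as intended, the following added example (not part of the original post or the linked guides) checks that a plain-http request is answered with a 301 to the same host, path and query over https. The function names and the sample responses are constructed for illustration; fetch_first_hop shows how a live response would be obtained.

```python
import http.client
from urllib.parse import urlsplit


def check_redirect(requested_url, status, location):
    """List how a response to a plain-http request departs from a clean 301 to https."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(requested_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"target is not https: {location}")
    if dst.hostname != src.hostname:
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved")
    return problems


def fetch_first_hop(url, timeout=10):
    """Send one HEAD request over http; http.client does not follow redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed (url, status, Location) samples; for a live check, build each tuple
# as (url, *fetch_first_hop(url)) instead.
SAMPLES = [
    ("http://yoursite.co.uk/about/?p=1", 301, "https://yoursite.co.uk/about/?p=1"),
    ("http://yoursite.co.uk/shop/", 302, "https://yoursite.co.uk/shop/"),
    ("http://yoursite.co.uk/blog/post/", 301, "https://yoursite.co.uk/"),
    ("http://yoursite.co.uk/old/", 200, None),
]


def audit(samples):
    return {url: check_redirect(url, status, loc) for url, status, loc in samples}

if __name__ == "__main__":
    for url, problems in audit(SAMPLES).items():
        print(url, "OK" if not problems else "; ".join(problems))
```

A changed host is reported for review rather than as an error in itself, since the rule shown keeps the requested host.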
Going off-piste
At this stage, for each of my 3 websites, I went a bit off-piste from what the various guides were suggesting for the steps to move to https and found the following steps of my own all helped the process. Some might not be necessary, but I think they all helped the process.
- Clear any cache plugins your website might be using (e.g. Comet Cache) and clear the cache in the web browser you want to test your site in. I recommend Firefox as it clearly shows the status of your content in the URL bar. (e.g. the green padlock when the whole page is secure content)
- Update the Permalinks in WordPress, using Settings/Permalinks. Make a change to your current settings, then save changes, then once saved, change it back to how it was, to force through a Permalinks update. More info on Permalinks.
- Again, clear any cache plugins and your browser cache.
- Check your website homepage, using the https version of the URL, to see how things are looking and get a general feel of how things have gone.
- At this stage, I would recommend getting the homepage working, using Firefox to verify this – you want to see the green padlock as mentioned above. I also recommend using the Developer Tools/Console to check for any mixed content messages, which you can work through one at a time to fix. Once the homepage is working, you’ll need to then work through any other main website pages, in the same way, until the green padlock is displayed.
- Depending on the WordPress theme and plugins that you use, you may have lots of places to check for any hard-coded http URLs which will need changing to https. An example of this is using a Cookie Consent plugin, where you hard-code the cookie info page url to show the user when they click More Info – this may need manually editing to use https instead of http.
- Check any existing Redirect plugins you may be using, and update the urls as necessary, to use https.
- You may need to check your website hosting control panel, to see if any DNS settings need updating, such as redirects using DNS.
- Also any add-on domains, which point to your site – such as a .uk version – will need to be checked to see if they need changing to point to the https url.
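As a complement to working through the browser console one message at a time, here is an added example (not from the original post) that scans a page's HTML for http:// subresources and hard-coded internal http links. It assumes the HTML has already been saved or fetched; the scanner names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose http:// URL makes an https page mixed content:
# "active" (scripts, frames, stylesheets) vs "passive" (images, media).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect http:// references in the HTML of a page served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []  # findings: (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            # Relative and protocol-relative URLs inherit https from the page.
            url = urljoin(self.page_url, (value or "").strip())
            if urlsplit(url).scheme != "http":
                continue
            same_site = urlsplit(url).hostname == urlsplit(self.page_url).hostname
            if (tag, name) in ACTIVE or (is_css and name == "href"):
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) == ("a", "href") and same_site:
                kind = "stale-link"  # not mixed content, but a hard-coded http URL
            else:
                continue
            self.findings.append((kind, tag, url))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample markup (not from a real site), using the placeholder domain.
SAMPLE_HTML = """<link rel="stylesheet" href="http://yoursite.co.uk/wp-content/themes/x/style.css">
<link rel="canonical" href="http://yoursite.co.uk/">
<img src="http://www.yoursite.co.uk/wp-content/uploads/photo.jpg" />
<a href="http://yoursite.co.uk/cookie-info/">More Info</a>"""

if __name__ == "__main__":
    print(*scan("https://yoursite.co.uk/", SAMPLE_HTML), sep="\n")
```

The scan covers HTML attributes only; http URLs inside CSS files or requested by scripts at run time still show up only in the browser console.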
Off-site updates
So, hopefully, by this stage, your website should be fully working in https. You’ll now have some changes and maintenance to do, off of your website.
- Google Search Console – Add the https site to Google Search Console, as it treats it separately from the http site – and, if possible, use the Verify with Google Analytics option.
Also submit the XML sitemap so that Google can crawl the https site fully.
And use the Fetch as Google option to test it and request recrawl of homepage and all links.
- Google Analytics – Use the https version of the site from now on. To do this, choose the relevant account -> Admin -> Property Settings -> Choose https
- Google Adwords – Update any URLs in your ads to use https – that includes Ads and Ad Extensions/Sitelinks and other such addons/items.
- Any other ads – Update any URLs to use https
- Bing Search – As you have used 301 redirects (in .htaccess), Bing should automatically pick this up – but you can also log in to your Bing account, select the relevant site and then use Site Move (under the Diagnostics & Tools menu) to move it to the https URL. You can also submit the new https sitemap.
- Social Media – Update any Social Media links into your website to use https – e.g. Twitter, LinkedIn etc.
Tidy up after move to https completed successfully
This is mostly a reverse of the Preparation steps above, once the site has moved successfully.
1. Remove the site banner.
2. Add a new tweet to say the site has moved from http to https.
3. Do another crawl of the website (as mentioned in Preparation steps above) – but this time using https url – to check for any errors that will need fixing.
4. Turn back on any Google Adwords, or other ads, which you want running again.
5. Redo the Page Speed test – using the https url – to check if there are any differences.
Then, at some future point (whether a few days or a few weeks) redo the SEO tests to check the latest results and visibility of your https site. This may need several SEO tests over a period of weeks or even months for any changes to be seen.