7 Steps On How To Make A WordPress Site Secure
There have been several changes since Google first announced HTTPS as a ranking factor back in 2014. Back in the day, only eCommerce store owners needed to migrate from HTTP to HTTPS, but now every WordPress site owner should implement it if they want to increase their search rankings. But as valuable as it is, WordPress HTTPS is pretty simple to implement. Here’s how to add WordPress HTTPS to your website.
In this tutorial, we’re going to teach you precisely how to migrate your WordPress site from HTTP to HTTPS using a live production site. We will go through everything from enabling HTTPS on your WordPress site to updating Google Analytics and the Google Search Console.
7 steps to migrate your WordPress site from HTTP to HTTPS
Step 1: Add HTTPS to WordPress by installing your SSL certificate
If you’re using shared hosting, the most obvious SSL certificate for you to use is Let’s Encrypt. Let’s Encrypt certificates have the benefit of being both free and broadly supported by hosting providers.
P.S: If you’re hosting your WordPress site on a dedicated server, you’ll need to reach out to your host’s support to install an SSL certificate on your domain.
So, to get your Let’s Encrypt SSL certificate installed, I suggest you contact your host’s support team or consult their knowledge base. Unfortunately, we can’t provide precise instructions because the specific method differs depending on your hosting provider.
For example, with SiteGround, you just need to click one button in your cPanel, but it might be different with other hosting providers:
Once you’re done installing your SSL certificate, you can verify that it’s active by going to https://yourdomain.com. If the certificate is installed correctly, you should see something like this:
Google is showing you that the SSL certificate is active, yet the connection still isn’t 100% private due to some problems we’ll fix in the following step.
However, if your WordPress HTTPS is not correctly installed, you’ll see something like below and will need to contact your hosting support:
Step 2: Install and configure the Really Simple SSL plugin
Google gives that “connection is private” sign because your WordPress site still carries images or other media which are inserted using the normal http:// URL, instead of your new https:// URL. To fix the problem, you will have to go back and update every single image link to
Fortunately, you don’t need to do that manually. The Really Simple SSL plugin will handle that for you. The plugin will also make two other major changes:
- It updates the URL for your site to HTTPS in the WordPress settings.
- It adds a 301 redirect to send all visitors and search engine traffic to the HTTPS versions of your pages. This is very important to avoid a possible duplicate content penalty in Google.
To manage all of this, install and activate Really Simple SSL.
After the activation, you should see a popup like this:
Click Go ahead, activate SSL! After clicking the button, you’ll likely get signed out of your dashboard and be requested to sign in again. Don’t panic – this is a normal consequence of switching your WordPress URL from HTTP to HTTPS. Simply sign in again with your usual username/password.
You should see that the URLs in your General Settings now have HTTPS:
Step 3: Verify WordPress HTTPS success on the front-end
Now, you should go to your website homepage and verify two things:
First, make sure that if you enter your URL as http://yourdomain.com, it automatically redirects you to
Next, make sure that you see the “green padlock” on all of your site’s pages. If you’re using Google Chrome, it should look like this:
That’s all you need to do to enable WordPress HTTPS! However, if you’re using Google Analytics, a CDN, and/or Google Search Console, there are some issues that you need to fix.
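The two checks in Step 3, together with the mixed-content cause described in Step 2, can be automated. The following is an added example, not part of the original tutorial: the function names and the sample HTML are constructed for illustration, and you supply the page HTML and the redirect's status code and Location header from your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. <a href> is navigation,
# so a plain http:// link in an anchor is not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
}

# Constructed sample page for yourdomain.com (not taken from a real site).
SAMPLE_HTML = """
<link rel="canonical" href="http://yourdomain.com/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/x/style.css">
<img src="https://yourdomain.com/logo.png" srcset="http://yourdomain.com/logo-2x.png 2x">
<a href="http://example.org/">external link</a>
"""

class MixedContentFinder(HTMLParser):
    # Collects (tag, attribute, url) for each subresource loaded over http://.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link":
            # A stylesheet is fetched and applied; rel=canonical is only metadata.
            rel = (dict(attrs).get("rel") or "").lower().split()
            wanted = ("href",) if "stylesheet" in rel else ()
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            for cand in (value.split(",") if name == "srcset" else [value]):
                parts = cand.split()
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((tag, name, parts[0]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def is_https_redirect(status, location, host):
    """True when the http:// request was answered with a 301 to https://<host>."""
    target = urlsplit(location or "")
    return status == 301 and target.scheme == "https" and target.hostname == host

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML))
```

An empty result from find_mixed_content on every template type (home page, post, archive) is what the padlock check in the browser is confirming by eye.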
Step 4: Update your site’s URL in Google Analytics
To keep your stats and tracking accurate, you need to change your URL in Google Analytics from HTTP to HTTPS. To accomplish that, head to Admin → Property Settings. Next, modify the dropdown from http:// to https:// under the Default URL setting:
Make sure to save your settings. The tracking code you added to your WordPress site will stay exactly the same, so you don’t have to worry about updating anything beyond this page.
Step 5: Create a new property in Google Search Console
Sadly, if you’re using Google Search Console, you can’t simply swap the URL for your site. Instead, you’ll need to create a new property for the HTTPS version of your site. Go to the Google Search Console site and click Add Property:
Follow the steps to add your site. You should also add a sitemap for the HTTPS version of your site:
Once you’ve added the HTTPS version of your site, everything on Search Console will function just like before.
Step 6: Update CDN URL to HTTPS
If you’re using a CDN, you’ll likely need to update your URL in your CDN settings too. Since the exact method depends on the specific CDN you’re using, we can’t give you more detailed instructions.
You should review your CDN’s support documents to determine if/how you can update your URL to HTTPS.
Step 7: Update any links you manage to HTTPS
If you link to your WordPress site from any social media profiles or other external websites, you should update all of those links to point to the HTTPS version of your site. You can also contact any friendly website owner who links to you and ask them to update the URL of your site.
This isn’t required because the Really Simple SSL plugin added 301 redirects to automatically send HTTP traffic to HTTPS. However, it is best practice and reduces the need for redirects.
If you want to force SSL and HTTPS on your WordPress admin area, you can add the following line in the wp-config.php file: