How to secure your WordPress website (and improve your SEO in the process)

What is HTTPS?

HTTPS is a URL (web address) system similar to the standard HTTP (HyperText Transfer Protocol) scheme. However, HTTPS signals the browser to use an added encryption layer of SSL to protect the traffic. SSL stands for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral in order to prevent eavesdropping and tampering.

Why should I bother moving to HTTPS?

• General security. Many visitors will not do business or even submit their details on a web site that does not have an SSL certificate. The Secure sign tells visitors that they can shop or use a web site with assurance, knowing they are protected.
• Better Google rankings! Google recently announced that it has started using HTTPS as a ranking signal, meaning the secure HTTPS sites will now get preference in their index.

What you will need?

1. You will need a valid SSL certificate. I'm not going to go into the installation of that in this post. Most web hosts will provide you with a free SSL certificate nowadays. You can pay for a better one but in most cases your site probably doesn't need that investment.
2. You will also need Admin access to your WordPress Dashboard.
3. About 10 minutes of your time. Probably less.

[x_alert heading="Before we start" type="warning"]

Before we begin, it is important to make sure that your SSL certificate is already installed on your domain and that you can access it via HTTPS. You can use an SSL Checker tool to confirm this.

Do not forget to backup your entire web site - files and database, before you make any changes, to prevent you from losing it if something goes wrong.

Once that’s done, you can continue.

[/x_alert]

Step 1: Change the web site's address to HTTPS

1. Login to your WordPress Dashboard and go to: Settings > General.
2. Change the start of both the WordPress Address (URL) and Site Address (URL) to https: e.g. from https://mysite.com to https://mysite.com.
   

   https-name-change-settings

3. Click on Save Changes at the bottom.
4. This process will log you out of your website and return you to the login prompt where you will have to log in again. Notice you are now logging in to a site with the https:// prefix.

Step 2: Fixing mixed content

If you open your web site right after the URL change, you might notice some pages which do not display the padlock next to your web address. This is because some of the files on your site are in the WordPress database with a https:// address instead of a https:// one.

This can be easily resolved by using a plugin called Better Search Replace. It looks like this:

Better Search Replace

1. Install it as any other plugin in your WordPress: from the Dashboard > Plugins > Add New > Search for: Better Search Replace > Install now > Activate.
2. Once activated, go to: Dashboard > Tools > Better Search Replace.
3. Search for: Should be your old WordPress website URL e.g. https://mysite.com
4. Replace with: Should be the new URL that includes https:// e.g. https://mysite.com
5. Select tables: Select all tables with Shift+Click or Ctrl-Click for Windows and Cmd-Click for Mac.
6. Case-Insensitive and Replace GUIDs must be left unchecked. You have the option to do a dry run, by leaving Run as dry run checked. As we have backed up our site and we know what we are doing we will uncheck that one too.
   

   Better Search Replace interface, ready to search and replace items in the database

7. Once you are ready to proceed, click on the Run Search/Replace button:

Now if you visit the HTTPS version of your web site, you should get the "Secure" or padlock signs depending on the browser you are using.

Step 3: Redirect all traffic through HTTPS

Even when you switch the WordPress to HTTPS, visitors will still be able to access your web site via https:// if they type that in deliberately or follow and old link to your site.

To force HTTPS and redirect all traffic from HTTP to HTTPS, we need to add some code to your web site's .htaccess file:

The .htaccess file can be edited via:

• Your web hosting control panel's File Manager.
• FTP.
• WordPress Dashboard using the WP Htaccess Editor plugin, if you do not have access to the first two options.
• If you are using the Yoast SEO plugin, then you can edit the .htaccess via SEO > Tools > File Editor.

Once you have your .htaccess file open you need to add this section of code:

[x_code]BEGIN Force HTTPS ###
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L][/x_code]

Then save the file.

Step 4: Testing!

Double check your web site and make sure that it displays and functions properly.

Try browsing the inner pages and check if all of your images are showing. If you are running an E-commerce web site, then try placing an order.

If you still get mixed content warnings, you can use the Why No Padlock? tool to investigate further.

Step 5: Notifying the search engines for the change.

Add the new address in Google Webmasters, Google Analytics, Bing Webmaster and any other tools you are using.

Google Webmasters:

Google treats https://domain.com and https://domain.com as separate web sites. When you switch to HTTPS, you need to add the HTTPS version of your web site as a new Property in your Google Webmasters account.

Within a week you will notice the traffic and the rankings transferred from the HTTP to the HTTPS version of your web site.

Google Analytics:

Go to Property > Property Settings > Default URL > switch to https://

Bing Webmaster:

Use the Site Move tool to move your URL from HTTP to HTTPS:

And that's how you move established WordPress web site from HTTP to HTTPS.