Force WordPress SSL (HTTPS)

This post was originally published May, 2017 and updated July 2018.

As of July 2018, Chrome will show “Not secure” to any visitor of an unsecured site, i.e. one served over plain HTTP such as http://thesite.com.

Converting WordPress to SSL is becoming more and more important – for user experience as well as SEO ranking.

If your WordPress SSL certificate is working, you’ll see the “HTTPS” protocol in the browser address bar, and a padlock. If you see a green section with the name of a company or website, that is HTTPS as well – just a more secure certificate. Most bloggers only need the first type of certificate which we’ll discuss below.

But that padlock can be deceiving. Most plugins and installation instructions are simply forwarding all links instead of changing them. This can severely slow down your site.

Before we get started, it is important to note that there are lots of tutorials out there, lots of bad advice and lots of “It’s easy! I did it!” (and they did it entirely incorrectly.)

Important Note #1: You need to be able to use FTP or your File Manager to follow this tutorial.

Important Note #2: If you do any of this coding incorrectly (ie: an extra comma) it can break your entire site!

To be honest, and for your own benefit I hope the warning above scared some of you away. (I’m looking at you, Ms Know-enough-to-be-dangerous.) For all my DIY friends, follow these instructions below and please use the checklist to force WordPress SSL correctly.

There are 4 main steps to Force WordPress SSL:

1. Purchase & install the SSL certificate

2. Convert all URLs to WordPress SSL

3. Fix “Mixed Content” using SSL Checker tools

4. Miscellaneous but Important Changes

Step 1: Purchase & Install the SSL Certificate

Cost ranges from free SSL certificates to roughly $99/year.

Most of you will only need the free SSL certificate from Let’s Encrypt². And you will need your host’s help to install this.

A quick review of the three available SSL certificates:

Domain Validation SSL Certificate

The easiest certificate to get is the domain validation (DV) certificate. If you can prove the domain name is yours, you can obtain this certificate. There is no difference (yet) in the appearance of a DV or OV certificate in the browser.

Organization Validation SSL Certificate

The second level SSL certificate – a little more secure and a little more difficult to obtain – is the organization validation (OV) certificate. For this one, you need to prove you own the domain and that you’re a legitimate company associated with the domain. Both DV and OV certificate signed websites will display a padlock and “https” instead of “http”.

Extended Validation SSL Certificate

To obtain this certificate, you need to prove the following¹:

  • Verifying the legal, physical and operational existence of the entity
  • Verifying that the identity of the entity matches official records
  • Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate
  • Verifying that the entity has properly authorized the issuance of the EV SSL Certificate

To purchase or to obtain the free SSL certificate, you’ll first need the Certificate Signing Request (CSR) from your hosting account. Then you give the CSR to your SSL certificate provider. They confirm everything is A-OK, and send you a zip file. That zip file is the SSL certificate. You send that to your hosting company, and they ‘install’ it.

  1. Generate a CSR by requesting one from your hosting account (or generate one in cPanel if that feature is available).
  2. Get a free SSL certificate from Let’s Encrypt or purchase one from GoDaddy or whichever company you prefer. They will request the CSR in order to generate the SSL certificate.
  3. Verify domain ownership through the email sent to you (or via HTML file upload).
  4. The SSL certificate will be sent to you in a zip file through email. Forward this zip file to your hosting provider for installation, or use cPanel to install the certificate yourself if that feature is activated.

Step 2: Convert all URLs to WordPress SSL

This is the part that can easily be done with a plugin. Except that if you remove that plugin, it all falls apart. And who wants to be reliant on a plugin?

  1. Change the Settings / Home URL to HTTPS.
  2. Add this to the wp-config.php file via FTP to force SSL on your dashboard pages too:
    // Put this above the "That's all, stop editing!" line in wp-config.php
    define('FORCE_SSL_ADMIN', true);
  3. Add the following rewrites to your .htaccess file via FTP to redirect any incoming links to their HTTPS counterparts.
    Change “yoursite.com” to your domain name. In the last two lines, use your preferred URL (with or without the www – whichever is your preferred URL).
    RewriteEngine on
    # Redirect only when the request is not yet HTTPS or is not on the preferred host;
    # without the HTTPS check, https://www.yoursite.com would redirect to itself in a loop.
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} !^www\.yoursite\.com$ [NC]
    RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301]
  4. Convert interlinking URLs in your database using the Better Search and Replace plugin by Delicious Brains. Use the dry run feature first to be sure you’re getting all the URLs that you expected and none that you aren’t!
    • Search for: http://mydomain.com
    • Replace with: https://mydomain.com
    • Select tables: run each table one at a time
    • Case Insensitive: YES
    • Replace GUID: NO

Better Search and Replace plugin

  5. Replace the URLs in your files. I haven’t found an easier way to do this than good old fashioned search and replace in a code editor… anyone have any tips here?
    • Use FTP to download your theme.
    • Use search and replace in each file to find and replace HTTP with HTTPS.
    • Upload the newly saved files back to your server.

Please remember that when editing files directly with FTP, one wrong character can bring down your site. Be careful!

  6. Check each menu & widget for old links that need the https treatment.
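Why step 4 needs a serialization-aware tool like the plugin rather than a plain SQL REPLACE(), as an added Python example that is neither the article’s nor the plugin’s code: WordPress stores widget and theme settings in wp_options as PHP-serialized strings whose s:<len> prefixes count bytes, so after swapping http:// for https:// every length has to be recomputed. The option values are constructed samples and UTF-8 storage is assumed.

```python
def ssl_replace(value: str, old: str, new: str) -> str:
    """Replace old with new in a wp_options / wp_postmeta value.  PHP-serialized
    values (a:... or s:...) carry BYTE lengths such as s:19:"http://mydomain.com";
    so every s:<len> prefix is recomputed; a raw SQL REPLACE() would leave the
    stale length behind and WordPress would drop the whole option on unserialize().
    Assumes UTF-8 storage (the WordPress default)."""
    data, old_b, new_b = value.encode(), old.encode(), new.encode()
    if data[:2] in (b"a:", b"s:"):
        try:
            out, end = _walk(data, 0, old_b, new_b)
            if end == len(data):
                return out.decode()
        except ValueError:
            pass                            # looked serialized but is not
    return value.replace(old, new)          # plain text such as post_content

def _walk(buf: bytes, i: int, old: bytes, new: bytes):
    """Parse one serialized value at buf[i]; return (rewritten bytes, next index)."""
    t = buf[i:i + 1]
    if t == b"N":                           # N;
        return b"N;", i + 2
    if t in (b"i", b"b", b"d"):             # i:42;  b:1;  d:0.5;  (contain no URLs)
        end = buf.index(b";", i) + 1
        return buf[i:end], end
    if t == b"s":                           # s:<bytes>:"<raw>";
        colon = buf.index(b":", i + 2)
        length = int(buf[i + 2:colon])
        start = colon + 2                   # skip :"
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("declared string length does not match")
        raw = buf[start:start + length].replace(old, new)
        return b's:%d:"%s";' % (len(raw), raw), start + length + 2
    if t == b"a":                           # a:<count>:{key value key value ...}
        colon = buf.index(b":", i + 2)
        count = int(buf[i + 2:colon])
        pos, parts = colon + 2, []          # skip :{
        for _ in range(count * 2):          # keys and values alternate
            part, pos = _walk(buf, pos, old, new)
            parts.append(part)
        return b"a:%d:{%s}" % (count, b"".join(parts)), pos + 1
    raise ValueError("unsupported serialized type %r at offset %d" % (t, i))

# Constructed sample values (not taken from the article) of the kind a widget
# stores in wp_options and a post stores in wp_posts.post_content.
WIDGET_OPTION = 'a:2:{s:5:"title";s:7:"My Blog";s:3:"url";s:24:"http://mydomain.com/feed";}'
POST_CONTENT = '<img src="http://mydomain.com/wp-content/uploads/a.png">'
```

Objects (O:...) are left unsupported on purpose; the function then falls back to a plain replace, which is also what you get when you skip the plugin.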

Step 3: Fix “Mixed Content” with SSL Checker Tools

“Forcing HTTPS” is a misnomer. It is impossible to force a page to be secure when it is not. If you have two doors in your house, one is locked and the other is open – the house is not secure. Both doors need to be locked. So now that we have the first door locked (the URLs), it’s time to find all the windows and doors and force them to use SSL too.

The job of finding and securing links, scripts, iframes, and anything else that is part of your page is a bit onerous. The places we need to look are your active theme, plugins and any other code or image that you’ve added to your site via widgets or content. Everything must come from a secure HTTPS source.

To find insecure items in your page, turn off your cache plugin, clear the cache and use an incognito tab (for Chrome). Check each page, using the inspector or developer tool set options in your browser. You’re looking for a “Mixed Content” warning. It will look like this:

In this case, the font from the Google Fonts API is being loaded from http://fonts.googleapis.com instead of https://fonts.googleapis.com. A quick change of that URL, and we cleaned it up.
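The check described above, as an added Python example that is not from the article: it parses a page and lists every http:// subresource the browser would have to fetch, separating blockable ones (scripts, frames, stylesheets) from those that only remove the padlock (images, media). The sample page is constructed; only <style> blocks and inline style attributes are scanned for CSS url() references, not the contents of external stylesheets.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource; <a href> only navigates.
LOAD_ATTRS = {"img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
              "iframe": ("src",), "link": ("href",), "video": ("src", "poster"), "embed": ("src",)}
BLOCKABLE = {"script", "iframe", "link", "embed"}  # refused outright; img/media only lose the padlock
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, insecure url, "blocked" | "warning")
        self._in_style = False  # True while inside a <style> block

    def _add(self, tag, url):
        self.findings.append((tag, url, "blocked" if tag in BLOCKABLE else "warning"))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return              # rel="canonical"/"alternate" links are never fetched
        for name in LOAD_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""  # srcset: "url descriptor, url descriptor, ..."
            urls = [c.split()[0] for c in value.split(",") if c.split()] if name == "srcset" else [value]
            for url in urls:
                if url.lower().startswith("http://"):
                    self._add(tag, url)
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self._add(tag, url)  # inline style="background:url(http://...)"

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:      # url(...) inside a <style> block
            for url in CSS_URL.findall(data):
                self._add("style", url)

def find_mixed_content(html: str):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample page (not from the article) covering each case above.
SAMPLE_PAGE = """<head><link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
<link rel="canonical" href="http://mydomain.com/post/"><style>.hero{background:url(http://mydomain.com/bg.jpg)}</style></head>
<body><a href="http://mydomain.com/about/">About</a><script src="http://cdn.example.net/widget.js"></script>
<img src="https://mydomain.com/a.png" srcset="https://mydomain.com/a.png 1x, http://mydomain.com/a2x.png 2x"></body>"""
```

Run it over the saved HTML of each page type in the checklist below (with the cache plugin off) and fix every “blocked” finding first, since those are the ones the browser silently drops.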

Check the following pages:

  • single blog page with comments form
  • single page (ie: contact)
  • archive (ie: mysite.com/this-category)
  • home page
  • landing page
  • special archive template (ie: recipe index)

When you have finished all the obvious sources of mixed content, it is time to use an SSL checker to find those stragglers. Use the following tools to find any missed insecure items:

This is where a lot of people skip ahead and use a plugin. However, a plugin is not changing the URLs; at best it uses jQuery for on-the-fly changes, and at worst it uses redirects, which slow the site.

Websites, specifically WordPress, will be using SSL for a long time – it’s best to get it done right to begin with!

Step 4: Miscellaneous & Important!

Google Search Console / Webmaster

In Google, you’ll need to login to your Search Console and start recording the stats from your new URL. There is a “Change of Address” function which I’ve seen on some tutorials, but it does not work! 

From Google: The tool does not currently support the following kinds of site moves: subdomain name changes, protocol changes (from HTTP to HTTPS), or path-only changes.³

To start using Google Webmaster tools / Search Console, simply “Add a New Property” just like you did originally. Add both the https://www.mysite.com and https://mysite.com versions.

Verify them both. And continue to set them up as you did with the non-https sites: select preferred domain and link your analytics profile.

I recommend keeping your old sites there as reference. But soon, Google will begin crawling and indexing the new site. There will be no duplicate content issues if you’ve followed what I’ve indicated above.

Google Analytics

You’ll want to be sure that the https stats are tracking in Google Analytics as well. To do this, go to Property > Property Settings and change the “Default URL” to https.

Submit a Sitemap

When you force WordPress SSL you’ll automatically generate a new sitemap (if you’re using Yoast’s SEO plugin for WordPress). Just use this url and re-submit to Google Search Console:

https://mysite.com/sitemap_index.xml

Social Sharing Numbers Tracking

Unfortunately your sharing numbers will be lost unless you fix that too. We have always loved the Social Warfare plugin, and now there is one more reason to love it! See the tutorial here.

Change Miscellaneous Site Links to SSL verified link

Don’t forget to verify your new WordPress SSL URL with:

  • social media profiles (ie: Facebook, Pinterest, Instagram, Twitter)
  • social sharing trackers (ie: addthis account, hellobar, sumome, jetpack)
  • ad suppliers (ie: Adthrive, MediaVine, RewardStyle)
  • affiliate companies (ie: Shareasale, clickbank, ebay)
  • email marketing suppliers (ie: MailChimp, ConvertKit, MadMimi)

Conclusion

If you made it through all that, wanna work for me? 🙂

If you’re slogging through in true startup fashion – have questions? Post ’em below and I’ll answer! Now’s your chance for free advice!

¹ https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/

² https://letsencrypt.org/

³ https://support.google.com/webmasters/answer/83106?hl=en

25 Comments

  1. It’s a good one… about insecure resources, I also fix them by plugin:

    *****

    However, you can search the database too to fix all the HTTP to HTTPS.

  2. I had only used Really simple SSL plugin and not updated the Analytics and Google fonts URL on my client’s website.

    Thanks to you. I have completely setup SSL on WordPress website.

  3. Don’t need to scan or fix insecure resources because of my secret weapon 🙂

    [link removed by admin]

    (Free) and fixes all HTTP resources. Cheers bro

  4. I copied and pasted the redirect code into my .htaccess file, but there was a mistake and now my site permanently redirects to the wrong place!!!

    I didn’t realize this was a 301 redirect until it was too late!
    You should really call that out to warn people. Someone might permanently redirect their site to “yoursite.com”

    thanks a lot… 🙁

    1. Hi Brian,

      If you were doing it as I described you should have no problem changing that link – you were using FTP or file Manager right? Also please take note of any “IMPORTANT NOTES” that I place in my posts at the beginning. They really are “important”!

      1. Sure, but not everyone’s site is set up as your site directory is. My wordpress is not installed in my root directory – another story.

        Before I realized what the code was actually doing, I had already implemented it incorrectly.

        Your “IMPORTANT NOTES” mention nothing of a permanent 301 redirect. The step by steps simply say, “Add the following rewrites,” mentions nothing of a permanent 301. When I googled it my heart stopped.

        All I’m saying is, this can be very damaging to someone’s website infrastructure, as my site was permanently redirected and I’ve spent all day coming up with various fixes.

        1. If the instructions are followed (including the warning IN step 3) the permanent redirection is the intended result – not at all damaging. If there is something wrong with the tutorial or instructions I’m happy to fix. Just let me know where!

  5. I followed your instructions and changed the domains to my own. However, my wordpress is in a different location (not root directory), and I needed to change the redirect. This is where I made a mistake, which was my fault and I should have been more careful, but I didn’t think the consequences would be permanent. Instantly.

    That’s my issue with your tutorial. You don’t explain what a 301 is, or that you’re even suggesting to use one. It’s just a simple copy, paste, move on. I only wanted to point it out so no one else has to go through this.

  6. Whenever I implement step 2 part 3, adding those lines of code to my htaccess file, I get an error that “yoursite.com has redirected you too many times” and then below that “ERR_TOO_MANY_REDIRECTS” (I’m using my proper domain here, not yoursite.com). I paid very close attention to every step so I was able to roll back the change and get my site functioning normally again, but I haven’t been able to find a way around this. Any ideas?

    1. We’ve had redirect issues when the host has scripts in place that accommodate SSL certificates – which is quite common nowadays. Or with Cloudflare installed. That is the first thing I would check. Contact your host and see if they can help?

  7. Great article!! Although, I think there’s a simpler way to enable https. One signup with Cloudflare on a free account, then set up your nameservers, and add some basic force https plugin. I think Simple SSL is too excessive a plugin for a basic redirect…

    1. Yup – It’s time I update this – it’s far more common for hosts to offer Let’s Encrypt too. It’s rare that one has to purchase a certificate unless you need bank level security!

  8. Hello,

    I am going to change my http to https ASAP. For more than 2 months I have wanted to do it but I’m scared to do something wrong and lose my Google visitors.

    The reason I have to do it ASAP is Google has changed my domain http to https recently (just in some of indexed results).

    —–

    I have a question. As instructions suggest, we are manually replacing all links in db, then why should we add any htaccess rules?

    I had been notified that I should not redirect links using htaccess, because it slows down the site.

    Some of my friends did part 1 of your tutorial (buying/installing the SSL certificate) and then, without changing links in the db, they added htaccess rules to rewrite and redirect http URLs to https. I told them this is not a good solution, especially for high traffic websites.

    Thank you

    1. Changing links in your db means fewer redirects (which is faster loading times) and less mixed content. The htaccess rules are for the incoming links.

  9. Very good and extensive article. Already have my WP site up and running securely. One thing missing though: People can still create new posts with non-secure links (mostly images), so the site is shown as “mixed” in the browser. Is there a way to enforce links from secure source in new posts?
