Now that a lot of hosts are offering Let’s Encrypt as part of their hosting package and Google is punishing non-https sites, there’s no better time to convert your site to HTTPS.
What Is the HTTPS Protocol?
HTTPS (HTTP Secure) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL. The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication. In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor.
Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. Since 2018, HTTPS is used more often on websites than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private.
In short, you should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information.
How Do I Get HTTPS?
A lot of popular web hosts, including SiteGround offer HTTPS and Let’s Encrypt as part of some of their hosting plans. So it’s as easy as a mouse-click to transform your domain from HTTP to HTTPS.
Login to your cPanel hosting account and find the Let’s Encrypt module.
Let’s Encrypt (cPanel)
Locate the domain (if you have more than one hosted there, it will be in the form of a dropdown), and select it.
Encrypting a Domain
Voila, you’re all done installing the SSL certificate. Now we need to prepare an .htaccess file (or add to an existing one), and then work within WordPress for a bit. Hang tight.
Modifying Your .htaccess File
Simply login too your cPanel, navigate to File Manager, find your site root’s .htaccess file and add this code at the top:
# BEGIN Redirect to non-www https
# Redirect www to non-www https
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
# Redirect http to https
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# END Redirect to non-www https
A Couple of Caveats
I highly recommend that you disable any CDN integration and/or caching plugins before beginning the migration.
Working in WordPress
Now you are in the home stretch. You’ll need to login to your WordPress dashboard, find, download, and deploy a few key plugins and then you will be set.
Plugins Required
First, let’s install the following plugins:
- Better Search and Replace — This plugin will allow you to scour your site looking for HTTP URLs and then replacing them with HTTPS versions of those same URLs.
- Insecure Content Fixer — This plugin will help you fix any insecure content issues that may arise after you’ve done all the other steps outlined above.
You can delete these two plugins once everything is running smoothly.
Better Search and Replace
You are going to look for and replace all instances of http://[yourdomain.com] with https://[yourdomain.com]. Once you’ve keyed in the parameters, let the plugin do its work. If you are lucky, this will be all that’s needed to completely migrate to HTTPS.
Insecure Content Fixer
If you are still getting warnings about insecure content, one of two things is happening:
- There is third-party insecure content on your web site; or
- You have overlooked some insecure content within your site’s domain.
In either case, there’s still a bit more work to be done. Let’s soldier on.
WordPress HTTPS Settings
The most important step, of course, is telling WordPress that you’ve switched to HTTPS. In Settings > General, change your URL string in two places:
Tell WordPress to Use HTTPS
Testing Your Site
There are several ways you can test your site to be sure it’s serving up secure content.
Try Why No Padlock?, a free testing site that provides a list of all the insecurely-loaded items. You should fix all the red X’s in your theme or plugins and then click on the “Test URL Again” button to get rid of the red X’s entirely.
Or you can use Google to inspect your website. Google Chrome’s Inspector has a Console tab. If the HTTPS page displays yellow or red in the address bar as you can see in the second and third columns below, go ahead and open the Console to find out the insecure assets.
Google’s Inspector Console
Further Reading
Here are some links to articles that might help you understand the HTTPS protocol a bit better.
- HTTP Migration Checklist
- Resolving Mixed Content Warnings
- HTTPS For WordPress
- Should I Move My WordPress Site to HTTPS?
- Why Google is Forcing SSL
- Pixel Privacy’s Article on SSL
If you’d like us to help you make the switch from HTTP to HTTPS, just sign up for our conversion services!
Joni Mueller has been designing web sites for hire since 2003, when she first blew up her web host’s server by insisting on running Greymatter. Since then, Joni has designed for Blogger and Movable Type, TextPattern, WordPress and CMS Made Simple. She lives with her cat and shoe collection in a bucolic old section of Houston called Idylwood. For some strange reason, Joni likes to refer to herself in the third person. When she’s not working on web design, she’s ordering lawyers around. And blogging about it. Or both.
Leave a Reply