Word­Press migra­tion from HTTP to HTTPS can give you a lot of headaches if you are not sure what you are doing. We went through this process recent­ly, and decid­ed to save your trou­bles if you plan to imple­ment an SSL encryp­tion on your web­site soon. Here is a detailed guide on how to suc­cess­ful­ly switch from HTTP to HTTPS!

Google insecure websites’ labeling

In the last cou­ple of years, Google has been giv­ing a slight boost in search results to web­sites using HTTPS encryp­tion. Since imple­ment­ing SSL is com­pli­cat­ed, car­ries cer­tain risks, and it’s only one of two hun­dred rank­ing fac­tors, many web­site own­ers decid­ed it’s not worth the has­sle. How­ev­er, Google recent­ly announced their plan of mov­ing towards a more secure web, and pro­mot­ing the migra­tion from HTTP to HTTPS agen­da more aggres­sive­ly, which will make every­one recon­sid­er their deci­sion regard­ing HTTPS encryption.

Here at pur­ple­plan­et, we’ve had “migra­tion from HTTP to HTTPS” on our list of tasks for a while, to improve our on-site SEO, but this news from Google was the final boost we need­ed to move things for­ward. Dur­ing the process, we encoun­tered some trou­bles. Since there are not many arti­cles cov­er­ing the top­ic of how to safe­ly move a web­site to HTTPS, and keep all search rank­ings, I decid­ed to write about our expe­ri­ences. Hope­ful­ly, it will help some of you to go through the migra­tion smoothly.

Choosing and installing an SSL certificate

When we decid­ed to switch to the HTTPS pro­to­col, the first step was to choose and install an SSL certificate.

There are a lot of dif­fer­ent options when choos­ing an SSL cer­tifi­cate, due to val­i­da­tion and cov­er­age lev­el, as well as diverse brand­ing options.

Based on the validation level there are 3 certificate types:

• Domain Val­i­da­tion Cer­tifi­cate (DV) – The basic lev­el of val­i­da­tion for non-eCom­merce websites.
• Orga­ni­za­tion Val­i­da­tion Cer­tifi­cate (OV) – For eCom­merce and web­sites that col­lect per­son­al infor­ma­tion, and are reg­is­tered companies.
• Extend­ed Val­i­da­tion Cer­tifi­cate (EV) – This cer­tifi­cate is the high­est lev­el of insur­ance, and is the best choice for eCom­merce, and web­sites that col­lect per­son­al infor­ma­tion when user trust is a cru­cial factor.

Based on the coverage level there are also 3 certificate types:

• Sin­gle domain cer­ti­fi­ca­tion – Pro­tects a sin­gle domain only, with­out any subdomains.
• Mul­ti-domain cer­ti­fi­ca­tion – The best choice if you want to pro­tect sev­er­al dif­fer­ent domains but don’t want to both­er with installing a sep­a­rate cer­tifi­cate for each domain.
• Wild­card cer­ti­fi­ca­tion – Cov­ers SSL encryp­tion on mul­ti­ple sub­do­mains, which share the same pri­ma­ry domain.

Since our site does­n’t han­dle any sen­si­tive infor­ma­tion, and we want­ed to pro­tect only the pri­ma­ry domain, we’ve decid­ed to go with Host­ga­tor’s Pos­i­tive SSL, which is a basic option but still very safe. It pro­tects the web­site with 2048-bit sig­na­tures and 256-bit encryp­tion. Pos­i­tive SSL cer­tifi­cate cov­ers a sin­gle domain, with and with­out www.

Our cer­tifi­cate was issued imme­di­ate­ly. How­ev­er, you might have to wait up to 5 days if you pur­chase an OV or EV certificate.

After we’d pur­chased the cer­tifi­cate, and installed it on our web serv­er, the real work began to get a green pad­lock in the address bar, and pre­serve all our search rankings.

Setting up WordPress to use SSL and HTTPS

Turn off your CDN and clear website’s cache

If you are using a Con­tent Deliv­ery Net­work, you’ll want to tem­porar­i­ly turn it off to avoid serv­ing mixed con­tent after you’ve changed your web­site’s URL in Word­Press admin.

We are using MAXCDN in com­bi­na­tion with W3 Total Cache plu­g­in, so I turned off CDN and cleared the cache in two clicks.

Setup your new website address

First, force your admin to use SSL encryp­tion by log­ging into your Word­Press with an SSL address, e.g. https://yourwebsite.com/wp-admin/

1. Go to Set­tings » General.
2. Update the Word­Press Address and Site Address fields.

Setup 301 redirects from http:// to https://

We chose to set up redi­rects in our .htac­cess file. I found sev­er­al exam­ples of .htac­cess code, but this is the code that worked for us:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Make sure your website doesn’t serve any HTTP links

This is the hard­est part, espe­cial­ly if you get an ugly HTTPS error in your brows­er, which points out that your web­site is insecure.

The error looks like the screen­shot above, and if you click on the red tri­an­gle and Details you will prob­a­bly get a Mixed Con­tent error, which means there is an HTTP link still left some­where in your files.

Go thor­ough­ly through every part of your Word­Press web­site look­ing for HTTP links. Check your:

• HTML sitemap
• robots.txt
• Absolute URLs on all pages and posts
• Embed­ded con­tent such as MailChimp sign-up forms or Social media pages’ iframes
• Images
• Javascript files
• CSS files
• Cus­tom JavaScript and Ajax libraries

Scan for the insecure content!

There are sev­er­al Word­Press plu­g­ins that can be help­ful. If you decide to use a plu­g­in, make sure to back­up your data­base first. How­ev­er, I decid­ed to do every­thing man­u­al­ly, and to detect errors using a com­bi­na­tion of these tools:

• Scream­ing Frog – This is a pre­mi­um desk­top tool, but you can use it to check up to 500 URLs for free. Using this tool you can quick­ly detect all HTTP links, on which page the link is found, and to which page it points to. It also shows you an anchor text and image info with alt text.
• Inter­nal Link Ana­lyz­er – A very handy free tool. It checks inter­nal links and anchor types, which is very use­ful for detect­ing where the link is that you’re look­ing for. The only down­side was, for some rea­son, after iden­ti­fy­ing and chang­ing all absolute links to rel­a­tive, it still gave me the same results.
• SSL check – A free tool lim­it­ed to 200 pages per web­site. It crawls an HTTPS web­site search­ing for HTTP inter­nal links in text con­tent, images, scripts and CSS files.

Migration from HTTP to HTTPS and MAXCDN

After you’ve fin­ished with Word­Press adjust­ments, if you are using CDN, you have to install an SSL cer­tifi­cate to CDN, to be able to con­tin­ue using it.

It was hard to find instruc­tions on set­ting up MAXCDN to use an SSL con­nec­tion, so I had to con­tact their sup­port for help. Below are detailed instruc­tions on how to set­up SSL with­in MAXCDN, for a sin­gle domain SSL license, as well as for the wild­card license. If you are using anoth­er Con­tent Deliv­ery Net­work, I advise you to con­tact their sup­port, before los­ing too much time on try­ing to fig­ure out how to set up every­thing correctly.

Create a new Pull Zone

1. Go to the Zones tab in your MAXCDN account.
2. Click the Cre­ate Pull Zone but­ton. You will prob­a­bly have to delete a pre­vi­ous­ly cre­at­ed HTTP-based pull zone.
3. Choose the name for your new pull zone and in the Ori­gin Serv­er URL field enter your HTTPS address. Click the Cre­ate button.

only-if-you-have-a-wildcard-certification”>Create cus­tom domains (only if you have a wild­card certification)

If you pre­vi­ous­ly used CDN sub­do­mains to dis­trib­ute requests across mul­ti­ple host­names, you have to recre­ate them again in the CDN, and adjust CNAME records on your server.

1. Click on the Zones tab
2. Click View Pull Zones button
3. In Man­age drop down » choose Set­tings

In Cus­tom Domains Set­tings add your cus­tom sub­do­mains and after you’ve fin­ished adding all sub­do­mains, update the CNAME records in your domain’s DNS settings.

Wildcard certificate upload

If you have a wild­card cer­ti­fi­ca­tion, you have to upload your cer­tifi­cate to CDN and then install it in the SNI tab.

1. Click Account.
2. Click SSL.
3. Click New Cer­tifi­cate button.
4. Enter the required infor­ma­tion in all fields.

Name – Use a descrip­tive name

SSL Cer­tifi­cate – Here you have to copy and paste your cer­tifi­cate, along with the lines Begin and End certificate.

If you are not sure where to find your cer­tifi­cate, you can use the SSL check­er tool. Enter your host­name in the Enter host­name field and click the Check but­ton, scroll to the end of the page and click on Show in the Chain Details field. At the end of this field, you will find your certificate.

SSL Key – Enter your pri­vate key here along with the lines Begin and End key.

Cer­tifi­cate Author­i­ty (CA) bun­dle – This is a file that con­tains your root cer­tifi­cate and all inter­me­di­ate certificates.

You can use a tool called Cer­tifi­cate key match­er to find your Cer­tifi­cate Author­i­ty (CA) bun­dle. Enter your Cer­tifi­cate and your Pri­vate key on the left side, if they match, you will get your CA on the right side.

After you’ve suc­cess­ful­ly uploaded your cer­tifi­cate to CDN, you have to install it in the SNI tab.

1. Click on the Zones tab
2. In Man­age drop down » click SSL
3. On the SNI tab » Choose the cer­tifi­cate you pre­vi­ous­ly uploaded
4. Click Install

Single domain certificate

If your cer­tifi­cate cov­ers only your root domain, with­out any sub­do­mains, you can pur­chase CDN’s SSL cer­tifi­cate, or use the Shared SSL on their serv­er for free.

1. To use Shared SSL, click on the Zones tab
2. Click Man­age drop down » choose SSL
3. On the Shared SSL tab » click the Enable button

The down­side of using CDN’s Shared SSL is that you won’t be able to have your own cus­tom sub­do­mains for dis­trib­ut­ing serv­er requests across mul­ti­ple hostnames.

Update the MAXCDN URL in WordPress

As I men­tioned before, we are using the W3 Total Cache plu­g­in. The last step was to update infor­ma­tion in the CDN tab of the plu­g­in, and enable the CDN in Gen­er­al Settings.

Migration from HTTP to HTTPS and Google Search Console

When I was going through dif­fer­ent arti­cles on han­dling migra­tion from HTTP to HTTPS in the Google Search Con­sole, I ran into instruc­tions to use the Change of address tool. Unfor­tu­nate­ly, this tool does­n’t work for migra­tions from HTTP to HTTPS, so you have to skip this part. It’s not pos­si­ble to change the exist­ing Google Search Con­sole account –  you have to open anoth­er one.

Verify your new account

If you used the HTML file upload ver­i­fi­ca­tion method before, and the file is still in your root fold­er, you don’t need to upload it again – just choose this method and click the Ver­i­fy button.

Resubmit your robots.txt file

1. In the Crawl sec­tion » click on robots.txt Tester
2. Enter the con­tent of your robots.txt file
3. Click on the Sub­mit button.

Resubmit XML sitemaps

1. In the Crawl sec­tion » click on Sitemaps
2. Click on the Add/Test Sitemap but­ton to add your sitemaps
3. After adding, refresh the page and sub­mit all sitemaps to index.

Fetch and render

1. In the Crawl sec­tion » click on Fetch as Google
2. Click the Fetch and Ren­der but­ton to fetch your URLs
3. When asked, choose the option Crawl this URL and its direct links
4. Refresh the page and Sub­mit to index your URL and linked page.

Disavow file

If you’ve already been using a dis­avow file, you need to sub­mit it again. First, down­load the file from your HTTP Google Search Con­sole account and upload it again on your new HTTPS account.

The same applies for rich­cards, high­light­ed con­tent, exclud­ed sitelinks, etc. – If you had set up these options in your old account, you’ll need to set them up again.

You will prob­a­bly have to wait for some time to get all your posts, pages and images indexed. You can mon­i­tor the progress in the Sitemaps section.

Google Analytics updates

Updat­ing your Google Ana­lyt­ics account should be easy. You don’t have to open a new account, just switch to HTTPS on your exist­ing account.

1. In your Admin tab » click on Prop­er­ty settings
2. Choose HTTPS under Default URL
3. Repeat this for all views you are using, in View Set­tings

Now you need to re-link your Google Ana­lyt­ics account with the new Google Search Con­sole account. To do this:

1. Go to the bot­tom of Prod­uct Link­ing in Prop­er­ty settings
2. Click on All Prod­ucts
3. Click Edit
4. Click the Adjust Link but­ton »  choose your Google Search Con­sole account from the list.

If you are using an old­er ver­sion of Google Ana­lyt­ics code, you might also need to update that code.

External links and additional things

You don’t have to update all of your exter­nal links because fluc­tu­a­tion in traf­fic caused by los­ing exter­nal links point­ing to your web­site will be only tem­po­rary. How­ev­er, you should update the exter­nal links you have con­trol over, espe­cial­ly the links on your social media pages.

This is pret­ty much all that we have done to switch from HTTP to HTTPS suc­cess­ful­ly. Here is the list of addi­tion­al things you might con­sid­er to update if you are using these services:

• Bing Web­mas­ter Tools
• Yan­dex Web­mas­ter Tools
• Google AdWords URLs
• Face­book App URL and Ad URLs
• MailChimp RSS cam­paign URL
• URLs in any oth­er track­ing tools beside Google Analytics

SSL test

If you fol­lowed all the instruc­tions for migra­tion from HTTP to HTTPS care­ful­ly, you should be able to pass the SSL test with an A grade.

You can take your own SSL test to check if your Word­Press migra­tion from HTTP to HTTPS was suc­cess­ful, and if there is any­thing left you might improve.