WordPress migration from HTTP to HTTPS
Key Takeaways
- First, you must install an SSL certificate. Then, you go through your WordPress, MAXCDN, Google Search Console, and Google Analytics to migrate everything fully.
- It’s crucial that you remove any HTTP links, as leftover ones will flag your site as insecure. Plus, you should update any external links so that you don’t lose the backlink juice.
- Once you’ve finished your migration, you can take an SSL test to see if you’ve done everything correctly.
WordPress migration from HTTP to HTTPS can give you a lot of headaches if you are not sure what you are doing. We went through this process recently, and decided to save you the trouble if you plan to implement SSL encryption on your website soon. Here is a detailed guide on how to successfully switch from HTTP to HTTPS!
Google insecure websites’ labeling
In the last couple of years, Google has been giving a slight boost in search results to websites using HTTPS encryption. Since implementing SSL is complicated, carries certain risks, and is only one of two hundred ranking factors, many website owners decided it’s not worth the hassle. However, Google recently announced its plan to move towards a more secure web and to promote migration from HTTP to HTTPS more aggressively, which will make everyone reconsider their decision regarding HTTPS encryption.
Here at purpleplanet, we’ve had “migration from HTTP to HTTPS” on our list of tasks for a while, to improve our on-site SEO, but this news from Google was the final boost we needed to move things forward. During the process, we encountered some troubles. Since there are not many articles covering the topic of how to safely move a website to HTTPS, and keep all search rankings, I decided to write about our experiences. Hopefully, it will help some of you to go through the migration smoothly.
Choosing and installing an SSL certificate
When we decided to switch to the HTTPS protocol, the first step was to choose and install an SSL certificate.
There are many options when choosing an SSL certificate: certificates differ in validation level and coverage level, and come with diverse branding options.
Based on the validation level there are 3 certificate types:
- Domain Validation Certificate (DV) – The basic level of validation for non-eCommerce websites.
- Organization Validation Certificate (OV) – For eCommerce sites and websites that collect personal information and are run by registered companies.
- Extended Validation Certificate (EV) – This certificate offers the highest level of assurance, and is the best choice for eCommerce sites and websites that collect personal information when user trust is a crucial factor.
Based on the coverage level there are also 3 certificate types:
- Single domain certification – Protects a single domain only, without any subdomains.
- Multi-domain certification – The best choice if you want to protect several different domains but don’t want to bother with installing a separate certificate for each domain.
- Wildcard certification – Covers SSL encryption on multiple subdomains, which share the same primary domain.
Since our site doesn’t handle any sensitive information, and we wanted to protect only the primary domain, we’ve decided to go with Hostgator’s Positive SSL, which is a basic option but still very safe. It protects the website with 2048-bit signatures and 256-bit encryption. The Positive SSL certificate covers a single domain, with and without www.
Our certificate was issued immediately. However, you might have to wait up to 5 days if you purchase an OV or EV certificate.
After we’d purchased the certificate, and installed it on our web server, the real work began to get a green padlock in the address bar, and preserve all our search rankings.
Setting up WordPress to use SSL and HTTPS
Turn off your CDN and clear your website’s cache
If you are using a Content Delivery Network, you’ll want to temporarily turn it off to avoid serving mixed content after you’ve changed your website’s URL in WordPress admin.
We are using MAXCDN in combination with W3 Total Cache plugin, so I turned off CDN and cleared the cache in two clicks.
Set up your new website address
First, force your admin to use SSL encryption by logging into your WordPress with an SSL address, e.g. https://yourwebsite.com/wp-admin/
- Go to Settings » General.
- Update the WordPress Address and Site Address fields.
Set up 301 redirects from http:// to https://
We chose to set up redirects in our .htaccess file. I found several examples of .htaccess code, but this is the code that worked for us:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
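To confirm that the rule above behaves as intended, the following added example (not part of the original article) checks a response against what the RewriteRule should produce: a 301 status, an https:// target, the same host and the same path and query. The host example.com and the sample responses are constructed placeholders; `probe` collects a real response without following the redirect.

```python
import http.client
from urllib.parse import urlsplit


def check_redirect(requested_url, status, location):
    """Compare one response with what the RewriteRule above should produce."""
    if not location:
        return [f"status is {status} with no Location header: not redirected"]
    req, loc = urlsplit(requested_url), urlsplit(location)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected a permanent 301")
    if loc.scheme != "https":
        problems.append("Location does not point to https://")
    if loc.hostname != req.hostname:  # the rule reuses %{HTTP_HOST}
        problems.append(f"host changed from {req.hostname} to {loc.hostname}")
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):  # %{REQUEST_URI}
        problems.append("path or query string was not preserved")
    return problems


def probe(url, timeout=10):
    """Fetch url over plain HTTP without following redirects."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", target)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


# Constructed responses for a site assumed to live at example.com.
SAMPLES = [
    ("http://example.com/blog/post/?p=1", 301, "https://example.com/blog/post/?p=1"),
    ("http://example.com/blog/post/", 302, "https://example.com/blog/post/"),
    ("http://example.com/blog/post/", 301, "https://example.com/"),
    ("http://example.com/", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, check_redirect(url, status, location) or "OK")
```

For a live check, pass the result of `probe("http://yourwebsite.com/some/page/")` together with the same URL to `check_redirect`.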
Make sure your website doesn’t serve any HTTP links
This is the hardest part, especially if you get an ugly HTTPS error in your browser, which points out that your website is insecure.
The error looks like the screenshot above, and if you click on the red triangle and Details you will probably get a Mixed Content error, which means there is an HTTP link still left somewhere in your files.
Go thoroughly through every part of your WordPress website looking for HTTP links. Check your:
- HTML sitemap
- robots.txt
- Absolute URLs on all pages and posts
- Embedded content such as MailChimp sign-up forms or Social media pages’ iframes
- Images
- Javascript files
- CSS files
- Custom JavaScript and Ajax libraries
Scan for the insecure content!
There are several WordPress plugins that can be helpful. If you decide to use a plugin, make sure to backup your database first. However, I decided to do everything manually, and to detect errors using a combination of these tools:
- Screaming Frog – This is a premium desktop tool, but you can use it to check up to 500 URLs for free. Using this tool you can quickly detect all HTTP links, the page on which each link is found, and the page it points to. It also shows you anchor text and image info with alt text.
- Internal Link Analyzer – A very handy free tool. It checks internal links and anchor types, which is very useful for detecting where the link is that you’re looking for. The only downside was, for some reason, after identifying and changing all absolute links to relative, it still gave me the same results.
- SSL check – A free tool limited to 200 pages per website. It crawls an HTTPS website searching for HTTP internal links in text content, images, scripts and CSS files.
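For a manual check of a single page, the following added example (not part of the original article and not one of the tools listed above) parses saved HTML and reports every http:// reference from the checklist: scripts, iframes, stylesheets and CSS `url()` values as active content, images and media as passive content, form targets, and internal links. The host example.com and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) -> category. "active" content is blocked by browsers.
FETCHED = {("script", "src"): "active", ("iframe", "src"): "active", ("img", "src"): "passive",
           ("video", "src"): "passive", ("audio", "src"): "passive", ("form", "action"): "form"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._in_style = site_host, [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":  # inline CSS such as background:url(...)
                self.findings += [("active", tag, u) for u in CSS_URL.findall(value)]
            if not value.lower().startswith("http://"):
                continue
            kind = FETCHED.get((tag, name))
            if tag == "link" and name == "href":
                rels = (dict(attrs).get("rel") or "").lower().split()
                kind = "active" if "stylesheet" in rels else "link"
            elif tag == "a" and name == "href" and urlsplit(value).hostname == self.site_host:
                kind = "link"  # not mixed content, but an internal HTTP link to update
            if kind:
                self.findings.append((kind, tag, value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> block
            self.findings += [("active", "style", u) for u in CSS_URL.findall(data)]

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the site is assumed to be served from example.com.
SAMPLE = """<link rel="stylesheet" href="http://example.com/style.css">
<style>.hero { background: url('http://example.com/bg.png'); }</style>
<script src="http://cdn.example.net/lib.js"></script><img src="http://example.com/logo.png">
<a href="http://example.com/about/">About</a> <a href="http://other.example.org/">Ext</a>"""
```

`scan(SAMPLE, "example.com")` returns one `(category, tag, url)` tuple per finding, in document order; the external link is left out because only internal links need rewriting.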
Migration from HTTP to HTTPS and MAXCDN
After you’ve finished with WordPress adjustments, if you are using a CDN, you have to install an SSL certificate on the CDN to be able to continue using it.
It was hard to find instructions on setting up MAXCDN to use an SSL connection, so I had to contact their support for help. Below are detailed instructions on how to set up SSL within MAXCDN, for a single domain SSL license, as well as for the wildcard license. If you are using another Content Delivery Network, I advise you to contact their support before losing too much time trying to figure out how to set up everything correctly.
Create a new Pull Zone
- Go to the Zones tab in your MAXCDN account.
- Click the Create Pull Zone button. You will probably have to delete a previously created HTTP-based pull zone.
- Choose the name for your new pull zone and in the Origin Server URL field enter your HTTPS address. Click the Create button.
Create custom domains (only if you have a wildcard certification)
If you previously used CDN subdomains to distribute requests across multiple hostnames, you have to recreate them in the CDN, and adjust CNAME records on your server.
- Click on the Zones tab
- Click View Pull Zones button
- In Manage drop down » choose Settings
In Custom Domains Settings add your custom subdomains and after you’ve finished adding all subdomains, update the CNAME records in your domain’s DNS settings.
Wildcard certificate upload
If you have a wildcard certification, you have to upload your certificate to CDN and then install it in the SNI tab.
- Click Account.
- Click SSL.
- Click New Certificate button.
- Enter the required information in all fields.
Name – Use a descriptive name
SSL Certificate – Here you have to copy and paste your certificate, along with the lines Begin and End certificate.
If you are not sure where to find your certificate, you can use the SSL checker tool. Enter your hostname in the Enter hostname field and click the Check button, scroll to the end of the page and click on Show in the Chain Details field. At the end of this field, you will find your certificate.
SSL Key – Enter your private key here along with the lines Begin and End key.
Certificate Authority (CA) bundle – This is a file that contains your root certificate and all intermediate certificates.
You can use a tool called Certificate key matcher to find your Certificate Authority (CA) bundle. Enter your Certificate and your Private key on the left side; if they match, you will get your CA on the right side.
After you’ve successfully uploaded your certificate to CDN, you have to install it in the SNI tab.
- Click on the Zones tab
- In Manage drop down » click SSL
- On the SNI tab » Choose the certificate you previously uploaded
- Click Install
Single domain certificate
If your certificate covers only your root domain, without any subdomains, you can purchase CDN’s SSL certificate, or use the Shared SSL on their server for free.
- To use Shared SSL, click on the Zones tab
- Click Manage drop down » choose SSL
- On the Shared SSL tab » click the Enable button
The downside of using CDN’s Shared SSL is that you won’t be able to have your own custom subdomains for distributing server requests across multiple hostnames.
Update the MAXCDN URL in WordPress
As I mentioned before, we are using the W3 Total Cache plugin. The last step was to update information in the CDN tab of the plugin, and enable the CDN in General Settings.
Migration from HTTP to HTTPS and Google Search Console
When I was going through different articles on handling migration from HTTP to HTTPS in the Google Search Console, I ran into instructions to use the Change of address tool. Unfortunately, this tool doesn’t work for migrations from HTTP to HTTPS, so you have to skip this part. It’s not possible to change the existing Google Search Console account – you have to open another one.
Verify your new account
If you used the HTML file upload verification method before, and the file is still in your root folder, you don’t need to upload it again – just choose this method and click the Verify button.
Resubmit your robots.txt file
- In the Crawl section » click on robots.txt Tester
- Enter the content of your robots.txt file
- Click on the Submit button.
Resubmit XML sitemaps
- In the Crawl section » click on Sitemaps
- Click on the Add/Test Sitemap button to add your sitemaps
- After adding, refresh the page and submit all sitemaps to index.
Fetch and render
- In the Crawl section » click on Fetch as Google
- Click the Fetch and Render button to fetch your URLs
- When asked, choose the option Crawl this URL and its direct links
- Refresh the page and Submit to index your URL and linked page.
Disavow file
If you’ve already been using a disavow file, you need to submit it again. First, download the file from your HTTP Google Search Console account and upload it again on your new HTTPS account.
The same applies for rich cards, highlighted content, excluded sitelinks, etc. – if you had set up these options in your old account, you’ll need to set them up again.
You will probably have to wait for some time to get all your posts, pages and images indexed. You can monitor the progress in the Sitemaps section.
Google Analytics updates
Updating your Google Analytics account should be easy. You don’t have to open a new account, just switch to HTTPS on your existing account.
- In your Admin tab » click on Property settings
- Choose HTTPS under Default URL
- Repeat this for all views you are using, in View Settings
Now you need to re-link your Google Analytics account with the new Google Search Console account. To do this:
- Go to the bottom of Product Linking in Property settings
- Click on All Products
- Click Edit
- Click the Adjust Link button » choose your Google Search Console account from the list.
If you are using an older version of Google Analytics code, you might also need to update that code.
External links and additional things
You don’t have to update all of your external links because fluctuation in traffic caused by losing external links pointing to your website will be only temporary. However, you should update the external links you have control over, especially the links on your social media pages.
This is pretty much all that we have done to switch from HTTP to HTTPS successfully. Here is the list of additional things you might consider updating if you are using these services:
- Bing Webmaster Tools
- Yandex Webmaster Tools
- Google AdWords URLs
- Facebook App URL and Ad URLs
- MailChimp RSS campaign URL
- URLs in any other tracking tools besides Google Analytics
SSL test
If you followed all the instructions for migration from HTTP to HTTPS carefully, you should be able to pass the SSL test with an A grade.
You can take your own SSL test to check if your WordPress migration from HTTP to HTTPS was successful, and if there is anything left you might improve.