SSL certificates aren’t new however there has never been more reasons to improve your website security by installing an SSL certificate on your WordPress website or blog.
Three years ago, Google’s search engine began to favor websites using encrypted HTTPS connections in the SERPs.
Over the past year or so Google has been putting more and more emphasis on security and privacy through the use of encrypted connections.
This became an SEO factor a while ago but as of July 2018 Google increased the “shaming” of websites that don’t adopt an SSL certificate and switch from HTTP to HTTPS.
Google Chrome browser already shows a green verified SSL padlock on the left-hand side of the address bar for all sites where an SSL certificate is properly installed and it is quickly becoming a signal of trust with users.
In July 2018 Google actively began showing the alternative “This website is not using a secure connection” something that is can affect trust and conversion rates especially considering the number of people who use Google Chrome as their main web browser.
There used to be a time when the only time you needed an SSL was if your website was transactional and allowed people to log in with passwords or collected credit card details but now there is a move to make the entire web secure and I for one am glad for it!
Free SSL Certificates
SSL Certificates used to be an expensive extra after buying your domain, however, these days provided your host supports it we can use a free SSL certificate from LetsEncrypt.
Hosting services like WPEngine and Siteground make it extremely easy to activate your SSL certificate from the control panels.
If your web host doesn’t have native support for LetsEncrypt then you need to visit the LetsEncrypt and go through their setup instructions first.
Let’s Encrypt is an authority set up and sponsored by Internet Research Group and sponsored by companies such as Google, Facebook, Sucuri, Mozilla, Cisco and more to ensure that we can encrypt the web without having to buy expensive SSL certificates from domain registrars.
Once that step is out of the way the next thing you need to look at is configuring your WordPress install so https is active.
How do you install an SSL Certificate on WordPress?
Firstly you need to check your SSL certificate has been applied to your domain. If you use a host that supports LetsEncrypt you should be able to access the cPanel and find a LetsEncrypt option.
Simply go here and apply the SSL certificate to your domain.
To check if there is already an SSL applied and you just need to setup WordPress try visiting your website and use https instead of http.
When the page loads click on the exclamation mark (!) on the left of your web address and if the dropdown says “Certificate: Valid” then you already have an SSL applied, you just need to configure WordPress.
There are several steps to turning https on for your website and this will differ if you have previously been using http for a long time and may have many links that need to be changed.
Here is the general process I follow to install an SSL certificate on a WordPress site.
Login to WordPress
Navigate to:
Dashboard > Settings > General
Then change the URLs from http to https for Site Address (URL) and WordPress Address (URL).
If when you land on this page you find both boxes are greyed out and you cannot click into the fields to edit them, this means you must have them set from your wp-config.php in the root of your WordPress install.
You can locate this file two different ways:
Firstly by going into your hosting account and cPanel and going to “file manager”. Once you are in the file manager you need to find the root folder of the specific WordPress install you want to edit.
Once you find the root folder you will see a file called wp-config.php
Back it up first!
Then go to edit the file.
The lines we are looking for will look like the below:
define('WP_HOME','http://mysite.com');
define('WP_SITEURL','http://mysite.com');
You simply want to update these two lines to:
define('WP_HOME','https://mysite.com');
define('WP_SITEURL','https://mysite.com');
Remember there should be no trailing / at the end.
The second method is similar but requires you get your FTP account and connect via an FTP client to access the files and folders on your server. If you prefer FTP then use this method. I personally use a program called WinSCP though Filezilla is a popular alternative.
Install Really Simple SSL plugin
In the WordPress Dashboard navigate to:
Dashboard > Plugins > Add New
and then search for “Really Simple SSL Plugin”
Once the plugin has installed activate it.
You will then be redirected back to the plugins page where a notice should appear at the top of the screen prompting you to turn on SSL.
Usually, that is everything you need to do with this plugin and it can also fix insecure content issues, however, I have had several instances where this plugin wasn’t able to fix all of my insecure content (content still being called over http not https) and you may find the same issue.
If so install the next plugin in step 3 which is more thorough when it comes to fixing insecure content.
Really Simple SSL plugin is one of a handful of plugins I actively recommend. See my full list of Essential WordPress plugins.
Install SSL Insecure Content Fixer plugin (Optional)
In the WordPress dashboard navigate to:
Dashboard > Plugins > Add New
and then search for “SSL Insecure Content Fixer”
Install and then activate the plugin.
Then navigate to:
Dashboard > Settings > SSL Insecure Content
Then turn on the “content” option and hit save.
This should fix any of the insecure content issues that remain.
Install Better Search & Replace Plugin (Optional)
If your WordPress website or blog isn’t new then you might find you have a lot of http links in pages and posts.
If you haven’t taken a backup already this is the most important time to do it. The changes you are about to make to the database are not possible to undo. The only way to restore your site if something goes awry is to restore from the backup!
In the WordPress dashboard navigate to:
Dashboard > Plugins > Add New
and then search for “Better Search & Replace”
Install and activate the plugin.
Then navigate to:
Dashboard > Tools > Search and Replace
Go to the plugin and run a search and replace to replace all instances of
http://yourdomain.com
with
https://yourdomain.com
When the test run is complete, do a real run to replace all instances.
You may need to come back here to replace other URLs on your website if some remain and prevent you from seeing the green padlock.
Clear your cache
If you are using a caching plugin like w3 Total Cache, WP Super Cache or Rocket Cache then you will want to clear it and then refresh your website to check that the green padlock symbol shows in the address bar.
If you are using Beaver Builder they have their own cache under Page Builder > Tools so make sure you don’t forget to clear that.
If you are using WPEngine or any hosting service with server-side caching turned on you will need to go into your control panel to clear any caches.
Check Everything works!
Now you want to give your website a refresh and have a scout around to make sure everything is working okay and most importantly check the browsers omnibox to make sure it displays the green padlock symbol shown below or a similar variant.
What you don’t want to see is an exclamation mark, this most likely means there is still some links on the page pointing to http.
If you have this issue right click on your website and view source code.
Then use CTRL+F (Windows) or Command+F(Mac) to search the code for http:// and try and find out which links are causing you issues.
Change your URL in Google Analytics
The next step is to log in to your Google Analytics account and then go to the “Admin” page (The link is currently in the bottom left corner).
Then click on the option that says “Property Settings”.
Here you will see an option called “Default URL” simply select the drop-down to change it to say https.
Then you can hit save. That is all you need to do to update Google Analytics after switching from http to https.
Update Google Webmaster Tools / Search Console
Next, you want to go to your Google Webmaster Tools account.
Unlike with Google Analytics, you can’t change the url, and you don’t want to delete the old instance.
Instead, you want to add it again as a new site using https and keep both http and https versions registered in your webmaster tools so you can report on any issues.
Technically you should also register versions of your web address with and without the www subdomain to cover all 4 possibilities as this can help you detect issues with all variations.
Once your new https address has been added you will need to submit your sitemap to your new webmaster tools property.
That completes the process.
You may see a short-term dip in rankings and traffic but don’t be alarmed it will recover if everything is setup properly, it takes a little while for Google to properly reindex all of your URLs but trust me, it’s worth doing sooner rather than later!
From now on, with any new websites if you set up the https version from the start you will be able to skip the majority of the steps in this tutorial.
Would you like to see if you are making any common SEO mistakes with your WordPress install? read our WP SEO guide.
If you don’t feel comfortable setting up your SSL certificate than contact us and we can discuss our SSL Installation service, which is free if you are signing up with our recommended hosting service.
Here are some other useful articles that you might find helpful
