In my detailed instructions, you will learn how to make the transition as smooth as possible.
In 8 simple and comprehensible steps.
Table of contents
Why switch to HTTPS?
1. Install SSL certificate on the server
2. Adjust WordPress and website address
3. Update permalinks
4. Replace old URLs in WordPress database
5. Redirect from HTTP to HTTPS
6. Clear caches
7. Trouble Shooting: Still no green lock?
8. Change URL on third party services
FAQ
Why switch to HTTPS?
There are many good reasons to switch your website to HTTPS. I therefore recommend that you do not put off the changeover:
You are legally on the safe side , especially if your website contains personal data, e.g. B. via contact forms or an online shop.
SSL encryption has been a ranking factor on Google since August 2014 and has only grown in importance ever since!
Your websites will be faster with HTTPS because you can use the faster http/2 (if your hosting provider supports it).
Major browsers like Google Chrome and Firefox brand websites without encryption as “not secure”. Especially when these forms contain which one personal information is submitted to the site.
More trust among readers and customers
However, switching to HTTPS also has some disadvantages that should not go unmentioned here:
One-time effort by changing the URLs on your website and third-party services (approx. 60 minutes to 2 hours)
Social shares are no longer displayed with some plugins
1. Install SSL certificate on the server
In order for your website to be secured by SSL, an SSL certificate specific to your domain must first be installed on your server.
For hosting providers that support the free Let’s Encrypt , such as B. webgo or all-inkl.com (but only from the PrivatPlus package), you can usually set this yourself in the admin area of your hosting package or server:
If your hosting provider does not support Let’s Encrypt, you will need to contact support to set up a paid SSL certificate. A simple domain validated certificate, such as B. RapidSSL, which is perfectly adequate for most blogs and websites, costs between €15 and €40 per year.
However, it can also be advisable to change the hoster. Because in 2023 nobody should actually have to pay for an SSL certificate.
With a vServer or Dedicated Server you can (or have to) install the SSL certificate yourself. It’s a bit more work, but you can also save a few euros a year. However, since there are many different web server systems, instructions for them would go beyond the scope of this guide.
If you are creating a new blog , I recommend starting with HTTPS right away. To do this, simply call up your blog URL with HTTPS during the setup process, i.e. https://www.igtechh.com instead of https://www.igtechh.com . This automatically sets https://www.igtechh.com as the WordPress and website address.
2. Adjust WordPress and website address
With the SSL certificate installed on the server, the next step is to customize your URLs in WordPress.
To do this, log into WordPress, go to Settings > General and replace the http in your URLs with https in both the WordPress Address (URL) and Website Address (URL) fields.
After saving the new URLs, you need to log back into the WordPress backend. This is because there is not yet an active user session under the new WordPress address.
3. Update permalinks
After changing the WordPress and website address, you have to save your permalinks again (under Settings > Permalinks ) so that they are updated with your new URL:
If you don’t do this, you’ll see 404 errors when you view a post or page.
4. Replace old URLs in WordPress database
Updating the permalinks has already made your site accessible again.
Unfortunately, this does not replace all URLs in WordPress with the new URLs using HTTPS. The old URLs with HTTP can still be found in all posts and pages (e.g. links to your own posts or to embedded media). Also in all plugins and themes the old URLs have not yet been replaced by the new ones.
This can result in parts of your site still loading over HTTP. As a result, a so-called mixed content warning is issued in many browsers (and e.g. a red lock is displayed next to your URL instead of a small green lock).
And that’s not good for visitors, and it’s not good for your Google ranking either!
Depending on the size of your site, replacing all of these URLs by hand can be very time-consuming. It is therefore best to install the free plugin Better Search Replace.
Please make sure to backup your WordPress database before using Better Search Replace !
In the WordPress backend, go to Tools > Better Search Replace .
Enter your old URL with HTTP in Search for and HTTPS in Replace with your new URL. Then you mark all tables with Ctrl + A under Select tables and check the box Test run? out of here:
5. Redirect from HTTP to HTTPS
To ensure that every request is forwarded from HTTP to HTTPS and your website cannot be reached under both protocols, it is necessary to create a 301 redirect.
To do this, you need to access your FTP server and add the following code to the .htaccess file (the file is located in your WordPress root directory).
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I recommend using Notepad++ or Brackets to open and edit the file . The code should be placed at the top of all other entries.
If your WordPress installation is on an nginx server (this is usually not the case), you must add the following code to your nginx.conf :
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
6. Clear caches
You should clear the cache of your caching plugin (e.g. Cache Enabler, WP Super Cache, W3 Total Cache, WP Rocket etc.) so that your changes are also applied to your live website.
If other plugins are caching, you should also clear their caches. This is e.g. This is the case, for example, with Contextual Related Posts, Simple Press, Autoptimize or ASA 2 Pro.
7. Trouble Shooting: Still no green lock?
You still get a mixed content warning in your browser and no green lock appears?
Then there are still resources hidden on your website (images, Javascript, CSS, etc.) that are accessed via HTTP.
7.1 Common Sources of Errors
Resources loaded unencrypted are often hidden in external resources, such as e.g.:
externally loaded fonts (e.g. Google Fonts or FontAwesome)
externally loaded scripts (e.g. the Pinterest button, Facebook Like Box or widgets)
Badges from blog directories and top lists
advertising banners and services
Tracking tools (e.g. Google Analytics or Matomo)
Old URLs can also hide in a child theme (with their own customizations) or a theme or plugin that has not been updated for a long time.
So it’s a good idea to update all installed plugins as well as your theme and check your child theme’s files.
Also, be sure to check your CSS files and Custom CSS in the Customizer (found under Appearance > Customizer in the WordPress admin). In some cases, images loaded via HTTP (e.g. background images) can be hidden there.
7.2 Source Code Review
To find out where the troublemakers are hiding, it is a good idea to open the page’s source code in your browser and search for http:// :
7.3 Checking with Chrome Developer Tools
The Chrome Developer Console is also very good for finding unencrypted resources. You open this in Google Chrome or Opera by right-clicking on your website. In the context menu that appears, click on Inspect element .
Warnings are displayed in the Console tab when resources are loaded via HTTP:
8. Change URL on third party services
Switching from WordPress to HTTPS may cause services connected to your site to stop working. Therefore, please check any apps or integrations connected to your website, e.g. B. Social network APIs and replace the old URLs with the new ones.
8.1 On your social media channels
To prevent unnecessary redirects, you should also change your URL on social networks. These include e.g. e.g.:
Facebook page (also with link to imprint and privacy policy)
Facebook groups (possibly present in the group description, announcements, etc.)
Pinterest profile (also for imprint)
Instagram (and possibly also Linktree)
google+
Listing on Google My Business and Bing Places
YouTube (also in the imprint)
8.2 In APIs
For connections to APIs to work properly, you should change your URL there as well. Since z. B. own apps on Facebook or Instagram.
Also remember to change URLs necessary for the app to function, e.g. B. the valid redirect URIs on Instagram or other URLs used for authentication:
8.3 With Google Analytics
With Google Analytics you can switch your URL to HTTPS under Management > Property Settings > Default URL :
8.4 In the Google Search Console
You must also change your URL in Google Search Console or clicks will no longer show up in search analytics.
Unfortunately, you can’t just change the URL, because http:// and https:// are considered different properties.
Instead, you’ll need to delete your existing property and re-add your site as a property with HTTPS in the URL:
Please remember to resubmit your sitemap to Google after creating the new property:
8.5 In the email signature and in the newsletter
If, like me, you use your website in the email signature, you should also change the URL to the encrypted SSL variant there.
This also applies to links that can be found in your newsletter (e.g. links to the imprint, data protection declaration, start page, images on your server, etc.).
Embedded forms from newsletter tools such as MailChimp, CleverReach and Co. can also create unencrypted connections that cause a mixed-content warning in the browser.
8.6 Affiliate Programs and Links
With affiliate programs and networks, it is often necessary to enter your own URL in a profile or to create an advertising space with your own URL. Again, you should replace the old URL with the new one (if possible).
You should also switch all affiliate links included on your website to HTTPS. You can also use the Better Search Replace plugin for this :
If you don’t do this, referrers may not be transmitted to the affiliate program or network.
Referrers are important for many advertisers because they can see which URL the affiliate link was clicked on. Under certain circumstances, it may even be the case that sales or leads are not remunerated because the referrer is missing!
FAQ
Here you will find answers to frequently asked questions about WordPress and SSL:
Will my website slow down if I use HTTPS?
Yes it will if your hosting provider only supports the legacy HTTP/1.1 protocol.
On the other hand, if your hosting provider already supports the new HTTP/2 protocol, using HTTPS will make your website even faster (HTTP/2 is supported by most browsers only in conjunction with HTTPS).
Isn’t there a plugin for test if my website supports HTTP/2?
Yes there is. You can save yourself many of the steps above by installing the Really Simple SSL plugin.
However, I advise against it for three reasons:
Each additional plugin you install increases the risk of your site being hacked (most security holes are found in plugins).
The plugin does not make any changes to the database or to the source code of plugins or themes. That means you may get displayed despite the mixed content warnings.
If you deactivate the plugin, all changes are gone again.
So:
Use it only temporarily, e.g. B. if you don’t have time for a proper and sustainable change at the moment.
What do I do with a redirect loop?
Your website may be caught in a redirect loop from HTTP to HTTPS back to HTTP to HTTPS etc. after the switch.
Here are some possible sources of error:
Redirect Plugins
Login plugins that change the login URL
Security plugins such as B. iThemes Security, via which a redirect was set
Added redirects in .htaccess or nginx.conf
In some cases, saving the permalinks again helps (see point 3 in the instructions).