How to Migrate Your WordPress Site from HTTP to HTTPS
If you’ve been running a WordPress blog for some time now, you probably know already that HTTPS and SSL are a hot topic. Google has been pushing hard to get all blog owners and webmasters out there to migrate their blogs and websites from HTTP to HTTPS.
As with anything in life, security is a big thing. Having a proper SSL certificate installed and having your domain configured as HTTPS is now officially a search engine ranking factor.
A small one, but even so, it’s something that can help you move up the ladder. Not to mention the fact that your website visitors will feel more comfortable browsing your site and submitting details.
In addition, from October 2017, Google Chrome will display an unpleasant not-secure warning for websites that are not yet switched over to HTTPS and have input fields. Firefox has already been doing this for a while.
Migrating a WordPress blog is not overly complicated. But doing things wrong, or forgetting certain steps can have huge consequences. That’s why I’ve summarized all the steps required to migrate your WordPress site from HTTP to HTTPS without any issues.
What Is HTTPS and SSL All About?
There is literally tons of information out there about this topic, but here’s a very brief summary of HTTPS and SSL and why it is so important.
Back in the day, HTTPS was only justified for websites such as web shops and banks. Websites that required users to enter personal information or payment details. This made perfect sense. Nobody wants their personal data to be sent across the world wide web unencrypted so that hackers can capture that information and do bad things with them.
But as mentioned, the search engines are now very keen to have all websites migrated to HTTPS to enforce better security. So even if you’re just a simple blogger, Google still wants you to migrate to HTTPS. In fact, if your site is still on HTTP, your visitors will see the dreaded “unsecured” message in their Chrome or Firefox browser as soon as they submit data.
SSL stands for Secure Sockets Layer. The extra “S” appended to “HTTP” indicates that an SSL certificate has been installed. Without getting too technical, an SSL certificate basically encrypts data sent to and from a website. So let’s say you submit your name and email address on a blog to sign up for a newsletter. An SSL certificate makes sure these details are sent across the wire in an encrypted state rather than as plain text.
Need more technical details? Read this in-depth guide about the inner workings of SSL and HTTPS.
Migrate Your WordPress Site From HTTP to HTTPS
Follow the below steps and your WordPress site will be migrated in less than four hours without any headaches or issues. I have personally used this exact process to migrate all my websites earlier this year.
To follow these steps, make sure you are logged into your WordPress site and your hosting account. Also make sure you have access to an FTP client. If you don’t have one, I recommend you install FileZilla. It’s free and works really well.
1. Do a Full Backup
Before you make any type of drastic changes to your website, always make sure you do a full backup of your website. A full backup includes all your website files and also the database.
Most hosting companies provide some sort of backup feature to make it easier for people like you and me to do regular backups. Most of my websites are hosted with DreamHost and within my DreamHost panel all I need to do is press a button and DreamHost will back up everything that is associated with my hosting account.
This includes website files, database, email accounts, everything. The full backup remains on the DreamHost server available for download for a period of two weeks. Too easy.
There are also several WordPress plugins that can take care of your backup procedures, but I personally prefer to keep the amount of plugins installed on my WordPress sites to a bare minimum.
The more plugins you have installed, the more drain on the performance of your site, and the more security risk.
2. Purchase and Install an SSL Certificate
To make things complicated, there are different types of SSL certificates to choose from. Without going too technical, if you’re running a WordPress blog or website, I recommend you either go for a free Let’s Encrypt certificate or for a paid certificate provided by reputable certificate provider such as Comodo.
The good news is that most hosting providers make it very easy for you to purchase and install an SSL certificate. With HTTPS becoming such a big thing, it’s important for a hosting provider to make the migration process as easy as possible.
A Let’s Encrypt is free but is only valid for three months. It typically gets renewed automatically before that period runs out, so it’s really not a big deal. Let’s Encrypt was established to make it easier for small website owners and bloggers to migrate to HTTPS.
The three-month validity time frame helps to keep the pool of available certificates manageable. For example, a blog that ceases to exist two months after a Let’s Encrypt certificate was installed also releases that certificate back into the market so that another blog can use it.
For my websites and blogs I have purchased an SSL certificate from Comodo via my hosting provider DreamHost. For only $15 you can have your site secured for a year. Very affordable.
Go ahead and have a look at the SSL certificate of blogpioneer.com by clicking on that lock symbol next to the https address.
Purchasing and installing a certificate differs from host to host, but this DreamHost process is very straight-forward. Log into your own hosting panel and have a look at how this process works with your host. This should never be complicated.
3. Change Home and Site URL in WordPress
Once your SSL is purchased, installed and activated, there are still a lot of steps to complete to make sure your blog doesn’t lose any traffic or authority.
Sadly, too many people think that installing a certificate is all you need to do, but in reality that’s not even half the work that needs to be done.
The first thing you should change immediately is the WordPress and Site Address URL in General Settings of your WordPress admin panel. Simply change the HTTP bit into HTTPS as per below image.
By doing this you’re telling your WordPress installation where it now lives. By having HTTPS in front of your website address, you basically have a whole new website.
WordPress may now force you to log back into your site again, because the URL has changed.
4. Update the Wp-config.php File
The next thing you need to do is add a couple of lines to the wp-config file of your WordPress installation. This file contains configurable information about your WordPress site, such as database credentials and secret keys.
In theory, you would never have to access this file, but it’s important to add the below lines.
With your FTP client you can download this file to your computer. Open the file in Notepad and add the below lines. The wp-config file should already contain a line that says something about “WP_DEBUG”.
A good spot to add the two lines is right below the line with the “WP_DEBUG” phrase. Once you’re done, upload the file via FTP and you’re good to go.
By adding these two lines you’re forcing any web requests to HTTP to be redirected to HTTPS.
To make it easier for you, I have added these lines of code in a text file so you can copy and paste. You can download this file here.
5. Update the .htaccess File to Redirect to HTTPS
The next important change is adding a few lines in the .htaccess file of your WordPress installation. This is a distributed configuration file used by the Apache server your website lives on. It contains information about caching, re-directions and other exciting technical stuff that you normally wouldn’t have to worry about too much.
When migrating your WordPress blog to HTTPS it’s important to make a few minor changes in this file. The safest way to do this is via the Yoast SEO plugin. Go to SEO, Tools and then File Editor. Then in the .htaccess file, add the lines as per below image at the top of the file.
If you don’t use the Yoast SEO plugin, you can download this file to your computer via FTP just like you did with the wp-config file. Open it in Notepad, apply the changes and upload the file. Make sure that the file extension is still .htaccess when you save it. The file essentially has no name. It just ends with .htaccess which can be a bit confusing.
It’s important to point out that the htaccess file is a crucial element in your WordPress installation. If it contains errors, your site may not load anymore. That’s why it’s essential that you do regular backups and always be very careful when editing files such as these.
By doing this you’re telling the search engines that all requests to the HTTP version of your site need to be redirected to the HTTPS version.
6. Update Existing 301 Redirects in the .htaccess File (Optional)
If you have changed URL’s of individual pages or posts in your WordPress blog, then most likely you will have added 301 redirects in that same htaccess file. If not, you really should do so otherwise you may be missing out on valuable link juice.
In addition, Google gets upset when it can’t find old URL’s anymore and by adding 301 redirects in this file, you’re letting the search engines know what happened to these old URL’s
A 301 redirect would look something like the below image. So if you’ve added these in the past, make sure you update them to go to the new HTTPS URL’s.
All you need to do is change the HTTP bit to HTTPS and all is good.
7. Update the Robots.txt File (Optional)
The Robots file can be used to tell the search engines to ignore, or even deny access to, certain files and folders within your WordPress blog installation.
Just like with the wp-config and htaccess files, the robots file needs to be handled with extreme care. The average blogger may never even see this file, so don’t worry about it too much.
However, if you’ve added URL’s in this file, you must now update them to the HTTPS version.
If you are using any custom scripts in your blog or website, make sure you are now pointing to them with HTTPS. This happens when you have manually created script files and you are including them in your site by pointing to their http location. You will need to update these references to HTTPS.
Similarly, if you’re using external libraries and they are pointing to HTTP, make sure they are updated to HTTPS as well. This will prevent the mixed content warning from appearing in the browser.
Mixed content means a web page within your site is marked as HTTPS but is still referencing HTTP elements that should also be marked as HTTPS.
Don’t worry too much about this step if it doesn’t mean much to you. Most bloggers won’t be using custom or external script libraries.
9. Update Plugins (Optional)
It could be that you are using plugins that have hard-coded references to HTTP elements within your website. You will need to update those hard-coded references to HTTPS.
This step is optional because most plugins won’t require you to configure hard-coded URL’s. But it’s still recommended to go through your list of plugins and just see how they are configured and whether they are still working properly.
10. Change Hard-Coded Internal Links Throughout Your website
This is a very important step.
Typically, withing WordPress, when you link to another post within your site, or when you add an image to a post, this results in links such as in the below image.
It is important that you go through all your pages, categories and posts to update all internal links to the HTTPS version.
There are two ways to go about this:
The manual way:
This is very time consuming, but safe. Do it this way if you have a small blog, or if you are not at all confident touching the database directly.
The database way:
This is much quicker, but carries more risk. Do it this way if you feel comfortable making bulk database changes and are confident you won’t break anything.
If you decide to do it manually, simply update all instances of references to the HTTP version of your website. This is not difficult, but may take some time depending on how much content you have.
If you want to do bulk updates via the database, this tutorial is a helpful resource. It also mentions a plugin that you can use, but personally I wouldn’t choose to use a plugin for this type of work.
11. Test All Redirects
Now it’s time for a bit of fun and test whether your hard work has paid off.
Once you’re confident that you have applied all the necessary changes as per the above steps, it’s important to make sure everything works well on your blog.
Here are a few things you can do:
Open a new browser, and type in the HTTP version of you site. If your browser automatically redirects to the https version, then that’s awesome. Make sure you test both “http://yourdomain…” and “http://www.yourdomain…” versions.
Test individual pages and posts:
Navigate to some of your important and popular pages and posts and test that the lock symbol is displayed and not the mixed content one. If you still see any mixed content misery, investigate the HTML version of the page you’re looking at and search for any instances of “http://” and change them to HTTPS. For example, I’ve seen it happening many times that the footer contains links to contact and about pages. These links must also be updated.
12. Test Incoming Backlinks
It’s also important to test that incoming backlinks work properly. If they don’t get redirected, your blog will lose the value of that backlink.
Do you know any sites that link to your website? Open them in a browser and click on the link that should go to your website. This link will still be marked as HTTP.
But the changes you have made to the htaccess file should automatically redirect these links to the new HTTPS version of that particular page or post.
If you don’t know of any sites that link to you, go to Google Search Console where you can most of these backlinks.
13. Update Google Analytics Settings
If you have Google Analytics installed for your traffic tracking purposes, you will need to update your blog settings.
Log into Analytics and go to the admin section. Select Property Settings of the property you want to change (in case you have more than one website). Then simply change the Default URL to https as per below image.
You will need to do the same for the View of that Property. Click on View Settings and then change the Website’s URL. Very easy.
14. Update Google Search Console Settings
In Google Search Console, formerly known as Google Webmaster Tools, you will need to add the HTTPS version of your website as a brand new property. It’s important to point out that Google considers the HTTPS version of your blog as a whole new website.
That’s why the redirects as per the above steps is so important. With those changes you’re basically telling the search engines that all authority from your HTTP website will need to passed onto the HTTPS version of your site.
In Google Search Console you will need to create two new properties: the “https://www.yourdomain.com” version but also the “https://yourdomain.com” version. You will then need to tell Google which version is your preferred version.
Please note that once you’ve done this, you will need to have a total of four web properties for just one website in Google Search Console: two HTTP versions and two HTTPS versions. It’s important that you keep all four of them, even after the migration is complete.
The preferred version you set in Google Search Console has to match the version you configure in your WordPress admin console as per step 3.
15. Update Bing Webmaster Tools Settings
Are you using Bing Webmaster Tools? Make sure you tell Microsoft and Bing about your new HTTPS website too!
It’s a bit easier in Bing than it is in Google. All you need to do is delete the previously submitted sitemap file and submit the new HTTPS one.
Not using Bing Webmaster Tools yet? I recommend you do as it’s the second most important search engine and they’re here to stay for a very long time.
Setting up is easy. Simply submit your website URL, the sitemap, upload a verification file, and that’s it, done and dusted.
16. Update Social Media Settings
The last step in the process is an easy one. Log into all your social media accounts and simply update the URL of your website.
Final Thoughts on HTTP to HTTPS Migration with WordPress
Hopefully this step-by-step process is helpful to you. It has worked really well for all my WordPress websites and they’re still running fine without issues.
One of the reasons people are afraid to switch over to HTTPS is that it may affect their search engine rankings. I can honestly say that none of my websites have lost any authority and they’re still going strong.
If anything, traffic has somewhat increased. But I can’t say whether that’s because of the switch to HTTPS.
One last thing I’d like to point out is that moving over to HTTPS may delete your social media share counts. Why? Because your website with HTTPS is considered a brand new website.
I do believe that some social media share tools have jumped into this and implemented a fix, or perhaps a hack, to prevent this from happening. One of these plugins is Social Warfare, but I’m sure there are others too.
If social share counts is important to you, it’s best to dive a little deeper into this.