How to Make Your WordPress Website Secure (SSL) in 6 Steps
If you've looked into search engine optimization as a promotional technique for your website, you have likely come across the advice to make your website secure (having an https:// appear in front of your URLs instead of http://). Google has been very vocal in pushing for all websites to make the move to being secure, and even claims to give sites using SSL a slight boost over sites without it. This guide is meant for typical WordPress-based websites. If you're an e-commerce store or a more complex website, you'd be better off employing an SEO consultant to oversee the migration.
Step 1 – install a secure certificate
My hosting company enables secure certificates for websites hosted with them by default (though you need to follow through with the steps listed below to have your sites render using them). They're very basic SSL certificates, but they meet the minimum standards for making a site secure. For most sites, this option will suffice just fine.
If your host doesn't include secure certificates in their standard plans, you'll need to contact them and find out what your options are and then have them install the secure certificate you choose to purchase. If they won't install the certificate for you, I'd suggest finding a new host with better support.
Step 2 – change your WordPress install to use secure URLs
Once your secure certificate is installed and active, log in to your WordPress dashboard. Navigate to Settings > General. Change both the WordPress Address (URL) and Site Address (URL) to use an https:// at the beginning and then click Save Changes at the bottom of the page. (Note: WordPress will automatically log you out at this point and require you to log back in again.)
Step 3 – address mixed content issues & force all website pages to render securely
You can use a free plugin called Really Simple SSL to perform this task. Find the plugin in the WordPress plugin repository, install it and activate it. You'll see a notice appear telling you to enable SSL on your site. Click to enable it.
Navigate to the plugin's settings page and ensure “Auto replace mixed content” is checked. You'll note you have three types of redirection you can employ (to force any request for an http:// page to the https:// version). In most cases, the Enable 301 .htaccess redirect option will do the trick. Save the settings at the bottom of the page.
If everything is working properly, you should see a green padlock to the left of your URL in the browser address bar, and visiting your website pages using http:// should 301 redirect you to the https:// version. I'd test this out on multiple pages and posts to make sure you are redirected to the https:// version with a green padlock next to the URL each time.
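One way to script the redirect part of that test, as an added example that is not part of the original guide or of the Really Simple SSL plugin. The function names and the example.com URLs are assumptions; the sample responses are constructed so the check runs offline, and dropping the fetch argument makes it query a live site instead.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_head(url):
    """One HEAD request, redirects not followed. Returns (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(http_url, fetch=fetch_head):
    """Return the problems found with one http:// URL (empty list = good)."""
    status, location = fetch(http_url)
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    # Location may be relative, so resolve it against the requested URL first.
    src, dst = urlsplit(http_url), urlsplit(urljoin(http_url, location))
    if dst.scheme != "https":
        problems.append(f"redirects to {dst.scheme}://, not https://")
    if (dst.path or "/") != (src.path or "/"):
        # Typical of a blanket redirect that sends every page to the homepage.
        problems.append(f"path changed: {src.path or '/'} -> {dst.path or '/'}")
    return problems

# Constructed responses (not captured from a real site) standing in for a server.
SAMPLE = {
    "http://example.com/about/": (301, "https://example.com/about/"),
    "http://example.com/blog/": (302, "https://example.com/blog/"),
    "http://example.com/contact/": (301, "https://example.com/"),
    "http://example.com/feed/": (200, None),
}

if __name__ == "__main__":
    for url in SAMPLE:
        print(url, check_redirect(url, fetch=SAMPLE.get) or "OK")
```

A 302 or a redirect that lands on the homepage still shows a padlock in the browser, which is why checking the status code and the target path per page catches what a visual check misses.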
Step 4 – troubleshooting
If you're not seeing a green padlock next to your URLs in the browser's address bar, then something is causing the page to render without being fully secure.
Pro tip: If you're using the Genesis theme this can often be caused by the background images used in the “Customize” section. They don't update to using the secure URLs automatically and Really Simple SSL won't replace them with the SSL versions. Simply click to change the images, re-choose the same image from your media library and click save. The Customizer will now be using the images via secure https:// URLs.
If you're not using Genesis, or that fix doesn't do the trick, you'll need to dig deeper into what's going on. Open Firefox and install the Firebug add-on.
Go to a page that isn't showing the padlock, right click, and choose “Inspect element with Firebug.” A window will pop open at the bottom of your screen. Click to refresh the page in your browser now that the Firebug window is open. Click the Console tab in Firebug and then click the Errors tab. This will show you a list of the content on your site that is preventing it from loading securely. Fix those issues and you're good to go.
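The same hunt for insecure content can be done on a page's HTML source; the scanner below is an added example, not part of the original guide or of any plugin it mentions. The class and function names are assumptions and the sample markup is constructed. It covers the theme background-image case from the pro tip above and ignores ordinary links, which do not break the padlock.

```python
import re
from html.parser import HTMLParser
# tag -> (URL attribute, kind): browsers block "active" mixed content, while
# "passive" content such as images is what usually costs a page its padlock.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active"), "img": ("src", "passive")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        if tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
            # rel=canonical and <a href> are navigation, not subresource loads.
            loads = tag != "link" or "stylesheet" in attrs.get("rel", "").lower()
            if loads and attrs.get(attr, "").lower().startswith("http://"):
                self.findings.append((kind, tag, attrs[attr]))
        # Inline style="background-image:url(http://...)", e.g. theme backgrounds.
        for url in CSS_URL.findall(attrs.get("style", "")):
            self.findings.append(("css", tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.findings += [("css", "style", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the example.com URLs are made up for illustration.
SAMPLE_HTML = (
    '<link rel="canonical" href="http://example.com/post/">'
    '<link rel="stylesheet" href="http://example.com/style.css">'
    "<style>body{background:url('http://example.com/bg.jpg')}</style>"
    '<a href="http://example.com/old/">old</a><img src="http://example.com/a.jpg">'
    '<div style="background-image:url(http://example.com/header.png)"></div>')

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_HTML), sep="\n")
```

It only sees what is in the HTML it is given, so resources pulled in by external stylesheets or scripts still need the browser console check described above.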
Step 5 – clean up your internal linking
While your site will be automatically forcing all requests for the http:// version of a page to the https:// one, it's still a good idea to change the links you have in your posts and pages to other posts and pages on your site to directly link to the secure version.
Install and activate the free Broken Link Checker plugin. It will take a while to crawl your entire site and gather all the links, so I'd recommend you let it run and come back to complete this task the next day.
Once the plugin has done a full crawl, it will present you with a list of broken and redirected links that you're linking to within your site. You can find this list by logging into your WordPress dashboard and navigating to Tools > Broken Links. You might find a ton of links you'll need to clean up, but right now we're going to focus solely on the links on your site that are linking to the old http:// version of your pages.
On the Broken Links screen, click the Search button at the top right. In the URL field, put your domain and choose Redirects from the Link Status dropdown. Click search links. This should present you with a list of the links on your site that need to be updated to link to the https:// versions of those URLs.
WARNING: If you're using a plugin like Pretty Link Pro or some other method of redirecting affiliate links, you want to be sure NOT to “Fix” the redirects for those links – or blindly “Fix” all links – or it will change all your affiliate links to direct links to the merchant.
If you're not using affiliate links, you can check all the posts and update them. Otherwise, tick off the boxes next to all the URLs of posts and pages and images on your site in this list and then choose the Fix Redirects option from the Bulk Actions dropdown and click Apply. It will update all of the URLs to directly link to the https:// version of your posts. Continue doing so until you've changed them all out.
What if you're using redirects (cloaking) for your affiliate links? Unfortunately, you'll need to click the “Edit URL” option that appears when you hover over each link and change it to use https:// instead of http://. You could leave them alone, but it means you'll be adding an extra redirect to the transfer from your site to the affiliate site, which could slow down getting the user to where you want them to go.
Side note: If you use .htaccess to create redirects, make sure you update your .htaccess file to link internal redirects to the new https:// version. If you don't edit your .htaccess file to create redirects, you can ignore this portion of the task.
While this will catch most of your internal links that need updating, it won't catch things like links in author bios, so I'd recommend you also run your site through Screaming Frog after you've cleaned up the links using the method above to catch any stragglers.
Step 6 – add the secure version of your site to Google Search Console & update your Google Analytics settings
Be sure to add the secure version of your site as a new site in your Google Search Console (not sure how to do that? Check out my Beginner's Guide to Google Search Console here). I wouldn't delete the old http:// version because it contains data that won't transfer over to the secure version in Google Search Console. As far as GSC (formerly Google Webmaster Tools) is concerned, it's a different site.
Next, log in to your Google Analytics account. Click on the website you just made secure from your Accounts dashboard. Then click the Admin button at the bottom of the left sidebar. Click Property Settings in the middle column. Click the dropdown under Default URL, choose https:// and click Save at the bottom of the page. Then, on this same page, click the Adjust Search Console button under the Search Console heading. Connect your Google Analytics profile for your site to the new https:// version of your site you added to Search Console in the prior paragraph. Click Done.
That's it! You won't need to change out your analytics code and your Google Analytics data will remain seamless with all the data from the old http:// version and the new https:// version in the same account.
Now give Google time to sort it all out
You might see both versions of the same page in the search results while Google gets a grip on the change. As long as you followed the steps above and your content is successfully 301 redirecting all requests from the http:// version of a page to the https:// version, Google will figure it out and begin to update your URLs in the search results. Google claims that moving from http:// to https:// will not have a negative effect on your website's search engine rankings when you do it correctly.
Good stuff. Another option for Step 1 is Cloudflare. If you are willing to change where your domain name points you can get SSL for free w/o needing to set up the cert: https://www.cloudflare.com/ If you’re using WP just be sure to also install the Cloudflare plugin. https://wordpress.org/plugins/cloudflare/
Indeed an incredible piece of content about SSL. Rae, I wanted to know, in fact, I have a little confusion about SSL. I read numerous articles on the internet in which I find that it’s a great way to secure websites.
Search engines prefer https more than http. Websites which install SSL get more benefits in shape of better search rankings.
But somewhere on the internet I also read about SSL that SSL is used for those websites who are doing some sort of online business regarding sale or purchase. So, my question is, is it good for bloggers or not.
Thanks for fantastic share :)
Google wants everyone secure, whether or not they “need” to be. So, yes, good for bloggers. :)
Great piece Rae, thanks for the share.
Is there a good FREE alternative for the “really simple SSL” plugin?
Really Simple SSL is free.
What about running SSL with CDN delivery? When you have SSL on pages when you also have a CDN this could cause errors for pages rendering in browsers. Do you have any tips on that? Might be a second part to this post.
Most CDN services have an option to serve assets securely. MaxCDN has a shared SSL that is free.
Thank you so much for your tips. :)