Moving your website to HTTPS / SSL: tips and tricks

In 2014, we decided to switch over to the (now) commonly used HTTPS protocol to encrypt sensitive data that’s being sent across our website. This post describes some useful tips based on our own experiences that might come in handy if you’re considering switching.

Addendum March 2021

Moving your WordPress site to support HTTPS connections with SSL certificates became a lot easier as of WordPress 5.7. In that release, the WordPress team added a new feature to Site Health that checks if a site runs on a hosting package that supports HTTPS. If it does, the feature offers a one-click option to move your site to HTTPS. It even updates the links in the database for you and prevents mixed content warnings from happening. So, activate that SSL certificate for your site and get to it!

A little backstory

Back in 2014 HTTPS became a hot topic after the Heartbleed bug became public. This bug allowed people with ill intent to listen in on traffic being transferred over SSL/TLS. It also gave them the ability to hijack and/or read the data. Luckily, this bug got patched quickly after its discovery. This incident was a wake-up call that properly encrypting user information over the internet is a necessity and shouldn’t be an optional thing.

To emphasize the importance of encrypting sensitive data, Google Chrome (since January 2017) displays a clear warning next to the address bar whenever you visit a website that doesn’t encrypt potentially sensitive data, such as forms.

How do I switch?

Because it’s important that your data is safe, we took steps in 2014 to ensure that we have SSL certificates across our own websites. If you decide to switch (you really should!), there are a few things that you need to take into account to ensure your website fully works as intended once you’re done.

  • You need to change all your internal links. This also means updating links to assets (where necessary). Make sure to go through your theme and alter references to CSS, images and JavaScript files. Additionally, you can change all your links to start with // instead of https://, which results in protocol-relative URLs. Note that protocol-relative URLs only help while you still serve pages over HTTP; once everything is on HTTPS, hard-coding https:// is simpler and avoids assets being loaded over plain HTTP by accident.
  • Ensure your CDN supports SSL as well. We make use of MaxCDN, which allows you to easily set up SSL on your CDN subdomain.
  • There are various levels of SSL that you can choose from, each with their own pros and cons. You will find more information about that later on.
  • Ensure you have a canonical link present in the <head> section of your website that points at the https:// version of each page. The canonical link tells search engines which URL is the preferred one; the actual redirect of traffic from http:// to https:// is done by the server, as described in the ‘Redirecting URLs’ section.

Google also published a handy guide on how to move to HTTPS without massively impacting your ranking, which can be found here.

How does this influence my rankings?

As stated in the previous section, moving from HTTP to HTTPS can influence your rankings slightly if you don’t plan accordingly. However, after you switch over to HTTPS, your rankings will actually improve over time. Google announced in 2014 that having an SSL certificate will be considered a positive ranking factor, so it’s worth the investment.

To make sure Googlebot can re-index your website more rapidly after the move, make sure you migrate to https:// during low-traffic hours. This way Googlebot can use more of your server’s resources. Just take into account that a medium-sized website might take a while to regain rankings. Have a sitemap? Then Googlebot might be able to recalculate and re-index your website even faster.

Setting up HTTPS & SSL on your server

Generally speaking, hosting providers have a service to allow you to enable HTTPS/order a certificate. There are a few types of certificates you can choose from, which differ in a few ways. Every variant also has its own price tag, so before purchasing one, make sure that you go with a certificate that fits your needs and budget!

If you’re a bit strapped for cash and tech-savvy, go take a look at Let’s Encrypt to acquire a free(!) certificate.

If you run and manage your own web server, there are a few things that you’ll have to enable in your server configuration before being able to use SSL certificates. This tutorial explains what steps to take to get a certificate running on your server.

OCSP stapling

Having to check the validity of an SSL certificate can result in a small hit in loading speed. To overcome this, you can make use of OCSP stapling. With OCSP stapling, the server itself periodically fetches the certificate authority’s (the vendor’s) signed OCSP response stating that the certificate has not been revoked, and includes (“staples”) that response in the TLS handshake. This means that once a browser connects to the server, it checks the validity of the certificate based on the copy supplied by the server instead of having to query the certificate authority’s OCSP responder itself, resulting in a significant performance improvement.

Apache

Before enabling OCSP stapling on your Apache server, please check that you’re running version 2.3.3+ of Apache by running the command apache2 -v (or httpd -v) on your server. Lower versions of Apache do not support this feature.

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with a VirtualHost configuration specifically made for usage with HTTPS/SSL.

In that file, take the following steps:

  1. Inside the <VirtualHost></VirtualHost> section, you should add SSLUseStapling on.
  2. Just above the <VirtualHost></VirtualHost> section (i.e. outside it), add SSLStaplingCache shmcb:/tmp/stapling_cache(128000). The shmcb cache type requires the socache_shmcb module; on Debian/Ubuntu enable it with a2enmod socache_shmcb.
  3. Check that the configuration is still valid by running apachectl -t. If so, reload Apache by running service apache2 reload.

Nginx

Nginx also supports OCSP stapling. Before editing the server configuration, please check that you’re running version 1.3.7+ of Nginx by running the command nginx -v on your server. Lower versions of Nginx do not support this feature.

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with an Nginx configuration specifically made for usage with HTTPS/SSL.

In that file, add the following lines in the server {} section:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

The last line references a file that contains the trusted CA certificates (the intermediate and root certificates of your certificate’s chain). Nginx uses it to verify the OCSP response it is about to staple (and, if you enable client authentication, client certificates as well). Because nginx has to fetch the OCSP response from the CA’s responder, the server {} section also needs a resolver directive so that the responder’s hostname can be looked up.

After adding these lines to the file, check that the configuration is still valid by running service nginx configtest (or nginx -t). If so, reload Nginx by running service nginx reload.

Strict Transport Security header

The Strict Transport Security header (HSTS) is another handy feature that tells browsers to use HTTPS for every later request to your site, even when a link or bookmark says http://. Browsers only honour the header when it is received over HTTPS, and once it is set with a long max-age they will refuse plain HTTP for your site for that period, so make sure HTTPS fully works before enabling it. Enabling this feature is relatively painless.

Apache

If you’re running Apache, first enable the Apache Headers module by running a2enmod headers. After this, it’s only a matter of adding the following line to your VirtualHost configuration (in the <VirtualHost></VirtualHost> section) that you set up earlier for HTTPS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Reload the Apache service and you’re good to go!

Nginx

Nginx requires you to add the following line in the server {} section that listens on port 443 (the header is ignored when sent over plain HTTP):

add_header Strict-Transport-Security "max-age=31536000";

Testing

To see if your SSL certificate is working properly, head over to SSL Labs, fill in your domain name and see what kind of score you get.

Redirecting URLs

To ensure requests are properly redirected to the HTTPS URL, you need to add an extra line to your configuration. This way, traffic that tries to visit your website over HTTP will automatically be redirected to HTTPS.

Apache

In your default VirtualHost configuration (so the one that’s used for HTTP requests), add the following to ensure URLs get properly redirected (this requires mod_rewrite, which you can enable with a2enmod rewrite):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

As with the other changes we made before, don’t forget to reload Apache!

Nginx

In Nginx, change the default configuration file that was used for HTTP requests and alter it as follows:

server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}

Don’t forget to reload Nginx before testing these changes.
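As an added example that is not code from the original post, the following Python script performs offline versions of the checks this guide calls for: that the HTTP vhost’s redirect lands on https:// with path and query intact, that the HTTPS response carries an HSTS header with a sane max-age, and that no assets or internal links still point at http://. The host names, headers and HTML are constructed samples; in practice you would feed it responses captured from your own site.

```python
# Added example, not code from the original post: offline checks for what this
# guide configures (HTTP->HTTPS redirect, HSTS header, leftover http:// links).
import re
from urllib.parse import urlsplit

def check_redirect(request_url, status, headers, canonical_host):
    """The HTTP vhost must answer 301 to https:// on the canonical host and keep
    path and query ($request_uri / %{REQUEST_URI}). Empty list means OK."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status != 301:
        problems.append(f"expected a 301 redirect, got {status}")
    src, dst = urlsplit(request_url), urlsplit(hdrs.get("location", ""))
    if dst.scheme != "https":
        problems.append(f"Location does not use https: {dst.geturl()!r}")
    if dst.hostname != canonical_host:
        problems.append(f"Location host {dst.hostname!r} is not {canonical_host!r}")
    if (dst.path, dst.query) != (src.path, src.query):
        problems.append("redirect drops the original path or query string")
    return problems

def parse_hsts(value):
    """RFC 6797 directive dict: ';'-separated, names case-insensitive, values may be quoted."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts(headers, min_age=31536000):
    """HSTS is only honoured on HTTPS responses; require max-age >= min_age and
    flag a missing includeSubDomains (set it only once every subdomain has TLS)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in hdrs:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(hdrs["strict-transport-security"])
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not numeric")
    elif int(d["max-age"]) < min_age:
        problems.append(f"max-age {d['max-age']} is shorter than {min_age} seconds")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems

HTTP_REF = re.compile(r'''(?:src|href)\s*=\s*["'](http://[^"']+)''', re.I)
def find_http_references(html):
    """Every src/href still hard-coded as http:// (src hits are mixed content)."""
    return HTTP_REF.findall(html)

# Constructed sample page with one stylesheet left on http://.
SAMPLE_HTML = """<link rel="canonical" href="https://your-site.com/">
<link rel="stylesheet" href="http://cdn.your-site.com/style.css">
<script src="//cdn.your-site.com/app.js"></script>"""
```

Run the three functions against the responses of a real page after the migration; an empty list from check_redirect and check_hsts and an empty list from find_http_references is what you want to see.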

Conclusion

“Should I switch over to HTTPS?” Short answer: Yes. Using HTTPS ensures that private (user) information is being sent across the web in a more secure manner. Especially if you’re dealing with monetary transactions, HTTPS is a must.

What type of certificate you end up going with, depends on your specific use case and budget. Make sure to properly research your options beforehand.

26 Responses to Moving your website to HTTPS / SSL: tips and tricks

  1. Hindi Shayari  • 7 years ago

    Thanks for sharing amazing info, because today I am transferring to https.

  2. Android  • 7 years ago

    Hmmm, looks very hard to implement the SSL certificate, but I think the hosting providers can do that for the site owners without any fee. Nice tips by the way.

  3. javidan  • 7 years ago

    Hi,
    after I installed SSL my sitemap has a problem: it doesn’t have URLs in it,
    just text.
    https://www.cesardl.info/sitemap_index.xml

  4. Vidyadhar  • 7 years ago

    Good information. I am using the Cloudflare free CDN and the really-simple-ssl WordPress plugin. All appears to be fine. But Yoast is not generating the sitemap with HTTPS. In my Google Webmaster the sitemap URLs start with http only.

  5. Wilfred  • 7 years ago

    I always thought that HTTPS was an issue for webshops. I didn’t realize that it’s a ranking signal for all kinds of websites. I will take a look this week at how to set it up.

  6. Carsten Meiselbach  • 7 years ago

    Thanks for this nice article (and lots of others from Yoast)!

    In the middle of last year I did a switch from HTTP to HTTPS for my blog “Happy Carb”. Overall it ran successfully; I didn’t notice any negative ranking drop.

    But two things were pretty annoying:
    Google Search Console needs to be set up again for the HTTPS version. Please note: I didn’t keep the HTTP version, every link was redirected to HTTPS. I was wondering why I couldn’t just tell the Google Search Console about my changed domain protocol.

    Facebook Likes for my pages were reset to zero since the changed protocol results in a different URL. In my opinion Facebook should change this behavior, because of the nulled likes lots of positive social signals get lost. I didn’t find a way to change this behavior and for sure I don’t want to allow Facebook to access the HTTP versions of my pages…

    Good thing to notice here: I used the following MySQL Database Search & Replace util for changing all internal links:

    https://interconnectit.com/products/search-and-replace-for-wordpress-databases/

    Also my advice: run a 404 and 301 checker tool on all pages after you’ve done the switch.

    Kind regards,
    Carsten

    • Jimmy Comack

      Hi Carsten,

      Thanks for your reply! Glad you liked the article!

      In regards to the Facebook likes not properly being fixed, there is a solution, but it requires altering code: https://developers.facebook.com/docs/plugins/faqs#faq_1149655968420144

      Hope this helps.

      • Carsten Meiselbach  • 7 years ago

        Hello Jimmy,

        thanks for your note about the Facebook Likes recovery solution.
        Within my HTTP => HTTPS change last year, I checked these notes from Facebook. Since I’m using 301 redirects to HTTPS versions and Yoast SEO for WordPress for generating the Open Graph metas, it still wasn’t easy to create an update the way Facebook wanted.

        The og:url should keep the old URL (just the HTTP version in my case) and, the important thing, the corresponding page must be accessible by the Facebook crawler for the HTTP version without the redirect to HTTPS.

        So two things to solve. Yoast SEO for WordPress unfortunately doesn’t provide a mechanism to overwrite the og:url meta generation (right?). Setting up the Facebook crawler identification could be done within the .htaccess file.

        What I’m wondering about: why doesn’t Facebook just define an alternative og:url (“og:url:alternative”) that keeps the old URL? That would be the easiest way, crawler access could grab this information from the given page and not cryptic handled ones. But ok, this is just a wish, maybe somebody from the Facebook Development Department is reading these posts ;)

        Overall, in my opinion, HTTP to HTTPS shouldn’t result in this kind of problems since you’re going to enhance the quality of your website. This should be more respected by Facebook and also Google itself, since also the Search Console reacts very strangely to this kind of updates.

        Kind regards,

        Carsten

        • Carsten Meiselbach  • 7 years ago

          Update to my last reply: I’ve done a test concerning the regain of “old” Facebook Likes for my blog again – see my result. What I’ve done in detail – running on WordPress, Apache 2.4:

          .htaccess:

          RewriteEngine On
          RewriteCond %{HTTPS} !on
          RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
          RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

          functions.php

          add_filter( 'wpseo_opengraph_url', 'my_opengraph_url' );
          function my_opengraph_url( $url ) {
              return str_replace( 'https://', 'http://', $url );
          }

          => generates og:url to HTTP version of page
          => Using Facebook Debugger for fetching Open Graph meta again. https://developers.facebook.com/tools/debug/
          => works to recover Likes from the >oldand< HTTPS versions. Still a problem :/

  7. Prosperity Kenneth  • 7 years ago

    Hey, My website has DA 25 on http, DA 14 on https. I redirected traffic to https but I want https to have equal DA with http. Please help

    • Jimmy Comack

      Hi Prosperity,

      I’m not entirely sure what you mean; What are you referring to when you speak of DA?

      Cheers,

      Jimmy

  8. Colin  • 7 years ago

    I am a hosting reseller and I switched to HTTPS with Let’s Encrypt and enabled HSTS for extra web security and now my customers can’t access their cPanel or WebMail from my hosting website without getting errors from the main browsers.

    They can get to their cPanel by https://cp.myhostingwebsite.com or https://cp.theirdomainname.com.

    These subdomains aren’t covered with a Domain Validated (DV) SSL cert but my Hosting provider has used theirs and my domain name isn’t included in their cert so not trusted.

    In my circumstances a DV SSL cert shouldn’t be used with HSTS enabled as it is going to cause problems or is there a work around?

    A wildcard cert will do the job but they aren’t out until Jan 2018 but how long will it take my hosting provider take to implement it? Who knows….

    • Jimmy Comack

      Hi Colin,

      As far as I’m aware, there’s no workaround for the problem you’re describing in regards to the DV SSL cert because they don’t support multiple domains.

      Your best bet would be to disable HSTS for the time being.

      Cheers,

      Jimmy

  9. Steve Conway  • 7 years ago

    We were thinking about the plan of action to follow while moving our blog to https, our digital team powered with yoast did the job perfectly. And your article is a really good guide on how we can do it.

  10. Aasha  • 7 years ago

    Really nice and definitely it will be useful for many people. Kindly keep update like this.

  11. Manivasagam  • 7 years ago

    Thanks Jimmy for the awesome guide. What about the Backlinks we’ve created for the http:// version ? will that pass the link juice to the https version automatically ?

    • Jimmy Comack

      Hi Manivasagam,

      Ensuring you have proper 301 redirects is quite essential in this case. Sadly, this won’t be automatically ‘fixed’.

      Hope this answers your question.

      Cheers,

      Jimmy

  12. Murat  • 7 years ago

    Hello Jimmy,
    Great advice! I never heard about OCSP stapling. I should try to speed up my website a little. Like Mike Clegg, I’m using a WordPress plugin and for the moment it’s painless!
    Regards,

  13. Mike Clegg - Travel and Destinations  • 7 years ago

    Thanks team for this post and update. I have just moved my site over to HTTPS! I also used a WordPress plugin called “Really Simple SSL” (recommended by my host provider) and it was super easy.

    Just a note that when I checked my sitemap (generated by your plugin) it was still HTTP, so I disabled it and then re-enabled it and then it became HTTPS.

    Kind regards,
    Mike

  14. Nathan Smith  • 7 years ago

    Do you guys offer service to help with the migration or take a look at our set up to ensure all our settings are correct?

    I migrated to https several months ago. I feel like my site is missing a few things.

    • Jimmy Comack

      Hi Nathan,

      I just quickly ran a check and everything seems fine.
      What is it exactly that you feel is missing?

      Cheers,

      Jimmy

    • Colin Crawford  • 7 years ago

      Hi
      There are several websites that you can check your SSL cert and other web security.

      https://www.ssllabs.com/ssltest/index.html
      https://www.htbridge.com/ssl/

  15. Ron Tumbokon  • 7 years ago

    One of the negative consequences of moving to https is losing the Facebook likes count and comments. Is there a plugin to easily recover these, without going into the WordPress code?

    • Jimmy Comack

      Hi Ron,

      I’m not aware of any plugins that can help with this. However, it is possible to redirect Facebook to the proper URL. Facebook has a section about that here: https://developers.facebook.com/docs/plugins/faqs#faq_1149655968420144

      This means you’ll have to touch (some of) the code to get this to work.

      I hope that this helps answer your question.

  16. Purple Leaf Marketing  • 7 years ago

    Excellent guide. Thanks for sharing all the related information and every detail. This is so helpful.