Moving your website to HTTPS / SSL: tips and tricks
In 2014, we decided to switch over to the (now) commonly-used HTTPS protocol to encrypt sensitive data that’s being sent across our website. This post describes some useful tips based on our own experiences that might come in handy if you’re considering switching.
Addendum March 2021
Moving your WordPress site to support HTTPS connections with SSL certificates became a lot easier as of WordPress 5.7. In that release, the WordPress team added a new feature to Site Health that checks if a site runs on a hosting package that supports HTTPS. If it does, the feature offers a one-click option to move your site to HTTPS. It even updates the links in the database for you and prevents mixed content warnings from happening. So, activate that SSL certificate for your site and get to it!
A little backstory
Back in 2014, HTTPS became a hot topic after the Heartbleed bug became public. This bug allowed people with ill intent to listen in on traffic being transferred over SSL/TLS. It also gave them the ability to hijack and/or read the data. Luckily, this bug got patched quickly after its discovery. This incident was a wake-up call that properly encrypting user information over the internet is a necessity and shouldn’t be an optional thing.
To emphasize the importance of encrypting sensitive data, Google Chrome (since January 2017) displays a clear warning next to the address bar whenever you visit a website that doesn’t encrypt potentially sensitive data, such as forms.
How do I switch?
Because it’s important that your data is safe, we took steps in 2014 to ensure that we have SSL-certificates across our own websites. If you decide to switch (you really should!), there are a few things that you need to take into account to ensure your website fully works as intended once you’re done.
- You need to change all your internal links. This also means updating links to assets (where necessary). Make sure to go through your theme and alter references to CSS, images and JavaScript files. Additionally, you can change all your links to start with // instead of https://, which will result in protocol-relative URLs.
- Ensure your CDN supports SSL as well. We make use of MaxCDN, which allows you to easily set up SSL on your CDN subdomain.
- There are various levels of SSL that you can choose from, each with their own pros and cons. You will find more information about that later on.
- Ensure you have a canonical link present in the <head> section of your website to properly redirect all traffic coming in from http:// to https://.
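To find the theme references that still need changing, the following added example (not part of the original post) scans template, CSS and JavaScript files for sub-resources and form targets that are hard-coded to http://. The tag list, file suffixes and sample markup are assumptions chosen for illustration; tags split across several lines are not detected.

```python
import re
from pathlib import Path

# Constructs that make the browser load a sub-resource or submit data.
# Plain <a href="http://..."> navigation links are not mixed content and are skipped.
PATTERNS = {
    "src": re.compile(
        r"""<(?:script|img|iframe|source|audio|video|embed)\b[^>]*?\bsrc\s*=\s*["'](http://[^"']+)""", re.I),
    "link-href": re.compile(r"""<link\b[^>]*?\bhref\s*=\s*["'](http://[^"']+)""", re.I),
    "form-action": re.compile(r"""<form\b[^>]*?\baction\s*=\s*["'](http://[^"']+)""", re.I),
    "css-url": re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.I),
}

def find_insecure_references(text):
    """Return (line_number, kind, url) for every http:// reference found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((line_no, kind, match.group(1)))
    return hits

def scan_theme(root, suffixes=(".php", ".html", ".css", ".js")):
    """Scan matching files under root; returns {path: hits} for files with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_insecure_references(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample template, not taken from any real theme.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/style.css">
<script src="https://cdn.example.com/app.js"></script>
<img class="logo" src="http://example.com/logo.png" alt="">
<a href="http://example.com/about">About</a>
<form method="post" action="http://example.com/login">
<div style="background: url('http://example.com/bg.jpg')"></div>
<script src="//cdn.example.com/relative.js"></script>"""

if __name__ == "__main__":
    for line_no, kind, url in find_insecure_references(SAMPLE):
        print(f"line {line_no}: {kind}: {url}")
```

Run scan_theme() against the theme directory before and after the migration; an empty result means no hard-coded http:// assets remain in the scanned files.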
Google also published a handy guide on how to move to HTTPS without massively impacting your ranking, which can be found here.
How does this influence my rankings?
As stated in the previous section, moving from HTTP to HTTPS can influence your rankings slightly if you don’t plan accordingly. However, after you switch over to HTTPS, your rankings will actually improve over time. Google announced in 2014 that having an SSL certificate will be considered a positive ranking factor, so it’s worth the investment.
To make sure Googlebot can re-index your website more rapidly after the move, make sure you migrate to https:// during low-traffic hours. This way Googlebot can use more of your server’s resources. Just take into account that a medium-sized website might take a while to regain rankings. Have a sitemap? Then Googlebot might be able to recalculate and re-index your website even faster.
Setting up HTTPS & SSL on your server
Generally speaking, hosting providers have a service to allow you to enable HTTPS/order a certificate. There are a few types of certificates you can choose from, which differ in a few ways. Every variant also has their own price tag, so before purchasing one, make sure that you go with a certificate that fits your needs and budget!
If you’re a bit strapped for cash and tech-savvy, go take a look at Let’s Encrypt to acquire a free(!) certificate.
If you run and manage your own web server, there are a few things that you’ll have to enable in your server configuration before being able to use SSL certificates. This tutorial explains what steps to take to get a certificate running on your server.
OCSP stapling
Having to check the validity of an SSL certificate can result in a small hit in loading speed. To overcome this, you can make use of OCSP stapling. OCSP stapling is a feature that enables the server to download a copy of the certificate vendor’s response when checking the SSL certificate. This means that once a browser connects to the server, it checks the validity of the certificate based on the copy on the server instead of having to query the certificate vendor itself, resulting in a significant performance improvement.
Apache
Before enabling OCSP stapling on your Apache server, please check that you’re running version 2.3.3+ of Apache by running the command apache2 -v (or httpd -v) on your server. Lower versions of Apache do not support this feature.
If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with a VirtualHost configuration specifically made for usage with HTTPS/SSL.
In that file, take the following steps:
- Inside the <VirtualHost></VirtualHost> section, add the line:
  SSLUseStapling on
- Just above the <VirtualHost></VirtualHost> section, add the line:
  SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
- Check that the configuration is still valid by running apachectl -t. If so, reload Apache by running service apache2 reload.
Nginx
Nginx also supports OCSP stapling. Before editing the server configuration, please check that you’re running version 1.3.7+ of Nginx by running the command nginx -v on your server. Lower versions of Nginx do not support this feature.
If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with an Nginx configuration specifically made for usage with HTTPS/SSL.
In that file, add the following lines in the server {} section:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
The last line references a file that contains a list of trusted CA certificates. This file is used to verify client certificates when using OCSP.
After adding these lines to the file, check that the configuration is still valid by running service nginx configtest. If so, reload Nginx by running service nginx reload.
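A passing configuration test does not prove that the server actually staples a response. As an added example (not part of the original post), the code below classifies the output of openssl s_client run with the -status option; the two sample outputs are constructed and abbreviated, and the function names are hypothetical.

```python
import re
import subprocess
from datetime import datetime, timezone

def fetch_status_output(host, port=443):
    """Run openssl s_client with -status (needs network access and the openssl CLI)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    return subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20).stdout

def check_stapling(output, now=None):
    """Classify s_client -status output; returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    if "OCSP response: no response sent" in output:
        return False, "server did not staple an OCSP response"
    status = re.search(r"OCSP Response Status:\s*(\w+)", output)
    if not status:
        return False, "no OCSP section found in output"
    if status.group(1) != "successful":
        return False, f"responder status is {status.group(1)}"
    cert = re.search(r"Cert Status:\s*(\w+)", output)
    if not cert or cert.group(1) != "good":
        return False, f"certificate status is {cert.group(1) if cert else 'absent'}"
    nxt = re.search(r"Next Update:\s*(.+?)\s+GMT", output)
    if nxt:
        expires = datetime.strptime(nxt.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        if expires <= now:
            return False, "stapled response is past its Next Update time"
    return True, "valid stapled response"

# Constructed, abbreviated samples of the two outcomes (not captured from a real server).
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n---\n"
STAPLED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 20 10:00:00 2024 GMT
    Next Update: Nov 27 10:00:00 2024 GMT
"""

if __name__ == "__main__":
    fixed_now = datetime(2024, 11, 22, tzinfo=timezone.utc)
    print(check_stapling(NOT_STAPLED, fixed_now))
    print(check_stapling(STAPLED, fixed_now))
```

A freshly reloaded server may answer "no response sent" on the first connection, before it has fetched a response from the certificate vendor, so repeat the check before concluding that stapling is broken.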
Strict Transport Security header
The Strict Transport Security header (HSTS) is another handy feature that forces browsers to use HTTPS requests instead of the HTTP equivalent. Enabling this feature is relatively painless.
Apache
If you’re running Apache, first enable the Apache Headers module by running a2enmod headers. After this, it’s only a matter of adding the following line to your VirtualHost configuration (in the <VirtualHost></VirtualHost> section) that you set up earlier for HTTPS:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Reload the Apache service and you’re good to go!
Nginx
Nginx requires you to add the following line in the server {} section of your server configuration file:
add_header Strict-Transport-Security max-age=31536000;
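The Apache line above sets includeSubDomains and the Nginx line does not, which changes which hosts browsers will force onto HTTPS. The following added example (not part of the original post) parses a header value according to the rules of RFC 6797 and reports findings; the function names, the finding texts and the host cp.example.com are assumptions made for illustration.

```python
ONE_YEAR = 31536000  # the max-age value used in both configuration lines of this post

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797, section 6.1.
    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is malformed and a browser would ignore it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives (trailing ';') are legal
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # max-age="31536000" is a legal quoted form
        if name in directives:
            return None                   # each directive may appear only once
        directives[name] = val
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                       # max-age is mandatory and must be an integer
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def audit_hsts(scheme, header, subdomains_without_valid_cert=()):
    """Return findings for one response; header is the raw value, or None if absent."""
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, so it has no effect there.
        return ["ignored: HSTS sent over HTTP has no effect"] if header else []
    if header is None:
        return ["missing: HTTPS response carries no Strict-Transport-Security header"]
    policy = parse_hsts(header)
    if policy is None:
        return ["invalid: browsers will discard this header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("short: max-age is below one year")
    if policy["include_subdomains"]:
        for host in subdomains_without_valid_cert:
            findings.append(f"lockout: {host} is forced to HTTPS without a trusted certificate")
    return findings

# The two header values configured in this post.
APACHE_VALUE = "max-age=31536000; includeSubDomains"
NGINX_VALUE = "max-age=31536000"

if __name__ == "__main__":
    # cp.example.com is a constructed host whose certificate browsers do not trust.
    for label, value in (("apache", APACHE_VALUE), ("nginx", NGINX_VALUE)):
        print(label, parse_hsts(value), audit_hsts("https", value, ["cp.example.com"]))
```

Before enabling includeSubDomains, list every subdomain that browsers reach (control panels, webmail, CDN hosts) and confirm each one serves a trusted certificate.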
Testing
To see if your SSL certificate is working properly, head over to SSL Labs, fill in your domain name and see what kind of score you get.
Redirecting URLs
To ensure requests are properly redirected to the HTTPS URL, you need to add an extra line to your configuration. This way, traffic that tries to visit your website over HTTP will automatically be redirected to HTTPS.
Apache
In your default VirtualHost configuration (so the one that’s used for HTTP requests), add the following to ensure URLs get properly redirected:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
As with the other changes we made before, don’t forget to reload Apache!
Nginx
In Nginx, change the default configuration file that was used for HTTP requests and alter it as such:
server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}
Don’t forget to reload Nginx before testing these changes.
Conclusion
“Should I switch over to HTTPS?” Short answer: Yes. Using HTTPS ensures that private (user) information is being sent across the web in a more secure manner. Especially if you’re dealing with monetary transactions, HTTPS is a must.
What type of certificate you end up going with, depends on your specific use case and budget. Make sure to properly research your options beforehand.
Thanks for sharing amazing info because today am I transfer on https
Hmmm looks very hard to implement the ssl certificate but I think the hosting providers can do that for the site owners without any fee. Nice tips by the way.
Hi,
after I installed SSL my sitemap has a problem: it doesn’t have URLs in it,
just text
https://www.cesardl.info/sitemap_index.xml
Good information. I am using Cloudflare free CDN and the really-simple-ssl WordPress plugin. All appears to be fine. But Yoast is not generating the sitemap with HTTPS. In my Google webmaster sitemap, URLs start with http only.
Hi Vidyadhar,
Mike Clegg pointed out here https://yoast.com/moving-your-website-to-https-ssl-tips-tricks/#comment-529224 that he needed to deactivate and reactivate the plugin to get the sitemaps to properly regenerate.
Hope this helps!
I always thought that HTTPS was an issue of webshops. I didn’t realize that it’s a ranking signal for all kinds of websites. I will take a look this week how to set it up.
Thanks for this nice article (and lots of others from Yoast)!
Mid of last year I’ve done a switch from HTTP to HTTPS for my Blog “Happy Carb”. Overall it was running successfully, I didn’t notice any negative Ranking Drop.
But two things were pretty annoying:
Google Search Console needs to be set up again for the HTTPS version. Please note: I didn’t keep the HTTP version, every link was redirected to HTTPS. I was wondering why I couldn’t just tell the Google Search Console my changed Domain Protocol correctly.
Facebook Likes for my pages were reset to zero since the changed Protocol results in a different URL. In my opinion Facebook should change this behavior, because of the nulled likes lots of positive Social Signals get lost. I didn’t find a way to change this behavior and for sure I don’t want to allow Facebook to access the HTTP versions of my pages…
Good thing to notice here: I used the following MySQL Database Search & Replace util for changing all internal links:
https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
Also my advice: run a 404 and 301 checker tool on all pages after you’ve done the switch.
Kind regards,
Carsten
Hi Carsten,
Thanks for your reply! Glad you liked the article!
In regards to the Facebook likes not properly being fixed, there is a solution, but it requires altering code: https://developers.facebook.com/docs/plugins/faqs#faq_1149655968420144
Hope this helps.
Hello Jimmy,
thanks for your note about the Facebook Likes recovery solution.
Within my HTTP => HTTPS change last year, I checked these notes from Facebook. Since I’m using 301 redirects to HTTPS versions and Yoast SEO for WordPress for generating the Open Graph metas, it still wasn’t easy to create an update the way Facebook wanted.
The og:url should keep the old URL (just the HTTP version in my case) and, the important thing, the corresponding page must be accessible by the Facebook crawler for the HTTP version without the redirect to HTTPS.
So two things to solve. Yoast SEO for WordPress unfortunately doesn’t provide a mechanism to overwrite the og:url meta generation (right?). Setting up the Facebook crawler identification could be done within the .htaccess file.
What I’m wondering about: why doesn’t Facebook just define an alternative og:url (“og:url:alternative”) that keeps the old URL? That would be the easiest way, Crawler access could grab this information from the given page and not cryptic handled ones. But ok, this is just a wish, maybe somebody from the Facebook Development Department is reading these posts ;)
Overall, in my opinion, HTTP to HTTPS shouldn’t result in this kind of problems since you’re going to enhance the quality of your Website. This should be more respected by Facebook and also Google itself, since also the Search Console reacts very strangely to this kind of updates.
Kind regards,
Carsten
Update to my last reply: I’ve done a testing concerning the regain of “old” Facebook Likes for my Blog again – see my result. What I’ve done in detail – running on WordPress, Apache 2.4:
.htaccess:
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
functions.php
// Rewrite the Open Graph URL generated by Yoast SEO to the HTTP version of the page.
add_filter( 'wpseo_opengraph_url', 'my_opengraph_url' );
function my_opengraph_url( $url ) {
    return str_replace( 'https://', 'http://', $url );
}
=> generates og:url to HTTP version of page
=> Using Facebook Debugger for fetching Open Graph meta again. https://developers.facebook.com/tools/debug/
=> works to recover Likes from the >oldand< HTTPS versions. Still a problem :/
Hey, My website has DA 25 on http, DA 14 on https. I redirected traffic to https but I want https to have equal DA with http. Please help
Hi Prosperity,
I’m not entirely sure what you mean; What are you referring to when you speak of DA?
Cheers,
Jimmy
I am a hosting reseller and I switched to HTTPS with Let’s Encrypt and enabled HSTS for extra web security and now my customers can’t access their cPanel or WebMail from my hosting website without getting errors from the main browsers.
They can get to their cPanel by https://cp.myhostingwebsite.com or https://cp.theirdomainname.com.
These subdomains aren’t covered with a Domain Validated (DV) SSL cert but my Hosting provider has used theirs and my domain name isn’t included in their cert so not trusted.
In my circumstances a DV SSL cert shouldn’t be used with HSTS enabled as it is going to cause problems or is there a work around?
A wildcard cert will do the job but they aren’t out until Jan 2018 but how long will it take my hosting provider take to implement it? Who knows….
Hi Colin,
As far as I’m aware, there’s no workaround for the problem you’re describing in regards to the DV SSL cert because they don’t support multiple domains.
Your best bet would be to disable HSTS for the time being.
Cheers,
Jimmy
We were thinking about the plan of action to follow while moving our blog to https, our digital team powered with yoast did the job perfectly. And your article is a really good guide on how we can do it.
Really nice and definitely it will be useful for many people. Kindly keep update like this.
Thanks Jimmy for the awesome guide. What about the Backlinks we’ve created for the http:// version ? will that pass the link juice to the https version automatically ?
Hi Manivasagam,
Ensuring you have proper 301 redirects is quite essential in this case. Sadly, this won’t be automatically ‘fixed’.
Hope this answers your question.
Cheers,
Jimmy
Hello Jimmy,
Great advice! I never heard about OCSP stapling. I should try to speed up my website a little. Like Mike Clegg, I’m using a WordPress Plugin and for the moment it’s painless!
Regards,
Thanks team for this post and update. I have just moved my site over to HTTPS! I also used a WordPress plugin called “Really Simple SSL” (recommended by my host provider) and it was super easy.
Just a note that when I checked my sitemap (generated by your plugin) it was still HTTP, so I disabled it and then re-enabled it and then it became HTTPS.
Kind regards,
Mike
Do you guys offer service to help with the migration or take a look at our set up to ensure all our settings are correct?
I migrated to https several months ago. I feel like my site is missing a few things.
Hi Nathan,
I just quickly ran a check and everything seems fine.
What is it exactly that you feel is missing?
Cheers,
Jimmy
Hi
There are several websites that you can check your SSL cert and other web security.
https://www.ssllabs.com/ssltest/index.html
https://www.htbridge.com/ssl/
One of the negative consequence of moving to https is losing Facebook likes count and comments. Is there a plugin to easily recover these, without going to the WordPress code?
Hi Ron,
I’m not aware of any plugins that can help with this. However, it is possible to redirect Facebook to the proper URL. Facebook has a section about that here: https://developers.facebook.com/docs/plugins/faqs#faq_1149655968420144
This means you’ll have to touch (some of) the code to get this to work.
I hope that this helps answer your question.
Excellent guide. Thanks for sharing all the related information and each details. This is so helpful.