How to Add SSL & Move WordPress from HTTP to HTTPS – Security Boulevard

The Home of the Security Bloggers Network
Home » Security Bloggers Network » How to Add SSL & Move WordPress from HTTP to HTTPS
Making sure your website uses HTTPS should be a top priority for any webmaster 
In fact, recent statistics show that over 42% of site administrators across the web use WordPress, and many of these sites still don’t have an SSL certificate installed.
The Importance of SSL
For the past several years, SSL has become increasingly important. Not only is SSL crucial for securely transmitting information to and from a website, but also in terms of search engine visibility. Having SSL installed can lower the chances of being penalized by website authorities, and should always be a part of a website’s security posture.
Protecting Data In Transit
SSL certificates essentially protect the integrity of the data in transit between the host (web server and/or firewall) and the client (web browser). They work as a barrier to prevent data visibility or modification. An SSL certificate doesn’t protect websites from being hacked however.
SSL works only to protect the data in transit. 
If you’d like to understand more about how SSLs work, feel free to check out our short webinar: Is SSL Enough to Secure Your Website?

How HTTP Sites Are Penalized
Website authorities such as Google have been known to penalize non-HTTPS sites for some time now. Back in 2017, Google changed its approach to handling HTTP websites. Having an SSL certificate has been an important factor for SEO and security, but now it shows that the site takes security more seriously than a non-HTTPS site generally would.
In version 68 of Google’s Chrome Browser, released in July 2018, it shows a “Not Secure” warning for websites that don’t have an SSL certificate.

Better SEO Rankings
HTTPS websites generally tend to rank better on search engines such as Google. Since 2014, SSL has been a ranking signal for SEO and has been one of the site’s characteristics that determine its position amongst search engines. 
According to Yoast,
“It’s inevitable that we are moving to an all-HTTPS web.”
How to Add SSL to a WordPress Site
In order to install an SSL certificate on a WordPress site, you’ll first need to either purchase one through a Certificate Authority, such as GoDaddy, or use a free certificate from Let’s Encrypt.
Some hosting companies provide SSL certificates to their customers as well. We advise contacting your hosting provider before proceeding, since they may be able to provide support with the installation & management of your certificate.
If you choose to go with a free Let’s Encrypt SSL certificate however, we’ve written an extensive guide on how to add one to your website here.
If you’re using the Sucuri Website Firewall (WAF) and you don’t currently have an SSL certificate on the origin server for your site, an SSL will still be enabled on the firewall server by default. This ensures the data between visitors and pages they view are still encrypted, via the firewall server.
How to Install SSL/HTTPS in WordPress
Before Installing SSL/HTTPS in your WordPress site, you’ll need to have a valid SSL certificate uploaded to your server or CDN. You can reach out to your hosting or CDN to ask for assistance with this step.
Below are the steps for installing SSL/HTTPS to a WordPress website. You can either do it manually, or use a plugin to help. If you choose to add an SSL to WordPress manually, you’ll need to modify some files and troubleshoot certain issues.
Before starting this process, it’s highly advised you save a backup of your website in a secure location. Make sure to have a complete copy of your website files and database. This way, the website can be restored if any of the following steps break the website.
One of the most used plugins to move from HTTP to HTTPS is the Really Simple SSL Plugin. This plugin automatically detects new website settings, and configures it to run over HTTPS. You can download this plugin from the WordPress official repository.

Really Simple SSL Plugin
You can also install this plugin directly from the WordPress admin dashboard. You’ll just want to go to Plugins > “Add New.”

Activate Really Simple SSL Plugin in WordPress
The plugin should automatically detect the SSL certificate installed, and then set WordPress to use HTTPS with it. You’ll first need to open the plugin inside your admin dashboard, then navigate to Settings > SSL.
Once you select the option “Go ahead, activate SSL!” your WordPress site should now be running on HTTPS.

Activate SSL Button
After clicking on the “Go ahead, activate SSL!” button, you may need to login to WordPress again.
If you’re seeing mixed content warnings, read this “really simple ssl” article for further instructions.
PS: If you’ve decided to use the plugin you can skip step 8.
In your WordPress dashboard click on Settings > General.

Update URL Address
Now, replace your website address from http:// to https:// and click on Save Changes.
After making these changes, logout and back into WordPress again.
Next you’ll want to force HTTPS by editing your .htaccess file by adding this code to your file:
To force HTTPS within your WP admin dashboard you’ll want to edit the wp-config.php file with the following line:
In order to avoid mixed content errors, you can simply edit all URLs in your database that still show under HTTP.  
You can also use a plugin that searches and replaces URLs for you, such as Better Search Replace. You’ll want to open the plugin and search for, and then replace it with instead. Now click on Run Search/Replace.

Better Search Replace
Add and verify the new HTTPS site in Google Search Console now.

Add a Property in Google Search Console
After this, Google will re-crawl the site once a new XML sitemap including the HTTPS URLs is submitted. 
For many SEO elements such as “rel=canonical” and Open Graph tags, it’s advisable to use an absolute URL. Absolute URLs are read externally by social media sites and search engine crawlers. 
It’s important to note there’s a period of normalization after applying an SSL, but ultimately, it’s a confirmed ranking signal according to Google. 
Similarly, social sharing counters for older content will likely become invalid. This is because there’s now a new URL starting with HTTPS instead of HTTP, and many tools count each as a separate URL with its own engagement metrics.
In Conclusion
SSL protects the information in transit, allowing a site to be accessed over HTTPS. The data sent is encrypted between visitors and the web servers. However, having a HTTPS website doesn’t mean the website is protected against website attacks and infections. It’s essentially only a piece of the website security puzzle.
If you’d like to take a better look at the state of your website security, you can install our free Sucuri security plugin.

Sucuri Security – Auditing, Malware Scanner, and Security Hardening
In case you’d like peace of mind, we recommend checking out how our website security platform detects, protects, and cleans site malware. You can also activate SSL/HTTPS via our cloud-based WAF that’s included in our platform.
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Ashley Sand. Read the original post at:
document.getElementById( “ak_js” ).setAttribute( “value”, ( new Date() ).getTime() );
More Webinars
Security Boulevard Logo White


Leave a Reply

Your email address will not be published. Required fields are marked *