Need a comprehensive checklist to follow when migrating a WordPress site to use HTTPS? The below is the list our WordPress agency uses to make sure our SSL / TLS migrations go smoothly and nothing gets missed.
If you want the nitty-gritty we also have a full guide to Properly Migrate a WordPress Website to HTTPS (SSL / TLS).
- [PRE] Take site speed test at https://tools.pingdom.com
- [PRE] Create WPENGINE install restore point
- [PRE] Acquire Let’s Encrypt or RapidSSL certificate
- [LAUNCH] [WPENGINE] Change the SSL settings to https://fewerthanthree.com/wp-content/uploads/2016/09/ssl-wpengine-settings-wordpress.jpg
- [LAUNCH] [SFTP] Change (hardcoded) site and home addresses in wp-config.php
- [LAUNCH] [SFTP] Find / replace any http references in .htaccess or redirect files
- [LAUNCH] [SFTP] Find / replace any http references in theme files, particularly style.css, functions.php – Change protocol agnostic to forced https
- [LAUNCH] [SFTP] Find / replace any http references in database (use Search Replace by Interconnect/IT)
- [SEARCH CONSOLE] Add new https property in Google Search Console
- [SEARCH CONSOLE] Resubmit the site’s XML Sitemap
- [SEARCH CONSOLE] Replicate any geolocation or disavowing done in previous Search Console
- [GOOGLE ANALYTICS] Connect new Search Console account
- [GOOGLE ANALYTICS] Change (2) URLs in admin and any filters to https
- [GOOGLE ANALYTICS] add annotation noting the https migration
- [CHECK] Is there a CDN that needs reconfigured?
- [CHECK] Ensure that any tracking scripts, ads in widgets, or other assets are being served via https
- [CHECK] Click around site to make sure everything seems correct
- [CHECK] Single hop 301 working from old versions? http://www.redirect-checker.org/
- [CHECK] Scan for errors with https://www.jitbit.com/sslcheck/ and get cert grade at https://www.ssllabs.com/ssltest/
- [POST-LAUNCH] Change URL in ManageWP
- [POST-LAUNCH] [CLOUDFLARE] change SSL / TLS settings in CloudFlare
- [POST-LAUNCH] [SOCIAL] if using MashShare or similar make sure the http/s sharecounts are being tracked
- [POST-LAUNCH] Flush any caches (WPENGINE, Autoptimze, WP Rocket, CloudFlare, CDN, etc)
- [POST-LAUNCH] Do another speed test at https://tools.pingdom.com/
- [POST-LAUNCH] update the uptime monitoring tools with new URL
- [POST-LAUNCH] Schedule week out check on Search Console
- Send client the post-move email as found in LimeCuda Process
Need convincing for why securing traffic with https is important? We’ve addressed that as well in: Why Your Website Needs to be Secured with HTTPS (in Layman’s Terms)
Did we miss something? Know a better method? Please comment and share!