Learn the right way and steps to migrate your WPENGINE WordPress website to use HTTPS
Your website really needs to be secured with HTTPS! Making your site HTTPS is easy but there are some key steps to make sure this migration is done right! This guide assumes you’re on WPENGINE but the principles apply to other hosts.
BONUS: We’ve shared our internal checklist for the below process: Ultimate Checklist for Migrating a WordPress Website to HTTPS / SSL
I’m sure you always take a backup / restore point of your site before making any changes like this…
Approx. Time to Complete: 25-35min Tutorial Version 1.2
1. Enable / Install SSL on Your Website
We’ve written on enabling Let’s Encrypt SSL on Your WPENGINE Website but there are multiple options for purchasing an SSL.
2. Configure the WPENGINE SSL Settings
Make these 4 adjustments to the SSL settings after the certificate has been enabled. You have to click two different save buttons here!
You absolutely want to enforce SSL on the login and admin pages. It makes sense to go ahead and force the entire site to be always-HTTPS – you don’t want multiple versions of pages out there as it is bad for SEO.
3. Find / Replace URLs in Database
We like to use the Interconnect/IT Database Search and Replace Tool to find and replace the HTTP URLs with HTTPS. This will take care of things like internal links, image references, and canonical tags.
Replace: http://limecuda.com
With: https://limecuda.com
We like to hardcode the Home and Site URLs ) show up in WordPress Settings>>General. So we would end up with this in wp-config.php
define('WP_HOME', 'https://limecuda.com');
define('WP_SITEURL', 'https://limecuda.com');
Note: there is bad advice out there that you should use protocol agnostic URL references for loading scripts. e.g. <script src="//limecuda.com/script.js"></script>
If there is HTTPS available (and there should be) then it is best practice to explicitly require that version! So use the explicit URL <script src="https://limecuda.com/script.js"></script>
4. Changes in Analytics and Search Console
Google Analytics
- Change the Settings URLs and any filter URLs to HTTPS
- Add an annotation in the analytics noting that you’ve migrated the site to HTTPS. Might need to change the report date range to include today.
Google Search Console
- Create a new Search Console account for the HTTPS version
- Link the Google Analytics account to this new HTTPS Search Console (found in Google Analytics Admin under Property Settings >> “Adjust Search Console”
- Replicate any geolocation or disavowing in previous Search Console account
- Submit the XML sitemap on the new account (if using Yoast SEO plugin then the url is /sitemap_index.xml)
Other Changes
- If you are using CloudFlare (we highly recommend) you can now enable “Full SSL (Strict)”
- Change any URLs in .htaccess or other redirect control areas
- Change any CDN settings
- Change any header scripts (like for ads or tracking)
- Change any absolute URLs in the theme files (particularly functions.php or style.css, robots.txt)
- Social Sharing counts may be affected. Some plugins will compile counts from both versions (Mashshare)
5. Change References to Your Site
If possible, it is helpful to change the URLs that send people to your site. Here are some possible places you can change the URL from HTTP to HTTPS
- Email signatures
- Social Media URLs like: facebook, LinkedIn, Twitter,
- Local listing sites (Google Local, Yelp)
- Wikipedia, Crunchbase
- Email blast tools you might use (MailChimp, ConstantContact, Aweber)
6. Review and Confirm
Flush / Purge Caches
Flush any caches (WPENGINE, Autoptimze, WP Rocket, CloudFlare, CDN, etc)
Are pages redirecting?
Make sure there aren’t any mixed content messages and that nothing HTTP is getting served under the hood.
Make sure any variations of your root (http:// http://www, etc.) all 301 (single hop) redirect to the same HTTPS version. Same with any post/pages that are accessed HTTP, these should all single-hop 301 to the HTTPS version. (Redirect Checker tool)
You can add this to .htaccess to make sure the pages are redirecting.
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://limecuda.com/$1 [R=301,L]
There is an easy plugin called Really Simple SSL that is supposed to be a great way to move the site to HTTPS
In the coming weeks…
Monitor Search Console and Google Analytics for errors. When you’re sure the migration is successful you can also enable HTTP Strict Transport Security (HSTS) for an additional speed boost. Test the load time using the Pingdom speed test.
We have compiled an extensive list of SSL-related tools, these can help you make sure you’ve properly configured your SSL.
Tomas says
WPengine is a pain in the !@#$ sometimes mate. And, some plugin conflict with their configuration i saw. For fix some resource, one is working okay (force HTTPS): https://wordpress.org/plugins/force-https-littlebizzy/
Michael says
Hey Blake, thank you for this article concerning https migration on WPEngine specifically. This is what I was looking for.
Particularly for redirects, in the current layout of WPEngine’s user portal I chose “Secure All URLs” and “Allow HTTPS and HTTP”. That was sufficient for having any root variations, 301 redirecting to the HTTPS primary domain (it forces a 301 redirect to https for any request). I did not add any redirect rules in the .htaccess as this is used by apache, not nginx.
However I noticed that there was a two-step redirect for the http non-primary domain. It redirected first to the http primary domain and then http primary domain redirected to https primary domain (https://sailingheaven.com/). This seemed to happen as in the WPEngine’s user portal > Domains I had set a redirect from the non-primary domain (www) to the primary domain (non-www). The solution was to remove this domain level redirect in the “Domains” section and add a rule in the “Redirect rules” section similar to what you describe in your post: https://fewerthanthree.com/code-snippets/global-site-redirect-wpengine/, with the following variation:
Domain: http://www.thesite.com
Source: ^/(.*)
Destination: https://thesite.com/$1