How to Properly Migrate a WordPress Website to HTTPS (SSL / TLS)

• Blake Imeson
• 8 years ago
• Categories: Servers / Hosting

Learn the right way and steps to migrate your WPENGINE WordPress website to use HTTPS

Your website really needs to be secured with HTTPS! Making your site HTTPS is easy but there are some key steps to make sure this migration is done right! This guide assumes you’re on WPENGINE but the principles apply to other hosts.

BONUS: We’ve shared our internal checklist for the below process: Ultimate Checklist for Migrating a WordPress Website to HTTPS / SSL

I’m sure you always take a backup / restore point of your site before making any changes like this…

---

Approx. Time to Complete: 25-35min Tutorial Version 1.2

1. Enable / Install SSL on Your Website

We’ve written on enabling Let’s Encrypt SSL on Your WPENGINE Website but there are multiple options for purchasing an SSL.

2. Configure the WPENGINE SSL Settings

Make these 4 adjustments to the SSL settings after the certificate has been enabled. You have to click two different save buttons here!

You absolutely want to enforce SSL on the login and admin pages. It makes sense to go ahead and force the entire site to be always-HTTPS – you don’t want multiple versions of pages out there as it is bad for SEO.

3. Find / Replace URLs in Database

We like to use the Interconnect/IT Database Search and Replace Tool to find and replace the HTTP URLs with HTTPS. This will take care of things like internal links, image references, and canonical tags.
Replace: http://limecuda.com
With: https://limecuda.com

We like to hardcode the Home and Site URLs ) show up in WordPress Settings>>General.  So we would end up with this in wp-config.php

define('WP_HOME', 'https://limecuda.com');
define('WP_SITEURL', 'https://limecuda.com');

Note: there is bad advice out there that you should use protocol agnostic URL references for loading scripts. e.g. <script src="//limecuda.com/script.js"></script> If there is HTTPS available (and there should be) then it is best practice to explicitly require that version! So use the explicit URL <script src="https://limecuda.com/script.js"></script>

4. Changes in Analytics and Search Console

Google Analytics

• Change the Settings URLs and any filter URLs to HTTPS
• Add an annotation in the analytics noting that you’ve migrated the site to HTTPS. Might need to change the report date range to include today.

Google Search Console

• Create a new Search Console account for the HTTPS version
• Link the Google Analytics account to this new HTTPS Search Console  (found in Google Analytics Admin under Property Settings >> “Adjust Search Console”
• Replicate any geolocation or disavowing in previous Search Console account
• Submit the XML sitemap on the new account (if using Yoast SEO plugin then the url is /sitemap_index.xml)

Other Changes

• If you are using CloudFlare (we highly recommend) you can now enable “Full SSL (Strict)”
• Change any URLs in .htaccess or other redirect control areas
• Change any CDN settings
• Change any header scripts (like for ads or tracking)
• Change any absolute URLs in the theme files (particularly functions.php or style.css, robots.txt)
• Social Sharing counts may be affected. Some plugins will compile counts from both versions (Mashshare)

5. Change References to Your Site

If possible, it is helpful to change the URLs that send people to your site. Here are some possible places you can change the URL from HTTP to HTTPS

• Email signatures
• Social Media URLs like: facebook, LinkedIn, Twitter,
• Local listing sites (Google Local, Yelp)
• Wikipedia, Crunchbase
• Email blast tools you might use (MailChimp, ConstantContact, Aweber)

6. Review and Confirm

Flush / Purge Caches

Flush any caches (WPENGINE, Autoptimze, WP Rocket, CloudFlare, CDN, etc)

Are pages redirecting?

Make sure there aren’t any mixed content messages and that nothing HTTP is getting served under the hood.
Make sure any variations of your root (http:// http://www, etc.) all 301 (single hop) redirect to the same HTTPS version. Same with any post/pages that are accessed HTTP, these should all single-hop 301 to the HTTPS version. (Redirect Checker tool)

You can add this to .htaccess to make sure the pages are redirecting.

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://limecuda.com/$1 [R=301,L]

There is an easy plugin called Really Simple SSL that is supposed to be a great way to move the site to HTTPS

In the coming weeks…

Monitor Search Console and Google Analytics for errors. When you’re sure the migration is successful you can also enable HTTP Strict Transport Security (HSTS) for an additional speed boost. Test the load time using the Pingdom speed test.

We have compiled an extensive list of SSL-related tools, these can help you make sure you’ve properly configured your SSL.