How to secure your WordPress site: Migrating from HTTP to HTTPS
It is now essential to secure your website with an SSL certificate. Search engines penalize websites in their SEO rankings if they detect that the site responds in plain HTTP. Worse, almost all major browsers now tell the user that your site is not secure: Google Chrome displays a very visible “Not secure” label with a circled exclamation mark right next to the website address, as shown below. To fix this problem, follow the steps below to convert your WordPress site from HTTP to HTTPS.
Google Chrome 77 displays the “Not secure” message
Imagine how many people will see this message and close the tab to your website and never come back. This is what we refer to as a bounce rate, and you can now understand why your site has one.
If you run an eCommerce website, it is a MUST to secure your site with an SSL Certificate. It’s required by most credit card gateways and is the first step to PCI compliance.
Today I will show you how to secure your WordPress or Woocommerce website using an SSL Certificate.
Let’s assume you already have an SSL certificate installed on your server. You can buy an SSL certificate from any hosting company (including ours) or purchase it through a broker.
ENOUGH TALKING ALREADY, LET’S DO IT!
Backup your website
You will need to back up your site before we can make any changes. There are two types of people who back up: those who do it and those who understand why.
There is no better backup plugin than “All-in-One WP Migration” from ServMask.
All-in-One WP Migration plugin
You can install this plugin by clicking on Plugins > Add New in the Admin Menu.
Add New Plugin from the Admin Menu.
Search for “all-in-one” and click “Install Now”. Click “Activate” afterward to activate the plugin.
Find the plugin by searching for “all in One”.
The next step is to perform the backup. Click the “All in One WP Migration” button on the Admin Menu.
All-in-One WP Migration link
Click the “Export To” menu and then click “File”.
Export site screen. Click “Export to” and then “File”.
The backup will begin. It may take some time.
Back up is starting
Click the “Download” button to save the backup on your device once the backup has been completed.
Download Backup now
Change the address of your site in General Settings
In General Settings, we need to update the “WordPress Address (URL)” and “Site Address (URL)” fields. Click the “Settings” link on the Admin Menu.
Setting link in the Admin Menu
Update the “WordPress Address” and “Site Address” to “https”, then click the “Save Changes” button.
Set the URL for your WordPress site and address.
WordPress Site and Address Settings - HTTPS
You should see the “lock” icon in your browser’s address bar after you visit your HTTPS site.
Lock icon after securing your site
After you have confirmed that the “lock” icon is visible, it’s time to redirect all HTTP traffic to your new HTTPS website. We strongly recommend against using plugins such as “Really Simple SSL”, which accomplish this at the WordPress level. Since plugins are prone to breaking, the last thing you want is your SSL redirect plugin misbehaving and Google crawling the HTTP version of your site. That is an SEO disaster in the making. A plugin can serve as a temporary solution, but it is better to do the redirect at the server level.
Depending on your level of expertise and your ability to access the server, you may need to contact the WordPress hosting company to get help.
You can add the following lines to your “.htaccess” file if you are using Apache for web hosting:
# Send every plain-HTTP request to the same URL over HTTPS with a permanent (301) redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: If you have ever looked at the .htaccess file that WordPress creates, you will have seen that it has its own rewrite rules in a block that starts with “# BEGIN WordPress”. You should not add anything to that block, as it will be overwritten.
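To check that the redirect ended up outside the WordPress-managed block, you can run a small script over the file. This is an added example, not part of the original article; the function name and the abbreviated sample files are constructed for illustration.

```python
import re

COND = re.compile(r"RewriteCond\s+%\{HTTPS\}\s+(off|!=on)\b", re.I)
RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)(?:\s+\[(.*)\])?", re.I)

def https_redirect_status(htaccess_text):
    """Return 'ok', 'inside-wordpress-block' or 'missing'."""
    in_wp_block = cond_pending = found_inside = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            # WordPress regenerates everything between these two markers.
            if line == "# BEGIN WordPress":
                in_wp_block = True
            elif line == "# END WordPress":
                in_wp_block = False
            continue
        if COND.match(line):
            cond_pending = True  # the condition applies to the next RewriteRule
            continue
        m = RULE.match(line)
        if not m:
            continue
        flags = {f.strip().upper() for f in (m.group(2) or "").split(",")}
        permanent = bool(flags & {"R=301", "R=PERMANENT"})
        if cond_pending and m.group(1).lower().startswith("https://") and permanent:
            if not in_wp_block:
                return "ok"
            found_inside = True  # works today, lost when WordPress rewrites the block
        cond_pending = False
    return "inside-wordpress-block" if found_inside else "missing"

# Constructed, abbreviated sample files (not from a real site).
REDIRECT = ("RewriteEngine On\nRewriteCond %{HTTPS} off\n"
            "RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n")
WP_BLOCK = "# BEGIN WordPress\n{}RewriteRule . /index.php [L]\n# END WordPress\n"
SAMPLES = {"above block": REDIRECT + WP_BLOCK.format(""),
           "inside block": WP_BLOCK.format(REDIRECT),
           "no redirect": WP_BLOCK.format("")}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {https_redirect_status(text)}")
```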
When things go wrong: Mixed Content
You thought it would be simple. Instead of the lock icon, you’re seeing a mixed-content warning that looks like a padlock and a triangle.
Chrome Mixed Content Warning
You may ask, what is mixed content? When a page on your site is delivered over HTTPS but loads some of its content over HTTP, it is called mixed content. How can this be… we HTTPSed the site just a few minutes ago? If you’re anything like most people, you probably use third-party libraries (like jQuery, Google Ads, Font Awesome) that can be served via HTTP. These links are not updated when you migrate your WordPress site from HTTP to HTTPS. You will have to change these links manually.
Theme Editor in the Admin Menu
If you haven’t done so already, you can select the theme you want from the drop-down menu on the right and click “Select”.
Choose your theme
Select the header.php file in the list on the right. Look for any URLs that begin with “http://” and change them to “https://”. Click the “Update Files” button once you are done. The same goes for footer.php.
You can edit your header and footer files
After you have finished, visit your homepage and check if the “lock icon” is now visible in the address bar.
Even though we have fixed the links in our theme’s header and footer, we may still receive the Mixed Content warning on certain pages of our website. A good rule to follow when converting WordPress from HTTP to HTTPS is to visit each page of your website and check that there are no mixed content warnings. This may sound impossible; it is not, but it is very time-consuming. Clicking the “Pages” link on the Admin Menu is the best way to check the site.
Pages Link on Admin Menu
You can open multiple pages by hovering over the page list and clicking the “View” button.
Click on the View link while holding CTRL to open the page in a separate window
You can click the “Edit Page” link, located at the top, to edit and correct any links that have caused the mixed content.
To edit the current page, click the Edit Page button at the top.
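To speed up the page-by-page check, you can scan a page’s HTML source for resources that would still load over plain HTTP. This is an added example, not part of the original article; the sample page and host names are constructed. It separates active content (scripts, stylesheets, iframes), which browsers generally block, from passive content (images, media), and it ignores ordinary links, which are not mixed content.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, kind): "active" content can change the whole page,
# "passive" content (images, media) is display-only.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "img": ("src", "passive"), "video": ("src", "passive"),
                "audio": ("src", "passive"), "source": ("src", "passive")}

class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":  # only stylesheet/icon links are fetched with the page
            rels = a.get("rel", "").lower().split()
            kind = "active" if "stylesheet" in rels else "passive" if "icon" in rels else None
            attr = "href"
        else:
            attr, kind = SUBRESOURCES.get(tag, (None, None))
        if kind is None:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        url = a.get(attr, "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))

def scan_html(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (hypothetical hosts), not taken from a real site.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.net/fontawesome.css">
<script src="http://ads.example.net/ads.js"></script>
</head><body>
<a href="http://example.org/">partner link</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="//cdn.example.net/banner.png"></body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Save a page’s source from the browser and pass its text to scan_html; each finding gives the line to fix in the theme file or in the page editor.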
Conclusion
Congratulations! Your site is now served over HTTPS and secured with an SSL certificate. This is only the first step. You will need to update your site map and external services so that they point to your HTTPS website. Web Design Matrix will handle your WordPress HTTP to HTTPS migration when you host with us.