This step-by-step guide will show you how to migrate your WordPress website from HTTP to HTTPS without losing rankings or SEO.
To complete the process, you will need an SSL certificate and FTP access to your website.
Before we get into the technical details, let us examine what we mean by ‘migrate your website to HTTPS’ and why it is important.
What Is HTTPS And SSL?
Let’s start with the basics:
What is an SSL Certificate? SSL stands for Secure Sockets Layer. It is a security protocol that enforces encrypted communication between the web browser and the web server.
This means that any information transmitted between a visitor's browser and your web server, like usernames and passwords, credit card information, and any other data submitted by users, is secure and encrypted.
Without an SSL certificate, this information is sent in plain text.
What is the problem with that? If a hacker intercepts the connection between the browser and your server, they can read the information.
What is HTTPS? Websites with an SSL certificate installed and configured can be accessed using https://www.example.com instead of the traditional non-secure way of http://www.example.com.
Is HTTPS a Ranking Signal?
HTTPS is not something new; it’s been around for years, but it wasn't until 2014 that Google decided to start an initiative to make the web more secure and introduced the slogan “HTTPS everywhere.”
They started by making all Google searches HTTPS and also announced that HTTPS websites would gain a very small ranking boost.
When Google says a lightweight signal, it means that, other things being equal, an HTTPS webpage will rank above a non-HTTPS webpage.
How to Move a WordPress Website From HTTP to HTTPS
Here are the steps to move your WordPress website from HTTP to HTTPS.
Step 1: Install an SSL Certificate to your server
The first step is to purchase and install an SSL certificate on your web server. Google states you can use any modern SSL certificate if it supports 2048-bit key encryption.
A normal certificate costs approximately $50 per year and can be issued instantly by the provider.
The best way to get past this step is to contact your web hosting provider and ask them to install an SSL certificate on your server.
With most web hosting providers, you can purchase an SSL certificate from the account dashboard (or cPanel).
Once they install the SSL, you can check that it’s working ok by navigating to your website using https.
Step 2: Change WordPress Default URL
The second step is to log in to your WordPress dashboard and locate the GENERAL option under the SETTINGS menu.
Ensure that both your WordPress Address (URL) and Site Address (URL) start with https.
Once you click the SAVE CHANGES button (located at the bottom of the screen), you will be locked out of WordPress and have to log in again.
Step 3: Add 301 Redirects to Redirect HTTP requests to HTTPS
So far, you have installed an SSL certificate on the server and changed the default WordPress URL to https.
This is not the end of the process. To gain the SEO advantage from HTTPS, your website must be configured to redirect HTTP requests to HTTPS requests.
In other words, the default URL for all your posts should start with https and not http.
The easiest way to do this is to add the code below to your .htaccess file (you will need to access and edit the file using FTP).
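This code redirects (using a permanent 301 redirect) all HTTP requests made to your web server to the equivalent HTTPS page. This way, you don’t have to create a page-by-page mapping.
# HTTPS redirect
<IfModule mod_rewrite.c>
# Enable the rewrite engine for this directory
RewriteEngine On
# Apply the rule only to requests that arrived over plain HTTP
# (if a proxy or CDN terminates TLS and forwards plain HTTP to Apache, %{HTTPS} is always off here and this rule loops)
RewriteCond %{HTTPS} off
# Send a permanent (301) redirect to the same host and path over HTTPS
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>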
Once you save your .htaccess file, open a browser window and perform a few tests.
First, try to access any HTTP URL and ensure it successfully redirects to the equivalent HTTPS URL.
Second, try different combinations, i.e., http://www.sampleurl.com and http://sampleurl.com, and make sure both redirect to the correct https URL.
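The two browser tests above can also be scripted. The following is an added example, not part of the original guide: it checks that a plain-HTTP request gets a single 301 whose Location keeps the path and query string and switches to https. The function names and the sample responses are constructed for illustration; pass real URLs on the command line to test a live site, or run it with no arguments to use the samples.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Treat www and non-www as the same site when comparing hosts.
def bare(host):
    return (host or "").lower().removeprefix("www.")

def judge_redirect(requested, status, location):
    """Return the problems found in one response to a plain-HTTP request."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(requested), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"Location scheme is {dst.scheme!r}, expected https")
    if bare(dst.hostname) != bare(src.hostname):
        problems.append(f"host changed to {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query string not preserved")
    return problems

def fetch(url, timeout=10):
    """Send one HEAD request over HTTP; http.client never follows redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (status, Location) so the checks run offline.
SAMPLES = {
    "http://example.com/blog/post?page=2": (301, "https://example.com/blog/post?page=2"),
    "http://www.example.com/": (302, "https://www.example.com/"),
    "http://example.com/shop?id=7": (301, "https://example.com/"),
    "http://example.com/contact": (200, None),
}

def check_samples():
    return {url: judge_redirect(url, *resp) for url, resp in SAMPLES.items()}

if __name__ == "__main__":
    results = {u: judge_redirect(u, *fetch(u)) for u in sys.argv[1:]} or check_samples()
    for url, problems in results.items():
        print(url, "OK" if not problems else "; ".join(problems))
```

A 302 or a redirect that sends every URL to the home page still looks fine in a quick browser test, which is why the script checks the status code and the preserved path separately.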
Step 4: Use Search and Replace
The next step is to correct any internal links in your content to point to the https version.
For example, if your content has internal links starting with HTTP, you must change them to point to HTTPS. Otherwise, this will create mixed content warnings, and the browser will not show your website as secure.
The best way to do this is to use a plugin. Install and activate the search and replace plugin (it’s free).
Then go to TOOLS and select SEARCH & REPLACE.
Note: A database backup is highly recommended before running a search and replace on your website.
Click the SEARCH & REPLACE tab and adjust your settings as shown above (use your own domain in the SEARCH FOR and REPLACE WITH input boxes).
When you click the DO SEARCH AND REPLACE button, the plugin will change all URLs it can find in the database from HTTP to HTTPS.
Step 5: Check for non-https links
The next step is to check for any external links you have in the content and make sure that they start with https and not http.
You can do this by navigating to your website’s pages. If the browser bar shows that the page is not secure (like the example below), find the link that is not secure and change it to https.
There are 2 ways to find these links.
The first is to use Chrome’s developer tools. Right-click anywhere on the page and select INSPECT. This will open the developer tools.
Click the CONSOLE tab to find the URL that is causing the issue. Edit your content and change the URL to https.
Second, check your website using this free service. It will crawl your pages and give you a report on the links that need to be changed.
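The console check can also be run over saved page source. The following is an added example, not part of the original guide: it parses a page and lists every http:// URL, and it goes one step beyond the text by separating resources the browser actually loads or submits to (these trigger the "not secure" state) from plain links, which only cost an extra redirect. The class name, the tag lists and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs where the browser fetches from, or submits to, the URL
LOADING_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                 ("audio", "src"), ("video", "src"), ("source", "src"),
                 ("embed", "src"), ("form", "action")}
# <link> only loads a resource for these rel values (canonical, for one, does not)
LOADING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.subresources = []  # (tag, url): what the browser flags or blocks
        self.references = []    # plain links: no warning, but an extra redirect

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue
            loads = (tag, name) in LOADING_ATTRS
            if tag == "link" and name == "href":
                loads = bool(LOADING_RELS & set(attrs.get("rel", "").lower().split()))
            if loads:
                self.subresources.append((tag, url))
            elif name == "href":
                self.references.append(url)

def scan(html):
    """Return (subresources, references) that still use http:// in one page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.subresources, scanner.references

# Constructed sample page; srcset and CSS url() values are not covered here.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<a href="http://example.com/about/">About</a>
<form action="http://example.com/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    loaded, linked = scan(SAMPLE_PAGE)
    for tag, url in loaded:
        print(f"fix first  <{tag}> {url}")
    for url in linked:
        print(f"update     {url}")
```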
Step 6: Check for broken links
If you followed the above steps successfully, your website probably should be fully HTTPS with no mixed content warnings, and you won’t have to do anything else.
As an extra measure, you can ensure you have no broken links (HTTP or HTTPS).
You can use this free tool by Xenu to get a report of the links that need to be fixed.
Step 7: Add your HTTPS website to the Google Search Console
To maintain your current Google rankings and to officially inform Google that your website is now HTTPS, you need to add the HTTPS variations to your Google search console.
So, at the end of the process, you will have 4 website variations registered in the Google Search Console.
- http://www.example.com
- https://www.example.com
- http://example.com
- https://example.com
Note:
It is necessary to keep both the http and https versions in your Google Search Console since Google considers these to be 4 ‘different’ websites.
Repeat the same procedure and submit your https websites to Bing Webmaster tools.
Step 8: Re-generate your XML sitemap and submit it to Google
While managing your websites in the Google search console, it’s also recommended to re-generate your XML sitemap and make sure that all links are now https and re-submit it to Google.
This guide, ‘How to optimize your XML sitemap for maximum SEO’, will give you all the details.
Step 9: Check Robots.txt
Another check is to ensure that your robots.txt file is not accidentally blocking search engines from accessing your https website.
Log in to the Google Search Console and view the robots.txt report under Settings.
Step 10: Submit your HTTPS website to Google
The next and final step is to submit your new website to Google.
Although we resubmitted the XML sitemap and Google will know about the change in URLs, to speed up the process, you can use the URL inspection tool in the Google Search Console to ask Google to crawl your website.
Step 11: Change incoming links from HTTP to HTTPS
The process is now complete. Your website is configured to redirect any HTTP requests to the equivalent HTTPS, you have fixed any mixed content warnings, your sitemap is updated, and the website is submitted to Google.
If you want to help Google (and other search engines) update their index faster, you can edit all external links (that you can access) pointing to your website to HTTPS.
For example, you can go to Facebook, Twitter, Pinterest, and other social networks to add your website’s link and change it to https.
Don’t worry about the links you cannot change; the 301 redirections we added in the .htaccess file are responsible for informing search engine spiders that the links have changed to HTTPS.
Step 12: Monitor your rankings and traffic
The above procedure is straightforward, and your rankings will not be affected negatively under normal conditions.
Nevertheless, monitoring your traffic in Google Analytics and ranking positions (using your favorite keyword research tool) is always wise to pinpoint any issues and resolve them as quickly as possible.
Will My Rankings Increase After Migrating To HTTPS?
All websites we migrated to HTTPS saw a slight increase in rankings and traffic.
Remember that HTTPS is a minor ranking factor (at least for now), so don’t expect huge differences.
Don’t forget that you are adding the secure certificate to benefit from the ranking boost and increase user trust, which can prove more beneficial in the long run.
Conclusion
Migrating your WordPress website from HTTP to HTTPS is not difficult. The steps described above are all you need to do, and for most websites, the migration process takes only a couple of hours.
There is a cost involved since you will have to renew the SSL certificate every year, but for an online business that wants to stay in sync with the latest SEO developments and cares about data security, this is not an excuse for not migrating to HTTPS.
Have you migrated to HTTPS yet? Do you have a question that was not answered above? Let me know in the comments.