STEP 1. Let’s Encrypt Certificate – This is a widely supported, FREE certificate. If you are not a big-time eCommerce store, this will likely be good enough for you. Obviously, you need to do your research. Paid certificates can be had for around $150 a year, but here we are only looking at the free option, as it’s so easy to implement. Depending on your hosting company, it can be anything from fully automatic to easy-peasy to implement. Contact your host to find out how to enable that part.
STEP 2. Update the WordPress Address and Site Address URLs under Settings – General. Once you have your certificate installed, you need to change the website URLs to use the secure protocol. You must change both the WordPress Address URL and the Site Address URL. These can be found in the General section of the WordPress settings.
STEP 3. Better Search Replace. This is an awesome little plugin that can do a search and replace in the website’s database. This is the most efficient method for fixing any instances of mixed content, by finding all instances of http://mydomain.com/ and changing them to https://mydomain.com/. It is quick and you only need to do it once. Then, you can deactivate and delete the plugin.
STEP 4. Force https via .htaccess file. There are several ways to force https, but editing the .htaccess file is the best approach. Forcing the site to be served via https ensures that on every page and every visit, people are on an encrypted page. This is good for security and also peace of mind for the end user. There are also technical benefits from forcing https via the .htaccess file, as it is a more efficient and reliable method than WordPress redirects using PHP. There is also the situation of old http links out in the wild that would not be served via https unless forced. There are also plugins, like Really Simple SSL, which do all of the above steps and are quite popular, but the way I see it, if you do it the manual way, it’s done, and you have no need of the plugin (and we can all do with fewer plugins on our sites). But if you are after a quick method, check it out.
STEP 5. Test the site and look for the padlock on every page. Generally, if you have followed the steps up to now, you will see the padlock on every page of your site. If there are issues, you can use a website like https://www.whynopadlock.com/ to troubleshoot. This website shows you in detail the mixed content or other issues that are causing the padlock not to show.
STEP 6. Update site in Google Analytics and Google Search Console. This is the most complex area, and needs to be done carefully. Google sees a protocol change as a site move (see here for a Google post on this), so you definitely need to update Google Search Console and Google Analytics. There are numerous guides and discussions around this part of the process. See HERE, HERE and HERE.
If this post doesn’t quite hold your hand enough, or you just want a more detailed overview of the whole process, this post from Cloud Living is awesome.
Also, this excellent post from infront.com goes over the importance of 301 redirects in some detail.