These days, everyone needs to have a secure website (one using the https protocol – https://en.wikipedia.org/wiki/HTTPS).
The next major version of Google Chrome will start marking HTTP pages containing forms as “Not Secure.” Is your site ready for this?

There are many reasons we need secure websites. If you have an eCommerce store, it’s critical that payments and details are being encrypted and not just going across the network in plain text. But that’s not the only reason. There are a host of them. It’s all about integrity, privacy and security. Have a look at this Google Post about Why HTTPS Matters. Even simple websites can benefit from https, as Google is now using the protocol in their ranking algorithm. So even from an SEO point of view, it’s a sensible thing to do.

How to change your website from http to https

To serve your site over https, your website needs to use an SSL (Secure Sockets Layer) certificate. SSL is now being phased out in favour of the TLS protocol (Transport Layer Security), but that’s another story…

Basically, these protocols are the standard security technology for establishing an encrypted link between the browser and the server. In the last few years, SSL certificates have become cheaper and now there is a great FREE option that is suitable for most small websites.

Changing to https is not hard. But it is important it’s done correctly. Let’s look at the process.

In my examples, I’m using WordPress as the website CMS. If you use something else, there might well be different methods. I’d have no idea as I only use WordPress for my websites. 🙂

Four compelling reasons to change your website to HTTPS

SECURITY

SSL protects your communication between your site and its visitors. It encrypts data transferred over the Internet, like form submissions and credit card transactions.

SEO

Google has declared it’s time everyone got SSL, and they are now giving a ranking boost to secure sites. Don’t be left behind. Make sure you get your SEO boost by being secure.

E-COMMERCE

If you are processing any kind of payments through an eCommerce store on your website, SSL is not negotiable. It’s an absolute must to ensure confidence and legality when selling online.

AFFORDABILITY

With the advent of FREE Let’s Encrypt certificates, there are no more excuses. Even paid certificates are getting cheaper. So now that excuse is out of the way, what are you waiting for?

For more information on SSL certificates in general and why you should care, read this excellent post at PixelPrivacy.

Continuing on, we will now look at HOW to install SSL!

Step by Step – How to change your website from http to https

  • Step 1 – Install the certificate. (Let’s Encrypt is free and is available from most hosts)

  • Step 2 – Update the WordPress Address and Site Address URLs under Settings – General

  • Step 3 – Fix any mixed content issues with the plugin Better Search Replace and then uninstall the plugin

  • Step 4 – Force https via .htaccess file. (An example piece of code is included at bottom of this post)

  • Step 5 – Test the site and look for the padlock on every page

  • Step 6 – Update site in Google Analytics and Webmaster tools

Want More Details?

STEP 1. Let’s Encrypt Certificate – This is a widely supported, FREE certificate. If you are not a big time eCommerce store, this will likely be good enough for you. Obviously, you need to do your research. Paid certificates can be had for around $150 a year, but here we are only looking at the free option, as it’s so easy to implement. Depending on your hosting company, it can be anything from fully automatic to easy-peasy to implement. Contact your host to find out how to enable that part.

STEP 2. Update the WordPress Address and Site Address URLs under Settings – General. Once you have your certificate installed, you need to change the website URLs to use the secure protocol. You must change both the WordPress Address URL and the Site Address URL. These can be found in the General section of the WordPress settings.

STEP 3. Better Search Replace. This is an awesome little plugin that can do a search and replace in the website’s database. This is the most efficient method for finding any instances of mixed content, by finding all instances of http://mydomain.com/ and changing them to https://mydomain.com/. It is quick and you only need to do it once. Then, you can deactivate and delete the plugin.

STEP 4. Force https via .htaccess file. There are several ways to force https, but editing the .htaccess file is the best approach. Forcing the site to be served via https ensures that on every page and every visit, people are on an encrypted page. This is good for security and also gives the end user peace of mind. There are also technical benefits to forcing https via the .htaccess file, as it is a more efficient and reliable method than WordPress redirects using PHP. Old http links out in the wild would also not be served via https unless forced. There are also plugins, like Really Simple SSL, which do all of the above steps and are quite popular, but the way I see it, if you do it the manual way, it’s done, and you have no need of the plugin (and we can all do with fewer plugins on our sites). But if you are after a quick method, check it out.

STEP 5. Test the site and look for the padlock on every page. Generally, if you have followed the steps up to now, you will see the padlock on every page of your site. If there are issues, you can use a website like https://www.whynopadlock.com/ to troubleshoot. This website shows you in detail the mixed content or other issues that are causing the padlock not to show.

STEP 6. Update site in Google Analytics and Google Search Console. This is the most complex area, and needs to be done carefully. Google sees a protocol change as a site move (see here for a Google post on this), so you definitely need to update Google Search Console and Google Analytics. There are numerous guides and discussions around this part of the process. See HERE, HERE and HERE.

If this post doesn’t quite hold your hand enough, or you just want a more detailed overview of the whole process, this post from Cloud Living is awesome.
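For Steps 3 and 5, an added example (not part of the original post): a small Python scanner that lists the http:// subresources that stop the padlock showing on an https page, and separates out the ones on other hosts, which a search and replace for http://mydomain.com/ cannot fix. The sample page, the hosts other than mydomain.com and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Active content can change the whole page, so browsers block it over http;
# passive content typically just costs you the padlock.
ACTIVE = {"script", "iframe"}
PASSIVE = {"img", "audio", "video", "source"}

# Constructed sample page (hosts other than mydomain.com are made up).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://mydomain.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://mydomain.com/post/">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://widgets.example.org/embed.js"></script>
</head><body>
<a href="http://other.example.com/">a plain link is not mixed content</a>
<img src="http://mydomain.com/wp-content/uploads/logo.png" />
<img src="/wp-content/uploads/ok.png">
<form action="http://mydomain.com/contact/" method="post"></form>
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check("active", tag, a.get("href", ""))
        elif tag == "form":  # a form posting to http leaks what the visitor typed
            self._check("form", tag, a.get("action", ""))
        elif tag in ACTIVE or tag in PASSIVE:
            self._check("active" if tag in ACTIVE else "passive", tag, a.get("src", ""))

    def _check(self, kind, tag, url):
        # Relative and protocol-relative (//host/x) URLs inherit the page's https.
        if urlsplit(url.strip()).scheme == "http":
            self.findings.append((kind, tag, url.strip()))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def third_party(findings, site_host):
    """Findings a search/replace for http://<site_host>/ will not touch."""
    return [f for f in findings if urlsplit(f[2]).hostname != site_host]
```

Calling scan(SAMPLE) reports the stylesheet, the third-party script, the logo image and the form; third_party(scan(SAMPLE), "mydomain.com") leaves only the widgets.example.org script, which has to be fixed by hand.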

Also, this excellent post from infront.com goes over the importance of 301 redirects in some detail.

Examples of code for .htaccess file

The basic code you need to force https is this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Here is a snippet of code courtesy of Brian Hochstein of Hawk’s Design, that goes way past that default snippet. As a precaution, I would recommend talking to your hosting company to make sure this will work on your server. Many hosts seem to have their own preferred code for this process.

# BEGIN Force www & https
# This should be the first rule before other rules
# Redirects example.com and www.example.com to https://www.example.com
# [NC] flag makes it so the url is not case sensitive so example.com will be treated the same as EXamPLe.com
# [R=301,L] flag makes it do a 301 permanent redirect which is recommended

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

——————————————————————————————–

# BEGIN Redirect to non-www https
# Redirect www to non-www https
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]
# Send www straight to https so the visitor is never bounced through plain http
RewriteRule ^(.*) https://%1/$1 [R=301,L]

# Redirect http to https
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END Redirect to non-www https