Converting to HTTPS/SSL is one of the scariest tasks out there.
It feels like SUCH a big project with a billion little details. Feels like you need to hire a programmer or server expert or someone to make all the edits on your website, webserver, and Google accounts.
Here are some simple steps to manually set up HTTPS and HTTPS-redirects instead of using plugins (further slowing down your site). This will give you the proper URLS and fast speeds.
STEP 1 – Install SSL certificate
Either you do this on your own from cPanel or your webhosting panel. (It’s also possible to get free shared SSL from CloudFlare. But you should still be doing it the proper way, which is from your webserver/webhost.)
- Can’t do it yourself? Ask your webhost, or programmer or server guy to do it.
- SSL’s are free now! – thanks to LetsEncrypt. Don’t let anyone fool you into thinking you need to pay for it! (Yes, it’s true that not all SSL certificates are the same and that some big stores may prefer the fancier kind that shows your brand name in the address URL. Most sites don’t need this.)
STEP 2 – Change WordPress URL to HTTPS
Go to your WordPress settings and change the website address and site address to HTTPS. If you can’t get in there for whatever reason, you can edit wp-config.php.
STEP 3 – Update your database URL’s
This is the part where most people either get lazy or don’t know how to do it. They’ll use a plugin like some “Really Simple SSL” that forces HTTPS or enable the feature from their security plugin. I HATE THIS…don’t install another plugin just for this basic function!
The best way is to do it manually from your database so that all your asset URL’s and internal links use native HTTPS instead of wasting server resources to reload the links in HTTPS.
How to update your database URL’s manually:
- Install Better Search Replace (by Delicious Brains)
- Back up your database if you’ve never done this before.
- Enter “http:” in the top field and “https:” in the bottom field. Please write it exactly as I say…otherwise, if you put only “http” and not “https:”, you risk jacking up all the entries that already have “https”.
- Select all tables.
Honestly, editing database URL’s manually is very easy to do but also very easy to completely screw up your site if you don’t know what you’re doing. Please be careful and make backups.
STEP 4 – Update Google Search Console
Update your website settings in Google Search Console and also Google Analytics to use your new HTTPS address!
STEP 5 – Apply HTTPS redirect in your htaccess file
This is the last step. Put whichever code fits the address you want your users to redirect to….HTTPS with or without WWW? Then relax and you are done!!! WOOHOO! (Don’t have htaccess or you’re not on Apache/LiteSpeed? You probably don’t have to worry about this, but do ask your webhost.)
WITHOUT www (all visits go to “https://domain.com”):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
WITH www (all visits go to “https://www.domain.com”):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
STEP 6 – Resolve any problems (if needed)
Everything should be working. But just in case, here are a few diagnostic steps you can do if the HTTPS doesn’t show green of you don’t get that padlock.
- www.whynopadlock.com – this should be your first order of business. Check here and it will tell why you’re not getting a full HTTPS status.
- Google Chrome > Developer Tools > Security – another way is to right-click anywhere on the page, then click “Inspect”, then “Security” TAB. Then reload the page.
Most likely, you may still have some assets loading from HTTP instead of HTTPS. Use the search-replace tool again or go through all your theme/plugin settings.
JB Sidey
In Step 3, which Tables do I select? All? Is there a chance unnecessarily/incorrectly changing an https: to an https:?
Johnny
Select all tables! Thanks for asking; I’ve clarified it in my guide now.
Nguyen Minh Hung
In step 5, is it only done on apache web server?
Johnny
Yes, I already clarified that you don’t have to do that if you’re not on Apache.
Pedro
Hello Johnny
Thanks for the tutorial.
About step 3, with links to external sites that still do not respond to https, it is not recommended to search for https://domain.name and https://www.domain.name and replace it with https://domain.name or https://www.domain.name, depending on whether you use www or not at the site address? This would only change the internal links, leaving the external links as they were when they were created. Makes sense?
Looking forward to your feedback.
Thank you
Johnny
IMO, you should just change them all to HTTPS so that you don’t have any mixed-requests on the page. If the external site doesn’t respond to HTTP, let their server rewrite the URL. 🙂
Jake
This is most probably a really newb question, but in step 3 you mention
Enter “https:” in the top field and “https:” in the bottom field. Please write it exactly as I say…
does that mean I should leave out the domain name and only enter “https:”? All the other info I find on the Search and Replace plugin states to add the domain name as well (ie https://domaindotcom), and a warning to NOT add a ‘/’ at the end.
Henk Bekker
Step 3. 3 — Shouldn’t it be “http:” in the top field and “https:” in the bottom field?
Johnny
OMG!! ARGHHH! GEEEEZ. It’s probably been wrong for so long. But now fixed thanks to you.