Since July 2018, Google started marking all non-HTTPS sites as “Not Secure,” thereby opening a can of worms for some websites. The best way forward is to move your website from the insecure HTTP to the secure HTTPS.
When you migrate to HTTPS, Google will remove the “Not Secure” sign which will boost visitor’s confidence on your website.
In the past, only websites collecting sensitive information or selling products or services had HTTPS installed on their website. Visitors would conduct business with the website without a single worry. But we strongly recommend all websites have HTTPS installed on them because otherwise their sites will be marked as “Not Secure.”
But moving WordPress from HTTP to HTTPS can be a bit intimidating for an inexperienced user. But you don’t have to worry about a thing. Just follow our guide in which we take you through all the steps for setting HTTPS on your website.
What is HTTPS?
HTTPS stands for Hypertext Transport Protocol Secure. It’s a technique that helps establish a secure connection between a visitor’s browser (say, Google Chrome) and your website server (say, Bluehost server). To further illustrate the technique, imagine this scenario:
You are logged into a shopping website on your Google Chrome browser. The shopping site needs you to fill in the details of your credit card. After you fill in details like your card name, card number, and expiry date, you will have to click on Submit. And once you hit the submit button, all your information is carried away and stored on the shopping website’s server.
Although all your details are tucked away safely, what if a hacker is able to snatch that information during its journey between your Google Chrome browser and the web server? (This type of attack is called the Man in the Middle Attack!)
That’s where HTTPS comes in.
HTTPS is a technique that ensures that no one can interrupt the flow of information between your browser and the shopping website server.
HTTP vs HTTPS: Difference Between HTTP & HTTPS
HTTP stands for Hypertext Transport Protocol and HTTPS stands for Hypertext Transport Protocol Secure.
It’s most important to note the terms “Transport” and “Protocol.” Because it tells you that there is a system for transferring information on a website to the visitor of the site (and vice versa). HTTPS offers a more “Secure” system of transferring information.The S at the ending of HTTPS just stands for Secure. Click To Tweet
Many of you must be wondering what information do WordPress websites transfer? Well, it could be anything from sharing private information to submitting credit card numbers.
Another major and quite visible difference between HTTP and HTTPS is in the URL of the website. HTTPS URLs begin with https:// whereas HTTP URLs begin with http://. Google Chrome is now marking all non-HTTPS sites as “Not Secure” regardless of whether you are collecting any kind of information or not. Besides providing security to users, there are other benefits as well. In the next section, we have addressed all the benefits of HTTPS.
What Are the Benefits of HTTPS?
There are 4 major benefits of using HTTPS on your website. Those are –
HTTPS ensures that the information passing between your visitor and your website remains protected. If your visitor is submitting credit card information to your site or if your website is offering critical information to the visitor, it’s being done is a safe manner. That is, no one is interrupting the passage of information and stealing it midway. Hence, HTTPS is absolutely vital for eCommerce websites. But these days HTTPS is increasingly used for entire websites because of reasons we have discussed in the next few points.
Trust & Credibility
When you type in an address on a browser, you’ll notice that HTTP or HTTPS is automatically added at the beginning of the web address. Websites without HTTPS is marked as “Not Secure” by Google Chrome. It’s making websites move from HTTP to HTTPS. Google wants to make sure its users know if they are visiting a website that has not taken HTTPS measures to keep their website safe. The end goal is to give the user the best browsing experience and keep them safe on the web.
That means websites marked as “Not Secure” are meant to discourage visitors from visiting a website. Even if you are not selling products, visitors will be skeptical to read the information on your website. Ask yourself – would you trust anything a website says when it’s marked as “Not Secure?” Chances are you won’t or at least you’ll be hesitant. This lack of trust is further illustrated by a GlobalSign survey where “77% are concerned about their data being intercepted or misused online” if there’s no green lock in the address bar. The green lock is a sign of HTTPS being enabled on a website. The green lock stands for “security.”
Moving to HTTPS will not only enable you to gain the trust of website visitors but also that of search engines. Google has stated officially that HTTP is a ranking factor. And the fruits of HTTPS is already showing. If you look at the data collected by analyzing 1 million URLs, it was found that there is a positive correlation between HTTPS and Google’s search rankings. Of the million articles analyzed, 33% of the URLs that were ranking in any of the first 3 positions were using HTTPS.
As you can see, migrating your site to HTTPS has many many benefits. And we’ll help you take advantage of these benefits through a step-by-step guide on how to move your WordPress site from HTTP to HTTPS coming up in the next section.Migrate your website to HTTPS because it has a whole lot of benefits that you should take advantage of! Click To Tweet
How to Move WordPress Site From HTTP to HTTPS?
To redirect HTTP to HTTPS, you will need to take 3 steps. If you browse through the steps then it can seem a little daunting but don’t worry. Just follow the instructions carefully.
Step 1: Take a Backup (If Required)
Do you have an existing website that you want to move to HTTPS? Are there a whole lot of posts and pages, plugins and themes? If so, then it’s best to take a complete backup of your WordPress website before proceeding.
To migrate your site to HTTPS, you’ll have to access the backend of your website and make modifications to WordPress files. This is a little risky especially if you’ve never done anything like this before. A tiny mistake can break your website or worse, you may end up losing some content or configurations by accidentally deleting a file or a folder. For any such worst-case scenario, having a backup of your website is absolutely mandatory.
And if you are looking for a backup plugin, then this article is the best place to start – Best WordPress Backup Plugins.
After you take a backup of your website, let’s proceed to the next section.
Step 2: Install an SSL Certificate
The first step of installing HTTPS is to get a WordPress SSL Certificate. SSL stands for Secure Socket’s Layer. Let’s just say this is what converts HTTP to HTTPS. Whether you are building a new website or you have an existing site, your site being with http://, the SSL certificate will help convert your website to https://.
If you Google for SSL certificates, you’ll find that some certificates come free of cost and for others you’ll need to pay. The security certificates can range from $5 to over hundreds of dollars.
Free vs Paid SSL Certificates
While the level of security that you are getting is standard across all the certificates, there are some substantial differences in other areas.
Free SSL Certificates: Anyone can install a free SSL certificate. Even though the SSL certificate is meant to send out trust signals, there’s no actual verification going on to prove that the websites are legitimate. And that whatever information the website contains comes from trusted sources.
Websites with a free certificate could very well be a scam. Who is to say!
Paid SSL Certificates: To install paid certificates, you have to have your business verified. It’s meant to validate your company or organization. Therefore, WordPress sites with paid certificates are legitimate. Having a paid certificate on your website is a cue for higher trust signals.
But how will the visitor know if a website free or paid certificate installed?
The answer is to simply look at the address bar.
There are different types of paid SSL certificates. Installing some will turn your address bar from white to green. Others will show the name of the company at the beginning of the URL.
To learn what are the different types of SSL certificates available and what kind of certificate will you need, read this guide – Different Types of SSL Certificates.
Moving on we’ll show you how to install and setup SSL certificate. There are 2 methods that you can follow:
- Installing Free SSL Certificate
- Installing Paid SSL Certificate
We will show you how you can use both methods for SSL certificate installation.
1. How to Install a Free SSL Certificate?
You can do 2 things – install a certificate through your WordPress hosting provider or do it using Cloudflare. We’ll show you both the methods.
Installing SSL Certificate Via Hosting Account
Many popular hosting providers like Bluehost, SiteGround, HostGator, Kinsta, and WP Engine offer free SSL certificates. We’ll show you the steps you need to take to install the certificate using 3 popular web host providers. Here goes –
- If you have an account on SiteGround, log into your hosting account and navigate to the cPanel.
- In the cPanel, there’s a section called Security.
- Here, there’s an option called Let’s Encrypt.
- Just select the option, follow the instructions and an SSL certificate will be installed on your website.
- On Bluehost, you will need to log into your hosting account and go to the cPanel.
- From the cPanel, go to Addons.
- On the Addons page, look for the option SSL Certificates. Click on the Learn More button located right underneath the SSL Certificates option.
- On the next page, head over to the option called WordPress Free SSL and click on the Get Started button.
- And then hit Install.
- Log into your Kinsta dashboard and click on the button Manage located next to the website you want to install the SSL certificate on.
- After that click on Tools and then select Let’s Encrypt.
- As soon as you click on Let’s Encrypt, a drop-down menu appears. From the menu, select Add Let’s Encrypt Certificate and then Generate Certificate.
We can’t cover all the hosting providers in this article. If your site is hosted with any other hosting companies, the first thing you need to do is inquire if they offer a free SSL certificate. If they do, you can proceed to install it on your site. If you don’t know how to proceed, then ask for assistance. You can send your hosting company an email or you can get on a live chat with them.
In case your hosting provider does not offer a free certificate, you can use Cloudflare to get one. We’ll show you how in the next section.
Installing SSL Certificate Using Cloudflare
Installing an SSL certificate with Cloudflare is extremely easy. Just follow our step-by-step guide below.
1. Create an account on Cloudflare.
2. After your account is created, add the website you want to install the certificate on.
3. Then you’ll be asked to select a plan. Make sure you are selecting the Free plan. Now your website has been added to Cloudflare.
4. In this step, you will be asked to update your NameServers. To do this, you need to login to your hosting account.
We recently moved one of our websites to HTTPS using Cloudflare. It was hosted on Namecheap. To change the nameserver on our NameCheap account, we logged into the account and clicked on the button Manage located next to the website we wanted to install the SSL certificate on. We then selected the tab Domain where we found a section called Nameserver. We then edited the nameserver and replaced the old nameserver with the new one.
5. After you have changed the nameserver, come back to the Cloudflare account and click on Continue. When you do this, the SSL certificate will be added to your website.
So now it’s just a waiting game. It’ll take 24 hours for your website to redirect from HTTP to HTTPS. Come back and check your website after 24 hours.
With this, we come to the end of how to install a free SSL certificate on your website. Next, we’ll take a look the how you can install paid certificates.
2. Installing Paid SSL Certificate
You can buy SSL certificates from your hosting providers or you can get it from SSL vendors.
Buying SSL Certificate From Hosting Providers: Many hosting providers offer free and paid SSL certificates. In Bluehost, you get a free SSL certificate no matter what hosting plan you choose. But you can upgrade your certificate from within the cPanel. SiteGround also offers an SSL upgrade if you pay a certain extra amount.
Hence, if you are looking for a paid SSL certificate, get in touch with your hosting provider. Enquire about the benefits of the paid certificate before proceeding.
Buying SSL Certificate From Other Vender: There are many popular certificate authorities from which you can purchase the paid SSL certificate. To name a few – Comodo, DigiCert, GeoTrust, and GlobalSign are the most trusted certificate authorities. Once you purchase the certificate, you will require the help of the vendor to install it into your WordPress website. It’s best to check with the vendor about what certificate your website requires and then take their help to install it into their website.
We have now installed an SSL certificate on your website. The next step is to make sure that your website is working properly.
Step 3: Post-Installation Measures
After installing the SSL certificate, you will need to move all your posts, pages, images to HTTPS. Luckily, you don’t need to do it manually.
- Just install and activate the Really Simple SSL plugin.
- After activation, select the option Go ahead, activate SSL! and it’ll ensure that your entire website has moved to HTTPS.
If you have Google Analytics, then you can update your site’s URL in Google Analytics. If you are using Google Search Console, you can change the website URL there too.
That’s it, folks! That’s the end of this lesson on how to move WordPress from HTTP to HTTPS.
It’s clear how HTTPS helps secure not just your website but also people who are visiting your website. But, we would like to warn our readers that having an HTTPS certificate alone does not guarantee that your website is secure from hackers.
To protect your website from hackers, you need to install a security plugin and we strongly recommend using a MalCare Security Plugin.
Besides using a plugin, you can take a few more security measures to protect your website from hackers. To help you take those security measures, we wrote a WordPress Security Guide.
Don’t Forget to Try MalCare Security Services!