WordPress and HTTPS: Why your site needs encryption and how to migrate your site

Netscape created the HTTPS protocol in 1994 for its Netscape Navigator browser. Since then, websites across the Internet have slowly integrated SSL or TLS certificates to use the HTTPS protocol. More recently, though, HTTPS encryption has become increasingly important.

In 2015, Google announced that it would essentially punish websites that aren’t mobile-friendly in its search results. As a result, non-responsive website owners scrambled to make sure their sites were ready. At the time, this got a lot of attention — we’ve even previously published an article on how to be sure your site lives up to Google’s expectations. But did you know that a year prior, Google issued another ranking signal — HTTPS (an encrypted site) — that also affects your results in search engines? More recently, browsers have cracked down on insecure transmissions, displaying warnings to users when they visit sites using HTTP instead of HTTPS. For these reasons and others you’ll see below, it’s imperative to add an SSL/TLS certificate to your site so that you can have secure HTTPS data transmission.

What is HTTPS?

Without digging into details too deeply, websites that start with “https://” (the S stands for “secure”) use a type of security called SSL (secure sockets layer), or more recently, TLS (transport layer security), to ensure that data is transmitted securely. These types of connections encrypt communications between your browser and the computer serving you a website. Not only can you tell if a website uses HTTPS by looking for the “https” at the begging of a web address, but also many browsers place a lock icon in the address bar to make it additionally clear that the connection is secure.

Why do you need HTTPS?

First, it’s important to note that an encrypted connection (HTTPS) is different from password security. In case you haven’t read it, we’ve offered tips on that subject before as well. Password security, keeping your site up to date, and the other tips there are all important to keep hackers from accessing your data. However, even if you’re following the suggestions offered there, an unencrypted site is still vulnerable to data theft, but in different ways. Encryption protects data being transferred to and from your site from being stolen in transit — information people send in forms they’ve filled out, for instance — while the security tips we offered previously protect you from having your site hacked. While those are different issues, both are important!

Obviously, if you’re placing an online order or filling out a form with your personal information, using HTTPS is essential, but the fact that Google is using security as a ranking signal makes it essential for any website owner. Google began emphasizing the need for security in June 2014 when Google called for “HTTPS everywhere” shortly before officially designating it as a ranking signal in August of that same year. However, Google’s emphasis on mobile-friendly sites seems to have had a much bigger focus from the development community and tech media. So even if you don’t have a risk of having sensitive form data like credit card numbers or even email addresses stolen, it’s important to use HTTPS for SEO purposes alone.

This might sound like an unnecessary burden for sites that don’t need it, but it really isn’t a bad thing. It means that if your site uses HTTPS, you could see a noticeable spike in your Google search results since so many other sites aren’t doing the same. If anything, using HTTPS is an opportunity to set yourself apart from others.

How do you get HTTPS for a WordPress site?

If you’re interested in adding HTTPS encryption to your site, contact your hosting provider. Security certificates were very expensive when they first became mainstream, but now they are very affordable. Some hosting companies are even now including them to all hosting packages at no extra cost. If your hosting provider doesn’t offer secure hosting packages, 1&1 offers them very affordably. Read our article on site hosting if you don’t already have a hosting company for your site or want more information about hosting works. If your hosting provider doesn’t include a security certificate, Let’s Encrypt offers them for free. It’s a little more complicated as you have to set it up yourself, but it’s worth it to ensure your site is secure.

In WordPress, you’ll need to take a couple of steps after you’ve obtained your security certificate to ensure your traffic routes to the HTTPS protocol as it should. First, navigate to Settings → General in your WordPress Dashboard, and change http:// to https:// in the WordPress address (URL) and Site address (URL) fields. This ensures that when someone enters your website in their browser address bar without typing either one, they’ll be directed to HTTPS. Second, you need to set a 301 Redirect to send any HTTP traffic to HTTPS. This sounds complicated, but the Really Simple SSL plugin will take care of this for you. Install and activate the plugin, go to the new Settings → SSL menu that now appears in your WordPress Dashboard, click on the Settings tab, and check the Enable WordPress 301 redirection to SSL box. You may also want to check the Auto replace mixed content and Enable JavaScript redirection to SSL boxes to ensure all your content is using the HTTPS secure protocol. Go to the Configuration tab and the first four items should all have a green check box beside them. This means you’re good to go!

Possible issues with moving your site to HTTPS

Sadly, moving your site to HTTPS isn’t always headache-free. Because your content’s URLs are changing, the 301 redirect is an essential step to ensure previous links you’ve shared don’t break. If you don’t enable 301 redirection, any links you’ve previously shared using HTTP won’t work.

In addition, social media share numbers get reset when you transition to HTTPS because the URLs are different. If you use a plugin that displays the number of times your content has been shared on social media, those numbers will reset to zero and the fix either takes a decent amount of work or a premium plugin called Social Warfare Pro, costing $29/year. If you’d prefer to save the money and do it yourself, see step 8 of this detailed transition to HTTPS.

If you use Facebook comments on your website as ours does, you’ll also lose the comments on your site as well due to the URL changes. If you’re using a child theme on your site, just add the following code to the functions.php file in your child theme and you’ll get your comments back:

function rsssl_exclude_http_url($html)
{$html = str_replace('data-href="https://www.yourdomain.com', 'data-href="http://www.yourdomain.com', $html); return $html;}

Despite these possible issues, it’s a good idea to at least explore the option even if you don’t see a direct need to add HTTPS to your website. If this process seems overwhelming, we’re here to help. Contact us and we can help you migrate your site to HTTPS.

It’s absolutely worth transitioning your site to HTTPS to avoid the warning messages browsers are now sending your viewers, and for SEO purposes, it’s always a good idea to follow Google’s guidelines!