On October 31st, 2018, I have implemented an SSL certificate for NBRplaza and from that moment on this site has switched to HTTPS. In this article I will tell you why I did that (and why it might be a good idea for you too) and how I did it (so you can do it too, even if you are not very tech savvy).
A safe website with SSL and HTTPS: why should you?
Whenever you are browsing the web, you will notice that a growing number of websites have a little lock in the location bar. The web-address of these sites begins with HTTPS (in stead of HTTP). That lock says that you have a safe connection with that website and that the data that you exchange with that site cannot be tapped. When you want to give a safe experience to your visitors, for example when you have a web shop, it is important that your site will be transferred to HTTPS. If a visitor uses a free and public WiFi hot-spot and fills in a form on your site, it will be impossible for someone to eavesdrop.
Better Google ranking with SSL
But there is another important reason. Google uses the security of your site as a ranking signal. In other words, if you don’t have a secure site, you will drop in the search results and you will notice that in your visitor numbers. SSL is not a compelling ranking factor, but it still counts.
The pros of SSL are therefor: security and privacy for your visitors, and it is good for your Google ranking. Besides, you will get better data in Google Analytics.
If this is sufficient reason for you to switch, read on. I will not abuse you with technical details, but I will explain how you can make the transition. You might need a little technical knowledge, but I’ve tried to minimize that. If I can do it, so can you. The entire process took about 2 to 3 hours for me.
What is SSL?
SSL stands for Secure Sockets Layer and is an encryption protocol to protect your website. I will not explain what it is exactly and how it works technically. It comes down to that SSL ensures a safe and encrypted connection between your visitor and the website.
All data that will be exchanged between the browser that you use and the server that contains the website will be encrypted and cannot be intercepted. Further more, SSL will ensure that you are actually connected to the website that you think you are visiting (authentication).
Websites that use an SSL certificae are recognizable, because of their address that doesn’t start with HTTP but with HTTPS. On top of that, browsers will point out that the website is secure, for example with an icon of a lock in the location bar.
Are there any cons in SSL?
There are two cons in switching to SSL/HTTPS. First, it is a lot of technical hustle and if you don’t do it right, your site will become slow or it will stop working all together. The transition is not a matter of a simple push of a button. Especially when you have an existing website or blog, there are a lot of things involved. En when you make a tiny mistake (which can be as simple as forgetting a ‘;’ or missing a step) it may well happen that your site stops working.
On top of that, an SSL certificate costs money. The costs may differ, because there are many providers and different tyoes of certificates. For this website, however, I made use of a free service that was offered by my web hosting party.
HTTPS will make your site a little slower, but if you do it right, it is hardly noticeable. There are some WordPress plugins for SSL integration, but I don’t recommend them. They are very easy to use and it requires little technical knowledge, but those plugins will definitely make your site a lot slower.
No guaranties
When you use WordPress (chances are you do, or you wouldn’t be reading this), you are using Themes and Plugins. Some older Themes and older Plugins don’t work well with SSL. Even if you do everything right, it can be that some plugins will not work any longer. When that happens, you will need to look for alternatives. It may also happen that embedded content, like YouTube movies (that have been embedded the old way) will stop working.
STAP 1: Obtain an SSL certificate and (let) install
To transfer your website to HTTPS you first need an SSL certificate for your domain. Most hosting parties that support WordPress, have off the shelve products for that. That’s why you should always first contact your hosting provider. In my case it was just a matter of just one e-mail and the SSL was installed free of charge.
You can buy your certificate somewhere else, but that will only complicate things. First, there are different types of certificates and you will have to install them yourself in the DirectAdmin-area at your hosting provider. So if you have no clue what kind of certificate you need, or how to install it, don’t even think of doing it, I would suggest.
Just ask your hosting provider for help or seek help at a friend who knows a thing or two and is willing to do it or you.
The result of this step is that your WordPress site is now accessible with both http://www.yourdomain.com as with httpS://www.yourdomain.com.nl.
Stap 2: Migrate your WordPress website to HTTPS
It is best practice to make a back up of your site, before you start making any major changes. If something goes wrong, you can always restore your old site.
You’re not supposed to have two ‘versions’ of your website (one with HTTP and one with HTTPS). All links in WordPress, like the links from images, CSS files, JavaScript files, are based on the installation URL of your site. After you have installed the SSL certificate, you should go to the admin part of your WordPress site. Now change the WordPress address (URL) and Site Address (URL) by adding an ‘s’ behind ‘http’. Don’t forget to save your changes.
3. Adjust .htaccess and wp-config.php files
Next you need to make some changes to your site. First you need to change your wp-config.php file.
The first adjustment is needed to make sure your admin is also transferred to SSL. You may approach your wp-config.php via an FTP-program. Transfer the file to your local computer and make a copy that you rename to wp-config.old for instance. When something goes wrong, you will always have the original file to restore your site.
Now edit the wp-config.php file with a notepad editor. Copy the following code and paste it after the “<?php”:
- define(‘FORCE_SSL_ADMIN’, true);
After editing you must restore the adjusted wp-config.php file with FTP. Check if your site is working. If not, restore the old file and try again.
Now you must assure that all old URLs refer to the new URLs. This is called a ‘301 permanent redirect’. This will ensure that your visitor always come to the correct page and also Google will now see where your pages are. That is important to keep your current Google ranking.
You can create a 301 redirect for your entire site at once by adding the following code to your .htaccess file:
- RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
On the web you will find different lines of code to do this, but I used this one. With this redirect-code you will make sure that your website will not be approachable both with HTTP and HTTPS, but only with HTTPS. You can change your .htaccess file the same way as your wp-config.php file, but I did it with the YOAST plugin, that I also use for SEO optimization (YOAST SEO -> Extra -> file editor).
As an extra, you may want to ad HTTP Strict Transport Security (HTST). Hen you implement HTTP Strict Transport Security (HSTS), any browser will remember to switch to HTTPS automatically for your website. This will cause to skip the redirect and that will make your site slightly faster.Besides, Google will know that your HTTPS website should be indexed.
To enable HSTS on your website you must paste the following code in your .htaccess file:
- <IfModule mod_headers.c>
Header set Strict-Transport-Security “max-age=31536000”
</IfModule>
4. Changing all internal links and links of images to HTTPS
NBRplaza existed for over 10 years when I decided to switch to SSL. Therefor, I had thousands of internal links that all contained HTTP in the URL. I was so not going to change them all manually!
Now, you may think ‘big deal, I have a redirect?’. That may be true, but some browsers will notice that you have ‘mixed content’ and that may cause them to see your site as potentially dangerous. Some browsers will show a warning sign next to the lock.
I installed the ‘Better Search & Replace‘. That enables you to search for ‘http://www.yoursite.com’ and replace it everywhere with ‘https://www.yoursite.com’. Always do a ‘dry run’ so you can find potential issues that first need resolving. When the dry run goes well, you can start the search and replace. You may also want to do the same without ‘www’ (so search for http://yoursite.com and replace with https://yoursite.com).
5. Google webmaster tools and external links
Well done! Now your almost finished. As I said before, this is not guaranteed to go well and everything will work perfectly. It did with me. But if you run an old theme or some old plugins, they just might not work well. Check your site to see if it works.
A great tool to help you track insecure content is whynopadlock.com. Just fill in your site’s URL and the tool will perform a check.
After you completely switched your site to HTTPS you should register the HTTPS version of your website at your Google Webmaster tool. Google makes a difference between HTTP or HTTPS websites and will consider them to be two totally different sites. In the webmaster tool you will be able to see that the HTTPS site is indexed and your HTTP site will slowly disappear from Google’s indexes.
Finally, I recommend you to adjust as many external links as possible. So if you have any referral links, for example from your social media accounts, change those to HTTPS. The more external links refer to your HTTPS address, the faster Google will index your new site.
My personal experience
In the end it took me about 2 hours of my life to finish all the steps above. Especially changing the wp-congig.php file went wrong a couple of times, causing my site to go offline for some time.
Ask your hosting provider for help. It will save you a lot of time ad frustration. My hosting provider (Ikoula) was very supporting.
UPDATE
A number of Plugins that I used, seemed to be unable to work with SSL. The plugin ‘prevent registration spam’ for instance, blocked my blog altogether. After removing the plugin, the site was back on air.
UPDATE
Almost directly after the implementation of SSL / HTTPS, my traffic dropped. AT first I thought I might have done something wrong. Several SEO and WordPress experts audited my blog and couldn’t find anything strange. I had followed all the steps correctly.
After a bit of googling, I found out that several sites had the same experience. When you transfer from HTTP to HTTPS, your old (HTTP) site will disappear from search results, faster than your new (HTTPS) pages will appear. After about one week, my traffic became to grow again. Some sites claim that it took about 180 days before traffic was at its old numbers again.
Should this be a reason not to transfer to HTTPS? For now, I still assume that it is inevitable to implement SSL. Google will valuate site without encryption lower than those with SSL. We’ll see if my predections will be correct. Time will tell.
UPDATE
Next to changing your sites in Google Webmaster Tools, you should also not forget to change your site in Google Analytics. Go to Google Analytics, then to Admin (the little gear wheel on the left). then ‘property settings’ and then change ‘http’ in ‘https’ and press ‘save’.
- The hottest videos: Three women and one man - 18 April 2025
- Sex toys for men: what you need to know and how to choose one - 18 April 2025
- The 8 best anal lubricants - 11 April 2025