If you are here, you probably got a warning from the Google Search Console regarding your site being penalized for not being secured with an SSL certificate.
Migrating WordPress to HTTPS (SSL)
This tutorial applies when you are running your site on a VPS with Ubuntu, Apache, PHP and MySQL, and it requires command line operations on your VPS.
Migrating WordPress to HTTPS is quite time-consuming, especially if we are talking about a large site. Here are the main steps:
- getting an SSL certificate and installing the SSL certificate in Apache
- fixing the mixed content warnings
- switching WordPress Admin to HTTPS
- redirecting everything to HTTPS
- checking the site for mixed content warnings using a tool
By far, the most complex step is fixing mixed content warnings. But let’s see all the steps.
Getting a FREE SSL certificate and installing the SSL certificate in Apache
SSL certificates can be bought from your hosting provider for prices ranging from $9 to $200. But even better you can get one for free from Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
You should back up the files in /etc/apache2/sites-available first, as the script will change your site configuration files for Apache.
To get the certificate you have to log in to your server console, then run the following commands to install the program that generates the certificates in /usr/local/sbin:
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
To use the script you have to make it executable:
sudo chmod a+x /usr/local/sbin/certbot-auto
Then run the script to generate the certificate for your domain (the following line will get the certificate for both the www and non-www versions of the site):
certbot-auto --apache -d yourdomain.com -d www.yourdomain.com
The script will start to run, identify where the Apache configuration files for your site are, and make changes to them. When it attempts to change the Apache files it shows a prompt; you should choose 1: Easy.
To apply the changes you should restart the server.
service apache2 restart
If everything goes well, you should be able to visit https://www.yourdomain.com/
Fix the mixed content warnings
Now, this is the hardest part of the entire procedure. Mixed content warnings appear when you visit a page via https and it contains http resources. It doesn’t matter if there are links to other sites with http; what matters is that the elements that make up the page content are included using https. This means we need to change two types of content:
- any hardcoded links to an image/script/embed in the PHP code. For example, http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1 should be changed to https://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
- any hardcoded links in the database should be changed to https.
Changing links from http to https in the code
This is usually not a problem. Make a backup of the files, then load the files in a code editor that can search for strings in all the files in a site. I’m using Aptana as an editor, so first I back up the themes folder, then create a new project in Aptana and search for http://. You need to replace everything that is not a simple link to a different site with https://
Changing links from http to https in the database
By default, WordPress makes internal links with http. You have to look for these links in the database and change them all. We need help.
Back up the database. Then download Search Replace DB from Interconnect/IT and upload it somewhere on the server (create a folder on the same level as wp-content). Access the search and replace folder via a browser:
https://www.yourdomain.com/folder
You will see that the Search and Replace script already has the database connection fields filled in, so you only need to fill in the fields above: http://www.yourdomain.com to be replaced with https://www.yourdomain.com. Hit the Dry Run button and have a look at what is going to be changed. If it makes sense, press Live Run. Repeat for http://yourdomain.com to https://yourdomain.com.
Other things to update would be embeds such as http://player.vimeo.com/ to https://player.vimeo.com/, http://img.youtube.com to https://img.youtube.com and http://www.youtube.com to https://www.youtube.com. There might be others if you are using embeds from somewhere else.
Note: as soon as you are done with the Search and Replace DB script you should delete it from the server.
What if you still receive Mixed content Warnings?
If you still get mixed content warnings, you should either use Firebug for Mozilla or use view source and search for HTTP links. If you find any, most likely you have to search in the files and make more replacements.
Switch WordPress Admin to HTTPS
This one is easy: edit wp-config.php and add:
define('FORCE_SSL_ADMIN', true);
just after
define('WP_DEBUG', false);
Redirect all WordPress links to HTTPS via .htaccess
If everything is working, we should let Google know we moved all the pages from http to https via a 301 redirect. To do so, edit the .htaccess file you can find in the WordPress root folder and add the following lines just before </IfModule>
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Check site for mixed content automatically
What if there are still pages with mixed content that you didn’t notice? The good news is that the guys from www.bram.us made a script that checks all the pages from your site for mixed content in the background. Let’s install it and see the output.
First you should install curl on your server (if it’s not there already)
sudo apt-get install curl
Then restart Apache with sudo service apache2 restart
Install PHP5-curl with
sudo apt-get install php5-curl
and restart Apache again.
To install the bramus script, there is an additional step – you should install composer and make it available globally:
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
and add the directory for globally installed packages to your PATH:
sed -i '1i export PATH="$HOME/.composer/vendor/bin:$PATH"' "$HOME/.bashrc"
source $HOME/.bashrc
Let’s install the bramus script (you can find more details here):
composer global require bramus/mixed-content-scan:~2.8
Now we can run the script and save the links reported as mixed content to a file:
mixed-content-scan https://www.yoursite.com/ --output=./mixed-results.txt
If any links are reported, well, that’s more work for you!