Enabling HTTPS in WordPress

An Upsurge in HTTPS Adoption

I recently had a few calls to help designers enable HTTPS (SSL / TLS) on WordPress sites.

Recent advances in free and self maintaining SSL certificates such as Lets Encrypt have opened up the use of secure connections to site-owners, web-masters and site-builders who are not developers or network administrators. These tools make obtaining and enabling the SSL protocols much easier and cheaper than it was in the past. Many hosting plans, e.g. SiteGround, now include SSL as a standard feature and include tools to enable SSL for your site.

I’m not going to discuss the benefits of SSL and HTTPS, that has been covered extensively elsewhere. Nor am I going to try to convince you to convert, if you are here you are probably already deep into a conversion and possibly wondering if it was a bad idea. It isn’t a bad idea, but it can be tricky.

The Problem

Telling WordPress to use HTTPS is easy if you are building a new site, but doesn’t quite work on an existing site. There are numerous resources that will tell you to just set the WP Address and Site Address values in Settings and you’re done. This will work if you don’t have any page links in your content or any images or documents. It’s a rare one page site that doesn’t have these.

WordPress uses fully qualified URLs for links within the site, so an image source is likely to be

http://example.com/wp-content/uploads/2017/05/my-photo.jpg

WordPress will attempt to fix these, but doesn’t get them all. This will cause the dreaded “mixed content” warnings and turn off the lock badge after you convert to HTTPS. These need to be converted. Such links can be found in the database and in the theme’s CSS files.

Some articles suggest using a search and replace to fix these. That won’t work if any of them are inside “serialized data”, you should use a plugin like WP Migrate DB, Backup Buddy or the Interconnect/IT Search and Replace that understands that format.

The Process

This process assumes you are comfortable editing system files like .htaccess and wp-config.php, making database backups and importing a database from a backup as well as WordPress maintenance tasks. No programming skills are needed.

  1. put your site in maintenance mode, this is especially important if you have e-commerce since you don’t want to lose orders when you import the database
  2. backup the database, I use the WP Migrate DB plugin, but this could be done with PHPMyAdmin or mysqldump
  3. backup the wp-config.php file
  4. backup the .htaccess file
  5. backup any .css files that have http: in them
  6. set the WP Address and Site Address values in the settings
  7. create a new database with the same user access as the existing database, you can find the database name in the wp-config.php file.
  8. convert the database to use HTTPS. This can be done using WP Migrate DB by setting the URLs to change http to https.
  9. import the converted database dump into the new database. You now have two databases, one with http and one with https.
  10. change the DB_NAME value in wp-config.php to use the new database
  11. add the line
    define('FORCE_SSL_ADMIN', true);

    to the wp-config to force the admin to always use HTTPS.

  12. save the wp-config.php
  13. add the rewrite rule to .htaccess
    # force https for all pages
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

    This is the simplest version of the rewrite and will apply https to all URLs within the site. If you have subdomains that won’t be using HTTPS yet you will need a more complex rewrite condition that tests for the main domain.

  14. test the site looking for mixed content messages
  15. fix any CSS files manually
  16. remove the maintenance mode

If you follow these instruction carefully you will have a fully converted site and sufficient backups to revert to HTTP easily. Best of luck and happy encrypting.

An Alternative Approach

If your courage and skill set are a bit more advanced there is a quicker, but slightly more hazardous way to do this. It involves a different set of database tasks.

  • back up the database
  • install interconnect/it Search and Replace in a folder on your hosting
  • read the Search and Replace documentation!
  • navigate to YourSearchReplaceFolder on your site to update the database in place.