How (and Why) to Redirect HTTP to HTTPS for WordPress

HTTP and Security

As early as 2014, Google announced that they would be making HTTPS a ranking signal.

Then, in 2016, with an interest in protecting personal information—such as credit card details and passwords—Google announced that they would require websites to have an HTTPS connection—effective as of the update of Chrome 56.

Websites that do not comply with this are now marked as ‘Not Secure’ on Chrome, which puts the non-compliant website at a distinct disadvantage. When Google tells searchers that a website is not secure, this can be understandably off-putting. In addition, website usability becomes compromised if you have yet to redirect HTTP to HTTPS because visitors may have to take additional steps to access the website’s content (by dismissing Google’s warning and clicking through anyways).

Before helping you understand how to redirect HTTP to HTTPS, let’s dive deeper into why Google is making such a big deal about HTTPS.

HTTP vs HTTPS: Defining the Difference

First, let’s focus on defining the difference between HTTP and HTTPS.

HTTP (hypertext transfer protocol) and HTTPS (secure hypertext transfer protocol) are both transfer protocols. These are languages that serve as the foundation of data communication for the world wide web. Web browsers and web servers use these languages to pass information between each other.

Whenever you visit a website, there is an exchange of data between the server and browser.

If it isn't secure, anyone who knows how to can hack and ‘read’ (or observe) the data exchange between your website and your visitor’s devices. This poses a threat to websites that collect sensitive information, such as passwords, social security numbers, and even financial information.

Although HTTP and HTTPs seem similar enough, it’s important to know the difference between the two. Here’s how it all boils down: HTTPS is secure, while HTTP is not.

The websites that have made the move to redirect HTTP to HTTPS appear with a padlock on the browser bar before the URL. Sometimes, this is even accompanied by the name of the company.

HTTPS Example

 

Essentially, HTTPS is just a version of HTTP—but with the addition of a Secure Sockets Layer (SSL) technology. SSL represents yet another internet protocol that was developed to make certain online transactions safer: especially those that require the transfer of sensitive information.

SSL encrypts the data being transferred by changing the plain text data into a series of random letters and numbers. This makes it harder to understand the sensitive data that hackers may be trying to access. Essentially, it provides an established and secure link between both browser and server.

Fun Fact: SSL is technically the protocol’s old name. This technology is actually correctly referred to as ‘Transport Layer Security’ (TLS)—but the name ‘SSL’ stuck.

Another difference between HTTP and HTTPS? HTTP operates on port 80, while HTTPS operates on port 443.

Redirect HTTP to HTTPs: Major Benefits

As mentioned, Google made HTTPS a ranking factor in 2014. This isn’t news but it’s worth mentioning again because Google clearly has been pushing webmasters to redirect HTTP to HTTPS for a long time!

Furthermore, when you redirect HTTP to HTTPS, the results speak for themselves. Brian Dean of Backlinko conducted a study of over 1 million websites and found that HTTPS websites rank higher on the first page of Google’s search engine results.

Though HTTPS is just one of over 200 ranking factors that Google takes into consideration (and some ranking factors have much more bearing than this), securing your website through the use of HTTPS is beneficial in the way that it protects your visitors’ data. Whether or not you require sensitive information from users, their data and privacy is still your responsibility.

Additionally, having a secure website can help improve the user experience. Without SSL, some third parties might try to duplicate your website and add malware and ads, or even redirect users to a different website. In situations such as these, the SSL certificate also serves as authentication that the visitor is at the intended site.

Finally, when you redirect HTTP to HTTPS, you’ll also find your page load speed improved. Websites with SSL certificates load 334% faster than those without! This (page load speed) is yet another important Google ranking factor to be aware of.

Wondering if you are on the path to SEO success?

Find out using our Small Business SEO Checklist.

How to Move Your WordPress Website from HTTP to HTTPS

Before implementing a major change like this on your WordPress website, you first need to backup your website. This is necessary in case something goes wrong—it ensures that you have an up-to-date working version that you can return to.

Another word of caution: there may be some risk involved when changing your HTTP website to HTTPS through the changing of bandwidths or CPU cycles. Check with your web host before getting started to help facilitate the process!

Once you’ve done a little research and have backed up your WordPress website, it’s time to get your SSL Certificate.

Where to Get an SSL Certificate

Put simply, you can get an SSL certificate from a Certificate Authority (CA).

Despite the popular belief that SSL certificates cost a lot, you can actually get one for free via Let’s Encrypt. That said, these SSL certificates are only valid for 90 days and you’ll have to renew once that time period has passed. Furthermore, if you’re not super tech-savvy, the costs associated with hiring a web developer to install your SSL certificate is something you’ll want to factor into your budget to redirect HTTP to HTTPS.

Thanks to free and budget options, more than half of all websites are now SSL-encrypted. There are also premium options for SSL certificates that come with a much higher price tag, such as Symantec, which charges as much as $1495-$1700 per year.

One notable difference between free and premium SSL certificates is that with premium SSL certificates, you can display your company name after the green padlock on the browser bar, as such:

WordPress SSL

 

Ideally, your web host will offer to move your website to HTTPS, but some hosts don't support or offer this option.

When implementing SSL, you’ll also need:

  • A web server with mod_ssl that supports SSL encryption. Apache is a great option.
  • A unique IP address. This is what CAs use to validate the secure certificate.

If you aren't sure if you have access to either of these things, make sure to get in touch with your web host!

After getting an SSL certificate and making sure that your web host supports the SSL certificate, ask them to approve your SSL certificate. This will ensure that when your web pages are accessed by users with the https:// protocol, they actually hit the secure server.

Adding HTTPS to the WordPress Admin Area

After your SSL certificate is available to use, you’ll next want to change your WordPress admin area to HTTPS.

To do this, all you have to do is add this line of code to your wp-config.php file:

define ('FORCE_SSL_ADMIN', true);

The wp-config.php file is in the main WordPress folder (often called wp-content), which can be accessed through an FTP program.

Once that’s done, try accessing your website with https://yoursite.com/wp-admin instead of http://yoursite.com/wp-admin.

And finally, you’ll want to start building up/backing up your web pages that need to redirect HTTP to HTTPS. The process is more or less the same as your normal HTTP page building—just make sure that you link to HTTPS. This is especially important when using absolute link paths to other pages on your website.

Adding HTTPS to Your Entire WordPress Site

After being able to access your website’s admin area using HTTPS, you’ll next want to move your entire WordPress website to HTTPS.

You can do this by changing the website URL to https://. You can find (and change) your website URL in Settings > General.

Now that your website is using HTTPS, you have to redirect all of your links as such. You can do this using WordPress plugins such as Better Search Replace or Velvet Blues. These plugins will search through your WordPress database to find HTTP URLs, then replace them with HTTPS.

Again, make sure to backup your website before using these plugins in case you break something. Do a trial run with a handful of links to ensure that you’re using the plugins correctly!

A few additional considerations when you redirect HTTP to HTTPS:

  • Update your website’s internal links to absolute paths, including links to images, audio, web fonts or iframes, internal links, and external sources—CSS sheets, Javascript files, and documents.
  • Check code libraries.
  • Update HTTP URLs and settings on tools like Google Search Console and AdWords. Don’t forget to update your social media profiles, too!
  • Create 301 redirects for your HTTP links to HTTPS links. To do this, first allow your FTP client to show .htaccess files (since they are invisible by default). If you don't have this file, create a plain text file, rename it to .htaccess, and upload it to the WordPress root directory. Then, add the following lines of code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Note: Make sure that the pages aren't available on both HTTP and HTTPS, which can be cause for an SEO penalty.

After updating your information, recrawl your website to ensure that all your pages and resources return the 200 Successful Status Code.

Should there be any issues or problems, Google’s Search Console Help page offers up a comprehensive checklist to help you with any technical implications.

Final Thoughts: How (and Why) to Redirect HTTP to HTTPS for WordPress

HTTPS is the current standard in secure web browsing. For those that operate with this protocol, expect additional benefits that include better SEO, faster page load speed, and an improved user experience, overall.

WordPress users win when they redirect HTTP to HTTPS. It’s really not that difficult or expensive to do! But if you do get stuck, get in touch with the SEO experts at Pathfinder SEO.

Overwhelmed by SEO? Try a
guided approach.

Maddy Osman

Maddy Osman

Maddy Osman creates engaging content with SEO best practices for marketing thought leaders and agencies that have their hands full with clients and projects. Learn more about her process and experience on her website, www.The-Blogsmith.com and read her latest articles on Twitter: @MaddyOsman.