Creating an SSL Deployment Strategy for Your WordPress Website
Since January 2017, Google has stepped up its enforcement of “HTTPS everywhere” by identifying websites that don’t have an SSL certificate as unsafe.
To make matters worse, the search giant has also changed its algorithm to give a slightly higher page rank to websites that have an SSL certificate installed.
If you haven’t yet made the transfer on your WordPress website, don’t stress! This simple SSL deployment strategy will help you get your WordPress website within good standing in Google Chrome without impacting your SEO.
What is SSL?
SSL stands for Secure Socket Layer. It comes with a verification that either the company and/or the domain is owned by a legitimate company or registered appropriately with a domain registrar. It essentially places a layer of code inside the root directory that encrypts the transfer of data from the web server to the web browser and vice-versa. It tells your website visitors that the information they submit through your website is done so in a protected manner.
Designate the Timing for Transfer
Keep in mind that adding an SSL certificate to your website will ultimately change your website address from http://www.yourdomain.com to https://www.yourdomain.com; so thinking through the deployment timing may be a critical step.
For example, if you are running a robust ad campaign currently driving traffic to your website, you might not want to pull the trigger on making the switch to SSL until the campaign is complete so you don’t impact your results.
Communicate the Change Effectively to Everyone
If you’re a developer, making sure your client is aware of how this will impact their backlinks is also important in the event they have upcoming events or online activities in planning. Additionally, making sure they’ve communicated this with their social media manager will also make sure that all scheduled article links to their website will be updated appropriately.
Take a Quick Backlink Inventory
Backlinks are an important part of your SEO strategy so you don’t want to lose them. Using a visual navigation of your website and your analytics, I recommend taking a look at your referral links for the past year. Those with the highest ranking should be verified after the SSL implementation. Anything that doesn’t work, reach out the site owner and suggest they check their links.
You’ll also want to make a list of third-party accounts that may need updating including social media accounts, email signatures or email marketing templates
Determine the Type of SSL You Need
There are several types of SSL certificates.
Extended Validations (EV) and Organizational Validation (OV) certificates require a background check on the company to validate they are in good standing with proper authorities. These imply a higher level of security based on the validation of the company’s information. They do require more paperwork and are often more expensive than others.
Domain Validation (DV) are the more commonly used SSL certificates and are also less expensive. It simply validates that the domain and email used to register the domain are valid.
Wildcard Validation and Subject Alternative Name (SAN) are options you’ll consider if you have multiple domains to secure. Wildcard Certificates cover one website and all subdomains (i.e. yourdomain.com; yourdomain.store.com) Subject Alternative Name SSL’s allow you to protect multiple websites (i.e. youdomain.com, yourdomain.net, yourdomainshop.com)
Buy Your SSL and Let Your Hosting Company Install
You can buy your SSL directly from an SSL provider; however, installing it on your own can be tricky. I personally recommend buying your SSL from your hosting provider. They will likely install it for you for free which saves you time and trouble. Once installed, there are other actions to take to get WordPress to display your pages correctly through Chrome.
For more information on where to buy an SSL certificate, check out our post The Top 5 Most Popular SSL Certificate Authorities Reviewed.
If you’re interested in using Let’s Encrypt’s free SSL service, you can read more in Install Fast and Free SSL and HTTPS in cPanel with Let’s Encrypt.
And we explain how to use your SSL on a Multisite network in our article How to Use One SSL Certificate for Your Entire Multisite Network.
Installing Your SSL Into WordPress
Before going any further, it is highly recommended that you take a complete back-up of your site files and database for recovery if needed.
Step #1: Add the “S”
Go to the General Tab and change the URL in both the “WordPress Address” and “Site Address” fields have “s” in the address.
Note: doing this will likely lock you out of your website, but don’t panic! We’ll fix that.
Step #2: Update .htaccess File
Go to the Server and find the .htaccess file in the root domain. Before doing anything further, copy all the content in your .htaccess file and save in a text file to create a manual “restore” document if needed. When done, enter the following command before the
# Begin WordPress statement and save changes.
1.6 million WordPress Superheroes read and trust our blog. Join them and get daily posts delivered to your inbox - free!
Note: Be sure to update the primary domain name with your domain name!
Step #3: Update wp-config.php
While still on the server, in the root domain file, find the wp-config.php file. Just like earlier, I suggest copying the page content and creating a Notepad manual restore document. Just above the
That’s all, stop editing! (about line 70) add the following line:
Note: If at this point you get an error regarding “This Site Can’t Be Reached” you may need to check the IP address in the “A” record of the domain as the SSL is issued to a specific IP address. If it is different than what was previously entered on the “A” record, then it will need to be updated. If you don’t know what the correct IP address should be, call the hosting company that sold or installed the SSL.
Step #4: Check How Page Displays in Browser
If everything works, you’ll have the green lock; however, what happens more often is you see the “https:” but not a green lock. This likely means you have “Mixed Content” error which means that some links displaying as “http:” and others “https:” on your website.
To identify what links are specifically reporting wrong, use Google Developer Tools from your browser’s Settings menu.
Step #5: Fix Mixed Links
The easiest way I have found to do this is to install the Velvet Blues Plugin. In one simple step, it will change all your internal domains from “http:” to “https:” including pages, posts and media links. It will not, however, change the links in your widgets or theme settings (like the logo in your header, or links in your footer.) These will have to be changed manually.
When done, recheck the page in Google. Continue to update links that report in Developer Tools until all errors are resolved.
Step #6: Critical Actions to Maintain SEO
- Go to Webmaster Tools (or equivalent) in your browser (Google, Bing, Yahoo, Safari, etc.) and update your sitemap link. You may have to delete completely and resubmit.
- In Google Search Console, be sure you have a property listing for each potential version of your domain (http://yourdomain.com, http://www.yourdomain.com, https://www.yourdomain.com, and https://www.yourdomain.com). If not there, then add what’s missing.
- Create a SET and add a new member (each of the four properties created above). This will group all of your properties in one analytic report; however, you should still watch these properties individually for any errors that may arise.
Step #7: Cleaning Up Loose Ends
- Activate your SSL Validation Link and download banner from SSL provider to display in Footer showing your website is “Secure”.
- Deactivate and Delete Velvet Blues Plugin. For security reasons, it’s not a good idea to leave unused plugins active on your website.
- Update Backlinks. Circling back to your backlink inventory taken earlier, check some of the site links and make sure they’re working. If not, they need to be updated.
Congratulations! Your site should be SSL ready with minimal impact to your SEO!
Just make sure your SSL stays active through your annual renewal because forgetting and failing to renew your SSL each year will result in your “Secure” status changing.
This presentation was also video recorded at the St. Louis WordCamp and published on WordPress.tv.