Creating an SSL Deployment Strategy for Your WordPress Website

Creating an SSL Deployment Strategy for Your WordPress Website

Since January 2017, Google has stepped up its enforcement of “HTTPS everywhere” by identifying websites that don’t have an SSL certificate as unsafe.

To make matters worse, the search giant has also changed its algorithm to give a slightly higher page rank to websites that have an SSL certificate installed.

If you haven’t yet made the transfer on your WordPress website, don’t stress! This simple SSL deployment strategy will help you get your WordPress website within good standing in Google Chrome without impacting your SEO.

The WPMU DEV site has been secured with an SSL certificate.
The WPMU DEV site has been secured with an SSL certificate.

What is SSL?

SSL stands for Secure Socket Layer. It comes with a verification that either the company and/or the domain is owned by a legitimate company or registered appropriately with a domain registrar. It essentially places a layer of code inside the root directory that encrypts the transfer of data from the web server to the web browser and vice-versa. It tells your website visitors that the information they submit through your website is done so in a protected manner.

Designate the Timing for Transfer

Keep in mind that adding an SSL certificate to your website will ultimately change your website address from http://www.yourdomain.com to https://www.yourdomain.com; so thinking through the deployment timing may be a critical step.

For example, if you are running a robust ad campaign currently driving traffic to your website, you might not want to pull the trigger on making the switch to SSL until the campaign is complete so you don’t impact your results.

Communicate the Change Effectively to Everyone

If you’re a developer, making sure your client is aware of how this will impact their backlinks is also important in the event they have upcoming events or online activities in planning. Additionally, making sure they’ve communicated this with their social media manager will also make sure that all scheduled article links to their website will be updated appropriately.

Take a Quick Backlink Inventory

Backlinks are an important part of your SEO strategy so you don’t want to lose them. Using a visual navigation of your website and your analytics, I recommend taking a look at your referral links for the past year. Those with the highest ranking should be verified after the SSL implementation. Anything that doesn’t work, reach out the site owner and suggest they check their links.

You’ll also want to make a list of third-party accounts that may need updating including social media accounts, email signatures or email marketing templates

Determine the Type of SSL You Need

There are several types of SSL certificates.

Extended Validations (EV) and Organizational Validation (OV) certificates require a background check on the company to validate they are in good standing with proper authorities. These imply a higher level of security based on the validation of the company’s information. They do require more paperwork and are often more expensive than others.

Domain Validation (DV) are the more commonly used SSL certificates and are also less expensive. It simply validates that the domain and email used to register the domain are valid.

Wildcard Validation and Subject Alternative Name (SAN) are options you’ll consider if you have multiple domains to secure. Wildcard Certificates cover one website and all subdomains (i.e. yourdomain.com; yourdomain.store.com) Subject Alternative Name SSL’s allow you to protect multiple websites (i.e. youdomain.com, yourdomain.net, yourdomainshop.com)

Buy Your SSL and Let Your Hosting Company Install

You can buy your SSL directly from an SSL provider; however, installing it on your own can be tricky. I personally recommend buying your SSL from your hosting provider. They will likely install it for you for free which saves you time and trouble. Once installed, there are other actions to take to get WordPress to display your pages correctly through Chrome.

For more information on where to buy an SSL certificate, check out our post The Top 5 Most Popular SSL Certificate Authorities Reviewed.

If you’re interested in using Let’s Encrypt’s free SSL service, you can read more in Install Fast and Free SSL and HTTPS in cPanel with Let’s Encrypt.

And we explain how to use your SSL on a Multisite network in our article How to Use One SSL Certificate for Your Entire Multisite Network.

Installing Your SSL Into WordPress

Before going any further, it is highly recommended that you take a complete back-up of your site files and database for recovery if needed.

Step #1: Add the “S”

Go to the General Tab and change the URL in both the “WordPress Address” and “Site Address” fields have “s” in the address.

Note: doing this will likely lock you out of your website, but don’t panic! We’ll fix that.

You need to add an "s" so your URLs begin with "https" instead of "http."
You need to add an “s” so your URLs begin with “https” instead of “http.”

Step #2: Update .htaccess File

Go to the Server and find the .htaccess file in the root domain. Before doing anything further, copy all the content in your .htaccess file and save in a text file to create a manual “restore” document if needed. When done, enter the following command before the # Begin WordPress statement and save changes.

Note: Be sure to update the primary domain name with your domain name!

Step #3: Update wp-config.php

While still on the server, in the root domain file, find the wp-config.php file. Just like earlier, I suggest copying the page content and creating a Notepad manual restore document. Just above the That’s all, stop editing! (about line 70) add the following line:

Note: If at this point you get an error regarding “This Site Can’t Be Reached” you may need to check the IP address in the “A” record of the domain as the SSL is issued to a specific IP address. If it is different than what was previously entered on the “A” record, then it will need to be updated. If you don’t know what the correct IP address should be, call the hosting company that sold or installed the SSL.

Step #4: Check How Page Displays in Browser

Browser Bar Display in Google Chrome

If everything works, you’ll have the green lock; however, what happens more often is you see the “https:” but not a green lock. This likely means you have “Mixed Content” error which means that some links displaying as “http:” and others “https:” on your website.

Clicking the (i) next to the domain name reveals the problem.

To identify what links are specifically reporting wrong, use Google Developer Tools from your browser’s Settings menu.

Step #5: Fix Mixed Links

The easiest way I have found to do this is to install the Velvet Blues Plugin. In one simple step, it will change all your internal domains from “http:” to “https:” including pages, posts and media links. It will not, however, change the links in your widgets or theme settings (like the logo in your header, or links in your footer.) These will have to be changed manually.

When done, recheck the page in Google. Continue to update links that report in Developer Tools until all errors are resolved.

The “Security” tab in Google Developer Tools reveals the mixed links.

Step #6: Critical Actions to Maintain SEO

  • Go to Webmaster Tools (or equivalent) in your browser (Google, Bing, Yahoo, Safari, etc.) and update your sitemap link. You may have to delete completely and resubmit.
  • In Google Search Console, be sure you have a property listing for each potential version of your domain (http://yourdomain.com, http://www.yourdomain.com, https://www.yourdomain.com, and https://www.yourdomain.com). If not there, then add what’s missing.
  • Create a SET and add a new member (each of the four properties created above). This will group all of your properties in one analytic report; however, you should still watch these properties individually for any errors that may arise.

Step #7: Cleaning Up Loose Ends

  • Activate your SSL Validation Link and download banner from SSL provider to display in Footer showing your website is “Secure”.
  • Deactivate and Delete Velvet Blues Plugin. For security reasons, it’s not a good idea to leave unused plugins active on your website.
  • Update Backlinks. Circling back to your backlink inventory taken earlier, check some of the site links and make sure they’re working. If not, they need to be updated.

Congratulations! Your site should be SSL ready with minimal impact to your SEO!

Just make sure your SSL stays active through your annual renewal because forgetting and failing to renew your SSL each year will result in your “Secure” status changing.

This presentation was also video recorded at the St. Louis WordCamp and published on WordPress.tv.

Julia Eudy
I hope you found this strategy helpful! Have you set-up your SSL? If you have other tips or recommendations, share them in the comments below.