Back in 2014, Google made the announcement that HTTPS was officially a ranking factor for Google search. That one little decision took HTTPS from “thing that only eCommerce stores need to worry about” to “something every WordPress user should implement if they want to maximize their search rankings”. But as important as it is, WordPress HTTPS is, thankfully, also surprisingly easy to implement. Here’s how to add WordPress HTTPS to your website.
In this post, I’m going to show you exactly how to add HTTPS to WordPress using a live production site. I’ll cover everything from implementing HTTPS on your WordPress site to updating Google Analytics and the Google Search Console.
7 steps to move your WordPress site to HTTPS
Step 1: Add WordPress HTTPS by installing your SSL certificate
We’ve already discussed some sources for cheap WordPress SSL certificates, so you might want to take a quick detour there if you’re not sure where to get started. Because SSL certificates are what get you the HTTPS connection for your WordPress site, the two terms will be used interchangeably in this article.
If you’re using shared hosting, the easiest SSL certificate for you to implement is Let’s Encrypt. As Sufyan discussed, Let’s Encrypt certificates have the advantage of being both free and widely supported by hosting providers.
That second point is essential, because unless you’re hosting your WordPress site on a dedicated server, you’ll need your host’s support to install an SSL certificate.
So, to get your Let’s Encrypt SSL certificate installed, I recommend you contact your host’s support or consult their knowledge base. Unfortunately, I can’t give you exact instructions because the specific process will vary depending on your host.
For example, with SiteGround I just need to click one button in my cPanel, but your host might be different:
Once your SSL certificate is installed, you can verify that it’s active by going to
https://yourdomain.com. If the certificate is properly installed, you should see something like this:
Google is telling you that the SSL certificate is active, but the connection still isn’t 100% private due to some issues we’ll fix in the next step.
On the other hand, if your WordPress HTTPS is not properly installed, you’ll encounter something like below and will need to contact your host:
Step 2: Install and configure the Really Simple SSL plugin
Remember how I said you need to fix some issues to make your SSL certificate function properly? The Really Simple SSL plugin is the easiest way to do that.
Google gives that “connection is private BUT” warning because your WordPress site still includes images or other media which are inserted using the regular
http:// URL, rather than your new
https:// URL. To fix the issue, you need to go back and update every single image link to
Luckily, you don’t need to do that manually. The Really Simple SSL plugin will handle that for you. The plugin will also make two other important changes:
- It updates the URL for your site to HTTPS in the WordPress settings.
- It adds a 301 redirect to send all human and search engine traffic to the HTTPS versions of your pages. This is essential to avoid a potential duplicate content penalty in Google.
To handle all of this, install and activate Really Simple SSL.
After the activation, you should see a popup like this:
Click Go ahead, activate SSL! After clicking the button, you’ll likely get signed out of your dashboard and be asked to sign in again. Don’t worry – this is a natural consequence of changing your WordPress URL from HTTP to HTTPS. Just sign in again with your normal username/password.
You should see that the URLs in your General Settings now have HTTPS:
To make sure all the other SSL settings were properly updated, go to Settings → SSL. You should see green checkmarks next to all the settings:
Step 3: Verify WordPress HTTPS success on the front-end
Now, you should go to the public parts of your site and verify two things:
First, make sure that if you enter your URL as
http://yourdomain.com, it automatically redirects you to
Then, make sure that you see the “green padlock” on all of your site’s pages. If you’re using Google Chrome, it should look like this:
Step 4: Update your site’s URL in Google Analytics
To keep your stat tracking accurate, you need to change your URL in Google Analytics from HTTP to HTTPS. To do that, go to Admin → Property Settings. Then, change the dropdown from http:// to https:// under the Default URL setting:
Make sure to save your settings. The tracking code you added to your WordPress site will stay exactly the same, so you don’t need to update anything beyond this page.
Step 5: Create a new property in Google Search Console
Unfortunately, if you’re using Google Search Console, you can’t just simply change the URL for your site. So, to create an updated property, you’ll need to create a new version for HTTPS. Go to the Google Search Console site and click Add Property:
Notice how I have two versions for my portfolio site? That’s because I recently switched it to HTTPS.
Follow the steps to add your site. You should also add a sitemap for the HTTPS version of your site:
Once you’ve added the HTTPS version of your site, everything about Search Console will function just like before.
Step 6: Update CDN URL to HTTPS
If you’re using a CDN (content delivery network), you’ll likely need to update your URL in your CDN settings as well. Because the exact process will depend on the specific CDN you’re using, I can’t give you specific instructions.
You should contact your CDN or review your CDN’s support documents to determine if/how you can update your URL to HTTPS.
If you have no idea what a CDN is, you can totally ignore this step!
Step 7: Update any links you control to HTTPS
If you link to your WordPress site from any social media profiles or other external sites, you should update all of these links to point to the HTTPS version of your site. You can also email any friendly webmasters who link to you and ask them to update the URL to your site.
This isn’t an absolute necessity because the Really Simple SSL plugin added 301 redirects to automatically send HTTP traffic to HTTPS. But, it is a best practice, and eliminates the need for redirects.
If you want to force SSL and HTTPS on your WordPress admin area, you can add the following line in the wp-config.php file:
Will switching to WordPress HTTPS cause a temporary rankings dip?
Google has been pretty clear that SSL is a positive ranking factor. But, some people are worried that the actual process of switching to WordPress HTTPS might cause a temporary rankings dip.
I only recently decided to add WordPress HTTPS for my site, so I can’t say whether it will affect organic rankings from firsthand experience (Google hasn’t re-crawled my site yet). But I have read quite a bit about the subject and the general consensus seems to be that there is no significant temporary rankings dip. As far as URL changes go, this is a pretty minor one, and one that Google can easily understand.
If you have any further questions about how to add WordPress HTTPS, let me know in the comments, and I’ll try to help!