SEO

HTTPS Everywhere

Recently I've made the decision to switch Paulund onto HTTPS. I've been thinking about this decision for a while now, ever since Google announced that HTTPS is going to be added as a ranking signal back in August 2014.

HTTPS as a ranking signal

The reason they decided to add this as a ranking factor is mainly security. When you add HTTPS to your website you need to first purchase an SSL certificate for your website, in doing so you're giving away the information about either your company or website to be verified so that you're granted the SSL certificate. As there is no entry criteria to having a website an SSL certificate is some form of verification that you are who you say you are. This means that if your website has an SSL certificate it makes your content slightly more reliable than a website that doesn't.

Google recognised this and wanted to start a movement called HTTPS everywhere. I can see the benefits of having your site on HTTPS but because there is some extra work needed to make your site HTTPS and an additional cost they realise that many people won't move their site over to HTTPS. So Google needed to give some form of incentive to moving your site over and this is why it's now been added to the search engine rankings. If web owners get a little boost by going HTTPS then it's worth them to move over.

I hope to follow this post up in a couple of months to show you if switching to HTTPS has made an impact to my search engine rankings either positive or negative. Search rankings for Paulund have been quite consistent over the past couple of months so I will be able to know if HTTPS has made any sort of impact.

In this article I'm going to go over the steps it takes for you to make your site HTTPS everywhere.

  1. Buy a SSL certificate
  2. Install the SSL certificate
  3. Force HTTPS in WordPress admin
  4. Redirect HTTP to HTTPS
  5. Change images/JS/CSS to use HTTPS

Where To Buy SSL Certificate?

You can buy your SSL certificate from many domain registers, personally I use reg-123 they are cheap, fast, have helpful support and for SSL certificates they have a wide range to choose from. Many over company only provide you with one type of SSL certificate to buy but reg-123 give you a choice of 4.

  • 123-SSL - £29.99
  • Domain SSL - £49.99
  • Organisational SSL - £69.99
  • Extended SSL - £249.99

SSL-reg

Buy A SSL certificate

The difference between these different levels is the validation checks that company goes through and to show their users the level of SSL certification they have. For example the most expensive level on reg-123 will do additional vetting checks on your domain and business to confirm that this business do in fact own this domain. This will guard against people buying close match domains and pretending to be you, for example you could buy a domain for paypol.com and pretend to be paypal.com but if you navigate to paypal.com you will see a greenbar appear in the address bar that will tell you what company this domain is assigned to and will allow you to find more information about the SSL certificate.

paypal-ssl

Now we know this domain is owned by PayPal Inc and will be safe to enter my credit card details as this will be going to paypal and not some copycat site.

Buy A SSL certificate

Install Your SSL Certificate

Once you have your SSL certificate you can now install this on your server. When a request is made for your website there will be an additional check on your SSL certificate to make sure it's correct and will allow you to securely connect to your website.

I could go through all the steps to install the SSL certificate for you but DigitalOcean have an excellent article where you can work through each step to install your SSL certificate.

How To Install An SSL Certificate

Force HTTPS in WordPress admin

As Paulund is built on WordPress I needed to first make sure that we force the admin area to use SSL, so any URL that is in the admin area will automatically be redirected to SSL. To do this you simply need to add a setting into your wp-config.php file.

define('FORCE_SSL_ADMIN', true);

When you have this working then you can focus on the rest of your site.

Change HOME URL and SITE URL In wp-config.php

WordPress gets the URL of your site from the settings in the wp_options table these settings are home_url and site_url. When before you were on HTTP these URLs will look something like

http://example.com

This value is used anywhere in your theme where you're linking to something using the home_url() function. When we switch to HTTPS we need to change these to HTTPS so that all your links on your theme will point to the correct protocol.

To change the home url and the site url you can either change these values in the database or override these by value with additional wp-config.php settings.

define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');

Relative Protocol URLs

When you switch your site from HTTP to HTTPS all of your images, CSS files JS files that are still on HTTP will not load in the browser as they are defined as unsecure so you need to change these assets to be HTTPS.

But you can simply replace http:// with // this way the browser will pick up the relative protocol of the page and load the assets with this.

<img src="//example.com/image-1.jpg" />

Change Images To Relative Protocols In WordPress

If you're using WordPress then you can use the following MySQL query to go through your existing content and change the images to relative protocols.

UPDATE wp_posts 
SET    post_content = ( Replace (post_content, 'src="http://', 'src="//') )
WHERE  Instr(post_content, 'jpeg') > 0 
        OR Instr(post_content, 'jpg') > 0 
        OR Instr(post_content, 'gif') > 0 
        OR Instr(post_content, 'png') > 0;

Search And Replace Custom Meta

If you have URLs in your post custom meta data then you can use the MySQL query below.

UPDATE wp_postmeta 
SET meta_value=(REPLACE (meta_value, 'iframe src="http://','iframe src="//'));

Force HTTP To HTTPS In .htaccess

If you're using apache then you need to add the following to your htaccess file so that any requests to your website on HTTP will be redirected to your domain on HTTPS.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://paulund.co.uk/$1 [R,L]
</IfModule>

Force HTTP To HTTPS In NGINX

If you're running on Nginx then you can add the following to your site config this listens for any requests coming to your site on port 80 with is HTTP, then will redirect the user to the request page on HTTPS.

server
{
        listen 80;
        server_name paulund.co.uk www.paulund.co.uk;
        rewrite ^/(.*) https://paulund.co.uk/$1 permanent;
}

SSL Gotcha

When you're looking to change over to HTTPS you need to look out for these small but common mistakes.

First you need to make sure the port 443 is open on your server firewall if this is closed it will block all requests on this port and nothing will show on your website.

When registering your SSL certificate you need to set a common name for your website which will normally be your domain so example.com. This must also match your server name you give in your server configuration, therefore if your website uses www. subdomain then make sure you register the SSL certificate with www.

Conclusion

I hope to follow up this post in a couple of months with an SEO article to see if moving to HTTPS has improved the search ranking of the website. If it hasn't then at least Paulund is going to be ready for HTTP/2 so if you want to get ahead of curve why not switch your site to HTTPS today, start by getting your a SSL certificate.

Buy A SSL Certificate

Back to top

Fastest WordPress Hosting With WPEngine

Stunning speed, powerful security, and best-in-class customer service. At WP Engine.

Risk free for 60 days