In almost all cases, you ought to use https instead of http for your website. To do this, you’ll need to add an SSL certificate to your website. It’s not a particularly difficult process, but there are a few steps to take, especially if you want to avoid errors and reduce the chance of losing search engine rankings.
In this post, I’ll cover the advantages and disadvantages of SSL, as well as the steps you should follow to properly set up your WordPress site with an SSL certificate.
Advantages of Switching to SSL
- Appearance of trust. Some web browsers, such as Chrome, show “not secure” warnings for sites that are not on https, especially on any pages containing forms, like contact forms or email opt-ins. Eventually, all browsers are expected to follow suit.
- Ability to take payments. Most payment services that process payments on your site, such as Stripe, require you to be on https.
- Better SEO. SSL is a long-term ranking factor. Google has actually been penalizing non-https sites for some time now. However, you might notice a temporary drop (see #1 in Disadvantages below).
- Improved security. An SSL certificate encrypts the data transmitted between your site and your visitors’ browsers, which is important for security and compliance. However, it’s a misconception that simply installing an SSL certificate makes your site secure. It won’t block hacking attempts, and it’s not a substitute for security, regular maintenance, and following best practices.
Disadvantages of Switching to SSL
- Temporary SEO loss. Sometimes, you’ll see a temporary drop in rankings and search traffic because the URLs are changing. It’s not uncommon to see something like a 30% drop in organic traffic for a few months. Google claims to not penalize sites for switching to https, but that doesn’t seem to be true for most people who have made the switch. It’s commonly accepted that any time you redirect a URL, you lose a little bit of PageRank, and in this case, you’re redirecting every page on your site from http to https. However, in the long term, switching to https should be better for your SEO, so it’s usually worth taking care of it earlier rather than putting it off until later. If you follow the best practices and set it up correctly, that should reduce or eliminate the negative impact.
- Social share counts. Social shares are tied to the URLs, so you’ll “lose” all of your official share counts for each page. They are associated with the URL, and the URL is changing from http to https, so the new https URL will have zero share counts. The official share counts are recorded by the social sharing platforms, and you can look them up at SharedCount. If you’re using a social sharing plugin that displays the social share counts, and you have a lot of shares, then this is something worth considering. You may want to hide the counts permanently, or temporarily until they go back up to a reasonable number to display.
- Referrer data. If you have any advertisers or affiliates that you’re linking out to, and they are an http site and require referrer information (i.e. in Google Analytics), they won’t be able to identify traffic coming from your site. To get around this, you can add an extra meta tag to allow referrer data to pass from https to http (<meta name="referrer" content="unsafe-url" />). Keep in mind that unsafe-url sends the full URL of the referring page, including its path and query string, to every site you link to, even over unencrypted http. This tag is also not supported by all browsers (mainly IE and Opera Mini). According to Can I use…, you’ll get about 74-94% coverage globally. Another option is to add UTM parameters to the URLs linking to your advertisers and affiliates, so they can identify the traffic as coming from your site.
Types of SSL Certificates
There are three main types of SSL certificates: domain validation, organization validation, and extended validation.
- With a domain validation or organization validation SSL certificate, you’ll get a padlock icon in the browser address bar. A domain validation certificate is easy to get and does not require paperwork for verifying a company or organization.
- An organization validation certificate is similar to domain validation, but it does require some paperwork. The higher level of verification means it’s more trustworthy, though there’s not a noticeable visual difference in the browser address bar between domain validation and organization validation certificates.
- An extended validation certificate gives you the green bar with your company name in the browser address bar. It’s the most trustworthy certificate, but it will cost more, and you’ll need to go through more paperwork.
How to Set Up SSL with WordPress
First off, it’s possible to only make some pages on your site use https. However, that can get complicated, depending on what you want to do. In most cases, you’ll be better off making everything https, and that’s what I’m covering in this post.
Most hosts offer free domain validation SSL certificates with Let’s Encrypt and an easy way to install them. With managed hosts like Flywheel or WP Engine, usually it’s just a couple of clicks and filling out a short form. With other hosts, you may need to go through more steps. And if you want a different SSL certificate than Let’s Encrypt, then you’ll typically need to purchase it from a third party and go through the appropriate steps with your host to get it installed.
Once your SSL certificate is installed, you’ll want to do the following:
- Change your site URL to the https version. This can be done in your Settings > General menu in WordPress, or via your database.
- Force SSL / redirect http to https. If you’re using a managed host, there’s usually an option in your hosting account dashboard. On a shared or cPanel host, you’ll typically need to add code to your .htaccess file. If you do it this way, make sure they are 301 (permanent) redirects. If you don’t do this step, you could end up with duplicate content issues (which can cause an SEO penalty).
- In your database, replace http URLs to your site with https. It’s important to do a serialized search and replace. WordPress, themes, and plugins sometimes store data in serialized arrays, where a simple find and replace could make the array unreadable, and potentially break the page or your whole site. I recommend using the Better Search Replace plugin to do serialized searches and replaces.
- Check your pages to make sure the padlock icon appears in the browser address bar. If you have a lot of pages, you may want to just spot check key pages. If the padlock icon doesn’t appear, you might get a “Not Secure” message, or worse, a message saying the site may be compromised. You can use the free Why No Padlock? site to help diagnose broken pages.
- Update external services to use the https URL. For example, you’ll need to update your Google Analytics property with the https URL, or set up a new property with the https URL. If you’re using Search Console, you’ll have to set up a new property. Some services may continue to work properly, while others won’t recognize the http to https redirect, so it’s best to be safe and update them all.
- Update incoming links to your site to the https version. Existing links to the http version of your site can be redirected to the https version, so they’ll still work and pass PageRank, but since they go through a redirect, you’ll lose a little (as mentioned above). It also takes slightly longer to reach the site each time you go through a redirect, even though the delay may not be noticeable. You may not have control or influence over many of your incoming links, but I recommend you change the ones you do have control over, such as social media profiles, services that read your website feeds like podcast directories, links to your website in email marketing services, and links to your website in email signatures.
- Remember when adding new links. After you make the previous updates, you’ll want to remember to use the https links going forward, both when adding new incoming links to your site and adding internal links on your own site. Browsers consider any http links from your own site to another place on your own site to be “mixed content” and will show a security warning. WordPress seems to automatically fix some instances, but it may not catch them all.
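Why the database step above calls for a serialized search and replace, as an added Python example (not from the original post and not the Better Search Replace plugin's code): PHP's serialized strings carry a byte-length prefix, so changing http to https without updating that prefix leaves data that no longer parses. The function names, the example.com URLs and the sample option value are assumptions made for the illustration.

```python
# Added example (not plugin code): names are hypothetical, SAMPLE is constructed; PHP objects (O:) are not handled.

def php_str(body: bytes) -> bytes:
    """Encode a PHP-serialized string; the prefix is the length in bytes."""
    return b's:%d:"%s";' % (len(body), body)

def walk(b: bytes, i: int, old: bytes, new: bytes):
    """Re-emit the value starting at offset i; return (bytes, next offset)."""
    tag = b[i:i + 1]
    if tag in (b"N", b"b", b"i", b"d"):              # N;  b:1;  i:300;  d:0.5;
        end = b.index(b";", i) + 1
        return b[i:end], end
    colon = b.index(b":", i + 2)                     # end of the length/count field
    n = int(b[i + 2:colon])
    if tag == b"s":                                  # s:<len>:"<bytes>";
        start = colon + 2
        if b[start + n:start + n + 2] != b'";':
            raise ValueError("length prefix does not match string at %d" % i)
        return php_str(b[start:start + n].replace(old, new)), start + n + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        pos, parts = colon + 2, []
        for _ in range(n * 2):
            part, pos = walk(b, pos, old, new)
            parts.append(part)
        if b[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at %d" % i)
        return b"a:%d:{%s}" % (n, b"".join(parts)), pos + 1
    raise ValueError("unsupported type %r at %d" % (tag, i))

def rewrite(blob: bytes, old: bytes, new: bytes) -> bytes:
    out, end = walk(blob, 0, old, new)               # replace inside strings, fix prefixes
    if end != len(blob):
        raise ValueError("trailing bytes after value")
    return out

def is_well_formed(blob: bytes) -> bool:
    try:
        rewrite(blob, b"\x00", b"\x00")              # identity rewrite: parse only
        return True
    except ValueError:
        return False

OLD, NEW = b"http://example.com", b"https://example.com"
SAMPLE = (b"a:2:{" + php_str(b"logo") + php_str(OLD + b"/wp-content/uploads/logo.png")
          + php_str(b"width") + b"i:300;}")

if __name__ == "__main__":
    print("naive replace parses:", is_well_formed(SAMPLE.replace(OLD, NEW)))
    print("aware replace parses:", is_well_formed(rewrite(SAMPLE, OLD, NEW)))
```

The naive replace leaves the prefix at 46 while the string has grown to 47 bytes, which is the kind of unreadable array the step warns about.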