Http to https: how to make sure your website is secure, right now

Those of you who are already on my email list or in my Facebook group have already heard, seen and read me bang on about the need to move your website from http to https as soon as possible. Here’s the post where I finally explain, once and for all, how and why you should make the move as soon as possible. Right now, in fact.

Http to https: moving to a safer web.

Back in 2014, Google expressed their desire – no, actually, it’s an order – for a safer web. They promised they would, and they’ve done it now: websites that don’t have an SSL (Secure Sockets Layer) certificate installed are named and shamed as ‘Not safe’. Any website that has the ‘http’ protocol is not secure. In order to be marked as secure, the protocol needs to move from http to https.

Until a while ago, this only really mattered for websites asking for sensitive information such as credit card details. As of March, however, Google have gone the whole hog: *any* website without a basic SSL certificate is marked as unsafe as soon as you visit it. It doesn’t look that professional to a website’s visitors.

Your connection to this site is not fully secure.
This is what it looks like when you don’t have an SSL certificate implemented: Google will bad-mouth you to the whole world wide web. They will tell everybody that you are simply not safe.

When you move the protocol of your website from http to https – where the S stands for secure – you will finally see the green padlock of smugness, and the word ‘Secure’. We are safe!

SSL explained, in plain English.

What exactly does installing the Secure Sockets Layer do for your website, besides changing the URL from http to https?

Here’s a quick and easy video explaining SSL, in clear and plain language. With many thanks to SSL.com for the video.

In a nutshell, here are the basic SSL facts stated in the video:

  • SSL (Secure Sockets Layer) instantly encrypts text, like passwords and credit card numbers, into data that only the user and the website they are using can decrypt
  • SSL also ensures that this data remains unchanged
  • SSL authenticates websites too
  • HTTPS + padlock = secure website
  • Peace of mind and trust from your visitors
  • SEO ranking nudge from Google

Who should get an SSL certificate?

The answer is: everybody. And sooner, rather than later. Make that move, my friends! Change http to https, right now. Why? Here’s why:

  • All sites without an SSL certificate are branded with the ‘i’ of shame by Google.
  • It’s annoying to be bullied by Google as usual, but after all, it’s for everybody’s safety.
  • It used to be expensive but now, thanks to the Let’s Encrypt project, anyone can get a basic certificate for free.
  • Google are dangling the carrot of an SEO boost to websites who implement an SSL certificate. There are thousands of other factors so you’re unlikely to notice any seismic shift in rankings and traffic. However, at least it’s a small boon.
  • Do it NOW if you have social share counts that you care about. Read on to find out why.

How to get an SSL certificate.

So, do you have an SSL certificate yet? Even if your website does bear the ‘i’ of shame, you probably have an active certificate without knowing it. Just ask your host. If you are with SiteGround, for instance, you definitely already have a certificate.

If you don’t have a certificate, it’s not that difficult to get one. Get yours for free via Let’s Encrypt.

Different types of SSL certificates.

There are different levels and types of SSL certificates. However, all types of certificates work following the same encryption principle. This means that your basic Let’s Encrypt certificate keeps your website and its visitors’ data as safe as any other. The levels mostly depend on the method used to validate the identity of the applicant. They don’t affect the security.

The free certificate offered by our friends at Let’s Encrypt is a domain validation certificate (DV) which is usually perfectly adequate for most websites’ needs.

If you have a multisite set up or a big organisation website, then check out this article explaining all the different types of certificates.

Next steps after getting your SSL certificate.

When you get your SSL certificate, or find out that you do have one already, you need to take a few more steps to make sure that everything works as it should.

1. Enable the certificate on your host.

Even if your certificate is already active, you still need to enable it. Most hosts make this step extremely easy. My host, Flywheel, had a button I could simply push – and the certificate was enabled, just like magic. SiteGround is another web host that provides the same service to its happy guests.

If you are with a different host, get in touch with support and get them to enable the certificate for you. If they are unhelpful, then just move to SiteGround. Or even better, talk to me and I’ll host you on my fabulous Flywheel plan so you never have to worry about it ever again.

Should all else fail, here is an article on how to get your SSL certificate and enable it, the DIY way. I think it might make you want to change hosts, if yours is not as kind as SiteGround or Flywheel.

2. Enable the certificate on your website.

From your WordPress website’s dashboard, go to the plugins’ page and upload and activate the Really Simple SSL plugin. This plugin makes sure that SSL is indeed enabled on your website. BEFORE you do this: make sure you back up your website. Just do it!

Really Simple SSL plugin activation screen

3. Fix ‘mixed content’ and rogue http links.

Hooray! You’ve moved from http to https. You’re safe! Now you want to make sure that your website’s URL is indeed showing as HTTPS and not HTTP.

There is always a small catch. Even though in theory this operation should have already been performed via the 2 steps above, when I visited my website after the push the dreaded ‘i’ was still there.

This can be for a number of reasons, explained quite clearly in this article. No panic! It’s an easy fix. You basically need to make sure that absolutely every single link and image in your database has a URL that starts with HTTPS and not HTTP.

You might be tempted to use a link-fixing plugin like for instance Velvet Blues Update URLs. But you might be disappointed by the results. For some reason (I suspect, database-related reasons) simple link-fixing tools won’t work.

The go-to plugin to perform this essential operation is Better Search Replace. This great tool performs a search and replace in your database, and it just works. All you have to do is insert http in the ‘Search for’ field, and https in the ‘Replace with’ field. Make sure that all the tables in the ‘Select tables’ field are selected.

If you are vaguely paranoid by nature, like me, you can do a ‘dry run’, which allows you to check the results before committing to the changes.

The dry run will probably return THOUSANDS of http links. This should not upset you, especially if you have a reasonably-sized website. On the contrary, it should reassure you: here’s the reason why you don’t have the green padlock you yearn for, and you’re about to fix it.

So after the dry run, throw caution to the wind. You’ve got a backup of your website anyway, don’t you? So why should you care? Go on and click the ‘Run Search/Replace’ button. After you’ve done that, go visit your website and refresh the page.

Miracle! The green padlock is now there.
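If the ‘i’ is still there, it helps to see exactly which resources a page still loads over plain http. The script below is an added example, not part of any plugin mentioned in this post: it scans a page’s HTML and lists only the URLs the browser actually fetches (scripts, stylesheets, images, iframes), ignoring ordinary links, which never cause the warning. The sample page and its example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch something. <a href> is
# navigation, not a load, so ordinary links never trigger the warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page; the example.com URLs are placeholders.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<a href="http://example.org/other-site">a plain link</a>
<img src="http://example.com/wp-content/uploads/photo.jpg"
     srcset="https://example.com/a-300.jpg 300w, http://example.com/a-600.jpg 600w">
<iframe src="//example.com/embed"></iframe>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        # <link> only loads a resource when it is a stylesheet (not rel=canonical).
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href", ""))
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                self._check("active", tag, value)
            elif (tag, name) in PASSIVE:
                self._check("passive", tag, value)
            elif tag in ("img", "source") and name == "srcset":
                # srcset is a comma-separated list of "url descriptor" entries.
                for candidate in value.split(","):
                    self._check("passive", tag, (candidate.split() or [""])[0])

    def _check(self, kind, tag, url):
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))


def find_mixed_content(html):
    """Return every subresource in `html` that is still requested over http."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

‘Active’ findings (scripts, stylesheets, iframes) are the ones browsers block outright; ‘passive’ ones (images, media) are what usually keeps the padlock away.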

4. Set up a 301 redirect.

What is this, I hear you ask? Well, moving your website from HTTP to HTTPS basically means changing its URL. You need to make sure that all search engines are notified of the change in your website’s URL. This is what a 301 redirect does.

The magic button on my Flywheel dashboard also took care of this essential issue: re-directing all HTTP requests to HTTPS via 301 re-directs, so I simply ignored this step. SiteGround also does the same.

In case your host doesn’t pay you the same favour, you can use a plugin such as Simple 301 Redirects. Or go the recommended way and redirect via htaccess. This might sound like science fiction if you are an average DIY WordPress user. In that case, just use the plugin or move to a nicer host that will do it for you.
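Whichever way the redirect is set up, it is worth checking that an http address really answers with a permanent redirect to the same page on https. The following is an added example, not code from any host or plugin named in this post; the function names and the example.com URLs are assumptions made for illustration. `fetch_redirect` asks the server without following the redirect, and `check_redirect` judges the answer.

```python
import http.client
from urllib.parse import urljoin, urlsplit


def fetch_redirect(host, path="/", timeout=10):
    """Request http://host/path without following redirects.

    Returns (status, Location header or None).
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(requested_url, status, location):
    """Return a list of problems; an empty list means the redirect is correct."""
    problems = []
    if status in (302, 303, 307):
        problems.append(f"{status} is a temporary redirect, not a permanent one")
    elif status not in (301, 308):  # 308 is the other permanent redirect code
        return [f"status {status}: the http URL is answered without a redirect"]
    if not location:
        return problems + ["redirect has no Location header"]
    src = urlsplit(requested_url)
    # A relative Location is resolved against the http URL, so it stays on http.
    dst = urlsplit(urljoin(requested_url, location))
    if dst.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query is not preserved, so old deep links break")
    return problems


if __name__ == "__main__":
    # Constructed answers for a placeholder URL; no network access is needed.
    url = "http://example.com/blog/post/?p=1"
    print(check_redirect(url, 301, "https://example.com/blog/post/?p=1"))
    print(check_redirect(url, 302, "https://example.com/"))
```

For a live site, pass the result of `fetch_redirect("yourdomain", "/some-post/")` into `check_redirect` along with the http URL you asked for.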

5. Inform Google of the change in your URL.

As said above, when we moved from http to https we changed the URL of your website. Therefore, you need to update the settings in your Google Analytics account, or it will track the wrong URL and you will get skewed data. Here’s a nice guide on how to do this, and not harm your website’s SEO rankings.

6. Update any other external links to your website.

This means your email signature, links to your website from your Facebook business page or personal profile, or from Instagram, or any other social media profile that has your website’s address.

Help! I’ve lost my social share counts!

A post I published in January got shared 172 times (and counting) in just a few days – which was GREAT.

But social shares are measured by URL. So, when you push your website from http to https – that counts as a new URL. And you lose ALL your beloved social share counts. On this lucky post as well as any other articles or pages that have been shared by your fans.

I knew that after pushing my website to HTTPS, I would lose the social share counts on the post as well as the others. I had quite a few with a nice reach. My fault, really: I’d had an SSL certificate for years, but had been too lazy to implement it until Google bullied me into it – and that happened just days after my most popular article to date.

I was sure that I couldn’t be alone in having this problem. In fact, many people out there would have a much bigger problem than mine. For sites who get thousands of shares, 178 shares are peanuts! However, I was a bit surprised to find out that there weren’t that many solutions out there. On the bright side, there ARE solutions, and here they are.

1. Open Graph meta tags

At the time, I was using the free version of the Sumo social share plugin. So I got in touch with their support to find out what the solution could be.

They were helpful and efficient, and responded by suggesting adding Open Graph meta tags on the site, which would fix the issue of potentially losing the share counts. It would be a matter of editing the open graph tags, and they had a guide for that.  There are also WordPress plugins that help manage meta tags, that I could have used.

In layman’s terms, this means that you tell the social share counts plugin to consider http shares for that page as well as https.

This could have been a satisfactory solution, and you are welcome to try it out if you are using Sumo.

However, although I liked the plugin for a number of reasons, it was actually slowing my site down a bit. So I decided to look for other solutions.

2. Https Social Migration Pro

This plugin was created by bloggers who had exactly my problem: in the effort to make their website secure, they had lost their social proof. So they went and developed their own plugin.

HTTPS Social Migration Pro, a plugin that recovers your social share counts when you move from http to https.

Which is an excellent idea: with Https Social Migration Pro you don’t have to change social share plugin, and it takes care of all issues.

However, at the time I looked (February 2017) their prices were way too high in my view: one domain $97, 2 domains $155 and up to 5 domains $340. I could have tried to absorb the price by finding enough clients or colleagues who wanted to fix their share counts issue. However, in the end I just thought that it wasn’t worth the hassle, and decided to move on and find something else.

Interestingly, I don’t think I was the only one that felt the price was too steep: they have since considerably scaled down the ask. Now one domain is $50, 2 domains $80 and up to 5 domains $175. If those had been the prices at the time, I think I would definitely have gone for it.

3. Social Warfare

I left HTTPS Social Migration Pro behind me, and went looking for more affordable alternatives in my quest to finally move from http to https.

I didn’t find many but I did find one: Social Warfare is a great, lightweight social share plugin with a free version and a premium version. The premium version costs $29 and it’s the one that we care about: it has tons of great features, but above all, it has an in-built social share counts recovery screen. I installed it, and it was super-easy to work out how to recover my precious shares.

Social Warfare: social sharing plugin for WordPress.

However, when I went to check my posts and pages after moving from http to https and having set up the plugin correctly, I noticed a marked decrease in the share counts. The post that had been shared 172 was down to 34.

So I got in touch with the excellent Social Warfare support guys, and they explained to me that the problem was squarely on Facebook’s and Twitter’s side: they have unfortunately changed their API (i.e. the app that makes them talk to other apps).

I decided that what mattered wasn’t the number now appearing in the share counts: no, the truly important thing was that the article had been liked and shared so many times anyway. I shouldn’t fixate on the little number beside it.
And anyway, only a couple of months after the move it’s already back up to 145!  So as popular as ever.

Blog post: The truth about why WordPress is better than Wix or SquareSpace.
The ever-popular Wix versus WordPress post.

A truly comprehensive cheat sheet.

If you want to know absolutely everything there is to know about moving from http to https, then you should check out this awesome cheat sheet by Matt Banner of OnBlastBlog.com. It’s very comprehensive and also understandable.

Conclusion.

I hope this helps you make your move from http to https if you haven’t done it yet. And if you have, please do let me know whether I have left out anything important. I’d also like to know in case there is a better way of getting things done.

Should you understand how important this move is, but feel completely daunted by it: fear not. We are here to help. Please get in touch and I will be happy to help you.
