Convert your WordPress blog to use SSL or: How I Learned to Stop Worrying and Love the Padlock

It’s time to use SSL on all blogs, everywhere. Google prefers SSL and, historically, would confer its blessing on sites that used SSL. Google has taken it one step further and is now planning to penalize sites that do not use SSL. With that in mind, now is the time to take the plunge and protect your blog with an SSL certificate.

Luckily, this process can be pretty straightforward. We’ve put together the steps for ordering and enabling an SSL certificate, and making the necessary changes in WordPress to use it everywhere on your blog. Read through these steps or, if you’d prefer, save yourself the hassle, contact us, and we’ll do everything for you for $50 per site.¹

  1. Enable SSL in Virtualmin. Log in to your Virtualmin account (check your welcome email for your custom URL), select your domain from the dropdown, and click Edit Virtual Server. Under “Enabled Features”, make sure SSL is checked:
  2. In the left menu bar of Virtualmin, click on “Server Configuration” and locate “Manage SSL Certificate”:
  3. On the “Manage SSL Certificate” screen, select the “Let’s Encrypt” tab. All of the default settings are fine; just click “Request Certificate”:

    The Let’s Encrypt process should kick off and return a success screen. Anything other than the following might be an error, and would require follow-up investigation:

    At this point, your site is SSL-enabled, and you should be able to load the home page and locate the green “Secure” padlock in the browser bar:

    However, while your site is able to use SSL, you’ll still need to inform WordPress that it should always use SSL. The easiest way to do this is via a couple of plugins… however, let’s take a quick break here and do the thing that WordPress always recommends (but almost no one ever does)…
  4. Take a backup! We’ve posted about this before, so head over there, read about Updraft Plus, and take a full backup of your database! (You won’t be changing any files, so it’s unnecessary to back up your uploads or other files this time. But the database is critical to back up at this juncture, so please don’t skip this step!)
  5. Install the “Really Simple SSL” plugin. It looks like this:

    Upon installing and activating it, you will see an alert at the top of your WordPress admin area:

    Click “Go ahead, activate SSL!” and log in to your WordPress admin area again as necessary.
  6. Change settings for Really Simple SSL to use your .htaccess file to force SSL.² Click on Settings in the left menu bar and click SSL, then click the “Settings” tab to access the “Really Simple SSL” settings. Click “Enable 301 .htaccess redirect” and save:
    Everything should now be redirecting to SSL, but we want WordPress to be more self-aware and generate SSL links by default. There’s one more plugin:
  7. Install the “Better Search Replace” plugin. It looks like this:

    Upon installing and activating it, you will have a new option in your Tools submenu on the left menu bar:
  8. Click on “Better Search Replace” to get to the options screen. Type in your site URL with http:// in the “Search for” box and your site URL with https:// in the “Replace with” box. Select ALL tables (protip: click the first table, scroll to the bottom of the tables list, hold Shift and click the last table, and that will select all tables for you!), ensure “Run as dry run?” is checked (so that no changes are made), and click Run:
    You will see the results: “N tables were searched, M cells were found that need to be updated, and 0 changes were made.”
    Your site is probably much larger and Better Search Replace will find many more cells in many more tables, but in any case, it should always read “0 changes were made” at this point. Feel free to click the link to review the results of the proposed changes.
  9. Assuming everything looks right from the previous step, leave the form untouched except to uncheck “Run as dry run?” and click “Run” to actually make the changes.

At this point, you should be done on your site. Your blog will load with SSL (using https:// on the front of your URL), it will redirect non-SSL links to SSL (preserving SEO by using 301 permanent redirects), and WordPress will generate SSL links for all new content. The only thing left for you to do is to log in to your Google Analytics account and make sure you’re tracking your site properly using the https:// URL. (Configuring Google Analytics is beyond the scope of this article, but we can help with that too. 🙂)
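A post-migration check for the two outcomes described above, the 301 redirect from step 6 and the rewritten URLs from steps 8 and 9. This is an added example, not part of the original article or of either plugin; the host `blog.example`, the function names and the sample page are constructed, and you supply the real response status, `Location` header and page HTML yourself.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose URL the browser loads (or posts to) while rendering the page.
# A stale http:// in a non-fetching <link> (e.g. rel=canonical) is flagged too.
FETCH_ATTRS = {"src", "href", "action", "poster", "data"}


def check_redirect(requested_url, status, location):
    """Return a list of problems with the response to a plain-http request."""
    problems = []
    if status != 301:
        problems.append(f"expected 301 permanent redirect, got {status}")
    want = urlsplit(requested_url)
    got = urlsplit(location or "")
    if got.scheme != "https":
        problems.append(f"redirect target is not https: {location!r}")
    if got.hostname != want.hostname:
        problems.append(f"redirect changes host to {got.hostname!r}")
    if (got.path or "/") != (want.path or "/") or got.query != want.query:
        problems.append("redirect does not preserve path and query")
    return problems


class _MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # plain links are navigation, not mixed content
            return
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                if value.strip().lower().startswith("http://"):
                    self.hits.append((tag, name, value))


def find_mixed_content(html):
    """List (tag, attr, url) for http:// references left in an https page."""
    finder = _MixedContentFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample page, as it might look if the replace in step 9 missed a row.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://blog.example/wp-content/themes/t/style.css">
<a href="http://other.example/">outbound link, fine</a>
<img src="http://blog.example/wp-content/uploads/2018/01/cat.jpg">
"""
```

An empty list from both functions means the redirect is a path-preserving 301 to https and the page has no leftover `http://` references that would break the padlock.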

If you had any trouble, or if you’d prefer that we handle everything for you, please contact us and we’ll be happy to take a look!

Footnotes

  1. Discount applies to AGhosted clients only. Non-AGhosted clients pay $150 per site and are subject to availability of the required tools (e.g., Let’s Encrypt).
  2. This isn’t strictly necessary, but it will allow Really Simple SSL to do its job much more efficiently. The default is to redirect using PHP, which requires your server to spin up the entire WordPress environment for a simple 301 permanent redirect. Conversely, redirecting via .htaccess uses almost no system resources and, thus, is much faster.
