Checklist: Before Moving to HTTPS

This is a checklist of tasks to do AFTER your SSL certificate has been installed, and BEFORE you start your site’s conversion from HTTP to HTTPS. When done correctly, the move to HTTPS will take a few hours. But you can reduce your headaches if you gather some information before you start.

To Use a Plugin or Not to Use a Plugin

I do not recommend using a WordPress plugin to implement HTTPS, as this approach adds an unnecessary of layer of redirects, inefficiency, and bad SEO juju. And if the plugin ever stops working, or is no longer supported, all the links within your database are still HTTP, so you’ve not really converted anything. OTOH, using a plugin can be a quick fix. I don’t have any particular plugin to recommend, as I don’t use them.

Checklist Before HTTPS Conversion

1) Make sure your SSL is installed properly. Right click on any image on your site, and open it in a new tab. Change “http:” to “https:” in the browser address bar, and make sure you see the green lock with no SSL certificate errors.

By the way, I am a big fan of asking your host to actually install your SSL certificate. There are so many small variations in the way that certificates are installed, I prefer not to get involved. And, I’ve never heard of a (decent) host that refused to help by installing a SSL certificate for you.

2) Make sure you have a backup plugin installed, because you should always have a backup before making any database changes. I use and recommend BackupBuddy.

3) Do you have access to your .htaccess file in the root folder of your site? If not, ask your host about it.

After you’ve completed your conversion from HTTP to HTTPS, you will need to edit your .htaccess in order to add 301 redirects from your old HTTP site to your new HTTPS site. Here’s some sample code that may work for you. Do not add this until you have completed your conversion, however:

4) Decide how you are going to do your search and replace of “http://” with “https://” in your WordPress database. Here are your options:

a) phpMyAdmin is one option, but I wouldn’t recommend it if you are not familiar with how a WordPress database is structured.

b) My favorite technique is using WP-CLI. But this might be a bit intimdating if you’ve not used the WordPress command line before. Here’s what a WP-CLI command looks like:

c) Easiest way is to use a search-and-replace plugin, but make sure you are using one that is GUID-aware. I use the premium WordPress plugin Better Search Replace Pro. I prefer it over the free version because I can view the replaced strings BEFORE the database is modified. But the free version will do the job.

5) Do you use a CDN for caching? If so, do they have a HTTPS url you can use? What is the URL? If not, you will not be able to use them when you switch to HTTPS. I use and recommend MaxCDN; they provide free HTTPS for your cached images.

6) Do you embed videos from YouTube, or content from other websites? Amazon? Vimeo? Badges? Awards? Affiliate images? Do they have a HTTPS URL you can use? Make a list of all the websites you embed from, and their HTTPS URL. Is it simply the same URL with HTTPS instead of HTTP? Or is the HTTPS URL slightly different?

7) Are you loading scripts from other servers? Ad scripts? Widget scripts? Fonts? Infographics? Do they all support HTTPS? You will not be able to use any non-HTTPS scripts after your switch to HTTPS.

8) Do you use a plugin for social sharing? Do they combine your old shares counts with your new HTTPS share counts? If this is important to you, you might need to switch to a new social sharing plugin. I use and recommend Social Warfare Pro.

9) Learn how to check your site for mixed content errors.

After doing all your search-and-replaces, you are bound to miss at least one resource that is still being served over HTTP and causing a mixed content error. Mixed-content means that not 100% of your content is being served over HTTPS. Keep in mind that sometimes these errors are not directly called by your site, but rather nested in scripts you are calling. You may be calling a javascript file via HTTPS, but it may be loading an icon over HTTP. That’s a mixed-content error!

The fast and easy way to check for mixed content is Why No Padlock, however this site is notorious for not being accurate. If it doesn’t work for you, I recommend learning how to use Chrome DevTools to troubleshoot mixed-content errors.