Migrate WordPress from HTTP to HTTPS

Migrate WordPress from HTTP to HTTPS

Slides from presentation at WordPress Orlando Meetup on how to migrate WordPress site from HTTP to HTTPS.

As more sites transition to HTTPS and Google giving preferred ranking to secure sites, it became important to properly install a TLS/SSL Certificate.
The process of moving to HTTPS can be intimidating starting from obtaining certificate to migrating all content to HTTPS.
Recently, Let’s Encrypt started offering Free TSL/SSL Certificates. CloudFlare offers Free TLS/SSL with HTTP/2 protocol support.

We discussed how you can obtain a Free TLS/SSL Certificate, make your content HTTPS friendly, and how to migrate existing content to HTTPS.
We also went over the benefits of serving your pages over secure connection, common problems with transition, and how you can test your certificate configuration.


Irina Blumenfeld

April 19, 2016


  1. MIGRATE WORDPRESS TO HTTPS IRINA BLUMENFELD @irinablumenfeld #wporl https://www.netmagik.com/migrate-wordpress-to-https WORDPRESS

  2. WHAT IS HTTPS ▸ SSL first created in 1996 ▸

    SSL to TLS in 1999 ▸ Public and Private Keys @irinablumenfeld #wporl
  3. ▸ Authentication - am I talking to who they claim

    to be? ▸ Data Integrity - has anyone tampered with the data? ▸ Encryption - no more eavesdropping ▸ Better Ranking - Google gives preferred ranking ▸ HTTP/2 protocol support - (if host supports HTTP/2) BENEFITS OF HTTPS @irinablumenfeld #wporl
  4. HTTP1/1.1 - HTTP/2 HTTP1/1.1 HTTP/2 @irinablumenfeld #wporl

  5. HTTP/1.1 AND HTTP/2 COMPARISON Demo from Cloudflare Load Time: 1.95

    s Load Time: 0.33 s @irinablumenfeld #wporl
  6. SHA-2 Google, Microsoft and Mozilla will flag SHA-1 Certificates as

    Insecure on January 1, 2017 d029f87e3d80f8fd9b1be67c7426b4cc1ff47b4a9d0a8461c826a59d8c5eb6cd 0f01ed56a1e32a05e5ef96e4d779f34784af9a96 SHA-1 SHA-2 @irinablumenfeld #wporl
  7. EXTENDED (EV) SSL @irinablumenfeld #wporl

  8. HTTPS as a ranking signal in https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html @irinablumenfeld #wporl

  9. HTTP sites will be marked unsafe in Google Chrome https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

    @irinablumenfeld #wporl
  10. https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure experiment in Chrome URL:
 chrome://flags @irinablumenfeld #wporl

  11. HTTPS ADOPTION Source: http://httparchive.org/ @irinablumenfeld #wporl

  12. AREN’T THE CERTIFICATES EXPENSIVE? @irinablumenfeld #wporl

  13. FREE SSL OPTION # 1 @irinablumenfeld #wporl

  14. LET’S ENCRYPT letsencrypt.org @irinablumenfeld #wporl

  15. LET’S ENCRYPT ADOPTION @irinablumenfeld #wporl

  16. LET’S ENCRYPT TLS/SSL In cPanel - Security widget @irinablumenfeld #wporl

  17. SNI - SERVER NAME INDICATION No Need for Dedicated IP

    Address @irinablumenfeld #wporl
  18. 1. Migrate Existing Content to HTTPS 2. Redirect all pages

    to HTTPS AFTER YOU INSTALL SSL @irinablumenfeld #wporl
  19. MAKE A BACKUP @irinablumenfeld #wporl

  20. LET’S ENCRYPT TLS/SSL ▸ Install SSL on the server ▸

    Install Really Simple SSL plugin - Activate it
  21. REALLY SIMPLE SSL PLUGIN @irinablumenfeld #wporl

  22. REALLY SIMPLE SSL PLUGIN @irinablumenfeld #wporl

  23. REALLY SIMPLE SSL PLUGIN @irinablumenfeld #wporl

  24. ▸ Images ▸ Javascript and CSS files ▸ Links ▸

    Widgets ▸ Third Parties - Ads, Analytics ▸ CDN MIXED CONTENT @irinablumenfeld #wporl
  25. MIXED CONTENT PROBLEMS @irinablumenfeld #wporl

  26. MIXED CONTENT PROBLEMS @irinablumenfeld #wporl

  27. FIXING MIXED CONTENT <script src="http://example.com/script.js"></script> BAD <script src=“https://example.com/script.js”></script> GOOD @irinablumenfeld

  28. <a href="http://example.com/bar"> Don't link to insecure pages!!! BAD <a href=“https://example.com”>

    GOOD FIXING MIXED CONTENT @irinablumenfeld #wporl
  29. HTTP/HTTPS ICONS @irinablumenfeld #wporl

  30. REDIRECT LOOP bit.ly/redirect-loop @irinablumenfeld #wporl

  31. FREE SSL OPTION # 2 @irinablumenfeld #wporl

  32. CLOUDFLARE FREE FLEXIBLE SSL cloudflare.com/ssl @irinablumenfeld #wporl

  33. ▸ CDN ▸ Optimization ▸ Security ▸ DDoS Protection WHAT

    IS CLOUDFLARE??? @irinablumenfeld #wporl
  34. CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl

  35. ▸ Create an account on CloudFlare.com ▸ Change Nameservers in

    Domain Registrar (in DNS Settings)
 Example: bob.ns.cloudflare.com, lola.ns.cloudflare.com
 CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl
  36. ▸ Choose Flexible SSL option CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld

  37. ▸ In 24 hrs check if SSL has been issued

    (Free account) CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl
  38. Before SSL is issued: CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl

  39. ▸ Install CloudFlare Flexible SSL Plugin - Activate it In

    http://yoursite.com/wp-admin: CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl
  40. ▸ Install SSL Insecure Content Fixer Plugin - Activate it

    In http://yoursite.com/wp-admin: CLOUDFLARE FREE FLEXIBLE SSL

  42. Browse to https://yoursite.com CLOUDFLARE FREE FLEXIBLE SSL @irinablumenfeld #wporl

  43. TEST TOOLS - WHY NO PADLOCK? @irinablumenfeld #wporl

  44. TEST TOOLS - CHROME DEV TOOLS @irinablumenfeld #wporl

  45. TEST TOOLS - CHROME DEV TOOLS @irinablumenfeld #wporl

  46. CLOUDFLARE FREE FLEXIBLE SSL In Page Rules section - new

    rule: *your-domain.com* @irinablumenfeld #wporl
  47. CLOUDFLARE STRICT SSL @irinablumenfeld #wporl

  48. VIEW SSL

  49. VIEW SSL

  50. UPDATE GOOGLE ANALYTICS https://support.google.com/webmasters/answer/6033049

  51. HSTS HTTP Strict Transport Security (HSTS) @irinablumenfeld #wporl

  52. HSTS <IfModule mod_headers.c> Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload” </IfModule>

    in .htaccess file HTTP Strict Transport Security (HSTS) http://bit.ly/enable-hsts @irinablumenfeld #wporl
  53. HSTS HTTP Strict Transport Security (HSTS) https://hstspreload.appspot.com Request Preload -

    Only if you support HTTPS for the long term @irinablumenfeld #wporl
  54. HSTS HTTP Strict Transport Security (HSTS) @irinablumenfeld #wporl

  55. TEST SSL https://www.ssllabs.com/ssltest @irinablumenfeld #wporl

  56. THANK YOU QUESTIONS? IRINA BLUMENFELD @irinablumenfeld #wporl https://www.netmagik.com/migrate-wordpress-to-https