I had to add SSL to WordPress recently. I’d tried it before without success, but this time it was surprisingly easy. My downtime was minutes, at most, and I saw a small bump in traffic within days.
My walkthrough assumes you are running WordPress on Linux and you have shell access. It will be different on other setups.
A word about SSL
SSL is technically obsolete, but most people understand SSL as shorthand for encrypted web traffic. The correct technology to use today is called TLS. Some people also say HTTPS, since that’s what they type into a web browser to force encryption.
SSL is the terminology people still use, so I’ll use it here. The only people who care about the difference are security professionals like me.
Many SEO experts warn you will take a hit in traffic right after you enable SSL and it can take weeks to recover, though you’ll come out ahead in the end. That wasn’t my experience. I don’t know if that means I did something right most people don’t, or if Google changed the rules. It’s probably the latter.
Benefits of adding SSL to WordPress
When you add SSL to WordPress, it encrypts your web traffic. I don’t think anything on this blog deserves encryption on its own merits. But it’s more difficult for hostile people to figure out what to surveil when we encrypt even mundane content about things like hobbies and DIY advice. That’s why SSL matters.
The problem was that when the only things we encrypted were things like credit card data and other sensitive personal information, that data looked special, so the bad guys knew what traffic to target. Once all content looks special, then none of it is special anymore. This is part of the reason Google encrypts all of its search traffic.
By reading encrypted content on my blog, you’re actually helping to keep random strangers safer.
Another benefit is that Google gives secure content a boost in search rankings. It’s not a huge boost, but I saw an increase in traffic of nearly five percent after I made the change. I don’t guarantee you’ll get the same results, but you’d probably welcome any boost in traffic, right? Removing dates from URLs probably gives you a bigger boost, but to me, that just means it’s a good idea to do both.
I also got fewer spam comments after switching to https. That sounds strange, but it does make sense that spambots might not include code for secure connections. As more sites switch that may change, but for now, that seems to be an unadvertised benefit. I get about 25-30% as many spam comments as I used to.
Is https faster?
Some people also tell you https is faster than http. That’s not completely true. Encrypting traffic does require more CPU power. That means if you’re running your web server on an old Core 2 Duo box like I was until recently, your site may slow down. If you’re running on something more modern, you may not notice the CPU overhead.
Now here’s the rub. The modern HTTP/2 protocol requires some form of encryption and it is indeed faster than HTTP/1.1. Encryption adds overhead, but HTTP/2 removes enough overhead elsewhere to more than make up the difference. But not all Apache builds support HTTP/2, and getting HTTP/2 and PHP working together under Apache can be difficult. There are also security concerns about using compressed web content in conjunction with encryption. WordPress content tends to compress really well, so if you don’t go back and re-enable compression, you may very well see a decrease in speed.
If you have to choose security or compression, go with security. One of these days I’ll figure out how to get HTTP/2 to play nice. But not today.
Get your certificate from Let’s Encrypt
First, head over to Let’s Encrypt and get a certificate. I used their Certbot tool, and maybe two minutes later, I had a certificate running in OpenSSL. My Apache configuration had the https site pointing at /var/www/html and http site pointing at /var/www/wordpress, so I had to adjust my Apache configuration to change that. Unfortunately, that particular adjustment will differ based on what Linux distribution you’re running. It’s also possible yours may not exhibit that, in which case your site will work, kind of. Don’t worry, by the last step, it will work nicely.
The certificate you get from Let’s Encrypt doesn’t verify your identity, so it’s a second-tier certificate, but for blogging, it’s perfectly adequate. And you can’t beat the price. Be sure to test your connection using SSL Labs. I got an A grade right off the bat using the default builds that come in recent versions of Debian, which is nice. Hopefully other Linux distributions give similar results. The only way I’d get an A+ would be to use a certificate that verifies my identity, which costs a few hundred dollars.
Adjust your WordPress URL
Next, adjust your WordPress URL. This is normally in Settings > General, but it may be grayed out. Mine was. So I had to go into my WordPress directory and edit wp-config.php and scroll to the end of the file. Two lines, about six lines from the end, define the URL. My lines looked like this:
define('WP_SITEURL', 'http://'.$_SERVER['HTTP_HOST']);
define('WP_HOME', 'http://'.$_SERVER['HTTP_HOST']);
I changed http to https, like so:
define('WP_SITEURL', 'https://'.$_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://'.$_SERVER['HTTP_HOST']);
And that was that.
If you don’t have any redirects, you can skip this section. If you don’t know what redirects are, you don’t have any, so you can skip this section. Odds are you do have redirects if you use an SEO plugin like Yoast.
I have hundreds of redirects. Some of them even exist for good reasons. Most of them don’t define an absolute URL, which is good. Those don’t need any adjustment. But if any of your redirects start with http, you’ll have to change them to https. I just exported mine, edited them, deleted the old ones, then re-imported. Potentially this meant some of my content was unavailable for a few seconds but that’s not too bad.
Adjusting my site’s internal links was the part of the job I dreaded most. Fortunately that was the easy part. There’s a WordPress plugin called Really Simple SSL that takes care of it for you. Just install and activate.
Adjust your site address in Google Analytics and Webmaster Tools
Really Simple SSL will tell you to update your site address in Google Analytics and Webmaster Tools (Search Console). You can’t actually update them–you’ll have to enter the https address as a new site. It took a few days for mine to take effect, so I lost a few days of analytics after the change. The bump in site traffic is worth it, though. The sooner you make the change in Webmaster Tools, the less data you’ll lose. So go ahead and do that on the same day you make your change over to SSL to minimize the loss.
If you’re not using Webmaster Tools, here’s why I recommend you start.
Disconnect and reconnect Jetpack
I use the popular plugin Jetpack to do a lot of things, including syndicate my posts to social media. Jetpack acted really weird after the change. It mostly worked, but one of the things that didn’t work was posting to social media. Here’s how to disconnect Jetpack. Right after you disconnect Jetpack, you’ll see a setting to reset the connection.
Once you disconnect and reconnect Jetpack, your posts will show up on Facebook and Twitter and wherever else you publish automatically.
Schedule your updates
Certificates from Let’s Encrypt expire after 90 days. On my Debian system, it created a script called certbot in /etc/cron.d. To run it daily, I issued the command cp /etc/cron.d/certbot /etc/cron.daily and it seems to work. I have a reminder on my calendar to check on things before it’s due to expire.
There are dozens of ways to check your certificate’s expiration date, but many are browser-specific. You can always run your site through SSL Labs again, as the expiration date is one of many things SSL Labs tells you.
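One browser-independent way to check the expiration date from the shell, as an added example that is not part of the original post. It uses the openssl command line; the function names, the 30-day default threshold and the constructed example.test sample certificate are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate by how close it is to expiry.
# Function names and the 30-day default are assumptions, not Certbot's own.

# cert_status FILE [DAYS] -> prints unreadable | expired | renew | ok
cert_status() {
    file=$1; days=${2:-30}
    # Reject anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable; return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# cert_enddate FILE -> the human-readable notAfter date
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# live_cert HOST FILE -> save the certificate the server actually presents,
# which catches a renewed file on disk that the web server has not reloaded.
live_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# make_sample FILE -> constructed 90-day self-signed certificate for offline trials
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 90 -subj "/CN=example.test" >/dev/null 2>&1
}

# When called with a file argument, report and exit non-zero unless status is ok,
# so a cron job can mail a warning.
if [ "$#" -ge 1 ]; then
    status=$(cert_status "$1" "${2:-30}")
    echo "$1: $status (notAfter: $(cert_enddate "$1" 2>/dev/null))"
    [ "$status" = ok ]
fi
```

Saved as a script (the name check-cert.sh is hypothetical), `check-cert.sh /etc/letsencrypt/live/<your-domain>/cert.pem 30` exits non-zero once the certificate is within 30 days of expiring.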
And that’s the last step. It’s not as hard to add SSL to WordPress as it sounds, and it comes with plenty of benefits. You make the online world a safer place, and you’ll get a boost in traffic. Maybe it’s not the biggest thing you can do to improve your SEO, but it’s not the worst, either.