Google notified me repeatedly that my self-hosted WordPress websites weren’t secure, that they didn’t have the coveted “https:,” and that I should take care of it pronto.
I’m no WordPress expert, just a freelance writer and product creator who runs blogs. So I dread these sorts of things and put them off as long as reasonably possible, especially since I have several of my own sites, and I manage a few others for family members and nonprofits, so it can be quite a hassle. Well, last week I finally decided to tackle the project.
Caveat… as I just said, I’m no WordPress expert. I’m just a DIY guy who tries to do things himself first, and then hires an expert when necessary. So here’s what I did, and it worked for me, and I hope it will work for you. But if it doesn’t, I’m not a good source for help.
Why Does Having a Secure WordPress Site Matter?
There are at least three good reasons:
1. Google says that it is one of the many SEO signals it uses for ranking sites in web searches, meaning that having a secure site may improve your search results and thus the traffic you get from search.
2. Visitors will feel safer viewing your site and clicking your links, and especially entering any information into forms, meaning they are more likely to hire you, or buy your products, or just read your posts.
3. Browsers show whether or not your site is secure, leading back to #2 above.


How I Did It
Full Backup!
First, of course, I did a full backup of all the sites, just in case something were to go dreadfully wrong.
Use Let’s Encrypt to Secure the WordPress Site
Next, I called my hosting company, A2 Hosting, to ask what I needed to do. I assumed I’d have to pay money, and perhaps a lot of money, but it turns out they (and many other hosts) have a free option: Let’s Encrypt.
How do you set up Let’s Encrypt? Turns out it’s something the hosting company can do easily, which A2 Hosting did while I was on the phone.
Install the Really Simple SSL Plugin
And it was really simple. I installed it and followed the easy instructions to get it working.
Unfortunately, it didn’t do the trick for several of my sites: no “secure,” no “https.” (Note: This is not the fault of the plugin, which is highly rated and has been updated regularly.)
So I called A2 Hosting again. They recommended I…
Use WhyNoPadlock.com, If Necessary
The website WhyNoPadlock.com goes through your site and shows you which files are still just “http” instead of “https.”
It turns out that the problem sites had one or two image files that hadn’t been converted by the Really Simple SSL plugin.
Once I knew the exact files, I logged into cPanel (server software that allows you to add, delete, and edit files, along with the ability to do a ton of other things) and I manually changed the offending file names by adding the “s” after the “http.”
There are plugins that will supposedly change the file names for you, but I didn’t want to trust them.
The Cost
Absolutely nothing = nada, zilch, free! A2 Hosting didn’t charge me to set up Let’s Encrypt, and Really Simple SSL is a free plugin.
The Only Problem: Feedburner
On a few of the sites I still use Feedburner to automatically notify subscribers of new posts. Well, after the change to secure https:, Feedburner sent subscribers a notification of the most recent post, or in one case a list of the last ten posts.
Your Take
Have you made your WordPress site secure yet? Any problems making it https:?
After a link is changed using the tools you mention, if someone has the old link and they try to use it, will they be automatically redirected to the new one?
Again, I’m not an expert, but that’s been my experience so far.
John, thanks so much for this information. I’m going to work on securing my site this evening.
I hope it goes smoothly, Marcie!
@Christine
I don’t know those plugins, but often there is a little bit of redirecting that is required to ensure http goes to https. There are many walkthroughs on the web showing how to do that depending on what kind of server you have.
Also, you need to remember to tell Google Search Console which version of your site you want to use. There is a setting in GSC that enables you to select https rather than http.
You’re right to be concerned to ensure the http versions are redirected to https, otherwise links won’t work and the ‘link juice’ Google assigns will be lost as well.
Cheers.
Mark is correct. You do need to tell Google that you switched to https.
I ‘bought’ the free ssl certificate that my host, BlueHost, offers. After some problems and needing a plugin that will force ssl, it’s been fairly easy, except when it isn’t. I applaud Google for forcing us to secure our sites and I think they did it 6 months too soon… or maybe we needed to go through all the confusion. I think it is a requirement now and it will get easier.
Yet it’s interesting how many sites still aren’t “secure.” While reading the news online this morning, I noticed that both BBC.com and Univision.com still haven’t made the change.
Nice post. I am also working on my site security. I use many ways and security systems to save my site. Thanks for sharing. Keep it up.
Hi John,
Great post. Currently, SSL is indeed a very important factor; Google Chrome shows “not secure” on non-SSL websites. Luckily, my hosting company SiteGround offered an easy solution with Let’s Encrypt.
Thanks for sharing!