⚠ Note: In 2014 Google started to use HTTPS as a ranking signal. HTTPS can also help make your site more secure and is required if you accept payments on your site.
You can purchase an SSL certificate from many places. You can also get a free one from Let’s Encrypt. Setting up an SSL certificate manually is not a simple task. For that reason, I recommend you go with a host that offers to set it up for you such as WP Engine or SiteGround. They make the process much easier since it’s basically automated and if you encounter any issues you can contact their support team for help.
Once you set up an SSL certificate don’t forget to take the following steps:
Your hosting service may have some HTTPS configurations that need to be set up. For example, if you use WP Engine, make sure to check all the boxes in their SSL settings for both versions of the domain; www and non-www. There are a few settings I recommending reviewing in the screenshot below if you are using WP Engine.
⚠ Note: Do not use any type of Force SSL plugins if the site is hosted at WP Engine.
You’ll also want to make sure that your WordPress settings are correct now that you’ve installed an SSL certificate on the site.
In WordPress, go to the “Settings” tab and then click on “General”. Make sure the “WordPress” address and “Site Address” both include the https:// version of the site.
Some hosts will lock this area and it will appear “grayed-out” and not let you edit it. I believe you can contact the host for help or update the wp-config.php file to fix this.
In Google Analytics, you will want to review the “Default URL” in the Property Settings and in the View Settings. If there are multiple “Views” in the View Settings, you will want to review all of them.
Inside the Property Settings and View Settings in Google Analytics you can see which version of the URL is being tracked. Make sure it’s set to the new https:// version.
If you make any changes here, I highly recommend viewing live traffic data in Google’s “Realtime” report to make sure Google Analytics is still tracking properly.
This one is also very important. If you have set up Google Search Console by verifying individual properties (aka URL Prefix), then you will need to make sure to verify the two new versions of the domain; both https:// and https://www.
If you have set up Google Search Console by verifying the entire domain, then this section does not apply to you.
Crawl the site with the software of your choice. I use Screaming Frog to make sure all internal links on the site are now HTTPS.
In Screaming Frog, under the “Protocol” section, click on the “HTTP” tab to see any internal links on the site that are still HTTP.
You can use a Search and Replace plugin to update HTTP links in bulk. But be very careful. It’s super easy to mess things up using a search and replace plugin.