Learn how to switch from HTTP to HTTPS for more secure WordPress forms.
How to switch to HTTPS for secure WordPress forms?
WordPress itself is written to accommodate sites that use both HTTP and HTTPS. Fortunately, making the switch from HTTP to HTTPS is not generally complicated. Even though each site’s host, theme, plugins and custom code are going to be different, the process itself is pretty much the same across the board.
Read more: What is HTTPS, SSL, and TLS for WordPress
It may get more complex if you have additional modifications to your site behavior in your .htaccess, php.ini, Nginx config file, etc.
Without such additional site modifications, these are the steps you’ll want to follow to ensure a clean switch:
Step One: Contact your Host
In order to transition to HTTPS, you will need a Dedicated IP Address and an SSL certificate. Individual setups will vary, but your host will be able to provide guidance on how to best transition given your setup as far as the server is concerned.
Most hosts will offer SSL certificates (for free or for purchase) and many hosts will even install it for you for a fee. You can get one for free through Let’s Encrypt, but it will require a bit more technical understanding to set up. It may be worth it to purchase your SSL certificate through your hosting provider to have installation performed by their staff.
If your host will not be installing your SSL certificate or you simply choose to install your own SSL certificate, do your research, and continue to step two.
Essential reading before implementing your own HTTP to HTTPS switch
Google’s Protect your site and your users
Google’s Move a site with URL changes (HTTP to HTTPS requires a URL change)
SSL Labs SSL/TLS Deployment Best Practices (for more advanced reading)
Step Two: Make a complete backup of your site
Backup plugins are convenient, but should your site become inaccessible during the process and you aren't able to access the Dashboard, rolling back changes can become more problematic. For backups, I always feel better after making a complete copy of the WordPress home directory, exporting a complete copy of the database, and saving both on my laptop (off of the server). I'll admit it is a bit extreme, but it's the safest approach.
Step Three: Updating WordPress Settings
- From the Dashboard, go to Settings > General. Change your WordPress Address (URL) and Site Address (URL) from http to https.
- Open your wp-config.php file. Just above the line that reads: That's all, stop editing! insert this line: define('FORCE_SSL_ADMIN', true);
- Go to Settings > Permalinks. Click Save Changes.
- Insert a 301 redirect so that any traffic coming to your site over HTTP will be redirected to the HTTPS version. There are plugins that can handle this for you. For the more technically inclined, this can be done by modifying your site’s .htaccess, php.ini, or Nginx config file, as applicable. On FormidableForms.com, we added this to the beginning of our .htaccess to force all pages to use HTTPS:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://formidableforms.com/$1 [R=301,L]
</IfModule>
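To confirm the redirect once Step Three is done, the check below follows the redirect chain from an http:// URL and reports a first hop that is not a 301, a target that is not HTTPS, a changed path, or a loop. It is an added example, not Formidable's own code; the function names and the example.com responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch_head(url):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_https_redirect(url, fetch=fetch_head, max_hops=5):
    """Follow redirects from an http:// URL; return a list of problems (empty = OK)."""
    problems, seen, current = [], set(), url
    for hop in range(max_hops):
        if current in seen:
            return problems + [f"redirect loop at {current}"]
        seen.add(current)
        status, location = fetch(current)
        if status in REDIRECTS and location:
            target = urlsplit(urljoin(current, location))
            if hop == 0:  # the HTTP -> HTTPS hop is the one the rewrite rule controls
                if status != 301:
                    problems.append(f"first hop is {status}, expected 301")
                if target.scheme != "https":
                    problems.append("first hop does not go to HTTPS")
                if (target.path or "/") != (urlsplit(url).path or "/"):
                    problems.append("path not preserved by the redirect")
            current = target.geturl()
            continue
        if urlsplit(current).scheme != "https":
            problems.append(f"{current} answered {status} over plain HTTP")
        elif status != 200:
            problems.append(f"{current} answered {status}")
        return problems
    return problems + [f"more than {max_hops} redirects"]

# Constructed responses for a hypothetical site (example.com), not captured traffic.
GOOD = {"http://example.com/contact": (301, "https://example.com/contact"),
        "https://example.com/contact": (200, None)}
# A redirect that also fires on HTTPS requests, e.g. the rule without its RewriteCond line.
LOOP = {"http://example.com/contact": (301, "https://example.com/contact"),
        "https://example.com/contact": (301, "https://example.com/contact")}

if __name__ == "__main__":
    for name, site in (("good", GOOD), ("loop", LOOP)):
        print(name, check_https_redirect("http://example.com/contact", fetch=site.get))
```

Called with only a URL, `check_https_redirect` sends real HEAD requests through `fetch_head`; the `fetch` argument exists so the logic can be exercised offline against the constructed tables.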
What do I need to do for Formidable to work on HTTPS?
Here's the good news: You don't have to change anything in your Formidable settings for your forms to work over HTTPS. As long as your WordPress site changeover has been properly made, any data transmitted to and from your site will be secure. Please note that HTTPS will secure data in transit, but it does NOT add an extra security layer to stored data.
What if my transition to HTTPS doesn’t go well?
Here are a few troubleshooting tips:
- Instead of simply re-saving your permalinks in Settings > Permalinks, try changing the permalink structure to Plain, saving, and then changing them back to your desired structure.
- Do you have any custom code that references the HTTP address for the site that will need to be adjusted to HTTPS?
- If you replace the default WordPress index.php with one that just says “hello”, do you see any errors, or do you see the HTTPS padlock in the address bar? If the padlock doesn’t appear, it is likely the trouble is with the actual SSL setup, and not your code.
- Do you have any server-side or CDN-based caching in place? If so, these may need to be flushed or have their settings updated to work with your new setup.
- Sometimes certain interactions between plugins and themes can make the transition more complicated and more likely to generate unexpected errors. Should this be the case, try changing your theme to Twenty Sixteen (or another WordPress default theme), deactivating your plugins, making the switch, and then re-activating your plugins and switching back your theme.
How will my search rankings be affected by the switch from HTTP to HTTPS?
Google’s Change of Address Tool for webmasters does not yet support the HTTP to HTTPS transition. This can negatively affect your search rankings temporarily because your site will need to be re-crawled and reindexed. While Google states that you may not see an obvious change in your rankings, there is debate around the web about whether the switch has a negative or positive effect.
The upcoming changes in January could have a bigger impact on the trust your visitors place in your site, which could in turn reduce your traffic and your rankings.
When it was originally announced that Google would be taking HTTPS into account for rankings, they made it clear that this would not affect everyone. In fact, it was reported that this update would initially affect less than 1% of searches, but its impact may grow. Since then, the push for an encrypted internet has grown from within the industry, but also from without, as internet users become more concerned about leaked information, traffic snooping, and their online safety in general.
Switch to HTTPS for Secure WordPress Forms
The future of the internet lies within secure, encrypted transmission. For WordPress websites, that means HTTPS. Fortunately, transitioning your site to HTTPS is easier and cheaper than it has ever been. In addition to the SEO and user trust benefits, switching is something that requires little time, no backlinks, no marketing strategy meetings, and no artwork with cool fonts (though we are huge fans of cool fonts). Switching to HTTPS is something a site owner can check off the list and only have to think about once a year. Get it done. A safe internet will thank you for it.
Borgan says
Thank you, I follow your steps, I hope it will work well
vfontjr says
You have a slight problem with the htaccess redirect. The way it's written, it will redirect either http or https urls to the https. As a result, it will cause a redirect loop if someone accesses https. The corrected code is:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://dev1.victorfont.com/$1 [R=301,L]
Skyler Osborn says
Good point! Our redirect is slightly different because of our hosting setup with Pagely. The example you provided would work well in most cases, making this a great example of why it is important to contact one's host to make sure that the appropriate edits are made.
Thanks for the feedback!