How to transfer site to HTTPS

In this article I would like to talk about my own experience of transfer project from HTTP to trendy HTTPS.
A bit of theory: the main advantage of the HTTPS-connection to the HTTP is to support encryption. This is to protect transmitted traffic between client and server from possible interception for the purpose of decryption. Therefore, it is strongly recommended to use HTTPS on sites with a large number of forms filled in by users – from contact information to payment details.
Select of Certificate
The first thing necessary to determine the type of SSL-certificate. There are many articles detailing each of them, so I’m not going to repeat them, but just bring my findings.
Firstly, you can do this without buying certificates and generate it yourself, and then install on the server. However, at the first entry on this website every visitor in a browser will have warning about self-signed certificate, which can cause annoying pop-up notification. In my case, this option was unacceptable, because I wanted to give users confidence in the safety of work with the service.
Second, not all of the certificates could be used by individuals, and those that may have some limitations. Did you see beautiful green lettering in the browser address bar before the actual domain? This effect creates a SSL-certificate with option EV, but such certificates are not available to individuals.

As a result, for the project was chosen one of the cheapest certificates for individuals – Thawte SSL123.
Also, I write about some other types of certificates.
Individual certificates
Most simple and cheep. It takes me only 5 minutes to get it. You can use it for private needs.
EV (Extended Validation)
Such certificate has additional company validation. It’s better to use them for different registered trade marks and companies. It allows you to get name of company in status bar of browser (see image from mozilla above)
Wildcard
Such certificate is for all subdomains of main site. You should buy it if you have many local sub sites.
IDN support
It has support for local languages domains. For example, with cyrillic names
Install certificate
Next thing that you need to do – install certificate on server. Note, your server must support SSL. After installing certificate, check your site. It must be available with https:// Note. It takes some time to update DNS cache before you can see your site correct
Preparation on the site
After purchase of the certificate, you need install it on the server. According to the instructions received from the seller I could not do it, so I asked the tech support of my hosting and after 5 minutes everything functioned as expected.
Next, you need to change some things on your site.
Change inner static links
I will show you most common places where you need to change links.
First of all, go to Settings – General and change link of your site from http to https

Second. Many themes have theme option where you place your custom backgrounds, logos. Check all such static images, just upload again them (after you changed site url). Make sure that new links are with https

Then, go to your menu. If you have static custom links – check them and change to relative links
For example, absolute links – is http://site.com/article. Relative links – /article.
Next place – your theme functions.php. Many themes uses external links to scripts, for example youtube api, google maps. All of them must be without http

Inner content
This is most hard part if you already have many posts. When you inserted image to content, all of them are with http instead of https
You can change links manually in each post. If you have more skills, you can try to bulk change them in database. But I recommend to use plugin Search and Replace for WordPress. After installing, search http://yoursite.com and replace with https://yoursite.com (don’t forget to type your domain name instead of yoursite.com). Use table wp_posts
Change host name
If you have file robots.txt on site, you must have host with https:// link
Example,
Host: https://wpsoul.com
301 redirect
If everything is ok – you can create redirect which tell search spiders to index your new links. Set this code in .htaccess file in root folder of site
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
Important note
In most cases your .htaccess will be not empty, because wordpress added some important code to make permalinks work. Usually, you will have such code inside
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you just place code for redirect on https – it will not work, so, you need to insert code inside. Correct example, will be
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
See, RewriteEngine On – at first. Then code for redirect, then other wordpress code
How to check
After all changes, open your site with https:// If status bar will be green – all is ok. If status bar is not green but site is opened with https – means that there are some resources on page with http protocol. You can simply check browser console to locate them. Usually, it looks like

Fix this
Underwater rocks
Six months have passed from the date of transfer of the project to HTTPS, and now I can tell a few problems that I encountered.
It is very important that absolutely all links to loadable content must be via HTTPS. These include scripts, files of styles, images and even web fonts. In the event that your HTTPS-site loads any file via HTTP-connection may be notified that the protection provided by HTTPS stopped working at 100%. Moreover, some browsers may not download the such mixed contents.
Quite suddenly found another problem. When I opened the Developer Dashboard in Firefox, to fix a couple of bugs in the layout, I saw repeated a warning about SHA-1
If you go to the specified link, you can see that the SHA-1 outdated and its use is currently insistently do not recommended. Currently, it’s not a bug and everything is working, but can be a problem in future. For readers of the blog I also recommend focus attention on this, at the moment of selecting the type of certificate – in any case, do not select the SHA-1.
Pleasant moments
Of course, HTTPS has many advantages. Personally, I was pleased to see even just a padlock icon in browser.
Another plus in my case it is possible to use links to pictures through the HTTPS-protocol. The fact that the project uses a system of notification of customers through e-mail – for example, a new ticket or a low balance. For these notifications, I made beautiful email templates. Mail agents impose a number of requirements to the graphics in the letters, one of which is a link over HTTPS. Recently, I need to use images from another image hostings, not, I can use links from my site