Securing a Woocommerce Website in 2022 Using Let’s Encrypt Certificate
For security, SEO and because it’s a Google requirement, securing a Woocommerce website using a Let’s Encrypt certificate is a job that should be done, like yesterday. I delayed because I’d seen many warnings against this move in the past: plugin conflicts, redirect problems and SEO risks but decided I had no choice. Take it from me, there’s nothing to worry about if you follow the steps correctly.
I’m referring in this step-by-step tutorial to any existing website rather than a brand new one – moving everything from HTTP to HTTPS. I’m also assuming you get a free certificate through your host and use cPanel. I secured quite a few of my sites in cPanel but my host has recently moved to DirectAdmin…however, the principle’s pretty much the same.
It is important to know that you will lose social share counts on all your posts and pages unless you use a plugin that supports share recovery, for instance this free Social Welfare plugin. This is because your share counts function on an API that’s been based on the HTTP version and, unfortunately, you have no control over 3rd party social networks.
Depending upon the size of your website, be aware that it may take Google a while to re-crawl all of your new HTTPS pages and posts. During this period, you could see variations in traffic or rankings until things settle down.
All that being said, let’s tackle this move to secure your existing website….
1) Update all plugins and generally clean up Admin if you haven’t done it for a while. If you have caching plugins, purge those caches. It might be an idea to turn off your CDN integration and disable any caching plugins if you have them before starting, as these could create problems, but I have successfully converted from HTTP to HTTPS without disabling caching.
2) If you have anything that automatically runs on the site or is connected, e.g. scheduled actions like cron jobs with product updating or deleting or database cleaning, stop them all so that they can’t interfere with the changeover. If the timings are at least an hour ahead, you should be safe to leave as is (unless the doorbell rings!).
3) Log into cPanel. Go to Security > Let’s Encrypt and look for the website you’re working on in ‘Your domains with Let’s Encrypt certificate’. You may find that the site has already been issued one, in which case, click ‘Remove’. If a certificate isn’t in that section or you’ve just removed it, scroll down to ‘Issue a new certificate’, find the domain and click ‘Issue’. Select the urls and tick the boxes where you’d like HTTPS, click ‘Issue’. See image below.
You’re now finished in cPanel so you can log out.
4) Now you have your certificate installed but the website looks the same, so you need a plugin to force website visitors to be redirected from HTTP requests to HTTPS. Go to Plugins > Add New and search for Really Simple SSL. Install and activate. There’ll be a lot of yellow warning dots but click ‘Activate’ anyway. Oops, you’re logged out – fabulous! If you check the top left of your browser bar, you’ll see the lock…success! (Note here if you have used DirectAdmin to install the certificate: there is a box to tick when you install it, ‘Force SSL with https redirect’. Tick it and Save. This step eliminates the need for a plugin to force the redirect in WordPress.)
5) Go to https://www.ssllabs.com/ssltest/analyze.html and enter your new domain URL to check that the certificate has no errors. You should get an A score if everything’s set up right.
6) Now you need to go back inside your website and in the Really Simple SSL section, ‘enable 301 .htaccess redirect’.
7) Change all the pages on your website, i.e. update hard-coded HTTP links. For this, install a plugin called ‘Better Search Replace’. You’ll now find it in the Tools section in Admin. Select all the tables that have any MBs (Megabytes) and check the box to create a dry run, just to make sure the plugin picks up what to change and that you know you’ve put the correct URLs in the boxes. This should have changed all the site’s URLs to HTTPS. You can now safely deactivate and delete this plugin.
8) Go to: https://www.jitbit.com/sslcheck/ This site will check up to 400 pages free for any non-secure content including images, script and css files. Here’s another site that does this too but it seems to check fewer pages: https://gf.dev/mixed-content-test.
9) Should you find any HTTP content, you can use this plugin to fix the problem: https://wordpress.org/plugins/ssl-insecure-content-fixer/ (I haven’t actually used it as I didn’t discover any resources loading over HTTP, even after securing 3 websites, so well done Better Search Replace!) However, please see note 13 below.
10) Make sure you update your site’s url to HTTPS in any external scripts that are running and re-enable them. In my case I had to update external cron jobs.
11) If you’re using Google Search Console and/or Google Analytics, you will need to add your site as a new property in GSC and add its site map too, normally something like https://sitename/sitemap.xml. In GA, go to your property and click the settings gear > Data Streams > Add stream and create a new Web stream with the new url.
I use the free Statcounter so that I get weekly total traffic emails and can monitor any changes so I amended the site url in the project Settings and Saved.
12) If you are running a comment plugin such as Disqus, you will need to migrate your Disqus comments over from HTTP to HTTPS.
Update Your URLs in your Email Marketing software
Update any PPC Ad URLs: AdWords, Bing Ads, AdRoll, Facebook Ads, etc.
Update Social Media Links (Facebook Page, Twitter Bio, Pinterest, Twitter, Instagram, etc.)
13) No doubt you’ll have plenty of blog content pages/posts that contain internal links. Although Better Search Replace plugin is brilliant, I’ve found the odd internal link still pointing to HTTP so, unfortunately, I advise that you go through all content posts and pages to double check – sorry to have to say this!
However, if you come across another easy but better way to change all the links from HTTP to HTTPS on your site, please do comment. I’m always learning!
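The checks in steps 8, 9 and 13 can also be run offline against saved page source. The scanner below is an added example, not part of the original tutorial or of any plugin mentioned in it; it separates blocked (active) mixed content, passive mixed content, forms that post over HTTP and leftover internal HTTP links. The hostname `shop.example`, the sample HTML and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loads that browsers block when an HTTPS page requests them over HTTP.
ACTIVE = {("script", "src"), ("iframe", "src")}
# Loads that browsers warn about or auto-upgrade rather than block.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class InsecureRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (kind, tag, url)

    def classify(self, tag, name, attrs, url):
        host = (urlparse(url).hostname or "").lower()
        own = host in (self.site_host, "www." + self.site_host)
        if tag == "link":  # only stylesheets are loaded; canonical etc. are not
            return "active" if "stylesheet" in (attrs.get("rel") or "").lower() else None
        if (tag, name) in ACTIVE:
            return "active"
        if (tag, name) in PASSIVE:
            return "passive"
        if tag == "form" and name == "action":
            return "insecure-form"  # submitted data would leave over HTTP
        if tag == "a" and own:
            return "internal-link"  # works via the 301, but should be rewritten
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "href", "action"):
            url = attrs.get(name) or ""
            if url.lower().startswith("http://"):
                kind = self.classify(tag, name, attrs, url)
                if kind:
                    self.findings.append((kind, tag, url))

def scan(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page source for a hypothetical shop.
SAMPLE = """
<link rel="stylesheet" href="http://shop.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://shop.example/product/mug/">
<script src="https://shop.example/wp-includes/js/jquery.js"></script>
<img src="http://shop.example/wp-content/uploads/mug.jpg">
<a href="http://shop.example/cart/">Cart</a>
<a href="http://other.example/">Elsewhere</a>
<form action="http://shop.example/checkout/" method="post"></form>
"""
```

Calling `scan(SAMPLE, "shop.example")` returns one tuple per problem reference, so a page is clean when the result is an empty list.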
CONCLUSION
In most of the articles I’ve read about securing websites, they warn about a decrease in the ranking of pages and therefore traffic. In my case, I’ve had the reverse happen and I imagine it’s because Google previously had a low opinion of my site. (Yes, I sometimes do think of this hugely important search engine as a person with feelings and emotions – quite wrongly of course!) I see more indexed pages and a steady traffic stream, so securing a Woocommerce website is certainly worth doing.
I hope you get the same results.