A step by step guide to switching an existing XenForo installation from HTTP to HTTPS aka from http://domainname to https://domainname
Step 1. SSL Certificate
The first step is to get an SSL certificate for the domain or sub-domain. Many hosts provide free SSL for one domain. Get in touch with the host to see if you are eligible for a free SSL certificate and if you aren’t you may need to first purchase the SSL certificate and install it on the server. Here is a guide to installing an SSL certificate.
Once the SSL certificate is installed for the domain, accessing the site HTTPS://DomainName shouldn’t display a security warning.
Step 2. XenForo Configuration for HTTPS
Make changes to the XenForo configuration as follows.
Change the forum URL at Admin CP > Options > Basic Board Information: Board URL from http://domainname to https://domainname.
For stylesheets search
Ideally, XenForo style should have used the image path either relative to the forum or via the @imagePath variable but to make sure there aren’t any static content directly linked via the HTTP-based url.
XenForo can contain HTML in descriptions. Verify there aren’t images embedded in them via a hard-coded HTTP based url.
- Forum Description – Forum description can contain HTML and often it may contain some forum sponsor banners or images. Check if they aren’t HTTP based url.
- Notices – Check all the notices HTML to see there are any buttons that are hard-coded HTTP URLs.
- User Upgrades – User upgrades can contain HTML and often contains banners for better conversion. Make sure those image URLs are all switched over to HTTPS
It should be enough for the home page and the forum pages to load HTTPS with a green padlock.
Step 3. Post Content
Users may have embedded content from the non-HTTPS and so one has to update the existing user content to replace the URLs of the old HTTP-based URLs to new HTTPS-based URLs. We will use the Post Content Find / Replace. A guide on how you can install the plugin is here.
The plugin adds an option under Admin > Tools > Replace In Posts.
- In quickfind use: http://domainname
- In Regular expression use: #http\:\/\/domainname\.com#siU
- In Replacement String use: https://domainname.com
Unticked “Save Changes” will only do a dry run. Once things look as expected, tick “Save Changes” to write the changes in the database. This should change all the reference to the http://domainname in each post to the https://domainname. There is no undo to this action, so “Save Changes” only when you are more than 100% sure about it.
We have changed the post content that embeds or links to our domain to an HTTPS-based URLs. Other domains may not always be on HTTPS and so to avoid mixed content errors for such embeds, XenForo provides an image proxy.
Enable Image proxy in Admin CP > Options > Messages > Image and Link Proxy: Proxy Images.
Provide a hard to guess “Image and Link Proxy Secret Key”. For HTTPS we only need to enable Proxy Images and don’t need to enable “Proxy Links”.
Step 4. Enforcing HTTPS
You don’t want the site to be accessible on HTTP://DomainName as well as HTTPS://DomainName. So you want the HTTP-version of the site to be redirected to HTTPS version of the site. Add the following line of code in the .htaccess file.
If you are using SEO friendly URLs, the above lines can be the at the beginning of the htaccess file.
Once you enforce the URLs, the non-https URLs will redirect to the https version of it and so you may need to update the site URLs for
- PayPal IPN – If you have a paid membership setup, a PayPal IPN notification is used for members PayPal subscription payment. The HTTP-based url in PayPal IPN should be changed to HTTPS-based URL or else the paid membership functionality may be broken and users upgrade may not function as expected.
- Social Media Integration – Each of FaceBook, Twitter and Google+ apps need a change in website URL from HTTP to HTTPS-based URL.
Finally, remember Google Webmaster Tools treats HTTP and HTTPS based website as different. So add https based website yet again as new web property in GWT.