How to add WordPress SSL and HTTPS – Beginner’s Guide

What is SSL (Secure Sockets Layer) and HTTPS?
SSL and HTTPS are internet protocols used to establish a secured connection between a user’s web browser and the server they are accessing. This is a great method to protect users from harmful attacks and malicious intentions while they use the internet.
SSL provides communication security when data passes from server to server. Similarly, HTTPS is a secured version of HTTP. HTTPS adds authentication for both the website and its server and helps establish a secured connection between them.
SSL and HTTPS are mutually inclusive. This means that they cannot exist without each other.
Why should we enable SSL and HTTPS?
In simple words, these protocols protect both the user and the website. SSL and HTTPS certification implies that your website is protected and trustworthy. Using this protection also lets the browser show a secured connection, so your readers and customers can use your website without worrying.
Furthermore, search engines prioritize websites with secured connections, so from an SEO viewpoint it is always a good idea to have an SSL certificate.
An SSL certificate is almost compulsory when your website deals with online transactions. If your web servers aren’t protected, it is easier to steal customer data, credit card info and more. Similarly, customers are less likely to buy products from your website if they are not sure that it is secured.
How to set up WordPress SSL and HTTPS?
First of all, in order to enable SSL/HTTPS on your website, you require an SSL certificate issued for your specific domain. This SSL certificate identifies your website and tells browsers that your website is protected and trustworthy.
Similarly, if your website uses the wrong SSL certificate, browsers detect your website as harmful and warn the user about it. Browsers may even block access to it.
Buying an SSL certificate
Some hosting providers include an SSL certificate with their plans, especially premium ones. However, if that is not the case for you, you might need to buy one from a third-party website such as Bluehost, DigiCert, and GoDaddy.
Then, you are required to choose from different types of SSL certificates, depending on the purpose of your website. Organizations and companies might require an Organization Validation (OV) certificate, while a personal website should be fine with a Domain Validation (DV) certificate.
Furthermore, you can buy a single certificate for multiple domains or a single certificate for multiple sub-domains using Multi-Domain and Wildcard SSL certificates, respectively. If you want to read more about which certificate is the better choice, we request you take a look at this infographic by GoDaddy.com.
Setting up SSL and HTTPS on WordPress
Once you have downloaded your certificate through the required process, you can generally ask your web hosting provider to install it on your server. This can also be done through the web hosting control panel provided to you. However, this process differs between service providers.
Once your SSL certificate is installed, you must direct WordPress to use HTTPS.
This process is different for new sites and older sites.
For newer sites:
If you are setting up a new website, you can set it to use SSL simply by changing the website’s URL in the WordPress settings.
For this, go to WordPress’s admin page and open its General settings.
Here, you can set your WordPress address (URL) and site address (URL) to have HTTPS instead of HTTP as the prefix.
Remove the HTTP at the start and replace it with HTTPS.
For already existing websites:
If you plan to update your website to start using SSL, you need to insert a few lines of code into your .htaccess file. This instructs the website to redirect to HTTPS if someone tries to access your website using HTTP.
First, you need to connect to your server with an FTP client and open the .htaccess file inside your WordPress installation.
This file resides in the root directory of your WordPress installation and might be hidden by default. You need to enable your FTP client to view hidden files.
If you still can’t find your .htaccess file, you can create a new one by going to WordPress’s settings and clicking on Permalink. Then, click on Save Changes and it should be done.
Then, once you can open the .htaccess file, insert the following code into it:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]
</IfModule>
Furthermore, if you want your login pages or multi-site admin area to use HTTPS as well, you need to add the following code to the wp-config.php file:
define('FORCE_SSL_ADMIN', true);
Once this is done, your website should be protected and should be using HTTPS. If you get an error regarding security, check your SSL certificates and whether or not they are installed correctly.
Fixing HTTPS mixed content
Even if you enable HTTPS and force the browser to redirect to HTTPS, your website might still have HTTP content. Some elements might reference content over HTTP, which means that this content is insecure.
To fix it, you can manually change these elements so that their URLs use HTTPS.
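To find the elements that need changing by hand, the following Python scanner lists every http:// subresource in a page's HTML. It is an added example, not part of the original guide or of any plugin named here; the sample markup and the cdn.example.com and partner.example.com hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that makes each tag fetch a subresource. <a href> is navigation, not a load.
LOADERS = {"script": "src", "iframe": "src", "link": "href", "object": "data",
           "embed": "src", "img": "src", "audio": "src", "video": "src", "source": "src"}
# Script-like or framing content ("active" mixed content); the rest is "passive".
ACTIVE = {"script", "iframe", "link", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = LOADERS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # <link rel="canonical"> and similar only name a URL; a stylesheet is fetched.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        url = (a.get(attr) or "").strip()
        # https:// and protocol-relative (//host/...) URLs are fine on an HTTPS page.
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], kind, tag, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page source (not taken from a real site).
SAMPLE = """\
<link rel="canonical" href="http://www.yoursite.com/shop/">
<link rel="stylesheet" href="http://www.yoursite.com/wp-content/themes/t/style.css">
<script src="https://www.yoursite.com/wp-includes/js/jquery.js"></script>
<script src="http://cdn.example.com/widget.js"></script>
<img src="http://www.yoursite.com/wp-content/uploads/logo.png">
<img src="//www.yoursite.com/wp-content/uploads/banner.png">
<a href="http://partner.example.com/">Partner</a>
"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Run it over the saved source of a page (View Source, then save) and fix the "active" findings first, since those are scripts, stylesheets and frames.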
You can also use a WordPress plugin to make this job easier. Many of these plugins have features to fix the unsecured content on your website: they find the HTTP links and content inside your website and change them to HTTPS.
Some of these plugins are:
Really Simple SSL
This plugin sets up your website to automatically redirect to HTTPS and scans your website for insecure content. It is lightweight and very easy to use. Similarly, the plugin checks your SSL certificates and notifies you if there is an issue.
Really Simple SSL also fixes most issues WordPress has with SSL. The plugin also has a feature for forced HTTPS redirection so you can essentially skip the step above if you are having an issue with it.
WordPress HTTPS
This free plugin lets you detect and fix insecure HTTP content on your website. Furthermore, this plugin is compatible with various other plugins. This SSL mixed content fixer also works with Visual Composer and Disqus and also fixes Google Fonts issues.
This easy-to-use plugin also lets you enable HTTPS exclusively for specified posts and pages while letting the rest of your site run on HTTP. WordPress HTTPS also lets you force HTTPS on your entire website as well as admin pages. You can skip the step above regarding the .htaccess and wp-config.php files by using these features.
SSL Insecure Content Fixer
SSL Insecure Content Fixer lets you detect insecure content on your websites. The plugin also automatically solves most insecure content by itself. However, it will notify the user about the issues on the website and direct the user to them to be fixed.
You can also choose the level of fixing for the insecure content. You can define up to which level to fix, from simple to content to widgets and even scripts, stylesheets, and Ajax calls.
The plugin also provides fixes for specific plugins and themes.
Using the plugins
In order to demonstrate how these plugins work, we will be using the WordPress HTTPS plugin, as it is extremely easy to use and lets you easily force HTTPS all over your website. The plugin also lets you enable HTTPS exclusively for given pages and posts, which will be explained as well.
First, install the plugin. If you are not aware of the process to do so, refer to here.
Then, go to the plugin’s page through the sidebar on the Admin dashboard.
Now, click on the option that says Remove insecure elements. This will replace all HTTP content on your website with HTTPS. However, this might break some plugins if they use HTTP content exclusively.
Furthermore, you can force SSL on admin pages using the Force SSL administration feature.
Forcing SSL exclusively
If you want to enable SSL on specific pages or posts, you can use the WordPress HTTPS Plugin to enable this as well.
For this, go to the plugin settings. Then, click on Force SSL Exclusively to enable this feature.
To specify the posts and pages to use this feature, you can tick this button to enable HTTPS on the given post and its child posts.
This should enable HTTPS on the posts and pages where you’ve ticked this feature.
Concluding:
Thus, if you enable SSL and HTTPS on your website, you can provide secured content to your viewers and they can browse your website, buy your products and more with less concern. However, SSL isn’t the do-all answer to website protection and you can enable other such features to provide a more secure experience to your readers.
In order to learn more about these features and internet security, consider reading these articles.
- Enabling User roles in WordPress
- How to Password Protect a WordPress page or post
- How to make your WordPress website private