SECURITY

A Comprehensive Guide on Adding SSL and HTTPS to WordPress site

Last Updated: 8 mins By: Sijal Shrestha

The Internet has evolved, it is now a hub of websites that are spreading across the web plains like Wildfire. As the massive infrastructure of sites has increased, so has the risk of attacks have significantly also increased. Hackers are now at an advantage because web applications do not offer you as many security layers.

One common web application which we usually come across while surfing the Internet is WordPress. It is a Content Management System (CMS) and not just any CMS, but the most popular CMS in the world. WordPress holds the lion’s share in the website world. Hence, the more popular you are, the more you are at risk. WordPress has become an attractive target for attackers across the world.

Among various techniques of making a site secure, the most renowned and efficient way is to encrypt the communication between a browser and the server, that’s called SSL encryption. In layman’s terms, Whenever a user enters their information on a site may it be for e-commerce purpose for e.g when purchasing an online product or simple user login, SSL makes sure that the information that we enter is transferred securely and is not being compromised.

For those of you who aren’t well aware of what FREE SSL for WordPress is, here it goes:


What is an SSL?

SSL is the abbreviation for Secure Socket Layer. It is a standard way to create an encrypted communication channel between a web browser and a web server. It ensures encryption and data security between the two.

To provide a much secure web browsing to individuals, Google prefers SSL certified websites in its SERP. Also, the internet browser giant, Google Chrome marks NON-SSL script handling pages as NOT-SECURE. This can create a strong barrier between your potential customers and your online web store.

SSL Warning in Google Chrome

The purpose of SSL certificates mainly encircles securing confidential information of users on the internet. These may include credit card details, registration, login and other types of forms.

While you are surfing the Internet, you may find a number of SSL Certificate Providers. However, in my article, I am going to discuss the FREE SSL Certificate offered by Let’s Encrypt.

So without any further Ado, let’s begin.

What is Let’s Encrypt?

According to the official Let’s Encrypt website:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).”

The project was initiated back in the mid of 2016. Within a year, it gained incredible popularity and issued certificates to more than fourteen million domains. Since, the project is a non-profit project, within a short period of time a number of sponsors came forward to support the cause.

Let’s Encrypt Support on Web Hosting Provider

Besides regular installation of paid SSL certificate providers, most of the hosting providers now support Let’s Encrypt too. If you can’t find any knowledge base or tutorial on your respective hosting provider. Ask their support how you can do that.


Adding FREE SSL Certificate to WordPress

Adding a Let’s Encrypt FREE SSL to a WordPress website is pretty easy. Most of the hosting providers (Including cPanel) allow installing Let’s Encrypt in just a single click. Popular WordPress hosting companies like SiteGround, A2 Hosting, Dreamhost, HostGator etc. support adding free SSL certificate via Let’s Encrypt. In my example, I have installed SSL certificate in just 1-click on Cloudways. You can simply contact your host about this and if they provide this feature they will be happy to install the free SSL certificate for you.

This article is mainly focused on further configurations which are required on your WordPress site after adding free SSL certificate from your hosting provider.

Test SSL Certificate

To test SSL Certificate, there are a number of online tools on the Internet. They can verify whether the SSL certificate is properly installed and configured on your website or not. In my opinion, SSL Server Test by SSLLabs stands top among them. I have just added the certificate and tested my domain via the mentioned tool and here is what I got!

Verify SSL Certificate

This confirms that the domain can be served via HTTPS now. I have tested by visiting my domain with http://domain.org and https://domain.org. As you can see, my domain is serving with and without SSL.

With HTTP (NON-SSL)

Without SSL

With HTTPS (SSL)

Site with SSL

You might be thinking, why my domain is not serving via HTTPS only? The reason is, I didn’t force my domain to be served via HTTPS only.

Redirect HTTP to HTTPS

To redirect my domain from HTTP to HTTPS, I need to create a rule in WordPress htaccess file that will be redirecting my site to HTTPS. To do that, I logged into my Cloudways hosting account via FTP, navigated to my WordPress root directory and opened the .htaccess file with a text file editor. At the beginning of the file, I have pasted the following lines just below “RewriteEngine On”.

1

2

3

RewriteCond %{HTTPS} off

RewriteCond %{HTTP:X-Forwarded-Proto} !https

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now, if anyone will visit my website, it will automatically be served via HTTPS even if someone tries to visit via http://domain.org.

Change All Internal URLs to HTTPS

Since my website is already live, having a lot of content. All internal URLs should also be replaced with HTTPS. To do that, I navigated to Settings -> General, and replaced HTTP with HTTPS where it says: WordPress Address & Site Address and clicked on Save Changes at the bottom of the page.

Change Site Address

All my new and existing URLs will now be served as HTTPS.

Mix Content Warning in WordPress

All internal URLs should be moved to HTTPS. But, there is a possibility that few of the content URLs are still on HTTP. Those pages must have an info icon ⓘ instead of a green padlock. They are to be identified and their respective HTTP URLs are to be replaced with HTTPS. To identify them, there is an excellent online tool by JitBit that will scan the complete site and detect pages that have HTTP URL/s.

JitBit SSL Check

Fix Mix Content Warning in WordPress

To fix above detected URLs, there is a plugin named as Velvet Blues Update URLs that can search and replace all URLs. Install & Activate the plugin, and follow the screenshot below.

Update URLs in Velvet Blues Plugin

After replacing URLs, let’s check HTTP URLs once again. And here is the result.

SSL Check by JitBit


All in One Solution for SSL on WordPress

There is another excellent plugin “Really Simple SSL ” that automatically detects your site settings and configures your WordPress site to run over https.

You can Install & Activate the plugin from WordPress admin dashboard. Then navigate to Settings -> SSL -> Settings tab. Configure it in accordance to your preferences.

Really Simple SSL Settings

Once done, Save it and then navigate to Configuration tab.

Really Simple SSL

And there you go, you are done with configuring the plugin! If you still encounter any problems, then the best way is to resolve them manually as discussed above.

Configure HTTPS URLs in Google Analytics

The last and most important step is to configure HTTPS URLs in Google Analytics so that you can track your visitors.

To do so, navigate to your Google Analytics account and then navigate to Admin. Select your specific property and click on Property Settings and change Default URL to HTTPS. Refer to the image below.

Change Default Property URL

Now, get into the view tab by going one step back, and then select View Settings. Change Website’s URL to HTTPS.

Change Website URL in Google Analytics

And that’s all! Today, I have guided how you can easily integrate Let’s Encrypt FREE SSL Certificate to a WordPress website and how you can track site visitors. One more thing to notice, if your site has third party integrations, like the Facebook page, Twitter account etc. Make sure that all of them are having HTTPS URL.

Important note: You might be thinking, SSL certificates can completely secure a WordPress website. Actually, it’s not, it only encrypts the communication between your web browser and server. However, if you are seeking to secure your online store, then here are a few WordPress security tips that can help you with securing a WordPress site too.

If you have any question in mind, feel free to ask. I would love to answer.


Author Bio

mustaasamMustaasam Saleem is a WordPress Community Manager at Cloudways – A Managed WordPress Hosting Cloud Platform, where he actively works in learning and sharing knowledge with the WordPress Community. When he is not working behind his computer screen, you can find him playing squash with his friends, or defending in Football and listening to music.

(This is a guest post. View guest posting guidelines.) 

Sijal Shrestha

Love to read and socialize. This ThemeGrill author is free for all forms of criticism and advice. Yearning for new topics to learn and discuss.

4 thoughts on “A Comprehensive Guide on Adding SSL and HTTPS to WordPress site

  1. Thank you Mustaasam, I rarely leave comments when I read blogs. But you Sir, have made my life easier by summarizing everything about SSL in one page. THANK YOU.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top

Pin It on Pinterest