How to enable SSL and HTTPS on your WordPress site (correctly)

If you have a website, there may be people who trust you with their personal information. That means you need to define strong security standards, and SSL and HTTPS both play an essential role in making that possible. Fortunately, activating an SSL certificate in WordPress and enforcing HTTPS on the platform is quite simple, and can be done in just a few steps.

In this article, we will talk about:

  1. What is SSL and when should you use it?
  2. What is HTTPS and how does it work together with SSL.
  3. How to enable HTTPS and SSL through two different methods.
  4. Two common errors you may encounter when enabling SSL in WordPress, and how to deal with them.

We have an important topic in front of us and a lot of ground to cover, so let’s get to work!

What is SSL (and when should you use it)

Secure Sockets Layer (SSL) is a technology that creates a secure connection between a website and a browser. Websites that use SSL have “certificates” that let you know that your private information is secure during each transfer.

You can recognize most sites that use these certificates, due to the green padlock symbol that many browsers use to identify them:

For example, if you’re buying something online, you should only do so through websites that use SSL. Otherwise, hackers could read or modify your payment information as it is sent over the web.

As for your own website, the use of SSL is a must. There are a number of when doing it:

  • If you have a website where you encourage users to register and share private information, their data will be more secure.
  • Your website will be more reliable.
  • An impressive green padlock will appear next to your web address in various browsers.
  • You will have advantages in the .

To elaborate on this last point, search engines like , giving preference to secure sites in their results. That means you can protect your users’ information and possibly get a little more traffic at the same time.

Also, Google announced that Chrome will display a “not secure” warning as early as 2018. So now is a good time to harden your website security with an SSL certificate, if you haven’t already.

Currently, setting up an SSL certificate in WordPress is very simple. There are several types of SSL certificates, but you probably won’t need anything fancy unless you have a fairly large website or sell products online.

For all other websites, a free certificate will usually suffice. Plus, you can easily set up one that works with .

What is HTTPS (and how does it work with SSL)

When you set up an SSL certificate for your website, you’ll also need to set it up to transmit data using Hypertext Transfer Protocol Secure (HTTPS). Every site you visit uses HTTP or HTTPS as a prefix for its full URL, including :

HTTPS works the same as HTTP, but applies higher security standards. If you load a website that uses HTTPS, you know that your data is safe during transfer. However, for HTTPS to work, the website you are trying to access needs an SSL certificate.

If you try to access a site without SSL using HTTPS, you will see an error like this:

In other words, SSL and HTTPS work hand in hand. If you only use one, the information that users submit through your website will not be protected.

Therefore, your first step should be to obtain an SSL certificate and configure it to work with your website. When you have that, you need to tell WordPress to load using HTTPS instead of HTTP. Let’s see how that process works.

How to configure WordPress to use SSL and HTTPS (2 methods)

At this point, we will assume that you already have an SSL certificate set up for your website. When you’ve done that, you simply need to force WordPress to use HTTPS. There are two main ways to do it.

1. Use the WordPress dashboard and a 301 redirect

After you have configured an SSL certificate in WordPress, you need to configure your website to use HTTPS. This process is simple if you are starting a new website. However, if you’re adding an SSL certificate to a site that’s been around for a while, it’s a bit more complicated.

In any case, your first step is to go to your dashboard and open the Settings › General tab. Inside, you will find two fields called WordPress Address (URL) and Site Address (URL). Your website address should be identical in both, and they should show HTTP.

What you have to do is replace the HTTP prefix with HTTPS in both fields and save the changes to your configuration:

That’s all you need to configure WordPress to use HTTPS. However, some users may have saved the old URL of your website and may have incoming links across the web. You need to make sure that those people access the HTTPS version of your site. For that, you can set up a URL redirect.

There are many types of redirects that you can use. However, it’s generally better to use a 301 redirect, which tells search engines that your website has permanently moved from one address to another. To implement this redirect, you must edit a file called .htaccess, which controls how your server interacts with WordPress, as well as its URL structure.

This will require you to access your site’s files directly, using a File Transfer Protocol (FTP) tool like . If this is your first time doing this, you can find all the details at .

After connecting to your website via FTP, go to the folder public_html and find the file .htaccess inside:

Select that file and right click on it, then choose the option View/Edit. This will open the file with your local text editor, and allow you to make changes to it. Do not modify any of the code inside .htaccess unless you know what you’re doing. Simply scroll to the bottom of the file and paste the following code snippet:

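    # Redirect plain-HTTP requests (port 80) to the HTTPS site
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    # R=301 marks the redirect as permanent; L stops further rule processing
    RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]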

For this to work, you’ll need to replace the example URL in this code with the full HTTPS address of your website. This will redirect any connection coming in through port 80 to your new secure URL. As you may know, port 80 is the default for HTTP connections, so this will catch just about anyone trying to access your website via the old address.

After you have added the code with your URL, save the changes in .htaccess and close the file. FileZilla will ask you if you want to upload those changes to your server, which you’ll want to accept. If you try to visit your website using the HTTP URL, your browser should automatically redirect you to the HTTPS version.
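A check for the redirect described above, as an added example that is not part of the original article: it reads response headers such as those printed by curl -sI and reports a redirect that is not permanent, does not land on HTTPS, or drops the requested path. The function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Split a raw HTTP response head into (status_code, {header: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])          # e.g. "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_problems(requested_url, raw_head, expected_host):
    """Return a list of problems with an HTTP-to-HTTPS redirect (empty = OK)."""
    status, headers = parse_head(raw_head)
    src = urlsplit(requested_url)
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    location = headers.get("location")
    if not location:
        return problems + ["no Location header"]
    dst = urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target uses {dst.scheme or 'no scheme'}, not https")
    if dst.hostname != expected_host:
        problems.append(f"redirect target host is {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved")
    return problems

# Constructed sample responses, shaped like the output of `curl -sI`.
GOOD = """HTTP/1.1 301 Moved Permanently
Location: https://www.yoursite.com/blog/post?id=7
"""
TEMPORARY = """HTTP/1.1 302 Found
Location: https://www.yoursite.com/blog/post?id=7
"""
DROPS_PATH = """HTTP/1.1 301 Moved Permanently
Location: https://www.yoursite.com/
"""

if __name__ == "__main__":
    url = "http://www.yoursite.com/blog/post?id=7"
    for name, head in [("GOOD", GOOD), ("TEMPORARY", TEMPORARY), ("DROPS_PATH", DROPS_PATH)]:
        print(name, redirect_problems(url, head, "www.yoursite.com") or "ok")
```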

2. Install a WordPress SSL plugin

If you prefer not to work directly with WordPress files, there are easier ways to force the use of HTTPS on your website. For example, you can install a WordPress SSL plugin, which adds the same code that we showed you in the previous method.

While this approach is much simpler, it also carries additional risk. For example, if you run into compatibility issues with another tool, your SSL plugin might stop working and your website won’t load over HTTPS until the problem is fixed. That means you’ll want to choose your plugin carefully.

We recommend , as it is very easy to set up. All you need is an out-of-the-box WordPress SSL certificate:

When , it will scan your website for a WordPress SSL certificate. If it finds one, it will help you enable HTTPS on your entire site with a single click. To do this, simply visit the new Settings › SSL tab in your dashboard and click the button Recharge with HTTPS. With that, you are done!

If you don’t like the Really Simple SSL plugin at all, there are alternative tools you can use to achieve the same results. Other great WordPress SSL plugin options include and .

2 Common SSL Errors in WordPress (And How to Fix Them)

At this point, you know how to make sure that all visitors to your site can use a secure connection. In some cases, however, forcing WordPress to load with HTTPS can lead to a couple of errors. Let’s talk about what they are and how to fix them, just in case.

1. Some items are not loading over HTTPS

After enabling HTTPS on your website, some of your files, such as images, may not load properly. That’s because WordPress still uses the HTTP prefix for them instead of HTTPS.
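To see which files are affected, the following added example (not part of the original article) scans a page's HTML for subresources that are still requested over plain HTTP. The class and function names and the sample markup are constructed for illustration; ordinary links and canonical URLs are deliberately not reported, because the browser does not load them as part of the page.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a file for the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "link": "href"}
# Scripts, stylesheets and frames can change the whole page, so browsers
# block them when an HTTPS page requests them over HTTP.
ACTIVE_TAGS = {"script", "iframe", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (kind, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return                              # e.g. <a href>: navigation only
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> is fetched and applied to the page.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, url))

def find_mixed_content(html):
    """Return the insecure subresources referenced by an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, as it might look right after switching to HTTPS.
SAMPLE = """
<link rel="stylesheet" href="http://www.yoursite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.yoursite.com/">
<script src="https://www.yoursite.com/wp-includes/js/jquery.js"></script>
<img src="http://www.yoursite.com/wp-content/uploads/logo.png">
<a href="http://example.org/">outbound link</a>
<img src="//cdn.example.org/pic.png">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```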

If you’re having this problem with your site’s images, CSS, or JavaScript, the easiest way to resolve it is to make a few additions to your .htaccess file. However, this approach only applies if you used the manual method in the previous section. We’ll talk about what to do if you use a plugin shortly.

Access your website again via FTP and find the file .htaccess inside the directory public_html. Open it and locate the code you added earlier to force a 301 redirect, which should look like this:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]

What you are going to do is remove that piece of code and replace it with a more complete one. This is not necessary in most cases, as it is not that common to have problems with some elements not loading correctly. However, if you have this problem, here is the code to use instead:

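    RewriteEngine On
    # Send any request that did not arrive on port 443 to the HTTPS URL
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # WordPress rules: pass requests for anything that is not an existing
    # file or directory to index.php
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]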

What this code does is force all traffic to be loaded over HTTPS. It also includes rules for your WordPress files, so the code should take care of all the files that weren’t working. After adding it, save the changes to the file .htaccess and upload it back to the server.

If you have configured your website to use HTTPS via a plugin, you should not need to manually modify your .htaccess file. Instead, most plugins offer a workaround. For example, Really Simple SSL can scan your website for files that don’t load over HTTPS, and help you fix them. To use this feature, go to the tab Settings › SSL and then go to the tab Settings of the plugin:

There is an option called Automatically replace mixed content at the top of the screen. Make sure it is enabled and then save your changes to the plugin settings. This option will ensure that WordPress loads all your files over HTTPS, and not just your…
