HTTPS and SSL on WordPress

Guide:  How to Enable SSL On WordPress

Almost every day, we share our own personal information online, from simply logging in to a website to making an e-commerce purchase with a credit card. All of these activities must be protected by using a secure HTTPS connection. HTTPS helps prevent intruders from passively listening to or accessing communications between a website loaded on your browser, and the hosting server.  In this post we’ll show you how to add SSL on WordPress to make your URL show HTTPS and a padlock in your visitors web browser.

What is an SSL Certificate?

Secure Hypertext Transfer Protocol (HTTPS) is an encryption method that secures that connection and each site using HTTPS requires a unique SSL certificate for identification process. If a server is using HTTPS without a matching SSL certificate, most modern browsers will display a warning to users visiting the website.

If your website has e-commerce features (such as WooCommerce) that collects payment information, then you absolutely need a SSL certificate. Also, most payment merchant services such as Stripe will require you to have a secure HTTPS connection.

Once you have an SSL certificate setup on your website (usually purchased from your web hosting provider), you can enable the secure HTTPS connection on your WordPress dashboard so all visitors will be forced to use the secure version.

Step 1:

To update your WordPress website URL to use HTTPS everywhere:

Change the “Site Address” under General Settings in your WordPress dashboard to include “https://“ in WordPress Address and Site Address.

Enable SSL on WordPress

Step 2:

If you’re adding SSL to your existing website, you should setup an SSL redirect for all resources from HTTP to HTTPS. Add the following code in your .htaccess file and replace domain.com with your real domain name:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]

Step 3:

In some cases, you may notice that after making the change to SSL, your browser has detected some HTTP assets loading on a HTTPS page (this may not affect ALL of your web pages). This situation is not ideal, as it will result in a a browser messaging stating “your connection is not fully secure”.

Secure SSL on WordPress

The easiest way to determine which elements are not secure is to open the source code (View Page Source, or View Source in most modern browsers) and search for “http://“ text in the source code.  This will point you to exactly which elements need to be updated.   You can also use Why No Padlock which is a free tool that will scan your website and tell you what content needs to be fixed.

Often these are elements that you have embedded from a different website, such as images, centralized CSS/JS files, etc. Use relative URLs (/img/image1.png) instead of hard-coded (website.com/img/image1.png) if possible.

Lastly, you can download a Free WordPress Plugin called SSL Insecure Content Fixer which will scan your site and auto fix any mixed content.

ssl-content-fixer

There you have it, you can now enable SSL on WordPress and secure your pages showing a padlock.  Once you have SSL enabled your address bar URL will show as https instead of just http.