How to add HTTPS and SSL to WordPress – Step by Step Guide!

How to add HTTPS and SSL to WordPress

Some of the links in this post are affiliate links. This means if you click on the link and purchase the item, we will receive an affiliate commission at no extra cost to you. All opinions remain our own.

While the Internet has brought many great things, one part of our lives that it has slowly eroded is privacy. Sharing all kinds of details about ourselves online has become completely normal.

I’m not just talking about the way we now let everybody know what we had for lunch today (I had a massive salad, you?) but also the way we give out information that should be kept private.

Credit card numbers, bank account information, not to mention the login credentials for the dozens of websites you have probably already signed into today.

It’s about time this information got the protection it deserves.

However, this is not your usual rant about consumers needing to be more vigilant with their data. Instead, we are turning the spotlight on you as a website owner.

If your WordPress site handles sensitive information, you absolutely need to make sure your visitors and customers can trust you with it. And there are several ways to do so.

However, besides refraining from being a douchebag who sells sensitive data to third parties (which we will assume you are not), one of the most important steps is to learn how to add HTTPS and SSL to WordPress.

What Are HTTPS And SSL?

You have probably heard these two acronyms before. If not, chances are you have seen them at work anyway.

You may have noticed that whenever you are interacting with a secure site (such as your online banking portal), the address in your browser bar has https:// in front instead of the usual http://.

In addition to that, most modern browsers will show a little padlock in the browser bar whenever you are connected to such a site.

In some cases, you will even see the full company name displayed.

These are signs that the site you are currently on has taken measures to protect its traffic and the privacy of its visitors.

The tools for that are the aforementioned HTTPS and SSL. They help make communication on the Internet safer.

HTTPS stands for HyperText Transport Protocol Secure. It differs from regular HTTP in that it uses an SSL (Secure Socket Layer) certificate to establish a connection between the browser and the server.

The protocol sets up the connection between the two. Once the connection is successfully established, only encrypted data will be transferred.

That means all plain text information that could be read by any schmuck out there will be replaced with random letter and number strings that are not readable by humans.

Should any hacker manage to interfere with the exchange of information, the encryption makes it much harder to make any sense of it. Yay!

The SSL certificate used for such a connection is attached to the website. Certificates are issued by a so-called certificate authority (CA) and are unique to the site they are being used on.

While theoretically anybody can issue SSL certificates, browsers only regard those from known authorities as trustworthy. Consequently, the CA functions as a guarantee that you are accessing a legitimate site.

Most modern browsers will warn you if the certificate doesn’t match, since the connection would then be considered insecure.

Geek Footnote: Encryption Standards

SSL and HTTPS come with different encryption standards. The oldest one is called SHA0 and is no longer in use. Its successor SHA1, while still in circulation, is currently being phased out. Google Chrome, for example, will start issuing warnings for websites running on this standard by the beginning of 2016.

The current encryption standard for SSL protocols is SHA2. However, at some point, it will give way to SHA3, which is currently in development.

Fun fact: SSL is actually not the correct name for the certificate anymore. The technology was improved in the late 90s and its name was changed to TLS (Transport Layer Security). However, the acronym SSL stuck and is evidently still being used to this day.

What Do You Need SSL And HTTPS For?

Learning how to add HTTPS and SSL to WordPress is absolutely essential if you run an eCommerce site and accept payments. Your clients’ financial information is nothing to be played with.

However, the protocol can also be used to protect other information such as login credentials, address data and similar things people want to keep private.

As a website owner, you might also consider adding HTTPS for more selfish reasons, because it has become a ranking factor on Google and other search engines. While the effect is not great at the moment, Google has announced that the boost will increase over time.

Plus, since we are talking about SEO: HTTPS will also help your rankings because it loads faster. Don’t believe me? You can try it out here. I probably don’t need to tell you that page loading time is a ranking factor.

Making The Switch to HTTPS

The first step to moving your website to HTTPS is acquiring an SSL certificate. They can be obtained from many different sources.

A good place to start is your hosting company, as they often provide certificates as part of or in addition to their hosting packages.

However, there are also several third-party providers out there. For an idea of who to turn to, you can check the list of included certificate authorities in Mozilla Firefox.

Costs can vary a lot depending on the provider, your number of (sub)domains, and other factors. Unfortunately, especially if you are running several websites, it can get pricey pretty quickly.

The cost factor is also one of the reasons why I'm waiting for Let’s Encrypt, an upcoming free and open-source certificate authority (Automattic is among the sponsors).

Once you have settled on a certificate, you will need to follow the provider’s instructions. The process is different for everyone, so I cannot tell you how to do it here.

After that, you need to talk to your hosting provider to implement the certificate and make the switch to HTTPS on the server side. That’s also the reason why turning to your provider for the certificate might be the easiest option.

All done? Good, now on to your part and making the necessary changes to WordPress.

How to Configure WordPress For HTTPS And SSL

Unfortunately, just adding the certificate is not enough. You have to make additional changes to WordPress.

The following steps assume that you want to use HTTPS everywhere on your site, which is usually a good idea. Better safe than sorry.

However, there are also use cases for using secure connections only on parts of your site. We will get to that later.

1. Back Up!

As with everything that involves major changes to your site, your first instinct should be to create a backup. That way, if things go wrong, you can always revert to the previous state. So do it now! I’ll wait.

2. Add SSL to The WordPress Admin Area

The first thing we want to do is add an HTTPS connection to all pages in the WordPress backend. That way, when anybody logs into your site, all data will be exchanged securely.

To achieve this, you need to add the following line of code to your wp-config.php file:

// Force HTTPS for the login page and the admin area
define('FORCE_SSL_ADMIN', true);

Be aware that this code must be inserted somewhere before the line that says “That’s all, stop editing!”. Otherwise, it won’t be executed.

Once you have added the line, saved the file, and re-uploaded it to your server, it’s time to run a quick test. Go to your login page (i.e. to verify that everything is working properly.

If all goes well, you should have a secure connection. However, if you run into a problem, remove the line from wp-config.php, because something is wrong and you need to do some troubleshooting.

However, for now, we will assume everything is alright and we can move on to the next step.

3. Update Your Site Address

If your admin area has been successfully moved to HTTPS, it’s time to do the same for the rest of the site. For that, we first need to change your site address.

This is as simple as going to Settings > General and adding https:// to both your WordPress address (where your installation resides) and site address (the address your visitors type into their browser).

Save and done. You might have to log in again afterward.

To make sure that your visitors actually get to surf your site securely, you also need to set up a redirect in .htaccess. Most people should already have this file present on their server (make sure that your FTP client is displaying hidden files), but if not, now is the time to set one up.

Inside the .htaccess file, place the following lines of code:

# Redirect every plain-HTTP request to the same host and path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Now all of your visitors should automatically be redirected to the secure part of your website. Much better, right?

Setting Up HTTPS On Single Pages Only

While I recommend using SSL everywhere on your site, there might be some of you who only want to have it on individual pages.

A use case is, for example, if you decide to implement secure connections only for sensitive parts of your site such as checkout forms, shopping carts, or similar, and leave the rest as it is.

This goal can be achieved with the WordPress HTTPS (SSL) plugin. It lets you choose where to use HTTPS on your site.

While the plugin hasn’t been updated in a while, reputable sources say it is still safe to use. Should you encounter problems, an alternative is iThemes Security, which has similar capabilities.

In theory, the above should be more than enough to move your entire site to SSL. However, since things don’t always go smoothly, here are a few troubleshooting tips.

1. Mixed Content Warnings

Mixed content occurs when parts of your content continue to be delivered via HTTP while the rest of your site has moved on to the more secure HTTPS.

In this case, modern browsers will show a warning, causing your users to view your site as insecure. This should of course be avoided.

Use the free tool SSL Check to scan your entire site for insecure images, scripts, CSS files and so on. With this information, you can then take corrective action. An alternative for checking individual pages is Why No Padlock?.

You can also look out for the padlock symbol in your browser bar while browsing your site. It will show a warning when you are visiting a part that has mixed content on it.
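
An added example, not part of the original article: a small Python scanner that lists the http:// subresources a saved page would still request, which is the condition the checking tools above look for. The sample HTML, the function names and the active/passive labels are constructed for illustration.

```python
from html.parser import HTMLParser

ACTIVE = {"script", "iframe", "link"}           # scripts, frames, stylesheets
PASSIVE = {"img", "audio", "video", "source"}   # images and media

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would still load over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheets are fetched; rel=canonical and friends are just links.
            if "stylesheet" not in a.get("rel", "").lower().split():
                return
            urls = [a.get("href", "")]
        elif tag in ACTIVE | PASSIVE:
            urls = [a.get("src", ""), a.get("poster", "")]
            # srcset holds comma-separated "url descriptor" candidates.
            urls += [c.split()[0] for c in a.get("srcset", "").split(",") if c.strip()]
        else:
            return  # <a href="http://..."> is navigation, not mixed content
        kind = "active" if tag in ACTIVE else "passive"
        for url in urls:
            if url.strip().lower().startswith("http://"):
                self.findings.append((kind, tag, url.strip(), self.getpos()[0]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
</body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_PAGE), sep="\n")
```

Protocol-relative URLs such as //cdn.example.net/lib.js inherit the page's scheme, so the scanner leaves them alone.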

2. Expired Certificates

When your certificate expires, visitors get a strong warning about it and are advised against entering your site. Consequently, you shouldn't let this happen. Always make sure that your certificate is renewed in time.

A similar warning is given for self-signed certificates that haven't been validated by an external authority. Another argument for going with a reputable source for your SSL certificate.

3. Domain Name of Certificate Does Not Fit Site Address

Sometimes the reason your site doesn’t get the green light from browsers is that the domain name of the certificate and your site’s domain name are different. If that is the case, you need to resolve it with your domain authority.

To find out whether this error is the one you are getting, the aforementioned Why No Padlock? can help. Another tool for server analysis is SSL Server Test by SSL Labs. It is also free to use and can give you loads of information about your SSL configuration.
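
The checks behind troubleshooting items 2 and 3, as an added example that is not from the original article: given certificate fields in the shape Python's ssl.SSLSocket.getpeercert() returns, it reports an expired or soon-to-expire certificate and a host name the certificate does not cover. The sample certificate, the 30-day renewal window and the function names are assumptions.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """True if one certificate DNS name covers host; '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, now, renew_days=30):
    """cert: dict in the shape returned by ssl.SSLSocket.getpeercert(). Returns a list of problems."""
    problems = []
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    left = expires - now
    if left.total_seconds() < 0:
        problems.append("expired")
    elif left.days < renew_days:
        problems.append(f"expires in {left.days} days")
    # Browsers match the site address against the DNS entries in subjectAltName.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, host) for name in names):
        problems.append(f"name mismatch: {host} not covered by {names}")
    return problems

# Constructed certificate data (not from a real site).
SAMPLE_CERT = {
    "notAfter": "Mar 10 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    for host in ("www.example.com", "shop.example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, now))
```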

4. CDN Doesn’t Support SSL

If you are one of the many WordPress users who use content delivery networks to speed up their site, you need to make sure that your CDN supports SSL before making the switch. MaxCDN is an example I hear good things about when it comes to HTTPS. If you are using a different provider, talk to them beforehand.

If you do decide to go with MaxCDN, we have a unique coupon code that will give you a 25% discount.

Summing up

If you are running a WordPress website that deals with sensitive data, you will not get around implementing HTTPS. Without traffic encryption, the chance of your clients’ information being intercepted is simply too great.

Besides being a responsible service provider, the added layer of security is also a positive signal for search engines. So if you don’t do it for your clients, at least do it for the rankings.

However, it is important to note that HTTPS is not the be-all and end-all of WordPress security. To keep your site truly safe, additional measures are necessary.

A good place to start is high-quality security plugins such as the aforementioned iThemes Security, WordFence, or All In One WP Security. Considering a paid service like Sucuri is also not a bad choice. Aside from that, some articles on security can be found right here on WPKube.

Remember, an ounce of prevention is worth a pound of cure. Take WordPress security seriously. Your visitors and customers will thank you.

Have you switched to HTTPS/SSL? Anything to add to the above? Please share your thoughts in the comments.