Have an old website and want to switch from HTTP to HTTPS? Want to know how to set up SSL on your WordPress website? You’re in the right place!
We’re going to show you how to set up SSL, register a certificate and switch your WordPress website properly from using HTTP to HTTPS.
We’ll also walk you through troubleshooting a couple of common issues website owners can face when switching.
What is SSL and why HTTPS?
First let’s tackle the basics. What is SSL and what’s the difference between HTTP and HTTPS?
SSL
SSL, Secure Sockets Layer, is a well established technology that allows secure communications between two entities. In our case, a web server and web browser.
SSL isn’t actually SSL anymore, as it was replaced by Transport Layer Security (TLS) but everyone still calls it SSL.
It encrypts all traffic between your WordPress website and a visitor’s browser. That means, anyone snooping on the site or on the connection will not be able to access the data you’re sending, which is a much more secure way to use the internet.
To use SSL, you need an SSL certificate. Certificates are only provided by trusted companies called Certificate Authorities (CAs). These companies will verify the owner of a website and provide a unique certificate to them.
This is what gives the certificate its power.
Once installed onto your web host, the certificate tells visitors you’re legitimate and will automatically trigger the HTTPS protocol in a visitor’s browser.
HTTP and HTTPS
HTTP (HyperText Transfer Protocol) is how the web works. It enables web browsers to communicate with websites and transfer data between them.
The trouble with HTTP is that it’s insecure. All data transferred between a website and a browser is ‘in the clear’. This means anyone who can intercept that traffic will be able to see exactly the traffic being sent to and from the website.
This has obvious security implications, especially for online banking, eCommerce or anywhere that requires a login!
Enter HTTPS. The extra ‘S’ stands for Secure.
HTTPS uses encryption to secure all data sent between a website and a web browser.
Now, if someone intercepts the traffic, all they will see is an encrypted mess they won’t be able to read.
As you can imagine, using HTTPS makes the internet far more secure for everyone, which is why it is now the default way to work.
All websites should use HTTPS regardless of type. Google Chrome, Firefox, Safari and other browsers flag all non-HTTPS websites as insecure.
You don’t want that for your website!
How does HTTPS work?
The principle behind HTTPS is actually quite simple. It uses TLS to set up a secure connection between the website and the web browser using asymmetric (public key) cryptography.
It looks a little something like this:
- A browser contacts your WordPress website and sees an SSL certificate present
- The browser recognises the certificate and starts an SSL handshake so it can establish a secure connection
- The web server sends the browser a public key and a copy of the SSL certificate so it can set up the connection
- The browser verifies the SSL certificate and identifies the highest level of encryption it supports
- The browser sends an encryption request to the web server
- The web server responds and a secure session using HTTPS is created
- The web browser encrypts all data sent to the website using the public key
- The website uses its private key to verify the data and encrypt any data it sends the browser
Asymmetric public key cryptography is both simple and complex, and it is outside the scope of this post. It’s a fascinating subject though, so we recommend reading this post over at Cloudflare that goes into much more detail.
Set up SSL on your WordPress website
So, we covered the what and the why, now let’s get into the how. How to set up SSL on your WordPress website.
Many web hosts will set up SSL for you when setting up a new website. But, if you have been with your host a while, you may have to do it yourself.
Here’s how.
You’ll need an SSL certificate to complete this process. Your web host may provide one as part of your hosting plan, otherwise you can buy them from your host or from a Certificate Authority.
Install the SSL certificate on your web server
Unfortunately, it’s difficult to show you how to install an SSL certificate on your web server as every host does it differently.
We will outline how our own web host does it using cPanel. It should give you an idea of how it works.
- Log into your cPanel account
- Select the SSL/TLS Manager within the Security section
- Select Manage SSL Sites under Install and Manage SSL for your website (HTTPS)
- Copy the code from your certificate into the Certificate: (CRT) field on the page. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
- Select Autofill by Certificate
- Paste the intermediate certificates (CA Bundle) under Certificate Authority Bundle (CABUNDLE). This may happen automatically, otherwise just copy and paste
- Select Install Certificate at the bottom of the page
Once complete, you should see a message that says something like ‘SSL Host Successfully Installed’.
As mentioned, different hosts have different methods for installing SSL certificates. This is just one of many.
Configuring WordPress to use SSL and HTTPS
There are two main methods to implement HTTPS and SSL in WordPress. You can use a plugin or manually configure it.
The plugin method is easier but means installing another plugin on your website.
The manual method requires a little editing but doesn’t use a plugin.
We’ll show you how to use both.
Configure WordPress to use SSL and HTTPS using a plugin
Configuring WordPress to use SSL and HTTPS with a plugin is easy. We recommend using the Really Simple SSL plugin as it genuinely lives up to its name.
Install the Really Simple SSL plugin into WordPress and activate it, then:
- Select Settings and SSL from the left menu of the WordPress dashboard
- Select the “Go ahead activate SSL!” option in the centre of the screen
The plugin will check your website for mixed content, meaning links to HTTP content that cannot be automatically updated to HTTPS. If it finds no mixed content, it will show a success message and take you to the plugin dashboard.
If the plugin does find mixed content, it will alert you and ask you to correct it before proceeding.
We discuss mixed content in Troubleshooting, so won’t repeat ourselves here.
Configure WordPress to use SSL and HTTPS manually
Configuring SSL manually isn’t difficult but it does require editing some files and changing some settings.
If you’re comfortable with that, here’s how to do it:
- Select Settings and General from the left menu of the WordPress dashboard
- Change the WordPress Address (URL) and Site Address (URL) address fields to read HTTPS instead of HTTP
- Save the change
- Log into your web hosting control panel’s file manager
- Open the .htaccess file in the root directory (right click, Edit in cPanel)
- Add the following code to the end of the file and save
Code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
- Right click and select Edit on your wp-config.php file, also in the root folder
- Add the following code to the end and save
define('FORCE_SSL_ADMIN', true);
- Log out of WordPress and back in again using HTTPS instead of HTTP. Everything should work and pages and posts display as normal.
You should see a padlock icon in the URL bar of your browser and/or https:// before your URL.
This shows that SSL is working correctly.
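To confirm the redirect rule outside the browser, the Python below (an added example, not part of the original post) judges a plain-HTTP response against what the .htaccess rule should return: a 301 to the same host and path over https. The function names and the example.com responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit


def judge_redirect(host, path, status, location):
    """Compare one plain-HTTP response with what the rewrite rule should send:
    a 301 to https://<same host><same path and query>. Returns the problems."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location is not https: {location!r}")
    if target.netloc.lower() != host.lower():
        problems.append(f"host changed to {target.netloc!r}")
    got_path = target.path + ("?" + target.query if target.query else "")
    if got_path != path:
        problems.append(f"path changed to {got_path!r}")
    return problems


def check_site(host, path="/wp-login.php", timeout=5):
    """Send HEAD http://host/path without following redirects and judge it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return judge_redirect(host, path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed responses (status, Location) for http://example.com/wp-login.php
CONSTRUCTED = {
    "rule active": (301, "https://example.com/wp-login.php"),
    "rule missing": (200, None),
    "temporary redirect to home page": (302, "https://example.com/"),
}

if __name__ == "__main__":
    for name, (status, location) in CONSTRUCTED.items():
        result = judge_redirect("example.com", "/wp-login.php", status, location)
        print(name, "->", result or "OK")
```

Run `check_site("your-domain")` against your own site after saving .htaccess; an empty list means the HTTP request was redirected as the rule intends.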
Troubleshooting SSL in WordPress
There are two issues you might come across when switching to SSL in WordPress. Let’s tackle both of them here.
The first is mixed content errors within your WordPress content and the other is mixed content within your WordPress theme.
Mixed content errors are caused by images, internal links, videos, embeds and other data within posts and pages that still link to HTTP resources.
As the browser expects all content to use HTTPS, it will show an error when it comes across an HTTP link.
This will cause browsers to still flag your website as insecure, or show a specific mixed content or insecure content warning.
We don’t want that, so let’s fix it.
Fixing mixed content errors in WordPress
The easiest way to address mixed content warnings within WordPress is to use a plugin.
There are lots to choose from but we rate Better Search Replace or SSL Insecure Content Fixer.
Both are free and both make short work of cleaning up mixed content errors in WordPress.
We’ll use SSL Insecure Content Fixer for our walkthrough.
- Install and activate SSL Insecure Content Fixer on your WordPress website
- Select Settings and SSL Insecure Content from the WordPress menu
- The default settings work fine, ‘Simple’ and ‘standard WordPress function’
- If you make any changes, select Save Changes
The plugin will automatically fix any mixed content links within your website. If you had some flagged before using the plugin, recheck the links and they should now work fine.
If they don’t, clear your WordPress cache if you use a caching plugin and everything will work!
Fixing mixed content errors in WordPress themes
The second mixed content error is to be found within your WordPress theme. Good quality WordPress themes won’t cause these errors because they don’t use absolute paths.
But, if you use an older or free theme, you may find they do, which can throw up mixed content errors.
Fortunately, there’s a fix for that.
First, you’ll need to find where those errors are.
You can use your browser’s Inspect option or websites like SSL Check or WhyNoPadlock.
The browser method:
- Open your website in your browser and use F12 or CTRL + Shift + I in Windows or Cmd + Opt + I in macOS
- Make sure you’re in the Console tab and you should see HTTP errors in red
- Identify the pages on your website and manually change any links to HTTPS
Use the website method:
- Visit SSL Check or WhyNoPadlock; we’ll use SSL Check
- Enter your URL into the box and select Check for SSL Errors
- You’ll see a display underneath the box with your pages
- Identify those with SSL Issues in red and work your way through them in WordPress to change the URLs
Those URLs could be images, video, audio, embeds or links. The display will give you a clue but otherwise, it’s a case of opening the page in WordPress and checking everything on the page.
It’s a laborious job but it has to be done!
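To shorten the manual hunt, the Python below (an added example, not part of the original post or of any plugin named here) parses a page's HTML and lists every absolute http:// URL, with its line number and whether the browser treats it as active content, passive content or an ordinary link. The tag groupings and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> URL attribute, grouped by what an http:// value means on an https:// page.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
LINKS = {"a": "href", "form": "action"}
GROUPS = (("active", ACTIVE), ("passive", PASSIVE), ("link", LINKS))


class MixedContentFinder(HTMLParser):
    """Collect (line, kind, tag, url) for every absolute http:// URL found."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        values = dict(attrs)
        for kind, table in GROUPS:
            url = (values.get(table.get(tag, "")) or "").strip()
            if url.lower().startswith("http://"):
                # getpos() is the position of the tag's opening "<"
                self.findings.append((self.getpos()[0], kind, tag, url))


def find_mixed_content(html):
    """Return the findings for one rendered page or theme template."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: output of an old theme with hard-coded absolute URLs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/old/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" />
<a href="http://example.com/about/">About</a>
<img src="/wp-content/uploads/relative.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

A `<link>` that is not a stylesheet (for example rel="canonical") is reported as active too, so review those entries by hand.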
So that’s the what, why and how of setting up SSL on WordPress. It may seem a complex process but it’s actually very straightforward.
If you join a new web host, they will likely take care of this for you. Otherwise, the steps within this post outline exactly how to install and configure SSL and troubleshoot mixed content errors if any appear.
Do you know any other ways of implementing SSL and HTTPS in WordPress? Have any tips for readers? Share your thoughts in the comments below!