Enabling SSL & HTTPS on WordPress

Posted in ,
0 Shares

Encryption, the ability to protect data as it is transferred across the internet, has entered the public debate and it’s not going anywhere. In fact it’s becoming more and more clear that as we transfer so much of our lives online, we have to think about privacy and security in ways like never before.

This is doubly important for those of us that have websites, whether personal or business. Internet traffic is moving from HTTP to HTTPS, with the S standing for Secure. While we’ve been transferring our website data over HTTP for decades now, by enabling a level of encryption referred to as SSL/TLS, we’re now able to protect our websites and our site visitors from receiving any malicious or corrupted data.

All websites, even personal blogs and mom-and-pop storefronts, need to start thinking about taking the simple steps to turning on the encryption. A quick caveat, this article will focus on the ins and outs of enabling SSL & HTTPS specifically for WordPress sites.

Why HTTPS/SSL

Even if you don’t have a pony in the security/privacy race, there are a number of other benefits to enabling SSL:

SEO (Search Engine Optimization) – Google has been giving a boost in search ranking to sites served over https:// for a few years now.

Security – If you’re offering any sort e-commerce or donation option on your site, there’s a good chance SSL is already enabled. But if not, you should probably change that now.

Visitor Comfort – There’s something pleasing about seeing that green lock (or other similar) icon when you visit a site. It adds credibility to an author and legitimacy to a business.

Future-Proof – While I doubt that we’ll see it happen anytime soon, Mozilla announced their plans to stop serving websites that are not encrypted. There will be a global push towards security and privacy for consumers, and browsers taking political stances like this are important stepping stones.

Installing SSL Certificates

Depending on your hosting provider, this can be either simple or complex, free or expensive. These days, an SSL certificate is available for free using a service like Let’s Encrypt. However, the process to create and install that certificate by yourself is not always easy. If you go that route, browse their documentation and make sure that you feel comfortable with using command line tools and opening up SSH access to a server.

If not, you can usually get SSL certificates through your hosting provider. I recently transferred to SiteGround for hosting, which offers a free one-click SSL installation in their CPanel. So far I haven’t had any issues and have enabled SSL on a number of add-on domains. While many providers are still charging for SSL, I think we’ll start to see most of them transition to free certificates as time goes on. Contact the support team at your hosting provider and they’ll be more than happy to walk you through it or even set it up for you.

Enabling SSL Redirection

Once we’ve installed our certificate, we should be able to visit our website at https://example.com and see that sweet encryption. However, how can we ensure that all of our visitors are sent to the correct URL? For this we need to enable some redirection, a set of rules that inform any visitors visiting http://example.com to instead jump over to https://.

There’s two ways to go about this. If you have FTP access to your server, you can jump into the root directory and find the .HTACCESS file and modify it yourself. (If this sounds scary, then jump down to the next paragraph. If not, keep reading.) Open the .HTACCESS file in a text editor and add the following lines of code to the top, making sure to change your domain to match.

# Force HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Save the file and test. If you have any issues, delete the lines from the file and put it back.

For the more non-technical users among us, there are a few decent WordPress Plugins that can handle this for you. One that I’ve used successfully a number of times is Easy HTTPS Redirection. I’ve only once had a site that didn’t work with this plugin, as it caused a number of redirect errors when viewed on Mobile Safari. So be sure to test your site on a number of browsers after using this plugin.

Dealing with Mixed Content Warnings in WordPress

Often we’ll go through the process of setting up SSL only to discover that we’re not getting the full ‘green lock’ on every page. Click on the lock icon in your browser and you’ll usually see a Mixed Content Warning. Here are a few tips for checking for mixed content.

Outdated Links – Because your site address has changed, all of the embedded links throughout will need to be updated. Rather than browsing the entire site by hand, grab a plugin like Better Search Replace and have it update your database automatically.

Site Url – Visit Settings > General and make sure that the WordPress Address and Site Address have the new https:// in front of it.

If you have any trouble loading parts of your site after switching to HTTPS this is usually the root of the issue. If you cannot access your Dashboard, you can change these options through FTP by editing the wp-config.php file or your theme’s functions.php file. Alternatively, you can access your MySQL databases through PHPMyAdmin. Find the wp_options table to edit the records manually. Read more about changing the Site URL.

Custom Theme/Plugin Issues – If you are using a custom theme/plugin, it is possible that your web developer hard coded some assets (like images or stylesheets) using HTTP urls. If that is the case, it is best to contact the developer and ask them to make the updates to the theme files for you.

If you developed a custom theme/plugin yourself, be sure to use your text-editor’s search-and-replace feature to search your theme files for any http://example.com urls. In the future, try to rely on WordPress functions like get_theme_directory_URI() and get_stylesheet_directory_URI() to get any URLs.

 

There are certainly other issues, but those three troubleshooting steps usually clear up the most common ones and help you lock in the green lock icon.

Further Reading

0 Shares

2 Comments

  1. Roberto on October 26, 2017 at 11:26 am

    Hello Brian why don’t use plugin? can for Apache, eg https://wordpress.org/plugins/force-https-littlebizzy/

    • Brian Coords on October 27, 2017 at 8:25 am

      Definitely a good option as well! In fact I include a link to one such plugin in the post. Typically I prefer handling it manually just to have a little more control over it, but both ways work.



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.