How To Add HTTPS Security To WordPress

Everything you need to know about how to add HTTPS to WordPress

With Google pushing all websites to switch to HTTPS, many website owners are making the jump to add HTTPS to WordPress. Here’s how to make the switch to HTTPS, step-by-step.

Step 1: Get An SSL Certificate

There’s very little barrier to entry when it comes to HTTPS. All you really need is an SSL certificate and about ten minutes. An SSL (aka Secure Sockets Layer) certificate is a piece of software that facilitates https encryption, and – depending on the level validation – can authenticate a server. When you install an SSL certificate you can begin serving your website over HTTPS instead of the standard and unsecure HTTP. HTTPS connections are encrypted, meaning that the data transmitted between a website and its users is secure- unreadable by anyone but the intended recipient.

Compare SSL Certificates

In the past SSL was seen as a product that only certain kinds of websites needed, namely the ones that collected personal data and financial information. Starting in July of 2018 though, Google will require every website to have a working SSL certificate installed and to have their websites running over HTTPS.

What SSL certificate do I need for WordPress?

There are a lot of different types of SSL certificates, and it can be confusing at first. Let’s narrow it down:

1. For basic encryption (moving one WordPress site to HTTPS) you’ll probably be fine with a basic DV certificate like Positive SSL.
2. If you have multiple subdomains (eg store.mysite.com, email.mysite.com) you’ll save money by getting a wildcard certificate like the PositiveSSL Wildcard.
3. If you want to demonstrate your site’s trustworthiness and activate the green address bar, get an EV certificate.

Tip for getting lowest price: Buy direct, not through your web host. Take a look at our range of SSL certificates, and remember if you find it cheaper somewhere else we’ll beat the price.

Step 2: Install The SSL Certificate

Once you’ve purchased your SSL certificate you’ll need to:

• Generate the certificate signing request (CSR) – click here to find our CSR signing guide for your hosting platform.
• Complete validation and generate your SSL certificate
• Install the SSL certificate or have your web hosting provider do it for you – click here to find our SSL install guide for your hosting platform.

We have a range of guides showing you how to install SSL certificates on all the most popular servers. Take a look at the links above, we probably have you covered.

Step 3: Switch WordPress To Use SSL & HTTPS

The next step in how to add HTTPS to WordPress is to update your WordPress configuration. The first thing you’re going to want to do is update your site’s URL.

To do this, you’re going to click on “Settings” in the dashboard and then “General.” On this Settings > General page, you should see the fields that let you change your URL. Remember, you’re only changing “http://” to “https://”.

Step 4: Redirect HTTP URLs

Now you’re going to need to set up redirects for your existing content. This ensures that users and search engines access your website via the correct HTTPS url. To do that you’re going to need to add the following code to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^mydomain\.com [NC]
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R,L]

If you’re using Nginx, use this code instead:

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name mysite.com www.mysite.com;
	return 301 https://$server_name$request_uri;
}

Of course, with each code snippet, you’ll need to replace mysite.com with your actual domain name.

Your WordPress site should now have working HTTPS!

There are still a few other little tweaks you can make in certain secanrios, such as forcing HTTPS on WordPress Admin urls. If you want to add HTTPS to your WordPress multi-site admin area or login pages, you’re going to need to update your wp-config.php file. Add the code below right above the line that says “that’s all, stop editing!”:

define('FORCE_SSL_ADMIN', true);

Step 5: Change HTTP References On Your Site

If your website directly references content (such as images or CSS stylesheets) using an HTTP url, the content will be blocked once you switch to HTTPS. If you have an image inserted using an HTTP src URL, you’ll see something like this:

If your CSS stylesheet is called using an HTTP url, it can break your entire page’s look at feel, like this:

There are a variety of reasons your content could be referenced via HTTP, including:

• Absolute links in your theme or plugins
• Images you inserted using HTTP urls
• A plugin that’s using HTTP urls
• A page builder that used HTTP urls

How To Fix HTTP/Insecure Content

How do you fix insecure content (mixed content) references after you add HTTPS to WordPress? The best way to fix this issue is to manually update each HTTP reference:

• You can do this manually in WP-Admin (and any relevant theme/plugin files, if needed). This can be a really hassle, so there are faster options…
• There are several search and replace plugins for WordPress that can make the process easier.
• Or, you can open your database in PHPMyAdmin and find and replace all http references (warning – be careful!).

If you’d prefer an even easier option, just install a WordPress SSL plugin like SSL Insecure Content Fixer – this will usually handle all HTTP to HTTPS WordPress issues. The drawback is that you haven’t permanently changed your site, so you’ll always need that plugin to keep your site working.

Step 6: Tell Google About The Change From HTTP To HTTPS

Most of us rely heavily on Google to send us new website visitors, so it’s important to maintain Google rankings for our WordPress sites after adding HTTPS. Here are a few quick tips:

• Be sure you’ve redirected all HTTP urls to the same page on HTTPS.
• Set up your HTTPS site version in Google Search Console.
• Submit your new WordPress XML Sitemap with HTTPS urls.
• Be sure that all of your canonical tags point to your HTTPS urls.
• Be sure that all internal links on your site point to your HTTPS WordPress URLs.
• As much as possible, update links to your HTTP site to point to your HTTPS site.

Keep in mind that:

• You’ll see traffic disappearing from your Google Search Console set up for your HTTP url, but the traffic should appear in your Google Search Console set up for your HTTPS url.
• It’s normal to see a short term drop in traffic as Google “recalculates” after you’ve redirected to HTTPS. Ensuring all your redirects are setup correctly will minimize this traffic dip.

For more details, see our article on Maintaining Your SEO Rankings When Migrating to HTTPS.

A Few Final Thoughts

That’s it! You now know how to add HTTPS to WordPress! May the force (of encryption) be with you!

While there is a way to add HTTPS to WordPress just on individual pages, you won’t find it here. That’s because best practice is to set up HTTPS Everywhere, meaning that every page is encrypted. Piecemeal encryption opens up attack vectors and is generally ill-advised. Because we want to promote encryption best practices, we recommend you install SSL on your entire website rather than picking and choosing whether to encrypt pages one at a time.