This is how I set up SSL/HTTPS for WordPress, based on my experiences as a marketer and non-server administrator. This guide has been updated to reflect lessons learned.
What is HTTPS/SSL?
Let’s begin with some definitions.
SSL stands for “Secure Sockets Layer”. It is the standard security technology to establish an encrypted link between a browser and a web server.
HTTPS tells a browser that it should use SSL to retrieve the files. SSL, in other words, is what your browser uses for a website over HTTPS.
The HTTPS connection guarantees that only the browser and the server can see the information being transmitted.
It is like two people going into a vault to exchange data instead of exchanging it in public.
The mechanism of HTTPS is complex (but fascinating), but it is essential to understand that in order to serve a webpage via HTTPS – each file must be encrypted.
Moving your website to HTTPS requires that all information is available over HTTPS. It’s almost pointless if it isn’t.
Why not use HTTPS sitewide?
Many eCommerce website owners know how to make their checkout pages SSL. Credit card processors require them to encrypt all data.
Moving your entire website, not just the checkout pages, is a new best practice.
Every website has its own good and bad reasons to use HTTPS sitewide. These are my thoughts –
There are positive aspects to going SSL
- I want my site to be used as intended. If someone comes to my website, I don’t want any hotel Wi-Fi system or toolbar to define their experience.
- Increased user credibility – The Internet is littered with spam hustlers’ websites. An SSL can be used to indicate to users that the website is legitimate and reputable.
- The Future of The Internet – The Internet’s Powers have set HTTPS as the standard. Most major browsers will warn you if you don’t have HTTPS.
- The Future of Your Website – If I ever want to take payments or encode information, these pages must be SSL. Sitewide SSL will allow for future expansion. It would take a lot of time to build a new site architecture and go SSL.
- Google Organic Boost – I doubt this ranking factor has the same weight as promised but it is a best-practice. Google stated that HTTPS is a quality signal within their algorithm.
- Nerd cred: Going SSL can still be daunting. However, it is worth a small Nerd Gold Star.
Negative Consequences of Going SSL
- Price* – Basic SSL certificates are quite affordable. Extended Validation certificates can be more expensive. Both certificates must be renewed each year. Both require a time investment to put into practice. HTTPS is technically not necessary if you are willing to accept encrypted information.
- Technical Problems – Implementing SSL is simple but can be complicated. These can lead to annoying bugs (I lost Event Tracking temporarily during the process) or make it impossible for you to access your site temporarily.
- Unknown Return – SSL is an unneeded cost and should be considered an investment. There are very few studies that show SSL implementation alone is a good investment. Although SSL/HTTPS has been proven to increase organic traffic, very few SEOs have seen significant increases in this traffic.
*In fairness, many hosting companies now offer SSL certificates as part of their plans. WP Engine and SiteGround offer a free Let’s Encrypt SSL. InMotion also recently offered free Comodo SSLs to all hosting plans.
After you have weighed all factors, here is how to make HTTPS with SSL.
How to Setup SSL / HTTPS for WordPress
Step 1: Plan & Prep Your Website
Before you buy your SSL, here are some things you should do to make the transition to HTTPS/SSL smooth and without any traffic drops or errors.
To identify files not loaded via relative URLs, look at the page source. These files include scripts, image files, and 3rd-party CSS. Internal links would also be included.
All file paths can be temporarily changed to relative URLs. Depending on your site’s size and your technical confidence, this can be done by:
- Manually editing each page
- Hiring a VA for a site comb and edits
- Hiring a WordPress developer for a find and replace in your database
- Running a WordPress find and replace plugin
Next, I will explain how search engines crawl your site. Moving to HTTPS is similar to moving to a new site. All traffic and bots must be permanently redirected to your new URL.
It’s possible to have both secure and insecure versions of your website co-exist with HTTPS migration. It’s better to keep the transition brief for both user experience and duplicate content risk.
This will be easier if you migrate all of your internal links to relative URLs. Instead of bots/users going through redirects, they will be directed to the page on whatever connection they are on.
Relative URLs that don’t replace WordPress’ default functionality should not be your permanent solution. Since the Google Analytics by Yoast plugin doesn’t identify full URLs, I lost my event tracking.
Once the migration is complete, you can use full URLs within images and links again. You will need to use relative URLs during the transition because you can’t serve secure content over insecure connections. This will cause browser warnings. You can also try to deliver insecure content over a secured connection, but this will remove your HTTPS and cause redirects.
You can also identify other items before you make the transition:
- Your hosting company may have policies regarding SSLs.
- How SSLs work in your hosting plan. If you’re on a shared web hosting plan, I recommend moving to a VPS server first before looking into SSL. If you’re trying to migrate to HTTPS/SSL from a shared server you should stop reading and talk to your hosting company. This complicates things.
- Use your FTP credentials to log in to the server and make edits.
- TextEdit, Notepad, or TextWrangler – set Plain Text UTF-8.
Step 2: Get your SSL
You now need to purchase your SSL. There are many types of SSL certificates. There are hundreds of SSL sellers. It can be confusing.
Only a few companies hold Certificate Authority. They either sell SSL certificates directly or resell them to retailers.
Namecheap was the first place I got my Extended Validation SSL. I love Namecheap – that’s where I get all my domain names. Namecheap sells SSLs for the same price as I would get from Comodo because SSLs are tied directly to domain names. I have since removed Extended Validation from my site due to the tedious verification each year and the fact that it does not accept user-submitted data.
Namecheap was the best place to purchase and manage my SSL. Check out their SSL prices.
It is possible to get an SSL from almost anyone (err… not all), but Hover does a great job, as do other registrars and your hosting company. Be sure to choose based on the right type of certificate, customer service, and product management, not just on price.
Everyone is selling the same thing. If you choose one company simply because it’s cheaper, there may be something wrong with what you’re purchasing.
It is therefore important to fully understand the product you are buying.
SSL Categories and Considerations Weighed
Each SSL has two attributes: domain use and validation level. There are three basic options for each of these attributes.
Domain Use
One domain – You can use the SSL only on one subdomain. This option can only be used in conjunction with Extended Validation.
Wildcard domain – This allows you to use the same SSL across all subdomains within a single domain. This is helpful if you have content in a Content Distribution Network or on any subdomains. One of these was purchased for my CDN.
Multiple domain – This certificate uses Server Name Indication (SNI) technology to protect multiple domains. This option is offered by most hosting companies. It’s not supported by older Internet Explorer versions or the BingBot. These considerations should be balanced with convenience. This is why I chose a third-party SSL.
Validation Level
Domain validation – You will need to prove that the person who runs your server is also the owner of the domain. These can be quickly and cheaply issued. A basic green lock is included in browsers.
Organization validation – You must verify that your organization exists. A basic green lock is given to browsers.
Extended validation – You must validate domain and organization, provide government documentation, and have consistent Names, Addresses, and Phone Numbers across all business data providers. These can only be used on one domain. These can take many days to issue and are very expensive. My own took over a week, with some back-and-forth on my business data. You must renew them every year using the same process. You will be awarded a conspicuous green bar and a lock for browsers as a reward.
Namecheap lists all options by type and brand here.
Purchase and Activate your SSL
After you have decided on the right SSL for you, you can go ahead and buy it. You can skip the next section if you have decided to purchase a shared SSL from your hosting company.
I purchased a Comodo Extended Validation for larryludwig.com from Namecheap and a wildcard subdomain SSL to use with larryludwig.com.
You will need to generate a Certificate Signing Request (CSR) from your server in order to activate it. Contact support. You can also look in your account management panel for this option, or navigate directly to your cPanel.
If you’re going HTTPS sitewide, make sure with each CSR to enter the correct root domain (i.e. no www) and not a subdomain.
After you have generated your CSR, log back into your SSL registrar to paste your CSR in order to activate it.
The verification process will then be initiated. The Issuer will contact you to obtain copies of your business information if you are applying for an Extended Validation certificate. You’ll receive the documents within minutes if you have a Domain Validation certificate.
Your SSL will be issued once it is complete.
Step 3: Install SSL on your Server
You can contact your hosting support team to install SSL on your server. InMotion installed my SSL in less than 5 minutes.
It can also be installed via cPanel by you.
InMotion Hosting offers a complete tutorial on installing SSL via cPanel.
To verify it is installed correctly, you can run your domain via SSL Labs once it’s been installed.
*note You can have multiple SSLs on one server. In my case, I installed the Extended Validation Certificate and the Wildcard.
You should be able to access your website through both HTTP and HTTPS if they have been installed correctly.
You can try them all in your browser’s address bar.
You can proceed to the next section if anything loads via the HTTPS connection.
Step 4: Create WordPress Admin SSL
WordPress’ administration area can handle SSL. It is a good idea to set it up first.
Log in to your server via FTP. Open the wp-config.php file from your root folder and add this line:
[php]define('FORCE_SSL_ADMIN', true);[/php]
Type in https://[yoursite.com]/wp-admin and see if it loads over HTTPS.
If the URL doesn’t load over HTTPS, you should remove that line from your WordPress wp-config.php. This is a problem that you need to fix.
If you are successful, log in. You will see the green bar in your admin area.
Step 5: Create one (1) URL SSL and remove errors
Next, you need to make sure your themes, plugins and front-end work well. Download the WordPress SSL plugin. This will allow you to force SSL on a single page and troubleshoot without causing interruptions to other users.
*Note – although there is an “outdated plugin warning”, it worked perfectly for my WordPress 4.3 install.
After installing the plugin, go to a test page using a standard template and Force SSL. You can load the page using Chrome browser.
To find insecure elements, use Inspect Element. Navigate to your Dashboard and fix each one. Make sure you check every page (i.e. with all widgets, headers, etc.)
Step 6: End Preparing the entire website for errors
Next, open all of your important pages in your browser. You can load them over HTTPS.
Use Inspect Element to find any images, videos, scripts, or other files that are not loading or are blocking an HTTPS connection.
After your pages load well over HTTPS, you can force SSL across your entire site.
Step 6b (optional).
A CDN will serve files. This connection must be secured. Each CDN will have a different process.
My CDN – MaxCDN has many options. You can choose from the premium EdgeSSL product (expensive), or use their free Shared SSL setup (where your content is located on their subdomain).
Based on cost, performance and SEO considerations, I decided to use my wildcard SSL on a subdomain. The annual cost for the wildcard SSL was my only expense. The custom subdomain ensures that everything is hosted on the domain larryludwig.com. MaxCDN’s SNI option was what I used.
*Note: You still need to install SSL on your server. Simply copy the certificate information along with your server’s private key into MaxCDN.
Step 7: Apply SSL to all WordPress sites & update WordPress settings
Use FTP (or SSL) to open your root folder. Navigate to and open your .htaccess.
*Note: Your .htaccess file controls access to your server. Be careful when copying and pasting. Your site will be taken down if you make a mistake.
Copy the following to your .htaccess file.
[code]
# Force HTTPS
RewriteEngine On
# Only rewrite requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Permanently redirect to the same host and path over HTTPS
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
[/code]
Save and upload your changes. Test your website immediately. Enter the HTTP version of your URL to see if it redirects you to the HTTPS version.
After that is done, log in to WordPress Admin and navigate back to General Settings.
Both the WordPress Address and Site Address should be changed to HTTPS URLs.
WordPress plugins, images and other WordPress components will now default to https:// in their URLs.
The WordPress SSL plugin can be uninstalled. It’s redundant.
Step 7a: Switch over Services
You will need to migrate URLs for any 3rd Party services once your site has been moved. These are the most popular.
Google Analytics
Navigate to Analytics’ Admin Section.
Select Property Settings and find Property Name & Default URL.
Both can be switched to HTTPS.
Google Search Console
Navigate to Google Search Console.
Add a new property for your HTTPS site.
The HTTP version should allow you to use the same verification process.
Submit your new HTTPS sitemap.
Return to your HTTP profile. Go to Settings and make a change of address.
Pay attention to the decrease in clicks/indexation for the HTTP version as well as the parallel increase in the HTTPS property.
MailChimp/Email Providers
Navigate to your campaigns, and switch to the HTTPS version.
All other profiles
You must make sure that any links you manage point to the HTTPS version. This prevents search engines and users from being redirected.
Consider local business listings, social media profiles, and so forth.
Step 8: Continued Maintenance
To get a security rating, run your site through the SSL Labs testing tool.
Continue to inspect your site for insecure material. If you’re pasting code from 3rd Party websites (e.g. YouTube embeds), ensure it is via HTTPS or protocol relative.
My MailChimp subscription is one of the most difficult pieces of code that I have encountered. To serve over HTTPS, it must be modified to a specific data center.
If you have a large website, I recommend Screaming Frog, which is a crawler that is commonly used by SEOs but also useful in crawling for insecure material.
Always look for the green lock whenever you publish new content.
Best of luck!