Elegant Themes Blog


How To Use SSL & HTTPS With WordPress

Posted on September 10, 2014 by in Tips & Tricks | 45 comments


One of the key steps in ensuring that your WordPress site is secure is installing a valid SSL certificate. This will enable visitors to your site to exchange information with it via secure, encrypted transfer protocols. Setting WordPress to force the use of secure transfer protocols and deciding when to force it takes a little work, but is not that hard. It also requires making some decisions about when to require secure transfers of information.

What Is SSL?

SSL is the standard for exchanging information securely–via cryptographic encryption–between a website and the browser. I’m not going to get into the technical details of how it works, but the short version is that SSL is a way to establish a trusted connection between the server and a web browser. Once that relationship is in place the server will encrypt data before transmitting it in a way that only its intended recipient can decrypt it.

This method of security accepts the fact that any data transmitted over the internet can, and likely will be, intercepted at any time by a hacker or a government agency fishing for information. By sending the data encrypted, we ensure that if anyone but the intended recipient gets the data they will have what is effectively gibberish. Giving them gibberish is preferable to giving them confidential correspondence, private records, credit card numbers or any other private data.

Using SSL requires that your server has a valid SSL certificate installed. An SSL certificate, which must be purchased, tells the browser important details about your site’s security. In most browsers, when you go to a secure site, you will see a lock or similar icon in the address bar, showing you details about the SSL certificate.


SSL is a must for any eCommerce site and is recommended whenever any sensitive information is exchanged, including passwords. I will not cover the process of adding the certificate to your hosting package, as it’s different for each hosting provider. One of the marks of a good managed WordPress hosting company is how easy they make it for you to set up your SSL certificate.

Once your SSL certificate is installed, when someone visits your website they will be able to access it via secure HTTP, or HTTPS. I said “they will be able to”, not “they will”, in the last sentence, as just adding the certificate is not enough. You will need to configure WordPress to force visitors to use HTTPS. These are settings you have some granular control over.

When we say “using SSL” what we mean is that the exchange of information between the server and browser is happening via the HTTPS protocol instead of the unsecured HTTP protocol. Doing so requires a valid SSL certificate, but that is not the end of the discussion.

Where To Use HTTPS

You can force your site visitors to use HTTPS when logging in, when using the admin, on every part of your site or on certain parts of your site. There are two ways to look at this question. One is to enable it only when needed; that way you don’t put the extra hurdle of authentication on access to non-sensitive exchanges. The other is better safe than sorry–use SSL everywhere.

Recently Google announced that they would start considering use of HTTPS as a positive in calculating search rankings. This means that using HTTPS will not only benefit your site’s security, but boost its SEO as well. The HTTPS everywhere approach also helps prevent the potential for human error, where you overlook a setting and expose sensitive data.

The downside of using SSL everywhere is that the HTTPS transfer protocol is slower than the unsecure HTTP transfer protocol. This is because the data must be encrypted before being sent, and decrypted before being displayed. That adds processing time for both the server sending the data and for the web browser receiving the data.

Since page load time is so important for user experience and SEO, you need to ask yourself if securing non-sensitive data, like the content of a page that is free for anyone to see, is really worth the trade-off in performance. What that trade-off is depends on many factors, and is something you should measure on your site to see if it is significant or not.

In many cases this trade-off is worth it compared to sharing sensitive, private information with the world. As I said before, HTTPS is a must for any sort of eCommerce site. In addition, if you’re storing any type of sensitive information, HTTPS should be used. Some types of data, such as medical data, require HTTPS for transmission. If you are ever hired to create a site that allows users to transmit medical or financial information to or from it, be sure that your client consults with a lawyer about the security needs. What those security needs are should be included in the scope of your agreement to create the site.

Setting Up SSL Manually In WordPress

There is a constant that you can set in your wp-config.php file to force the use of a secure connection in the admin. FORCE_SSL_ADMIN will require that a valid SSL certificate is in place and HTTPS is being used to access any part of the WordPress administration.

This constant is false by default. You can enable it by adding one line of code to your site’s wp-config.php:

define( 'FORCE_SSL_ADMIN', true );

There is a great article in the codex you should read if you want to get into the gritty details of configuring HTTPS on your site, such as how to require SSL on all front-end pages. Personally, if I can’t do everything I need with those two constants in wp-config.php, I’ll use a plugin to do it, which is what I will cover in the next section.

Using The WordPress HTTPS Plugin

There is a great, free plugin called WordPress HTTPS (SSL) that makes all of this setup very easy. The plugin has not been updated in a while, and currently is only listed as being tested up to 3.5.2, but I can tell you from personal experience that it works just fine in WordPress 3.9 and WordPress 4.0.

This plugin does two things. It allows you to set global SSL settings for your site–or sites on a multisite installation. If you don’t force SSL for all content, the plugin also allows you to set specific posts or pages to force HTTPS.

Configuring your global settings is very easy. The plugin’s admin screen gives you options for your site–or each of the sites in the multisite installation–to require HTTPS for the admin, to require it for the whole site and to remove unsecured content.

This plugin also adds a metabox to each post editor, allowing you to set that individual post or page to force HTTPS. This is very useful if you only have a few pages that require secure transfers, such as an account management page or a sales page.
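
To make “unsecured content” concrete, here is an added example (not part of the original article and not the plugin’s code) that scans a page’s HTML for resources an HTTPS page would still request or submit over plain HTTP. The page URL, hostnames and sample markup are constructed for illustration, and the "form" class is this example’s own label.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch or submit something, with the
# usual mixed-content class. Plain <a href> links are navigation, not
# subresources, so they are deliberately not listed.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # counted only when rel contains "stylesheet"
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
    ("form", "action"): "form",   # the submitted fields would travel unencrypted
}

# Constructed sample markup; every hostname here is a placeholder.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://fonts.example.net/css?family=Demo">
<link rel="canonical" href="http://shop.example.com/">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://images.example.org/banner.jpg">
<a href="http://social.example.org/share">Share</a>
<form action="http://shop.example.com/wp-login.php" method="post"></form>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (wanted_tag, attr), kind in SUBRESOURCES.items():
            if wanted_tag != tag or not attrs.get(attr):
                continue
            rel = (attrs.get("rel") or "").lower().split()
            if tag == "link" and "stylesheet" not in rel:
                continue  # canonical, alternate etc. are not fetched as content
            # Relative and protocol-relative (//host/path) URLs inherit the
            # page's scheme, so resolve before judging.
            absolute = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return the insecure subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(
        "https://shop.example.com/account/", SAMPLE_PAGE
    ):
        print(f"{kind:8} <{tag}> {url}")
```

The scan covers tag attributes only; URLs inside stylesheets or inserted by scripts need a check in the browser’s developer console.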

Remember: SSL Is Not Enough

Installing and configuring SSL is an important step in securing your WordPress site and your users’ data, but it is not all you need to do. Every site is as weak as its weakest password. SSL does not affect what the end user, or someone who has cracked their password, does with the data they receive.

Forcing strong passwords, keeping WordPress and your plugins up to date, scanning for malware and locking out botnet attacks are important steps in securing your site as well. Having an SSL certificate will not prevent any of those, as once a malicious script is installed on your site, whether it’s transferring your data securely or not is irrelevant. All of this can be covered of course by using a quality security plugin such as WordFence, iThemes Security or a service such as Sucuri. You might also be interested in our post about WordPress security, as well as our post about what to do when your WordPress website gets hacked.

Setting up an SSL certificate and configuring WordPress to use HTTPS is an important first step in the process of securing your site. As you’ve learned in this article, doing so is actually very easy.

Article thumbnail image by venimo / shutterstock.com


45 Comments

  1. Thank you for the useful information about SSL. I was wondering how to use SSL on my website. I think I will use WordPress HTTPS plugin.

  2. Great post Josh. I think you explained the scenario clearly and simply. However, I think mentioning purchasing the SSL certificate is necessary. They’re not inexpensive and you’re hosting a few sites, it adds up when you have to renew each year. I have reread your post a few times to see if I missed where you talked about this.

    For inexperienced site owners or hosts, you could also suggest some of the more reliable providers of SSL certificates.

  3. Extraordinary post, is the most informative I’ve read. Congratulations !!

  4. Thanks for this post Josh. I was just struggling with the question of whether to make one of my sites fully HTTPS.

    I was about to make the change, but was told by a developer that HTTPS tends to break WordPress plugins. I have been looking for any documentation on this and haven’t found anything.

    Wondering if you have any experience with plugins failing because of HTTPS?

    • Plugins that fail are those that pull in unsecure content from other sites/sources, e.g. a News Aggregator or Pinterest, where it’s a case of the images not showing up on an https website

      • Thanks Ray!

  5. Great article, very clear. Thank you.

    I wish I had read it a few weeks ago before I decided to put SSL onto my website.
    Couple of points to add –
    1. The longer response times are significant and remember Google does not like slow sites. This may worse than negate the uplift you might get from being secure in Google’s eyes.
    2. Be careful if you use Cloudflare basic version. Your site won’t work with it. You either have to abandon Cloudflare (further worsening response times) or upgrade and pay.
    3. If anywhere on your page or post there is an unsecure link (e.g. Facebook, Twitter) then browsers such as Chrome and Firefox will warn visitors. Of course they don’t warn on non SSL sites which is very annoying and a deterrent to your visitors where you had no such thing before. So you must tediously change all the URLs. I am not sure if the plugin mentioned here would do that?

    I am pleased I have done it though despite the problems. Not sure why I should secure wp admin – anybody tell me?

    I figure every site will have to be secure in time or be seen as improper, so sooner the better I guess

    Oh, one more point – if you use Google Webmaster Tools be sure to reconfigure to https and wait wait wait as usual for Google to pick up your site. In the meantime Google will be more rapidly be ignoring your http site – ugh!

  6. The next post will be “How To Find and Fix Insecure Content”?

  7. A timely article once again. However, I would urge caution in recommending the WordPress HTTPS (SSL) plugin, as many users (myself included) have been experiencing problems with it since upgrading to WP 4.0. I’m still looking into it, but something has changed in 4.0 that is causing redirect loops on the WP login page. I would suggest monitoring the forum here: https://wordpress.org/support/plugin/wordpress-https

    Prior to WP 4.0 I used this plugin, and it worked like a charm even when using W3 Total Cache. I’ve been looking at alternatives for the last few days, but no luck yet.

    Hopefully the author of this plugin will look at updating the plugin and resolving the issue. I’m at a loss as to why it’s broken, I haven’t been able to find any information about SSL changes in WP 4.0.

  8. Thanks Josh !
    I think however that it must also be mentioned that SSL comes with its own challenges. Not only must you be careful where you get your certificate from (some low-cost/cheap SSL certificate providers issue certificates which don’t work with all browsers), but also understand the infrastructure you are using to deliver your content.

    Many WordPress users use plugins which leverage CDN (like CloudFront, MaxCDN and others). If you switch your site to SSL you need to also consider to ensure that the CDN delivers via SSL as otherwise you might get warnings in some browsers.

    Moving your CDN to SSL might be challenging depending on your configuration. If you use your own domain name, you will most likely have to purchase another SSL to match that domain name (unless you are using a wild card SSL of course). As you can use usually only one SSL certificate per IP address, your CDN must either support SNI Custom SSL or you will need to pay for a dedicated IP. The challenge with SNI of course is that not all browsers support it. Especially older browsers will give you problems.

    And talking about dedicated IP Addresses, make sure to check with your hosting provider if your hosting plan does support SSL. Lower cost hosting plans won’t allow that as it would require a dedicated IP address and in the low end hosting plans you are sharing your IP address with others.

  9. I tried using SSL right after the Google announcement. Bought a certificate, installed the plugin and still had issues with some posts not loading. Some editors complained they could not access the dashboard and I gave up, unfortunately.

    • One suggestion though: install WordPress on localhost, generate a local certificate for localhost, install the WordPress plugin for SSL and then check what changes it makes to your wp-config file. Do similar changes on the live site.
      Before doing this take a backup of both live and localhost wp-config files.

  10. RW makes a good point. We use comodo as a reseller so the prices we are charged are less. With Google placing higher ranking for https, I can’t help but wonder if we’ll see a price increase for SSL certs.

  11. Great post. Pretty informative to know more about it.

  12. Thanks and Nice Posts, How to install SSL WordPress with Nginx ? — and how to secure wp-admin?

  13. If SEO (rankings & traffic) is important to you, you should:

    – Ensure all your internal links point to the new HTTPS URLs.

    – Ensure any external links and new social shares point to the new HTTPS URLs, if you’re still getting links to the old HTTP version of your website Google can become confused and you won’t see the benefit that these new links have the potential to pass on to your website structure. Google won’t be able to decipher which is the most authoritative page that deserves a higher ranking.

    – Ensure that all rel=canonical tags within your HTML don’t point to the old HTTP version. Once you move over to HTTPS these tags must be changed to the new HTTPS URLs, as this helps Googlebot understand which version of the page should be used to rank. Again, if you still point to the HTTP version then Google will once again become confused over what page should be ranking in the SERPs.

    – Ensure that you’ve mapped out the new HTTPS URLs on a page-to-page level – you basically want an exact duplicate URL structure the only thing that is changing is that ‘http://’ will become ‘https://’.

    – Once you’ve got these in place you then want to implement a permanent 301 redirect on a page level. Do not 301 redirect everything (either via global or via a wild card redirect) to the home page as this will kill all your rankings overnight.

    – Finally, you need to watch your Webmaster Tools account post go live and monitor for any issues Google may be having with your new HTTPS website.

    (as per Branded3 – http://goo.gl/2qUfC3)

    You’re welcome 😉

  14. Hey,
    thanks, great article 🙂 How can I force SSL for all my pages. I couldn’t find it under the plugin settings?

  15. Just used your tips to switch a client’s site over, and they worked great. Thanks for the help!

  16. Great article. Thanks for sharing!

  17. After Google announced that SSL is now a ranking factor, everyone is rushing towards moving their website to HTTPS.
    But most people do not realize there are many things people forget to do, like for example blocking HTTP pages from indexing and submitting the HTTPS website to Google Webmaster Tools again.
    Read this tutorial on how to setup SSL on WordPress websites: http://www.cloudways.com/blog/how-to-install-ssl-certificates-wordpress/

  18. Hi everybody…
    Thank you for this valuable post… but I have a question that I can’t find its answer: How can I enable SSL on the whole site via code (like the example define( 'FORCE_SSL_ADMIN', true );) but for the front-end?
    thank you again for this excellent article.

  19. Great post! Thank you very much, Josh.

    Can somebody point me in the right direction how to set up WordPress/https with a ssl proxy server? Thank you in advance!

  20. Thanks for the post. A word of warning for everyone installing WordPress HTTPS (SSL) with WordPress 4.0. I installed it and the plugin logged me out of my admin several times. Took me a while to get logged back in and then the plugin would not activate. It kept taking me to a page to try again, after which it logged me out of my admin again. It took me a few times to uninstall. In short, it doesn’t work well with WordPress 4.0.

  21. I had a client come looking for help – he installed the HTTPS SSL WordPress plugin. Everything worked – installed fine, he had access.

    The issue, a day later his site dropped off the Google index and no “bots” could crawl his site.

    Anyone experience this or have similar issues?

  22. Hello sir, recently I applied SSL to my WordPress site, but I have one problem: user name and password are not working on the SSL or HTTPS site. Please tell me what the problem is and how to fix it. I am using a standard SSL certificate. This is my domain: https://www.bestwebsitesblogs.com/

  23. I have a problem using SSL, please guide me. I applied a standard SSL certificate from GoDaddy on my domain, but after applying it on my site, my site is not fully loading; it needs one refresh. I have 2 sites with SSL but am facing the same problem. Please tell me and review my site: https://www.toptechlive.com/2014/12/free-google-play-credit.html

  24. The downside of using SSL everywhere is that the HTTPS transfer protocol is slower than the unsecure HTTP transfer protocol. This is because the data must be encrypted before being sent, and decrypted before being displayed.

    Encryption and decryption are actually pretty fast and don’t add any noticeable load on servers or browsers. HTTPS requests are slower because of the extra initial SSL handshake for every request.

  25. This article was awesome! Short, to the point, and it helped me save some time setting up my SSL certificate! I honestly can’t complain. If I have any more questions I know exactly where to go now. Thanks again for the post!

  26. Hi Josh!

    We just added a SSL to our site. Now when we try to visit the SSL version of our site i.e. https://lagatar.com, the browser is showing ‘insecure content’ pop-up, and site doesn’t load properly, how can i remove it?

    Non-SSL version of the site i.e. http://lagatar.com is working fine without any error.

    Thanks

  27. Hello Josh, thank you for this post. The WordPress HTTPS plugin makes only the default login page SSL, but I want to make my custom page SSL!

    How can I do this?

    thanks a lot

  28. Hi,
    My website http://www.alirezadadfar.ir has an SSL Cert. I used whynopadlock.com/check.php to check my page and found many absolute urls to http: address. These have all been fixed and WordPress has been set up for https:. I still however have 2 errors as below:

    Insecure URL: http://fonts.googleapis.com/css?family=Oswald
    Found in: https://www.alirezadadfar.ir/

    Insecure URL: http://fonts.gstatic.com/s/oswald/v10/Y_TKV6o8WovbUd3m_X9aAA.ttf
    Found in: http://fonts.googleapis.com/css?family=Oswald

    Anyone have any ideas how I can correct these? Because I couldn’t find out where the codes are.
    Thanks for your previous response.

    Best Regards,

    • The insecure code exists because it is retrieving the “Oswald” font from Google. The place it is pulling the font at on Google is not secure and that is why you are getting the error msg.

  29. I am attempting to use the WordPress HTTPS plugin with the latest version of WordPress (4.2.2) and the latest version of the Divi theme (2.3.2). The plugin sends me into an infinite loop on the login screen when trying to access the WP admin dashboard. Just an FYI in case anyone is having the same issue. Hope the plugin is updated soon because it is by far, the easiest way to secure WP pages/posts and I’m bummed. 🙁

  30. I tried this plugin on a WP 4.2.3 and it broke the website.
    Couldn’t login.
    Had to go through FTP to delete plugin and get website back up.
    Caution as it has been 2 yrs since it has been updated.

  31. How to deal with Yellow mark in Google Chrome address bar. It says site loading content from non https url’s.?

  32. I’m successfully using SSL but I get a problem integrating with a CDN like cdn77 or maxcdn.

    Can SSL be integrated with a CDN?

  33. Thought implementing ssl is an easy task but in my case it had some issues with cache plugin. CSS won’t load and blog shows error. This is the case when I’m dealing with blog having W3 total cache and Cloudflare as a CDN.

    Could you help me if possible ? Thanks

  34. This is a good article, but now old. I would like to see an updated article that presents and reviews a selection of useful WP SSL plugins that are current.

  35. Let me know how to retain the existing backlinks to my site when converted to use https protocol as the default. Are there changes to the keyword that my ranking? Please let me know. Thanks

  36. I bought SSL certificates two times but I didn’t know how to use them with my wordpress blogs. They were wasted. But, after reading this tutorial, I think I can use them from the next time without leaving them.
    Thanks for sharing this.
