How to install SSL on a WordPress site

Step 1 – Install an SSL certificate

This is done at a server level (via your cPanel). Most hosts make free SSL certificates available using a service called “Let’s Encrypt” or another equivalent provider. These free certificates are ‘domain validated’ and offer a sufficient level of protection for personal sites and small business sites where you are not handling credit card details or other sensitive information. If you do handle sensitive data, or if you’d like someone to take care of installing the certificate for you, then you can ask your web host to install the SSL for you. A paid SSL certificate for an average business or personal website should cost in the ballpark of $150 to $250 AUD. If your web host won’t help you, or charges like a wounded bull for the service, then it’s time to change hosts!

Step 2 – Configure WordPress for HTTPS

There are a few things you need to configure yourself now, even if your host installed the certificate for you.

  1. Log in to WordPress, go to Settings, and change your Site URL and Home URL to use https://
  2. Now set a redirect from HTTP to HTTPS in your htaccess file. Add this code:
    # Redirect requests that arrive on the plain-HTTP port to the HTTPS site.
    # [R] with no status code sends a 302 (temporary) redirect.
    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]

    Don’t forget to replace yoursite.com with your own domain, and make sure that you enter the correct server port if yours isn’t 80.
    If your htaccess file already has stuff in it, place this code above everything else (with htaccess, the order matters – this code needs to be up first).
  3. Next we need to adjust the wp-config file. Add this code:
    define('FORCE_SSL_ADMIN', true);
    A good place would be at the end before the /* That's all, stop editing! Happy blogging. */ line.
  4. Finally, I like to run a search and replace script to catch any rogue instances of http:// and change them to https://. This fixes any “mixed content warnings”. If you prefer to use a plugin, I’d recommend the Better Search and Replace plugin.

When you’ve completed all the steps above, test every page of your site and make sure it shows a green https:// in the URL bar. If it doesn’t on any given page, there is something wrong. Check the error console to troubleshoot further.

Notes

  • Another alternative at Step 4 is to use a plugin like SSL Insecure Content Fixer. I tested the plugin and it worked perfectly. I just personally prefer not to use a plugin if there’s a more transparent and direct way of handling it. Plugins work by executing code – more code executing = slower load time. Plugins also sometimes obscure what’s going on under the hood, and can confuse the client or site owner or yourself later!
  • If you see any mixed content warnings on specific pages then check your error console where you should be able to see exactly what is causing the error. Mixed content means something is trying to load over http:// instead of https://. If you followed the article steps correctly then this is quite likely to be an external file being called from your theme, e.g. Google Fonts, or some JS. Usually easily fixed by manually adding the ‘s’.
  • If you use Cloudflare make sure you enable the Full SSL (Strict) setting. I also advise installing the official Cloudflare plugin and configuring it with your details. The very last option (Protocol Rewriting) should be switched OFF seeing as that is for use with their Flexible SSL option, not SSL certificates issued by a proper signing authority (although having it ON should do no harm if everything else is set up right). There is also no need to set up any Page Rule Redirect on the Cloudflare side because we are already doing that via htaccess (step 2 above) and we don’t want to confuse it with different instructions (redirect loop).
  • Further to the previous point, if you’re thinking of using Cloudflare’s free SSL certificate instead of a properly signed certificate then the setup instructions are completely different to the above article. 😉 So don’t follow the article above at all, go back to square one and read this fabulous guide instead.

4 thoughts on “How to install SSL on a WordPress site”

  1. Pete says:

    Great post Maeve, I’m really keen to try my first http – https conversion but I’m a little “scared”.

    1. Maeve says:

      Cool, glad you found it helpful Pete. Of course the net is flooded with information about SSL and WordPress but I wanted to note the exact steps with no extraneous explanation or background info complicating things. Let me know how you go! Shout out if you need help.

  2. MSVCP140 says:

    🙂 OK !

  3. Kuman says:

    It’s helpful Maeve. And, for in CloudFlare with the Force HTTPS plugin is helping me to correct secure URL for my images in template file: https://wordpress.org/plugins/force-https-littlebizzy/

    but, for other is fine. thanks
