How to Secure a Website with WordPress SSL: 2 Methods to Setup HTTPS + Common Errors

If you run a website, there may be people who trust their personal information to you. That means you need to enforce solid security standards, and both Secure Sockets Layer (SSL or TLS) and Hypertext Transfer Protocol Secure (HTTPS) play an essential role in making that happen. Luckily, setting up a WordPress SSL certificate and enforcing HTTPS on the platform is fairly simple, and can be done in just a few steps.

In this article, we’ll talk about:

  1. What SSL is and when you should use it.
  2. What HTTPS is, and how it works alongside SSL.
  3. How to configure WordPress to use HTTPS and SSL via two different methods.
  4. Two common errors you can run into when using SSL with WordPress, and how to deal with them.

We have an important subject to tackle and a lot of ground to cover, so let’s dive right in!

What SSL Is (And When You Should Use It)

Secure Sockets Layer (SSL) is a technology that creates a secure connection between a website and a browser. Websites that use SSL have ‘certificates’ that let you know your private information is safe during each transfer.

You can recognize most sites that use these certificates by the green lock symbol many browsers use to identify them:

The green SSL padlock on Google Chrome

For example, if you’re purchasing something online, you should only do so through websites that use SSL. Otherwise, attackers might be able to read or modify your payment information as it’s sent across the web.

As for your own website, using SSL is a must. There are a number of benefits to doing this:

  • If you run a website where you encourage users to register and share private information, their data will be safer.
  • Your website will be more trustworthy.
  • An awesome green lock will show up next to your web address in various browsers.
  • You’ll receive a boost to your site’s Search Engine Optimization (SEO).

To elaborate on that last point, search engines like Google encourage all websites to use SSL, by giving secure sites preference in their results. That means you get to protect your users’ information and possibly benefit from some more traffic in one fell swoop.

In addition, Google announced that Chrome would display a “not secure” warning from the beginning of July 2018. So it’s a great time to strengthen your website’s security with an SSL certificate if you haven’t already.

Pro Tip

Here at Hostinger, we also encourage safe websites. Thus we bundle in a free lifetime SSL certificate with Business web hosting plans. Check out our guide to learn how you can install an SSL certificate using hPanel.

These days, setting up a WordPress SSL certificate is downright simple. There are several types of SSL certificates, but you probably won’t need anything fancy unless you’re running a sizable website or selling products online.

For all other types of websites, a free certificate will usually do the job. What’s more, you can easily set one up to work with Hostinger.

What HTTPS Is (And How It Works Alongside SSL)

When you set up an SSL certificate for your website, you’ll also need to configure it to transmit data using Hypertext Transfer Protocol Secure (HTTPS). Every site you visit uses either HTTP or HTTPS as a prefix for its full URL, including Hostinger:

The HTTPS prefix highlighted on the address bar

HTTPS works just like HTTP, but it enforces higher security standards. If you load a website that uses HTTPS, you’ll know your data is secure during the transfer. However, in order for HTTPS to work, the website you’re trying to access needs an SSL certificate.

If you try to access a site without SSL using HTTPS, you’ll see an error like this one:

A Chrome SSL error.

In other words, SSL and HTTPS work hand-in-hand. If you only use one, the information users send through your website won’t be secured.

Your first move, therefore, should be to get an SSL certificate and set it up to work with your website. Once you have that, you need to tell WordPress to load using HTTPS instead of HTTP. Let’s take a look at how to enable HTTPS on WordPress.

How to Configure WordPress to Use SSL and HTTPS (2 Methods)

At this point, we’re going to assume that you already have an SSL certificate set up for your website. Once you’ve done that, you simply need to force WordPress to use HTTPS. There are two primary ways to do that.

1. Use the WordPress Dashboard and a 301 Redirect

Once you have a WordPress SSL certificate set up, you need to configure your website to use HTTPS. This process is simple if you’re starting a new website. However, if you’re adding an SSL certificate to a site that’s been around for a while, it’s a bit more complicated.

In any case, your first step should be to go to your dashboard and open up the Settings › General tab. Inside, you’ll find two fields called WordPress Address (URL) and Site Address (URL). Your website’s address should appear identical in both, and should use HTTP.

What you need to do is replace that HTTP prefix with HTTPS in both fields, and save the changes to your settings:

Changing your WordPress website's URL to using HTTPS.

That’s all it takes to configure WordPress to use HTTPS. However, some users might have saved your website’s old URL, and it may be linked to across the web. You need to make sure those people make it to the HTTPS version of your site instead. To do that, you can set up a URL redirect.

There are many types of redirects you can use. However, you’re generally best off using a 301 redirect, which tells search engines that your website has moved permanently from one address to another. To implement this redirect, you need to edit a file called .htaccess, which controls how your server interacts with WordPress, as well as its URL structure.

This will require you to access your site’s files directly, using a File Transfer Protocol (FTP) tool such as FileZilla. If it’s your first time doing this, you can find all the details in our FTP guide.

Once you connect to your website via FTP, navigate to the public_html folder and look for the .htaccess file within:

Selecting View/Edit on the .htaccess file in the FTP application.

Select that file and right-click on it, then choose the View/Edit option. This will open the file using your local text editor, enabling you to make changes to it. Don’t alter any of the code within .htaccess unless you know what you’re doing. Just scroll to the very bottom of the file, and paste in the following snippet:

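<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests that arrive on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# R=301 makes the redirect permanent; a bare R flag sends a temporary 302
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]
</IfModule>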

For this to work, you’ll need to replace the placeholder URL in this code with your website’s full HTTPS address. This will redirect any connection that comes through port 80 to your new, secure URL. As you may know, port 80 is the default for HTTP connections, so this will catch just about anyone trying to access your website through the old address.

Once you’ve added the code with your URL, save your changes to .htaccess and close the file. FileZilla will ask if you want to upload those changes to your server, which you’ll want to agree to. If you try visiting your website using the HTTP URL now, your browser should automatically be redirected to the HTTPS version instead.
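To confirm the redirect described above behaves as intended, the following added example (not part of the original article) inspects a response head such as the one printed by `curl -sI http://your-site/some/path` and reports whether the redirect is permanent, points to HTTPS and keeps the requested path. The sample responses and the host www.example.com are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample response heads, shaped like `curl -sI http://...` output.
# www.example.com is a placeholder host.
SAMPLE_TEMPORARY = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.com/blog/post\r\n\r\n"
)
SAMPLE_PERMANENT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/blog/post\r\n\r\n"
)
SAMPLE_NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP response head."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(requested_url, raw_response):
    """List what is wrong with the response to a plain-HTTP request."""
    status, headers = parse_head(raw_response)
    asked = urlsplit(requested_url)
    target = urlsplit(headers.get("location", ""))
    problems = []
    # mod_rewrite's R flag without a code sends 302; R=301 is permanent.
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    if target.scheme != "https":
        problems.append("Location does not point to an https:// URL")
    elif target.path != asked.path:
        problems.append(f"path changed from {asked.path} to {target.path}")
    return problems


if __name__ == "__main__":
    url = "http://www.example.com/blog/post"
    for raw in (SAMPLE_TEMPORARY, SAMPLE_PERMANENT, SAMPLE_NO_REDIRECT):
        print(check_https_redirect(url, raw) or "ok")
```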

2. Install a WordPress SSL Plugin

If you’d rather not work directly with your WordPress files, there are easier ways to enforce HTTPS use throughout your website. For example, you can set up a WordPress SSL plugin, which adds the same code we showed you in the previous method.

While this approach is much simpler, it also comes with some added risk. For example, if compatibility issues arise with another tool, your SSL plugin could stop working and your website won’t load over HTTPS until you fix the issue. That means you’ll want to choose your plugin carefully.

We recommend Really Simple SSL, since it’s remarkably easy to set up. All you need is a WordPress SSL certificate ready to go:

The Really Simple SSL plugin banner.

Once you install and enable the plugin, it will scan your website for a WordPress SSL certificate. If it finds one, it will help you enable HTTPS throughout your entire site with a single click. To do this, just visit the new Settings › SSL tab in your dashboard, and click on the Reload over HTTPS button. With that, you’re good to go!

2 Common WordPress SSL Errors (And How to Fix Them)

At this point, you know how to make sure all visitors to your site get to take advantage of a secure connection. In some cases, however, forcing WordPress to load over HTTPS can lead to a couple of errors. Let’s talk about what they are and how to fix them, just in case.

1. Some Assets Aren’t Loading Over HTTPS

After enabling HTTPS for your website, you might find that some of its assets, such as images, aren’t loading properly. That’s because WordPress is still using the HTTP prefix for them instead of HTTPS.

If you find yourself having this problem with your site’s images, CSS, or JavaScript, the easiest way to solve it is to make a few additions to your .htaccess file. However, this approach only applies if you used the manual method during the previous section. We’ll talk about what to do if you used a plugin instead in a minute.

Access your website via FTP again, and look for the .htaccess file within the public_html directory. Open it up, and find the code you added earlier to force a 301 redirect, which should look like this:

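<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests that arrive on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# R=301 makes the redirect permanent; a bare R flag sends a temporary 302
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]
</IfModule>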

What you’re going to do is delete that snippet and replace it with one that’s more thorough. This isn’t necessary in most cases, since it isn’t that common to have issues with some assets not loading properly. However, if you are having this problem, here’s the code you should use instead:

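<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect every request that did not arrive on the HTTPS port (443),
# keeping the requested host and path
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Standard WordPress rules: serve existing files and directories directly,
# and pass everything else to index.php
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>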

What this code does is force all traffic to load over HTTPS. It also includes rules for your WordPress assets, so it should take care of all the files that weren’t working. After adding it in, save your changes to the .htaccess file and upload it back to the server.

If you configured your website to use HTTPS via a plugin, you shouldn’t need to tweak your .htaccess file manually. Instead, most plugins will offer an alternative solution. For example, Really Simple SSL can scan your website for files not loading over HTTPS, and help you fix them. To use this feature, go to your Settings › SSL tab, and then navigate to the plugin’s Settings page:

Fixing the WordPress mixed content error in the Settings page in the admin panel.

There’s a setting called Auto replace mixed content right at the top of the screen. Make sure it’s enabled, and then save your changes to the plugin’s configuration. This option will ensure that WordPress loads all its assets over HTTPS, and not just your posts and pages.

2. Your WordPress Caching Plugin Is Causing Issues

If you have a WordPress caching plugin set up, your browser might try to load your website’s cached version over HTTP, which can lead to some errors. The quickest way to solve this problem is to clear your WordPress cache.

The way this process works will vary, depending on which caching plugin you use. However, it shouldn’t take you more than a few minutes. For more details, you can check out our guide on how to clear your WordPress cache in WP Super Cache, W3 Total Cache, and WP Fastest Cache. If you’re using another caching plugin, you may need to check its documentation for instructions on how to proceed.

In any case, once you clear your cache, try loading your website again to ensure that your browser is using HTTPS without any errors. Your SSL certificate is now successfully set up!

Conclusion

It used to be the case that WordPress SSL certificates were reserved for business websites, which dealt with a lot of sensitive information. These days, SSL certificates and HTTPS have become commonplace. In fact, search engines such as Google encourage you to use them. Fortunately, as you’ve seen, implementing SSL and forcing your WordPress site to use HTTPS isn’t a difficult task.

Do you have any questions about how to use WordPress SSL and HTTPS? Let’s talk about them in the comments section below!

Author

Will M.

Will Morris is a staff writer at WordCandy. When he's not writing about WordPress, he likes to gig his stand-up comedy routine on the local circuit.