HTTPS for WordPress is critical today. Your WordPress site should always load via https:// instead of http:// because the HTTP protocol is inherently insecure. Installing an SSL certificate to enable HTTPS for WordPress can be costly and overly technical, but it doesn’t have to be. I’ll tell you how to use a free and automatic method so that you can easily begin serving WordPress securely.
Let’s cut to the chase. I’ll start by explaining how to auto-enable HTTPS for WordPress in three simple steps. You can keep reading after that to learn why HTTPS/SSL should be used on every site. In a nutshell, it’s a security necessity. WordPress recommends HTTPS and Google is penalizing sites that do not have an SSL certificate. The time to start using HTTPS on WordPress is now.
- How to Set Up HTTPS for WordPress
- Why to Enable HTTPS for WordPress
- You’re Making the Web More Secure
How to Set Up HTTPS for WordPress
There are a couple of ways you can go about setting up HTTPS on WordPress. Simply put, the automatic method is easy and the manual method is hard. Fortunately, very few users will need to resort to the manual method.
Auto-enable HTTPS for WordPress in Three Steps
Follow these three easy steps to automatically enable HTTPS for WordPress without having to buy or install an SSL certificate.
You won’t have to bother with setting up redirects from the old http:// URLs to the new https:// URLs. This will be done automatically for you. It’s likely that your content and widgets contain dozens or hundreds (even thousands) of references to your insecure http:// URLs. Step three will correct this automatically, saving you time and preventing visitors from seeing “mixed content” warnings.
Three Simple Steps
- Sign up at WP Ultimate (or WP Church Host). The cheapest plan is ideal for most.
- Log in then request for your site to be moved from your old host (a free service).
- After your website has been moved for you, enable the https:// option in your account.
What is normally a process that takes several hours is done in just a few minutes without cost to you. These two are not the only hosts that provide free SSL certificates (thanks to Let’s Encrypt) but I’m not aware of others that automatically redirect traffic to https:// and replace the insecure URLs in your content. This helps you avoid a long and often error-prone manual process.
Give your site a test after completing the steps and contact your new host if you see any quirks. You probably won’t need to, but help is available. As managed WordPress hosts, these providers help not only with hosting issues but with WordPress issues. This makes them specially suited to assist with setting up HTTPS for WordPress. A typical host is not likely to assist you with things like URL redirection and replacement within the contents of a WordPress site.
Since now it is possible, all hosts should provide SSL certificates for free and I hope that at some point in the future all hosting providers will make switching to HTTPS for WordPress as easy as WP Ultimate does. The key to switching over all web traffic to HTTPS is for web hosts to make it utterly easy and free for their customers. It’s far too complicated a process for the average user to undertake manually, as you’ll see if you read on.
We are pleased to provide free SSL certificates with automatic installation. Now it only takes a few clicks to enable HTTPS for WordPress.
— WP Ultimate (@WPUltimateHQ) August 17, 2017
Or, Set Up HTTPS on WordPress Manually (Hard)
You can also enable HTTPS for WordPress manually. It’s quite an involved process with regard to ordering and installing the SSL certificate then setting up your URL redirects and replacements manually. You almost certainly don’t need to go this route but there are some reasons it may be necessary. Maybe you want to stick with your host but they don’t offer SSL certificates or maybe you have a very high-profile website and want to invest in an EV SSL certificate.
Thirteen Technical Steps
- Generate a CSR (Certificate Signing Request) on your server.
- Use the CSR to order an SSL certificate (PositiveSSL via Namecheap is a decent option).
- Follow the provider’s instructions to validate the request and receive the certificate (you must prove you control the domain).
- Log into your hosting control panel to install the SSL certificate for your domain (consult your host’s docs).
- Try accessing your website via https:// to ensue the SSL certificate has been installed correctly.
- Go to Settings > General in WordPress to update the URL settings so that https:// URLs are used instead of http://.
- Force your admin area to always use SSL by adding
define('FORCE_SSL_ADMIN', true);to wp-config.php via FTP.
- Redirect all traffic from http:// to https:// (see Need to redirect all traffic to https on Stack Overflow).
- Make a MySQL database backup before continuing with URL replacements (mistakes are not easily reversed)…
- Replace all references to your http:// URL with your https:// URL (Velvet Blues Update URLs is helpful).
- Manually replace any references to your https:// URL in Appearance > Widgets (the Velvet Blues plugin doesn’t automate this).
- Test every page of your website to make sure there are no “mixed content” warnings or other issues. Edit content as needed.
- Make a reminder to renew, re-install and test your certificate after it expires (usually yearly).
Usually Not the Best Option
This process can literally take hours or days and cost hundreds of dollars if you outsource the work. This is why I and so many others who help people with their websites are thrilled about Let’s Encrypt and hosts that automatically redirect and replace insecure URLs after auto-installing the SSL certificate. If you know of any others that do both of these things in addition to WP Ultimate and WP Church Host, please share in a comment for the benefit of other readers.
Why to Enable HTTPS for WordPress
Now that you know how easy it can be to enable HTTPS on WordPress, let’s talk about why you absolutely must do it sooner than later. Data transferred to and from your WordPress site is not encrypted when using an http:// URL. You need to use https:// in order for the data to be encrypted to and from your website. The way to enable HTTPS for WordPress is to install an SSL certificate. You can then use an https:// URL with WordPress.
Note that using an SSL certificate to make your site load via the HTTPS protocol is not all that is required to make a WordPress site secure but your site cannot be considered secure without it. Even while using HTTPS for your WordPress site, you should take other security precautions such as setting strong passwords, making regular backups and keeping WordPress itself, plugins and themes up-to-date.
Security is the main reason to set up HTTPS for WordPress but it is not the only reason. Your website’s traffic and brand image are likely to be hindered by continuing to serve your website in an insecure manner. Let me share some recent developments with you. Keep in mind that with time reasons like these will multiply as the push for a web that runs entirely on HTTPS/SSL continues.
What’s Insecure in WordPress Without HTTPS
If you are not currently using SSL with WordPress then these are just a few things that are insecure. After you enable HTTPS, all of these problems will be solved because passwords, form submissions and so on will be encrypted. Prying eyes will no longer be able to snoop into your and your users’ business.
- Your password when logging into the WordPress admin area (critical).
- Other users’ passwords when they log into any part of your website.
- Form submissions from website visitors (contact forms, user registration, etc. — protect your users’ privacy).
- Payment screens should always use HTTPS/SSL (very important).
- Any data transferred to and from your site by you and your users could be read by malicious parties.
WordPress Urges HTTPS/SSL Usage
Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.
Matt Mullenweg, WordPress Co-founder
Google Search Penalizes Non-HTTPS Websites
Google has for some time now used HTTPS as a search engine ranking factor. This hurts sites without an SSL certificate while giving sites on HTTPS a competitive edge. Enabling HTTPS on WordPress can be a quick and easy way to improve your website’s ranking on Google. You aren’t likely to see a tremendous jump but a little extra traffic day in and day out over a long period of time can add up.
Consider this an opportunity to boost not only your website security but also your marketing reach. All of these problems I’m highlighting are solvable simply by taking three steps to auto-enable HTTPS on WordPress.
Browsers Warn Users About Non-HTTPS Websites
Do you know what the most popular browser is? It’s Chrome by Google. Since Google is on a crusade to make the web more secure, their browser now tells your visitors that your website is insecure.
A Subtle Warning on All Pages
Chrome shows this subtle but concerning warning on every page of your non-HTTPS WordPress site. Have you noticed? It didn’t always show, but now it does. If you’re using Chrome right now, compare this screenshot to the green “Secure” label you see in the address bar for our website.
A More Direct Warning on Sensitive Pages
On more sensitive pages (e.g. log in, sign up, payment, etc.), Chrome highlights your website’s security problem really loud by showing “Not Secure” in the address bar. Go to your WordPress login screen to see it yourself. Google wants to make sure your visitors know you’re not running WordPress on HTTPS so that they can decide if they want to risk staying. Indeed, not using HTTPS for WordPress creates not only a security issue for users but a credibility issue for your brand.
Update: Starting October, 2017, Chrome will show “Not Secure” on any page with a form that the user enters text into. See how this is progressing?
An Alarming Warning on All Pages — Eventually
But Google is just getting started. You don’t want to be caught without an SSL certificate when Google eventually makes the “Not Secure” warning standard on all pages and colors it red with an exclamation point. This will really get website owners to switch over to HTTPS/SSL because most users aren’t going to hang around after seeing such an urgent warning.
Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS. Google Security Blog
Other Browsers Falling in Line
Not surprisingly, other browsers are following suit. As you can see, the idea is that every website should be on HTTPS. The power players are making a huge push for that and I’d say at this point it’s an unavoidable issue. Switch your WordPress site to HTTPS right now and get it over with. We’re glad we did at churchthemes.com and you and your visitors will reap the benefits too.
We've gone 100% SSL. One small step toward making the web more secure…
— churchthemes.com (@churchthemes) April 29, 2016
You’re Making the Web More Secure
Google wants to make the web more secure and that’s why they’re pushing for universal HTTPS/SSL usage. The time to get on board with this is now (more like last year, actually). There are already consequences to not doing so, ranging from loss of traffic, user privacy violations and flat-out website hacking in the case of an unencrypted password being intercepted by an attacker.
It took a great deal of time for WordPress on HTTPS to be made easy and affordable. In fact, it took decades to pull off free, automatically installed SSL certificates. But the web is a better place now and you can take full advantage of the time we’re living in by enabling HTTPS for WordPress in three simple steps.
…don’t wait to get started moving to HTTPS. HTTPS is easier and cheaper than ever before… Google Security Blog
Have you set up HTTPS/SSL on WordPress yet? Tell us in a comment what method you used and how it was for you.