"Excellent customer service"
— Neal F. Fischer What They Say

HTTPS for WordPress: Auto-enable SSL for Free

HTTPS for WordPress Cover

HTTPS for WordPress is critical today. Your WordPress site should always load via https:// instead of http:// because the HTTP protocol is inherently insecure. Installing an SSL certificate to enable HTTPS for WordPress can be costly and overly technical, but it doesn’t have to be. I’ll tell you how to use a free and automatic method so that you can easily begin serving WordPress securely.

Let’s cut to the chase. I’ll start by explaining how to auto-enable HTTPS for WordPress in three simple steps. You can keep reading after that to learn why HTTPS/SSL should be used on every site. In a nutshell, it’s a security necessity. WordPress recommends HTTPS and Google is penalizing sites that do not have an SSL certificate. The time to start using HTTPS on WordPress is now.

How to Set Up HTTPS for WordPress

There are a couple of ways you can go about setting up HTTPS on WordPress. Simply put, the automatic method is easy and the manual method is hard. Fortunately, very few users will need to resort to the manual method.

Auto-enable HTTPS for WordPress in Three Steps

Follow these three easy steps to automatically enable HTTPS for WordPress without having to buy or install an SSL certificate.

You won’t have to bother with setting up redirects from the old http:// URLs to the new https:// URLs. This will be done automatically for you. It’s likely that your content and widgets contain dozens or hundreds (even thousands) of references to your insecure http:// URLs. Step three will correct this automatically, saving you time and preventing visitors from seeing “mixed content” warnings.

Three Simple Steps

HTTPS WordPress Setting in WP Ultimate

This is how easy it is to enable HTTPS for WordPress on WP Ultimate hosting

  1. Sign up at WP Ultimate (or WP Church Host). The cheapest plan is ideal for most.
  2. Log in then request for your site to be moved from your old host (a free service).
  3. After your website has been moved for you, enable the https:// option in your account.

What is normally a process that takes several hours is done in just a few minutes without cost to you. These two are not the only hosts that provide free SSL certificates (thanks to Let’s Encrypt) but I’m not aware of others that automatically redirect traffic to https:// and replace the insecure URLs in your content. This helps you avoid a long and often error-prone manual process.

Ask your current host what their process and costs are like to decide if you want to stick with them or make a switch.

Wrapping Up

Give your site a test after completing the steps and contact your new host if you see any quirks. You probably won’t need to, but help is available. As managed WordPress hosts, these providers help not only with hosting issues but with WordPress issues. This makes them specially suited to assist with setting up HTTPS for WordPress. A typical host is not likely to assist you with things like URL redirection and replacement within the contents of a WordPress site.

Since now it is possible, all hosts should provide SSL certificates for free and I hope that at some point in the future all hosting providers will make switching to HTTPS for WordPress as easy as WP Ultimate does. The key to switching over all web traffic to HTTPS is for web hosts to make it utterly easy and free for their customers. It’s far too complicated a process for the average user to undertake manually, as you’ll see if you read on.

Or, Set Up HTTPS on WordPress Manually (Hard)

You can also enable HTTPS for WordPress manually. It’s quite an involved process with regard to ordering and installing the SSL certificate then setting up your URL redirects and replacements manually. You almost certainly don’t need to go this route but there are some reasons it may be necessary. Maybe you want to stick with your host but they don’t offer SSL certificates or maybe you have a very high-profile website and want to invest in an EV SSL certificate.

Thirteen Technical Steps

  1. Generate a CSR (Certificate Signing Request) on your server.
  2. Use the CSR to order an SSL certificate (PositiveSSL via Namecheap is a decent option).
  3. Follow the provider’s instructions to validate the request and receive the certificate (you must prove you control the domain).
  4. Log into your hosting control panel to install the SSL certificate for your domain (consult your host’s docs).
  5. Try accessing your website via https:// to ensue the SSL certificate has been installed correctly.
  6. Go to Settings > General in WordPress to update the URL settings so that https:// URLs are used instead of http://.
  7. Force your admin area to always use SSL by adding define('FORCE_SSL_ADMIN', true); to wp-config.php via FTP.
  8. Redirect all traffic from http:// to https:// (see Need to redirect all traffic to https on Stack Overflow).
  9. Make a MySQL database backup before continuing with URL replacements (mistakes are not easily reversed)…
  10. Replace all references to your http:// URL with your https:// URL (Velvet Blues Update URLs is helpful).
  11. Manually replace any references to your https:// URL in Appearance > Widgets (the Velvet Blues plugin doesn’t automate this).
  12. Test every page of your website to make sure there are no “mixed content” warnings or other issues. Edit content as needed.
  13. Make a reminder to renew, re-install and test your certificate after it expires (usually yearly).

Usually Not the Best Option

This process can literally take hours or days and cost hundreds of dollars if you outsource the work. This is why I and so many others who help people with their websites are thrilled about Let’s Encrypt and hosts that automatically redirect and replace insecure URLs after auto-installing the SSL certificate. If you know of any others that do both of these things in addition to WP Ultimate and WP Church Host, please share in a comment for the benefit of other readers.

Why to Enable HTTPS for WordPress

Now that you know how easy it can be to enable HTTPS on WordPress, let’s talk about why you absolutely must do it sooner than later. Data transferred to and from your WordPress site is not encrypted when using an http:// URL. You need to use https:// in order for the data to be encrypted to and from your website. The way to enable HTTPS for WordPress is to install an SSL certificate. You can then use an https:// URL with WordPress.

Note that using an SSL certificate to make your site load via the HTTPS protocol is not all that is required to make a WordPress site secure but your site cannot be considered secure without it. Even while using HTTPS for your WordPress site, you should take other security precautions such as setting strong passwords, making regular backups and keeping WordPress itself, plugins and themes up-to-date.

Security is the main reason to set up HTTPS for WordPress but it is not the only reason. Your website’s traffic and brand image are likely to be hindered by continuing to serve your website in an insecure manner. Let me share some recent developments with you. Keep in mind that with time reasons like these will multiply as the push for a web that runs entirely on HTTPS/SSL continues.

What’s Insecure in WordPress Without HTTPS

If you are not currently using SSL with WordPress then these are just a few things that are insecure. After you enable HTTPS, all of these problems will be solved because passwords, form submissions and so on will be encrypted. Prying eyes will no longer be able to snoop into your and your users’ business.

  • Your password when logging into the WordPress admin area (critical).
  • Other users’ passwords when they log into any part of your website.
  • Form submissions from website visitors (contact forms, user registration, etc. — protect your users’ privacy).
  • Payment screens should always use HTTPS/SSL (very important).
  • Any data transferred to and from your site by you and your users could be read by malicious parties.

WordPress Urges HTTPS/SSL Usage

WordPress recommends HTTPS for all sites and may later make some features SSL-only. You’ll want to be running WordPress on HTTPS before this happens.

Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.
Matt Mullenweg, WordPress Co-founder

Google Search Penalizes Non-HTTPS Websites

Google has for some time now used HTTPS as a search engine ranking factor. This hurts sites without an SSL certificate while giving sites on HTTPS a competitive edge. Enabling HTTPS on WordPress can be a quick and easy way to improve your website’s ranking on Google. You aren’t likely to see a tremendous jump but a little extra traffic day in and day out over a long period of time can add up.

Consider this an opportunity to boost not only your website security but also your marketing reach. All of these problems I’m highlighting are solvable simply by taking three steps to auto-enable HTTPS on WordPress.

Browsers Warn Users About Non-HTTPS Websites

Do you know what the most popular browser is? It’s Chrome by Google. Since Google is on a crusade to make the web more secure, their browser now tells your visitors that your website is insecure.

A Subtle Warning on All Pages

Chrome shows this subtle but concerning warning on every page of your non-HTTPS WordPress site. Have you noticed? It didn’t always show, but now it does. If you’re using Chrome right now, compare this screenshot to the green “Secure” label you see in the address bar for our website.

HTTPS Warning

Chrome’s warning on pages without HTTPS

A More Direct Warning on Sensitive Pages

On more sensitive pages (e.g. log in, sign up, payment, etc.), Chrome highlights your website’s security problem really loud by showing “Not Secure” in the address bar. Go to your WordPress login screen to see it yourself. Google wants to make sure your visitors know you’re not running WordPress on HTTPS so that they can decide if they want to risk staying. Indeed, not using HTTPS for WordPress creates not only a security issue for users but a credibility issue for your brand.

HTTPS Not Secure WordPress Login

“Not Secure” shows on sensitive pages

Update: Starting October, 2017, Chrome will show “Not Secure” on any page with a form that the user enters text into. See how this is progressing?

Google Search Console HTTPS Not Secure Warning

Google Search Console HTTPS Warning

An Alarming Warning on All Pages — Eventually

But Google is just getting started. You don’t want to be caught without an SSL certificate when Google eventually makes the “Not Secure” warning standard on all pages and colors it red with an exclamation point. This will really get website owners to switch over to HTTPS/SSL because most users aren’t going to hang around after seeing such an urgent warning.

HTTPS Not Secure Red

Later, this will show on all pages

Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS. Google Security Blog

Other Browsers Falling in Line

Not surprisingly, other browsers are following suit. As you can see, the idea is that every website should be on HTTPS. The power players are making a huge push for that and I’d say at this point it’s an unavoidable issue. Switch your WordPress site to HTTPS right now and get it over with. We’re glad we did at churchthemes.com and you and your visitors will reap the benefits too.

You’re Making the Web More Secure

Google wants to make the web more secure and that’s why they’re pushing for universal HTTPS/SSL usage. The time to get on board with this is now (more like last year, actually). There are already consequences to not doing so, ranging from loss of traffic, user privacy violations and flat-out website hacking in the case of an unencrypted password being intercepted by an attacker.

It took a great deal of time for WordPress on HTTPS to be made easy and affordable. In fact, it took decades to pull off free, automatically installed SSL certificates. But the web is a better place now and you can take full advantage of the time we’re living in by enabling HTTPS for WordPress in three simple steps.

…don’t wait to get started moving to HTTPS. HTTPS is easier and cheaper than ever before… Google Security Blog

Have you set up HTTPS/SSL on WordPress yet? Tell us in a comment what method you used and how it was for you.

8 Comments

  1. Our web host Flockhosting.com also provides the free Let’s Encrypt SSL certification through cPanel, although without the option to automatically redirect all requests to HTTPS. For this I have installed the free plugin “Really Simple SSL” from the WordPress plugin directory and it works great. Haven’t had to mess with it in almost two years, and the certificates just keep on renewing automatically every 90 days without any problem.

    • Things are starting to come together. I hope most will eventually have something in place to automate the URL replacements within content and widgets. I’m not sure which have gone that far at this point.

  2. Let’s Encrypt is definitely another route to go and I would check with your ISP as they also have a tool to automate the installation of the certificate.

    As far as your WordPress site is concerned once the certificate is installed you do need to resolve all your existing addresses which means updating all your content. In most cases a simple tweak to the address will suffice. Setting | General and change all references to http to https.

    Finally, a modification to your htaccess file to redirect all traffic from http to https should complete the process (there are plugins to do that.)

    • Thanks for commenting. I would add that it’s important also to replace the old http URLs within all page, post, etc. content and widgets. WordPress uses absolute URLs so there will likely be some non-https links and image tags remaining which would create unnecessary redirects and mixed content warnings.

      The Velvet Blues Update URLs plugin is helpful for this but last time I checked doesn’t handle widgets so those would need to be checked manually. WP Ultimate automates these kinds of things right after installing the SSL certificate so that beginner users don’t have to tinker with .htaccess, install a plugin or manually change URLs in settings or content.

      • That may not be necessary once you change the default protocol for the site. i could be wrong, but I anticipated having to do that on the last site migration and noticed there was not a need.

        The first time I moved a site over I used a simple search and replace plugin that parsed the database making all those changes.

        There are definitely a couple of considerations and the easiest way to tell what has worked is to monitor the little lock. Once the site is secure (in chrome) you’ll see that lock with a green shadow. If you’ve still work to do the information icon will show you what needs to be done

        • Was the site very minimal?

          The only time I can think of it not being necessary would be when no locally hosted images are added to page or post content. Having an http to https redirect in .htaccess would still cause mixed content warnings if there are images because http:// would remain in the markup. The redirect would make internal links keep working but it’s better to change the URL’s than rely on 301 redirects. In any case, it’s easiest to run an automatic tool like you mentioned to check and fix local URLs in content.

          I remember seeing a plugin that will scan your website for pages triggering mixed content warnings. That should be handy for sites with too many pages to manually check. A good thing to do whatever the method used.

Commenting has been turned off.