How to Secure Your WordPress Site with SSL (HTTPS)
Back in 2014 Google announced they would start using SSL as a ranking signal for search results. They say HTTPS carries less weight as a ranking factor than other important SEO factors such as well-written articles, titles, proper use of headings, backlinks and more, but their algorithms will now look at your site, see whether it has SSL, and decide where it will rank in their index based in part on whether or not it is using SSL.
Many of us are familiar with SSL when we make purchases online. Any reputable site that has a checkout process where credit card information is entered on their site will already have their checkout process secured with SSL. But Google wants more. They want every single page on your site to be delivered to browsers through encryption. I’m not exactly sure why Google wants all browsing encrypted. Possibly, they are concerned about big government of various countries snooping on individuals’ browsing experience. Google doesn’t make it exactly clear why they want all websites to encrypt all their pages with SSL. I’m just speculating at best. I want whatever help I can get with Google to rank, so I decided to secure my entire site.
There is a negligible trade-off when it comes to site speed. SSL will slow things down some, but the speed change is hardly noticeable.
Changing a WordPress site over to SSL can be a little intimidating. I know it was for me. Things can break. If you have mixed content, such as images delivered over non-HTTPS URLs on a secure page, browsers alert you and won’t deliver content that isn’t secure without the user taking extra steps. When this happens, the end result is a bad user experience, which is not good for the website owner. So I want to share what I did when switching my WordPress site over to SSL, and hopefully this will take some of the intimidation out of the whole process. Switching your WordPress site over to SSL does not have to be a bad experience if done correctly.
This article assumes your website’s web server software is Apache with a normal Linux-Apache-MySQL-PHP (LAMP) server configuration. The vast majority of WordPress sites are on servers like this. This article does not apply to Windows or Nginx web servers. Check with your host provider if you are unsure.
Obtaining an SSL Certificate
The first step to securing your WordPress site with SSL is to get an SSL certificate. The best deals on SSL certificates I have found are through NameCheap. You can get the Comodo PositiveSSL for $9 per year. I have not been able to find a better value. There are a few free SSL certificates out there like Open SSL, but I personally do not trust them. They usually throw a security error to the end user. We don’t want to create a bad end user experience, so paying for one is the way to go. Comodo is a name I trust, so that is what I went with. If you want the green bar in your URL, be prepared to pay quite a bit more for one that will do that. The encryption is no different with the expensive green bar one than the $9/yr. one.
Once you have obtained your SSL, you will most likely need to contact your host provider for assistance setting up your SSL. You will probably need a dedicated IP address for your site if you do not already have one. Host providers usually charge a little extra for a dedicated IP address. Check with your host provider about your SSL setup.
How WordPress Processes URLs for Everything
WordPress is a database-driven machine. That means everything created and inserted through the WordPress system is stored in a database and delivered to the browser based on the Settings that were configured during the initial setup. This means text, images (image URLs), and more are all delivered by the database.
So now that you have your SSL certificate installed, nothing has actually happened to make your site secure. We will have to apply your SSL certificate to your WordPress site to secure everything.
WordPress actually makes this part easy to do. With a simple change to your site settings, 90% of your site will instantly begin using your secure server certificate.
Go to Settings > General Settings > WordPress Address (URL) and Site Address (URL).
Change your http to https.
This will secure most everything because when WordPress delivers content to the browser, it will attach the site URL to the stuff it delivers from the database. In other words, your pages, posts and images, CSS etc. will be delivered from the database using https. However, if you hard-coded anything, you will need to manually go in and change the URLs on those things. If you used the media library to insert your images, then you don’t have to do anything. WordPress takes care of that.
If you simply want to secure specific pages, you don’t need to follow the above instructions. You simply need to create an https URL to the page(s) and/or post(s). This is a common way to secure just the checkout process. Of course, doing it that way defeats the whole purpose of getting some more love from Google.
Testing Your Site (Mixed Content Issues)
Testing your site after changing over to SSL is very important. If you have any issues with mixed content, that is, some content is delivered over SSL and some is not, it is possible that the end user’s browser will not deliver all the content that you had intended. Mixed content is very common when dealing with images that have been hard-coded into your posts or pages. Another common mixed content issue has to do with favicons.
One important example of mixed content actually happened to this site during the changeover to SSL: I was using Google Custom Search, delivered by the iframe setup, and it quit delivering the search results. Unfortunately, I was not able to find a fix for this problem and had to change the search program for this site. It is strange, since Google is the one that started this whole “SSL everything” movement, that their custom search won’t work anymore once the site has switched to SSL.
For testing, I personally recommend using a combination of Internet Explorer and Google Chrome. Unless you have turned it off in the security settings, Internet Explorer will throw up a mixed content warning/alert that lets you know which pages are delivering mixed content. Google’s “Inspect Element” will tell you what is causing the mixed content warning and where it is located, making it easy to fix. I know for this site, I had hard-coded the favicon into header.php and was able to quickly find and fix that issue.
Internet Explorer Mixed Content Warning
Chrome Mixed Content Inspect Element
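The browser checks described above can be automated. The following is an added example, not code from the original article: it scans a page's HTML for subresources still referenced over http://, and goes slightly beyond the text by separating active content (scripts, iframes, stylesheets), which browsers block, from passive content (images, favicons). The scan function, the class name and the example.com sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" subresources are blocked on an HTTPS page; "passive" ones have
# typically loaded with a warning. <a href> is navigation, so it is not listed.
KINDS = {"script": "active", "iframe": "active", "img": "passive",
         "audio": "passive", "video": "passive", "source": "passive"}
LINK_RELS = {"stylesheet": "active", "icon": "passive"}  # <link> rels that load files

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by a page served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # "shortcut icon" and "stylesheet" load files; "canonical" does not.
            rels = (attrs.get("rel") or "").lower().split()
            kind = next((LINK_RELS[r] for r in rels if r in LINK_RELS), None)
            value = attrs.get("href")
        else:
            kind, value = KINDS.get(tag), attrs.get("src")
        if kind is None or not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, kind, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: theme header with a hard-coded favicon, plus post content.
SAMPLE = """<html><head>
<link rel="shortcut icon" href="http://example.com/favicon.ico">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
</head><body>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="//example.com/wp-content/uploads/ok.jpg">
<iframe src="http://search.example.net/results"></iframe>
<a href="http://example.org/">external link</a>
</body></html>"""
for finding in scan("https://example.com/", SAMPLE):
    print(*finding)
```

Each finding carries the source line, so a hard-coded reference in a theme file such as header.php can be located directly; relative and protocol-relative URLs inherit https from the page and are not reported.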
Check for Broken Links
Once you have converted over to SSL, the non-SSL http:// will no longer work. You will get a 404 response from your server. So I HIGHLY recommend you check your entire site for any links that didn’t update correctly in the database. Fortunately there is a quick way to find those links. Put your main domain in this free broken link checker and it will crawl your site and let you know if you are getting a 404 anywhere. You will know what page and what link is broken so you can fix it.
If you find a bunch, you may want to get the Better Search and Replace plugin, search your posts table, and replace all http: with https:. If you use that plugin, you may want to run your site through the broken link checker again.
I hope this has helped take some of the intimidation out of setting up your WordPress site with SSL.