
Install SSL Certificate to Make Your WordPress Website HTTPS & Boost Your Site’s Trustworthiness

February 21, 2019


Secure Sockets Layer (SSL) is the standard for encrypted communication between web servers (such as Apache or NGINX) and web browsers. It ensures that this communication is encrypted and private. When compiling SERPs, Google prefers SSL-certified websites. When a site is secured with an SSL certificate, a padlock icon is visible in the address bar and the URL prefix changes from http:// to https://.

In this guide, you will learn what SSL and HTTPS are, and how you can easily add SSL to a WordPress website.

Google Chrome has marked HTTP sites as ‘Not secure’ since July 2018. This is a drastic situation for non-SSL sites, as it will result in alarmingly fewer visitors and, eventually, fewer sales.

Chrome Non-Secure HTTP

A glimpse of what non-SSL sites look like.

Emily Schechter from the Chrome Security Team said:

“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

What is SSL?

Secure Sockets Layer or SSL is a standard protocol for data transmission between a web server and a browser. SSL makes sure the transmitted data is encrypted and protected, specifically against a man-in-the-middle attack.

SSL-secured websites use the HTTPS protocol instead of traditional HTTP. For example:

Without SSL = http://example.com
With SSL = https://example.com

What is HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure. It is a combination of two protocols: HTTP and SSL (Secure Sockets Layer). HTTP is the channel through which the data is transmitted, and SSL is the security protocol that protects the data by encrypting it so that no one can steal it in transit over a network. (The current version of the protocol is called Transport Layer Security (TLS); the name SSL is still commonly used for both.)

How Does an SSL Certificate Work?

As described above, an SSL-certified (HTTPS) website establishes a secure connection between the web server and the web browser. When a user submits information such as a name, password, or credit card number, it is encrypted before it is sent.

HTTP vs HTTPS

— Source: Sucuri

The data travels via HTTPS from the web browser to the hosting server. Even if the information is intercepted by a hacker, it is unreadable because it is encrypted with a unique cryptographic key, which is what makes the process secure.

Importance of an SSL Certificate

Google’s initiative to give secure websites better ranking exposure indicates the importance of integrating SSL certificates into websites. Having an SSL certificate not only improves the site ranking, it also plays a crucial part in securing websites from possible data theft.

Since 2014, SSL has become a must-have. The chart below shows massive growth in the percentage of pages loaded over SSL-certified websites.

SSL Certified Websites Stats

Percentage of pages loaded over HTTPS in Chrome by platform

Recommended: WordPress SSL Hosting Only

Matt Mullenweg, the co-founder of WordPress, which powers more than 30% of the web, once said:

“We will only promote hosting partners that provide an SSL certificate by default in their accounts.”

And now, you can see a special mention of WordPress SSL (HTTPS) supported hosting providers at the WordPress requirements page.

Performance

Firstly, let me introduce HTTP/2, an optimized successor to HTTP/1.1 for transporting data faster. The old HTTP/1.1 allows web servers to serve one request at a time, and the connection has to open and close after each request is sent, while HTTP/2 uses multiplexing (multiple requests in a single TCP connection), which gives faster performance and reduced server response time.

Most major browsers, such as Chrome, Firefox, Safari, and Edge, added HTTP/2 support a few years back.

Though HTTP/2 is designed to work with both HTTPS and HTTP, most web browsers only support it over SSL. Thus, TLS (SSL) encryption is mandatory for your websites to get the benefits of HTTP/2.

Have a look at the speed comparison between HTTP and HTTPS.

HTTPS Speed Test

SSL As a Ranking Signal

Google is trying to make the internet more secure by offering SSL-certified websites an edge in SERP listings. The search engine apparently prefers SSL-certified sites over non-SSL sites. You can read more about the relationship between SSL and SEO.


HTTPS – A Sign of Trustworthiness & Authenticity

SSL certificates (HTTPS) are widely used in online transaction systems, private networks, email services, etc. HTTPS is a reassurance factor for you and your site’s visitors, as any data they enter will be submitted in encrypted form over a secure connection.

Who Needs to Move to HTTPS?

Since Google’s announcement and its promise of a boost in SERPs, I say that every website should move over to the HTTPS protocol. That includes blogs, ecommerce websites, business websites, forums, video sites, news, and social media websites.

For a proper SERP boost, you should deploy HTTPS on each and every page of a website. Otherwise, you may be left behind your competitors.

Validation Levels of SSL Certificates

There are three main validation levels of an SSL certificate. Each of them has a different level of security:

Domain Validation (DV)

Domain Validation SSL or DV SSL is the base-level for all SSL types. DV SSL certificates are the best fit for websites that only need encryption and nothing more. These certificates are cheap and issued within a few minutes. You just have to prove that you own a particular domain.

Domain Validation SSL

Organization Validation (OV)

In Organization Validation SSL or OV SSL certificate, the issuer verifies your domain name as well as your business registration information. You may need to submit a few documents that will be verified and the information will be listed on the certificate as well, and it will provide higher assurance to your users. Since it needs document verification, it may take a few hours to days to get an Organization Validation SSL certificate.

Organization Validation SSL

Extended Validation (EV)

Extended Validation SSL or EV SSL requires extensive business validation, a bit more than Organization Validation (OV) SSL certificates. You may need to provide a few documents that will be verified, and the information will be listed on the certificate as well.

In the EV SSL type, the address bar becomes green and displays your organization’s name next to the URL. Since it needs document verification, it may take a few hours to days to get an Extended Validation SSL certificate.

Extended Validation

Types of SSL Certificates

Single Domain

As the name suggests, the SSL certificate can only be used on a single domain or an IP address.
Example: A single certificate will only apply to example.com

This type of SSL certificate is available at all validation levels.

Multi-domain

As the name suggests, the single SSL certificate can be used on multiple domains.
Example: A single certificate will apply to example.com, abc.net, xyz.org etc.

This type of SSL certificate is available at all validation levels except the EV (Extended Validation).

Wildcard

Wildcard SSL certificates are used for a single domain that has a number of subdomains. The limit may vary from provider to provider.
Example: A single certificate will apply to example.com, site1.example.com, site2.example.com etc.

This type of SSL certificate is available at all validation levels except the EV (Extended Validation).

Multi-domain Wildcard

Multi-domain wildcard SSL certificates are a combination of multi-domain and wildcard certificates. You can have a number of domains along with their subdomains. The limit may vary from provider to provider.
Example: A single certificate will apply to example.com, site1.example.com, abc.com, site1.abc.com etc.

This type of SSL certificate is available at all validation levels except the EV (Extended Validation).
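To see which hostnames a given certificate actually covers, the following added example (not part of the original article) applies the usual browser matching rule to a list of certificate names. The hostnames and name lists are constructed samples; the point to notice is that a wildcard name stands for exactly one label, so `*.example.com` on its own covers neither `example.com` nor a second-level subdomain, which is why providers normally list the bare domain alongside the wildcard.

```python
# Added example: check which site hostnames are covered by the names
# (Subject Alternative Names) listed on a certificate.
# All name lists below are constructed sample data.


def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if cert_labels[0] != "*":
        # Ordinary name: must match the hostname exactly.
        return cert_labels == host_labels
    # Wildcard name: '*' replaces exactly one left-most label.
    # Simplification: reject '*.tld'; real clients also consult the
    # public suffix list, which is not modelled here.
    if len(cert_labels) < 3 or len(cert_labels) != len(host_labels):
        return False
    return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]


def uncovered(cert_names, hosts):
    """Return the hosts that no name on the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Hostnames the site is served on (constructed).
SITE_HOSTS = [
    "example.com",
    "www.example.com",
    "site1.example.com",
    "shop.site1.example.com",
    "abc.net",
]

# Three certificate shapes from the section above (constructed).
SINGLE_DOMAIN = ["example.com"]
WILDCARD_ONLY = ["*.example.com"]
MULTI_DOMAIN_WILDCARD = ["example.com", "*.example.com", "abc.net"]

if __name__ == "__main__":
    for label, names in [("single domain", SINGLE_DOMAIN),
                         ("wildcard only", WILDCARD_ONLY),
                         ("multi-domain wildcard", MULTI_DOMAIN_WILDCARD)]:
        print(f"{label}: not covered -> {uncovered(names, SITE_HOSTS)}")
```

Any hostname reported as not covered will produce a certificate warning in the browser, and it matters again later when HSTS is enabled with includeSubDomains.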

There are a number of SSL certificate providers. All you have to do is to identify your requirements and go with the one that best suits you. Here are a few top SSL certificate providers.

Besides the above, we can’t forget another renowned provider of free SSL certificates: Let’s Encrypt.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA). It is a service provided by the Internet Security Research Group (ISRG). By using Let’s Encrypt, anyone who owns a domain and hosting can add SSL to WordPress or any website without any cost.

Note: Let’s Encrypt offers Domain Validation (DV) certificates only.

In just 2 years, Let’s Encrypt adoption rate has gone through the roof.

Let's Encrypt Growth Stats

Source: Let’s Encrypt Stats

Throughout this guide, I will be using Let’s Encrypt as my free SSL certificate provider, and you will learn how to add Let’s Encrypt to a WordPress website.

Let’s Encrypt SSL Certificate Limitations

Let’s Encrypt certificates expire in three months, after which the certificate must be renewed. Besides the expiry, Let’s Encrypt also restricts the number of domains.

“The main limit is Certificates per Registered Domain, (50 per week).” 

“If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 5,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.”

To know more, have a look at the Let’s Encrypt Rate Limits.

Backup Your Web Files & Database

It is always a good idea to have a backup of your WordPress website so that, if anything goes wrong, you always have a chance to restore it.

Backups are done in two ways: one, backup WordPress site via a plugin such as UpdraftPlus; two, server-side backup.

Alternatively, you can create a WordPress staging environment or clone your entire site to test.

How to Make an HTTPS WordPress Website for Free

I have used Cloudways as an example. For this, I assume that you have already signed up for an account, launched a server with WordPress installed and pointed your domain. If not, here is how you can create a server and install WordPress on it.

Issue Let’s Encrypt WordPress SSL Certificate

When the server is successfully launched with WordPress installed, go to the Applications tab available on the top left of the screen. All websites installed on a server will be listed there.

WordPress Applications on Cloudways

Add HTTPS to WordPress for Single Domain

Get into the WordPress application and from the left pane, go to the SSL Certificate tab and fill in your details. Click on INSTALL CERTIFICATE. Make sure to enter the same email address that is used to create an account on Cloudways.

Important: Before attempting to get a free SSL certificate for a website, please make sure that your domain is live with complete DNS propagation. Otherwise, you won’t be able to install the free Let’s Encrypt SSL certificate.

Install WordPress SSL Certificate

Add HTTPS to WordPress for Multiple Domains

To install the Let’s Encrypt free HTTPS certificate on multiple domains, click on the ADD DOMAIN button and enter the domain names associated with this WordPress application. Once done, click on the INSTALL CERTIFICATE button.

Multiple Domain SSL Certificate

Get Free Wildcard SSL Certificate for Subdomains

Back in March 2018, Let’s Encrypt announced support for Wildcard SSL certificates, and we went ahead and added it to the Cloudways platform.

Add Let's Encrypt Wildcard SSL Certificate

You just need to mark the checkbox to get Wildcard SSL certificate by Let’s Encrypt. It will take a few moments to provide you with the CNAME record that needs to be added to the domain registrar.

Apply Let's Encrypt Wildcard SSL Certificate

Log in to your domain registrar and add a CNAME record like below:

  • Type: CNAME
  • Host: _acme-challenge
  • Value: Your WordPress staging URL

Once done, go back to the SSL Certificate tab and click on Verify DNS. It will cross-check the settings and notify you accordingly. Then, click on the INSTALL CERTIFICATE button to get a free SSL certificate for WordPress.

P.S.: If you generated a Let’s Encrypt SSL certificate before the free Wildcard SSL announcement on Cloudways (Aug 2018), you will need to Revoke the certificate to get the Wildcard SSL by Let’s Encrypt.

Auto Renewal of Free WordPress SSL Certificate

As said above, the free HTTPS certificates issued by Let’s Encrypt need to be renewed every 90 days. Cloudways will handle the renewal process automatically if you set the Auto Renewal option to Yes, and you can also renew at any time by clicking on the RENEW NOW button.

Let's Encrypt SSL Certificate Renewal

How to Add Paid SSL Certificates on WordPress

First, you need to create a Certificate Signing Request (CSR) by going to the SSL Certificate tab. After the CSR is created you will need to submit that to your chosen SSL Certificate provider. Upon submission, the provider will issue a unique SSL certificate for you to install on WordPress.

Go to your Application dashboard and click on the SSL Certificate tab. Toggle the switch from Let’s Encrypt SSL Certificate to Custom certificate.

Create Custom SSL Certificate on Cloudways

Click on the CREATE CSR button, fill in the form, and click SUBMIT.

Note: If you want to use a single certificate on multiple domains, mark the checkbox where it says SAN and add the domain names in the form.

Create CSR for SSL Certificate

Once the information has been submitted successfully, the CSR will be generated. Now, you need to download the CSR.

Download CSR Certificate

Submit the downloaded file to your SSL certificate provider to generate an SSL certificate based on your requirements.

The SSL Certificate provider will give you two files: yourdomain.crt (Certificate Code) and yourdomain.ca (Chain File). Press “INSTALL CERTIFICATE” and you will see a popup asking for Certificate Code and CA Chain. Submit these pieces of information.

Install Custom SSL Certificate

Once you have provided this crucial information, press “SUBMIT” and you’re good to go. The SSL should now work for your WordPress website.

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a web server directive that tells web browsers and other user agents how to handle the connection with your website. The server sends it as a response header containing the instructions.

Using HTTPS on your website is sometimes not enough, as an attacker may still find a way to reach your website over http://. HSTS forces browsers to use HTTPS if available.

Configure HSTS on WordPress

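Configuring HSTS on a WordPress site is pretty easy. You just have to add the lines below to the .htaccess file (if using Apache).

# Use HSTS to force clients to use secure connections only.
# max-age is in seconds; 300 (five minutes) is a short value suited to testing.
# The browser preload list only accepts a max-age of at least 31536000 (one year).
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"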

Before adding HSTS to your WordPress site, make sure you have read the precautions:

  • A website must have a valid SSL certificate installed.
  • Redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect.
  • Make sure all the subdomains are covered in your SSL Certificate. (Consider a Wildcard Certificate)
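As a check on the header above, here is an added example (not from the original article) that parses a Strict-Transport-Security value the way RFC 6797 describes and reports what a reviewer would flag. The function names and finding labels are my own; the one-year threshold is the minimum the browser preload list accepts.

```python
# Added example: parse and review a Strict-Transport-Security header value.
# Function names and finding labels are illustrative, not a library API.

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds (preload list minimum)

# The exact value configured in the .htaccess snippet above.
PAGE_VALUE = "max-age=300; includeSubDomains; preload"


def parse_hsts(value):
    """Return the policy as a dict, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may be a quoted string
        if name in directives:           # each directive may appear only once
            return None
        directives[name] = arg
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                      # max-age is required
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def review(value, scheme="https"):
    """Return a list of findings for a header seen on a response."""
    findings = []
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, which is why the
        # 301 redirect to HTTPS is a precondition.
        findings.append("ignored-over-http")
    policy = parse_hsts(value)
    if policy is None:
        return findings + ["invalid-header"]
    if policy["max_age"] == 0:
        findings.append("max-age-zero-clears-policy")
    if policy["preload"]:
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload-max-age-below-one-year")
        if not policy["include_subdomains"]:
            findings.append("preload-needs-includesubdomains")
    return findings


if __name__ == "__main__":
    print(parse_hsts(PAGE_VALUE))
    print(review(PAGE_VALUE))
    print(review("max-age=31536000; includeSubDomains; preload"))
```

With includeSubDomains set, every subdomain must answer over HTTPS with a valid certificate, so raise max-age only after the precautions above are met.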

Configure WordPress SSL Certificate on Cloudflare (Optional)

If you are using Cloudflare in one way or the other, you need to do a few more steps. First of all, you need to disable Cloudflare. Otherwise, it may not configure properly.

  1. Log in to your Cloudflare dashboard and under the DNS tab, disable both www and yourdomain.com options by using the toggle switch in front of it. Grey cloud means that the service is disabled.

SSL on Cloudflare

  2. Now, go to your Cloudways Server Management → Settings and Packages tab. Inside the Advanced tab, enable the HTTP/2 option, and under WAF Module choose Cloudflare.

Configure Cloudflare on Cloudways

  3. Go back to the Cloudflare dashboard and enable the options we disabled in step 1. Click on the Crypto tab at the top and turn SSL to Flexible. It can take up to 24 hours for Cloudflare to activate the certificate. However, if you have already used the same domain before, it will be activated instantly.

Cloudflare SSL Flexible

Once the certificate is activated, switch it to Full (strict).

Clear Website, Hosting, and Browser Cache

Now, it’s time to check whether the free SSL certificate is installed or not. Before moving ahead, clear the website cache as well as server-side caching like Varnish by navigating to your Cloudways Server → Manage Services.

Purge Varnish Cache Cloudways

Check SSL Certificate

I assume you have installed Let’s Encrypt SSL for WordPress and configured everything. Now, it’s time to test the SSL certificate. Visit your website and see which of the following icons appears.

Types of HTTP Protocol

If it’s the second or third icon, then you must take action to configure the SSL certificate. There is an excellent SSL check tool by SSL Labs. Enter your domain name, and it will analyze the site and give you a report something like the one below.

Check SSL Certificate Online

Change URLs From HTTP to HTTPS

After the successful installation of the free WordPress HTTPS certificate, go to the WordPress Admin Panel. From the left pane, navigate to Settings → General. In the WordPress Address and Site Address fields, enter https:// instead of http:// and click on Save Changes at the bottom of the page. This switches all internal URLs to HTTPS.

Replace to HTTPS in WordPress Admin

Force SSL to WordPress Login Page

Changing the URLs in the WP dashboard should change all the site URLs as well. If it doesn’t, you may want to force SSL on the WordPress login area by configuring SSL in the wp-config.php file.

In the wp-config.php file, add the line below just above the comment that says “That’s all, stop editing!”.

define('FORCE_SSL_ADMIN', true);

The above code will force SSL on WordPress login pages (wp-admin/wp-login.php).

Redirect HTTP to HTTPS via WordPress .htaccess File

Although all internal links should now have moved to HTTPS, a visitor who requests the site over HTTP will not be forced onto HTTPS. In this step, I will add a rule to redirect all traffic from HTTP to HTTPS by using the .htaccess file.

Note: WordPress .htaccess file is the control room of a website. Even a single misspelled dot (.) could damage the WordPress site. Before making any changes, back up your .htaccess file to an offsite location.

Redirection of WordPress websites to HTTPS can easily be done by adding a few lines to the “.htaccess” file. Login to your hosting account, navigate to your WordPress root directory and open .htaccess file with any editor. At the beginning of the file, paste the following lines.

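RewriteEngine On
# The proxy in front of Apache reports the visitor's scheme in X-Forwarded-Proto as "https" (lowercase).
# Without such a proxy the header is absent; test %{HTTPS} off instead to avoid a redirect loop.
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

The .htaccess file should look something like:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]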

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Update CDN URLs to HTTPS

If you are using any WordPress CDN provider, make sure to update the WordPress site URLs to HTTPS, just like we have covered Cloudflare before.

Mixed Content Warning

Now, visit your website and verify that all internal links have moved to HTTPS. If you can still see an info icon ⓘ on a few of your web pages, it indicates that one or more of the URLs on the relevant page are being served via HTTP. We need to identify those URLs.

Identify Mixed Content Warning URLs

Let me show you an example. I added an image to a post and made its URL HTTP by going to the text editor of the post. I then updated and visited the post, opened the Developer Console (inspect element), clicked on the errors icon on the right side, and wrote “mix” in the search bar. It shows all the URLs that are being served via HTTP. We need to make them HTTPS.

Check NON-SSL Website URLs

In our scenario, it’s only the image URL. However, there is a chance that a few external images, stylesheets or scripts from a domain without an SSL certificate are being used on your website. You need to make them HTTPS manually, remove them, or move the files to your own server.

Also, there is an excellent online tool by JitBit to check for non-SSL URLs. It will crawl a complete site and check for non-SSL links. I have scanned my testing site, and you can see in the result that some URLs have insecure content served via HTTP.

Check NON-SSL URLs

Fix Mixed Content Warning

There are multiple ways to fix mixed content warning issues. Let’s discuss a few of them:

Method 1: Use the Velvet Blues Update URLs Plugin

There is a useful plugin, Velvet Blues Update URLs, that will check all URLs and update them.

Install the plugin, and navigate to Tools → Update URLs and configure the plugin as below.

Velvet Blues Update URLs

Method 2: Use Better Search Replace

Better Search Replace is another great plugin that replaces the HTTP URLs with HTTPS in the database.

Install the plugin, and navigate to Tools → Better Search Replace and configure the plugin as below. Do not forget to read the labels and warnings mentioned.

Replace HTTP to HTTPS

WordPress SSL Plugin

The easiest way to configure free HTTPS is to use the Really Simple SSL plugin. Install the plugin and go to Settings → SSL. If everything is done correctly, you will see something like the screen below, and if something is misconfigured, you will see a red cross along with instructions to fix that warning.

Really Simple SSL Plugin

Important: Really Simple SSL replaces the URLs as the page is being loaded. This may have a slight impact on performance; if you are using a WordPress cache plugin, the impact will be on the first load only.

Configure HTTPS in the Google Search Console

To track HTTPS links in Google Search Console, go to the Google Analytics Dashboard and then get into the Admin area. Choose your required property and click on Property Settings.

  1. From the right-hand side, change the Default URL from http:// to https://
  2. Go one step back and get into the View
  3. And change the Website’s URL to HTTPS.

And you are done with how to get a free SSL certificate for a WordPress site. Don’t forget to change all predefined URLs from HTTP to HTTPS, such as those on your Facebook page, Twitter account, etc., as they will be tracked in Google Analytics.

Having trouble getting a free HTTPS certificate on free SSL hosting? Feel free to ask questions in the comment section below.

Q. What is a free SSL certificate?

A free SSL certificate is a data file that links a cryptographic key to the information of a website. Installed on a server, the certificate activates the padlock and the “HTTPS” protocol (via port 443) in browsers to ensure a secure connection between the web server and the browser.

Q. How do I get a free HTTPS certificate for my website?

If you have a regular WordPress website that handles sensitive information (like credit cards), you can get a free HTTPS certificate from a service called Let’s Encrypt. Otherwise, most hosting providers have already partnered with Let’s Encrypt to simplify the installation of an SSL certificate.

Q. What are the benefits of Implementing a Free WordPress SSL Certificate?

Beyond the protection of the data exchanged, the security of the web is a priority for Google. In fact, Google has encouraged websites to switch to HTTPS since 2014. Since July 2018, Google Chrome has shown a danger icon in its address bar for all websites not accessible over HTTPS. The result of Google’s actions is strong growth in secure SSL websites, which in turn assures visitors that they are on a safe website.

Q. How long does it take to set up HTTPS on WordPress website?

Setting up HTTPS on a WordPress website is just a matter of 1-click if it is provided by your hosting provider, like Cloudways. Otherwise, it takes about half an hour to install an SSL certificate on a website manually.

Q. Do the Let’s Encrypt WordPress SSL certificates expire?

Yes, the SSL/HTTPS WordPress certificates expire every 90 days, but they can be renewed in just a few minutes.

Q. How long is an SSL certificate good for?

SSL certificates do more than encrypt data, they also authenticate websites. This is an important and fundamental function because it builds trust. Website visitors see the SSL or HTTPS padlock and think the website is genuine.

Q. What happens when an SSL certificate expires?

If your SSL certificate is expired, Google Chrome and other browsers will show your website as insecure in the search bar.


Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at mustaasam.saleem@cloudways.com
