X
    Categories: WordPress Tutorials, Tips and Guides

Easy Guide About Installing WordPress SSL Certificate Through Plugin

Reading Time: 9 minutes

Secure Socket Layer (SSL) is the standard for encrypted communication between web servers and web browsers. It makes sure that the communication between the web server and the browser is encrypted and private. When compiling SERP, Google prefers SSL certified websites. When you secure a site with WordPress SSL certificate, a padlock icon is visible in the address bar and the URL prefix changes from HTTP:// to HTTPs://.

Google Chrome started marking HTTP sites as ‘Not secure’ from July 2018. This is a dire situation for Non-SSL sites as it will result in alarmingly fewer visitors as well as sales.

“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” said Emily Schecter from Chrome Security Team.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA). It is a service provided by the Internet Security Research Group (ISRG). By using Let’s Encrypt, anyone who owns a domain can add a Secure Socket Layer (SSL) certificate without any cost. We will learn how to add Lets Encrypt to WordPress site.

How Does an SSL Certificate work?

As described above, an SSL certified or HTTPs added website establishes a secure connection with the web server and the web browser. When a user submits information such as name, password, or credit card number etc, it is encrypted with a special code. It travels via HTTPS from a web browser to the hosting server. Just in case, the information is intercepted by a hacker, it would be unreadable as it is encrypted with a unique cryptographic key, that makes this whole process considered secure.

SSL Boost SEO Ranking

Google is trying to make the internet more secure by offering SSL certified websites an edge in SERP listings. The search engine apparently prefers SSL certified sites over non-SSL certified. SSL certificates are an important factor in the SERP positioning strategy. You could read about relation in-depth of SSL with SEO.

In this guide, I will use Cloudways as my WordPress managed hosting provider and will let you know how to get free SSL certificate for website.

Create Server to Install WordPress

For the purpose of this blog, I assume that you have already Signed up for Cloudways, created a server with WordPress installed and pointed your domain. If not, here is how you can create the server and install WordPress on it.

How to Get SSL Certificate?

If you have successfully launched a cloud server and WordPress on it, go to the Applications tab available on the top left of the screen. All websites installed on a server will be listed there. In this tutorial, I will use a WordPress website to add free Let’s Encrypt SSL.

Get free SSL Certificate for WordPress

Get into the WordPress application, from the left pane, go to the SSL Certificate tab and fill in your details. Click on Install Certificate.

Important: Before attempting to get free SSL certificate for website, please make sure that your domain is live with complete DNS propagation. Otherwise, you won’t be able to install the free Lets Encrypt SSL certificate.

What is the Wildcard SSL Certificate?

Let’s Encrypt Wildcard SSL certificate is a way to protect multiple sub-domains along with the root domain using a single certificate.

Wildcard SSL certificates by Let’s Encrypt require DNS based domain authentication. During the process of installing Wildcard SSL certificate, you will be provided with the instructions for setting up a DNS record.

Get Free Wildcard SSL Certificate

Back in March, Let’s Encrypt announced the support for Wildcard SSL certificates, we went ahead and added it to the Cloudways platform.

You just need to mark the checkbox to get Wildcard SSL certificate by Let’s Encrypt. It will take a few moments to provide you the CNAME record that needs to be added to the domain registrar.

Login to your domain registrar and add a CNAME record like below:

Once done, go back to the SSL management tab and click on Verify DNS. It will cross-check the settings and notify you accordingly. Then, click on Install Certificate to get free SSL certificate for WordPress.

P.S: If you have generated Let’s Encrypt SSL before the free Wildcard SSL announcement on Cloudways (Aug 2018), you would require to Revoke the certificate to get the Wildcard SSL by Let’s Encrypt.

Note: If you have your own SSL certificate except Let’s Encrypt then you can follow this custom SSL certification guide.

Auto Renewal of WordPress Free SSL Certificate

SSL Certificates issued by Let’s Encrypt need to be renewed every 90 days. Cloudways will handle the renewal process automatically if you set the Auto Renewal option to Yes and/or you can Renew it at any time by clicking on Renew Now button.

Check SSL Certificate

I assume you have installed Let’s Encrypt SSL for WordPress along with the free Wildcard SSL certificate and configured everything. Now, it’s time to test the SSL certificate. There is an excellent SSL check tool by SSL Labs. Enter your domain name, it will analyze and give you the report something like below.

Change All Internal URLs to HTTPs

After successful installation of WordPress free SSL certificate, go to the WordPress Admin Panel. From the left pane, navigate to Settings -> General. Before WordPress Address and Site Address input HTTPs instead of HTTP and click on Save Changes at the bottom of the page. This will replace all internal URLs to HTTPs.

Mix Content Warning

Now, visit your website and verify that all internal links are moved to HTTPs. If you can still see an info icon ⓘ on a few of your web pages, then it indicates that one or more of the URLs are serving via HTTP on the relevant page. We need to identify that URL/s.

Let me show you an example. I have added an image to a post and made its URL HTTP by going to the text editor of a post. Updated and visited the post and opened Developer Console (inspect element), click on the errors icon from the right side, then write “mix” in the search bar, it will show you all the URLs that are serving via HTTP. We need to make them HTTPs.

In our scenario, it’s only the image URL. However, there are chances that a few external Images, stylesheets or scripts from a domain without an SSL certificate are being used on your website. You need to make them HTTPs manually, remove them or move files to your own server.

Also, there is an excellent online tool to check Non-SSL URLs by JitBit. It will crawl and check for non-SSL links on a complete site. I have scanned my testing site, and you can see the result that some URLs are having insecure content serving via HTTP.

Fix Mix Content Warning

There are multiple ways to fix the mix content warning issues. Let’s discuss a few of them:

Method 1: Use Velvet Blues Update URLs Plugin

There is an awesome plugin Velvet Blues Update URLs that will check all URLs and update them.

Install the plugin, and navigate to Tools -> Update URLs and configure the plugin as below.

Method 2: Use Better Search Replace

Better Search Replace is another great plugin that replaces the HTTP URLs to HTTPs in the database.

Install the plugin, and navigate to Tools -> Better Search Replace and configure the plugin as below. Do not forget to read the labels and warnings mentioned.

Method 3: Use Really Simple SSL

The easiest way to configure free HTTPs is to use the Really Simple SSL plugin. Install the plugin, go to Settings -> SSL. If everything is done correctly, you will see something like below and if there is something misconfigured, you will see a red-cross along with the instructions to fix that warning.

Important: Really Simple SSL replaces the URLs as the page is being loaded. This may impact slightly on performance and if you are using a WordPress cache plugin, then, the impact will be on the first load only.

Redirect HTTP to HTTPs

Although, all internal links have been moved to HTTPs, if someone visits the site with HTTP, it will not be forced to serve via HTTPs. In this step, I will add a rule to redirect all traffic from HTTP to HTTPs by using .htaccess file.

P.S: WordPress .htaccess file is the control room of a website. Even a single misspelled dot (.) could damage the WordPress site. Before making any changes, backup your .htaccess file to an offsite location.

Redirection of WordPress websites to HTTPs can easily be done by adding a few lines to the “.htaccess” file. Login to your hosting account, navigate to your WordPress root directory and open .htaccess file with any editor. At the beginning of the file, paste the following lines.

RewriteEngine On
RewriteCond %{http:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

The .htaccess file should look something like:

RewriteEngine On
RewriteCond %{http:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Configure HTTPs in Google Search Console

To track HTTPs links in Google Search Console, go to the Google Analytics Dashboard and then get into the Admin area. Choose your required property and click on Property Settings.

  1. From the right-hand side, change the Default URL from HTTP:// to HTTPs:///
  2. Go one step back and get into the View
  3. And change the Website’s URL to HTTPs.

And you are done with how to get free SSL certificate for a WordPress site. Don’t forget to change all pre-defined URLs from HTTP to HTTPs. Like on the Facebook page, Twitter account, etc. As they will be tracked in Google Analytics.

Having trouble to get free HTTPS certificate on a free SSL hosting? Feel free to ask questions in the comment section below.

Frequently Asked Questions

Q1. What is a free SSL certificate?

A free SSL certificate is a data file that links a cryptographic key to the information of a website. Installed on a server, the certificate activates the padlock and the “HTTPs” protocol (via port 443) in browsers to ensure a secure connection between the web server and the browser.

Q2. How do I get SSL certificate for my website?

If you have a regular WordPress website that handles sensitive information (like credit cards), you can get a free SSL certificate from a service called Let’s Encrypt. Otherwise, most hosting providers have already become a partner with Let’s Encrypt to simplify the installation of an SSL certificate.

Q3. What are the benefits of Implementing a Free SSL Certificate?

Beyond the protection of data exchanged, the security of the web is a priority of Google. In fact, Google encourages websites to switch to HTTPs since 2014.

Since July 2018, Google Chrome reports a danger in its address bar for all websites not accessible in HTTPs. The result of Google’s actions is a strong growth of secure SSL websites which in result assures visitor that they are on a safe website.

Q4. How long does it take to set up an SSL?

Setting up an SSL certificate is just a matter of 1-click if it is provided by your hosting provider like Cloudways. Otherwise, it manually takes half an hour to install SSL certificate on a website.

Q5. Do SSL certificates expire?

Yes, SSL certificates do expire after every 90 days, but they can be renewed in just a few minutes.

Q6. How long is an SSL certificate good for?

SSL certificates do more than encrypt data, they also authenticate websites. This is an important and fundamental function because it builds trust. Website visitors see the SSL or HTTPs padlock and think the website is genuine.

Q7. What happens when an SSL certificate expires?

If your SSL certificate is expired, Google Chrome and other browsers will show your website as insecure in the search bar.

Mustaasam Saleem :Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at mustaasam.saleem@cloudways.com