
WordPress SSL: Here’s What You Should Know About It

December 21, 2021


Your business has an online presence, yet no matter how many SEO strategies you apply, you cannot seem to achieve good search engine rankings, and visitors simply bounce from your website.

You decide to audit your website and discover the painful truth: there is no SSL certificate installed on your website! In other words, the security of your website looks unreliable not just to the search engines but also to the visitors.

In this article, you will learn what SSL is and why it is important, what advantages an SSL certificate provides and how it works, and which types of WordPress SSL certificates exist and which is the most suitable for your website.

These are just some of the questions you should be able to answer before installing WordPress SSL.

What Is SSL and Why Is It Important?

Secure Sockets Layer (SSL) is the standard for encrypted communication between servers and browsers; its modern successor is Transport Layer Security (TLS), but the certificates are still commonly called SSL certificates. The server presents its certificate, and the browser receives and interprets it and verifies its authenticity. Once that verification has been performed, all the data sent through the secure connection is encrypted. The browser signals this connection with a closed padlock icon and https:// before the website address.

[Image: secure site seal]

Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over an SSL/TLS connection: HTTP transfers the data, and SSL/TLS encrypts the connection it travels through. As a result, reading, copying or tampering with the communication between the server and the client is (nearly) impossible for an unauthorized party. A typical SSL certificate includes:

  • A domain name and a public key
  • Validity information and a serial number
  • Signature of a certificate authority

SSL certificates have a limited validity period (as short as 90 days for free CAs such as Let’s Encrypt), so they must be renewed periodically to guarantee the continued trustworthiness of your website. These certificates are a mandatory requirement for all websites that handle personal data and sensitive financial information.

Google’s decision to give HTTPS websites a better SERP ranking also shows the importance of installing SSL certificates. Since 2014, SSL certificates have become a must-have component for all websites. The following chart shows the massive growth in the percentage of pages loaded over HTTPS.

[Image: Google Transparency Report chart of HTTPS page loads]

Matt Mullenweg, the co-founder of WordPress, once said, “We will only promote hosting partners that provide an SSL certificate by default in their accounts.” HTTPS support is also specifically mentioned in the WordPress hosting requirements.

How Does an SSL Certificate Work?

The SSL protocol consists of four sub-protocols (the Record protocol, with the Handshake, Change Cipher Spec and Alert protocols layered on top of it) that together encrypt the data between a server and a browser. These layers establish the keys used for encryption/decryption and provide an authentication model based on a public key and a private key.

[Image: diagram of how an SSL certificate works]

In this model, data encrypted with the public key can only be decrypted with the matching private key. This asymmetric exchange happens at the Handshake layer of the SSL protocol; in practice the key pair is used to authenticate the server and to agree on a shared session key, and the actual page data is then encrypted symmetrically with that session key.

SSL Certificates: Validation and Types

SSL certificates generally come in three validation levels:

1. Domain Validation (DV)

The Certification Authority verifies the applicant’s right to use a specific domain name. The identity of the company behind the domain is not inspected. The certificate information is displayed when a user clicks the secure site padlock. As you can guess, this is the most basic level of SSL validation.

2. Organization Validation (OV)

The Certification Authority checks the applicant’s right to use a specific domain name and the validity of the organization behind the domain.

Organization Validation (OV) is more complex, but it guarantees the legitimacy of the domain and identifies the owners of the company, thus offering more confidence to the visitors. It is usually used by ecommerce businesses and corporate websites.

3. Extended Validation (EV)

The Certification Authority verifies the applicant’s right to use a specific domain name and subjects the organization to a detailed inspection. The process of issuing certificates with Extended Validation (EV) is defined extensively in the guidelines of the CA/Browser Forum.

Extended Validation (EV) is the highest level of SSL certificate validation and requires the presentation of documents and legal permits to verify the existence of the company. With EV, users see a secure site seal in the browser’s address bar (note that most major browsers have since stopped showing a distinct EV indicator there; the organization details remain visible in the certificate viewer).

In addition to the validation, SSL certificates are also available in several application configurations:

1. Single Domain

If you only want to protect one domain, a Single Domain certificate is your best option. These certificates apply to a single domain name (for instance, website.com). This type of SSL certificate is available with all validation levels.

2. Multi-domain

This type of certificate certifies multiple domains (for instance, website.com, website.com.uk) with a single SSL certificate. Note that depending upon the Certificate Authority, the number of protected domains can vary. Multi-domain SSL certificates are available with all validation levels except EV.

3. Wildcard

A wildcard certificate covers a single domain together with its subdomains (for instance, *.website.com). The Certificate Authority issuing the wildcard SSL certificate has the right to limit the number of protected subdomains. This type of SSL certificate is available with all validation levels except EV.

4. Multi-domain Wildcard

These certificates are a combination of multi-domain and wildcard certificates. You can use these certificates to protect a number of top-level domains along with the subdomains. Again, the limit may vary depending on the Certificate Authority. This type of SSL certificate is available at all validation levels except EV.

Advantages of Using WordPress SSL Certificates

At this point, you already understand the importance of SSL certificates. If a website doesn’t have an SSL certificate, anyone on the network path between the visitor and the server can read or modify the traffic in transit, including injecting malicious content such as spyware or ransomware downloads during the visit. Now it is time to look at the advantages of SSL certificates.

  • Trust: With an SSL certificate, visitors know that their connection to the website is encrypted, thereby improving trust and credibility.
  • Legitimacy: It is clear that all activity is happening on a website whose identity has been verified and that is properly secured.
  • Security: Visitors know that the information is encrypted in transit, so the data is protected against eavesdropping and tampering by unauthorized third parties.
  • Ranking: Google favors web pages that have SSL and HTTPS in the address.

SSL certificates are especially recommended for businesses, particularly online stores that work with the personal data of users.

Let’s Encrypt: Free SSL/TLS Certificates

Let’s Encrypt is a free and automated Certificate Authority (CA) that provides Domain Validated (DV) certificates for free with a validity period of 90 days. This service is provided by the Internet Security Research Group (ISRG). Anyone who owns a domain and hosting can add Let’s Encrypt SSL certificates to WordPress without any cost.

The time it takes to activate a certificate may also depend on the availability of Let’s Encrypt resources and on the rate limits the Certificate Authority imposes. These limits include:

  • Certificates per registered domain (50 per week)
  • Names per certificate (up to 100)
  • Unique subdomains (up to 5,000 per week)
  • Duplicate certificates (5 per week)

For the details of these limits, refer to the Let’s Encrypt Rate Limits page. From here on, I use Let’s Encrypt SSL certificates to demonstrate the practical steps.

Before moving to the next section, I recommend backing up your WordPress website, so you can always restore it in case things go south. You can take backups in two ways: via a WordPress backup plugin or server-side backups. Alternatively, you can create a WordPress staging environment or clone your entire website for testing.

Install Free SSL Certificates on WordPress

I use the Cloudways Platform for this article and assume that you have already signed up for an account, launched a server with a WordPress application, and pointed it to your domain. If not, here is how you can launch your server with WordPress.

In the next step, go to Applications from the top-left menu bar. You can see your WordPress application installed on your server. Click on your application to get into the Application Management dashboard.

[Image: WordPress application in the Cloudways Applications list]

Add Single Domain WordPress SSL on Your Site

Before installing WordPress SSL, please make sure that your domain is live with complete DNS propagation. Otherwise, you won’t be able to install the SSL certificates.

In the next step, enter your Domain Name and the same Email Address you used to create the Cloudways account. Now, click Install Certificate.

[Image: Install SSL Certificate form]

Add Multiple-Domain WordPress SSL on Your Site

To install the Let’s Encrypt WordPress SSL certificate on multiple domains, click Add Domain and enter the domain names associated with your WordPress website. Once done, click Install Certificate.

[Image: Add Domain option]

Add Wildcard SSL Certificate for Subdomains

You just need to mark the Apply Wildcard checkbox. It will take a few moments to provide you with the CNAME record that needs to be added to the domain registrar.

[Image: Apply Wildcard option]

Log in to your domain registrar and add a CNAME record with the following values:

  • Type: CNAME
  • Host: _acme-challenge
  • Value: [your website URL]

Once done, go back to the SSL Certificate section and click Verify DNS. It will validate the settings and notify you accordingly. In the next step, click Install Certificate to install WordPress SSL on your site.

Auto-Renewal of Let’s Encrypt WordPress SSL Certificate

The Cloudways Platform handles the renewal process automatically if you set the Auto-Renewal option to Enable. You can also renew it at any time by clicking the Renew Now button.

[Image: Let’s Encrypt SSL certificate renewal settings]

Alternatively, you can use an SSL monitoring service that ensures all the SSL certificates are valid and your clients are not receiving security warnings.

Install Paid WordPress SSL Certificates

For paid SSL certificates, you first need to generate a Certificate Signing Request (CSR) for your WordPress application.

Go to the SSL Certificate section, select “I do not have a certificate” from the drop-down menu, and then click Create CSR.

[Image: Create CSR option]

If you want to use a single WordPress SSL certificate on multiple domains, mark the SAN (Subject Alternative Name) checkbox and add the domain names in the form.

[Image: Create CSR form]

Once you submit the form, the CSR will be generated. In the next step, click on the Download CSR button to download the CSR file.

[Image: Download CSR option]

Submit the downloaded CSR file to your WordPress SSL certificate provider to generate an SSL certificate based on your requirements.

The SSL Certificate provider will give you two files: [yourdomain].crt (Certificate Code) and [yourdomain].ca (Chain File). Click Install Certificate and you will see a pop-up asking for Certificate Code and CA Chain. Submit this information in their respective fields.

[Image: Install Certificate pop-up with Certificate Code and CA Chain fields]

Once you have submitted this information, click Submit and you are good to go. The SSL should now work for your WordPress website.

What Is HSTS and Why Should You Use It?

HTTP Strict Transport Security (HSTS) is a policy that your web server announces in a response header, telling browsers and other user agents to connect to your website only over HTTPS for a stated period of time. The browser remembers the instruction from the very first secure response it receives.

Sometimes HTTPS alone is not enough: a visitor who types the address without https://, or follows an old http:// link, first makes a plain-text request, and an attacker on the network path could keep that session on http://. Once a browser has seen the HSTS header, it rewrites such requests to HTTPS itself before sending them. Configuring HSTS for WordPress SSL certificates is simple. If you are hosting on an Apache server (with mod_headers enabled), add the following lines to the .htaccess file.

# Use HSTS to force clients to use secure connections only (max-age is in seconds)
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

Before adding HSTS to your WordPress website, make sure you read the following prerequisites:

  • The website must have a valid SSL certificate installed.
  • Redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect.
  • Make sure all the subdomains are covered in your SSL certificate (consider a Wildcard certificate), because includeSubDomains applies the policy to every subdomain.
  • Start with a short max-age (the 300 seconds above is five minutes) so that a mistake is quickly recoverable, and raise it only once everything loads over HTTPS. The preload directive has no effect on its own; it only matters if you submit the domain to the browser preload list, which requires includeSubDomains and a max-age of at least one year.
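To see what a browser makes of the header above, here is an added example (not from the original article) that parses Strict-Transport-Security values the way RFC 6797 describes and applies the checks from the prerequisites list; the sample header values are constructed, and the first one is the article’s own.

```python
"""Evaluate Strict-Transport-Security header values (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds: the minimum max-age the browser preload list accepts


@dataclass
class HstsReport:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        """True when a browser would remember and enforce the policy at all."""
        return (self.max_age is not None and self.max_age > 0
                and not any(p.startswith("invalid") for p in self.problems))

    @property
    def preload_eligible(self) -> bool:
        return self.preload and not self.problems


def parse_hsts(header: str) -> HstsReport:
    """RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, values may be quoted, unknown directives are ignored."""
    report = HstsReport()
    seen = set()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:  # a repeated directive makes the whole header invalid
            report.problems.append(f"invalid: directive '{name}' appears twice")
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                report.max_age = int(value)
            else:
                report.problems.append(f"invalid: max-age {value!r} is not a number")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    return report


def assess_hsts(header: str) -> HstsReport:
    """Parse the header, then apply the deployment checks from the article."""
    report = parse_hsts(header)
    if report.max_age is None:
        report.problems.append("invalid: max-age is required; browsers ignore the header")
    elif report.max_age == 0:
        report.problems.append("max-age=0 clears the policy instead of enforcing it")
    if report.preload:
        if report.max_age is not None and report.max_age < ONE_YEAR:
            report.problems.append("preload requested but max-age is below one year")
        if not report.include_subdomains:
            report.problems.append("preload requested but includeSubDomains is missing")
    return report


# Constructed sample values; "article" is the header the article configures.
SAMPLE_HEADERS: Dict[str, str] = {
    "article": "max-age=300; includeSubDomains; preload",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "no-max-age": "includeSubDomains",
    "cleared": "max-age=0",
}


def assess_all(headers: Dict[str, str] = SAMPLE_HEADERS) -> Dict[str, HstsReport]:
    return {name: assess_hsts(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, report in assess_all().items():
        print(name, "enforced" if report.enforced else "NOT enforced", report.problems)
```

Running it shows that the article’s header is enforced by browsers but is not preload-eligible because of its five-minute max-age.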

WordPress SSL Certificates on Cloudflare (Optional)

If you are using Cloudflare in any form, you need to take a few additional steps. First, temporarily disable Cloudflare’s proxy; otherwise, the certificate issuance might fail.

Step 1

Log in to your Cloudflare dashboard and, under the DNS tab, turn off the proxy toggle for both the www and [yourdomain].com records. A grey cloud icon means proxying is disabled.

[Image: Cloudflare DNS records with the proxy toggles]

Step 2

Now, in the Cloudways Platform, go to Server Management → Settings & Packages → Advanced tab, set WAF Module to Cloudflare, and click the Save Changes button.

[Image: WAF Module option]

Step 3

Go back to the Cloudflare dashboard and re-enable the proxy for the records you disabled in Step 1. Click the SSL/TLS tab at the top and set the SSL/TLS encryption mode to Flexible. Note that in Flexible mode Cloudflare connects to your origin server over plain HTTP, so treat this as a temporary setting only. It can take up to 24 hours for Cloudflare to activate the certificate. However, if you have already used the same domain with Cloudflare before, it will be activated instantly.

[Image: Cloudflare SSL/TLS settings]

Once the certificate is activated, switch the mode to Full (strict), which encrypts the Cloudflare-to-origin connection and validates the certificate on your origin server.

Clear Website, Hosting, and Browser Cache

Now it’s time to check whether the free WordPress SSL certificate has been installed. Before moving ahead, purge the website cache as well as server-side caches such as Varnish by navigating to Cloudways Platform → Server Management → Manage Services.

[Image: Manage Services option]

Check SSL Certificates Are Working Properly

I assume you have installed a Let’s Encrypt WordPress SSL certificate for your website and configured everything properly. Now it’s time to test the certificate. Visit your website and check which icon the browser displays.

[Image: browser address-bar icons for the different connection states]

If you see the second icon, the SSL certificate is working fine. If you see the third icon, the website is using an SSL certificate but some elements on the page are not loaded over HTTPS, a situation known as Mixed Content.

SSL Labs offers an excellent SSL check tool: simply enter your domain name, and it analyzes your configuration and produces a report like the one below.

[Image: SSL Labs rating report]

Many Cloudflare users report issues when trying to import a free Let’s Encrypt WordPress SSL certificate to their domain on a Cloudflare free account. The above setup should work, but if it doesn’t, try the following steps:

  1. Log in to Cloudflare and select the domain you want to work with.
  2. Select SSL/TLS from the top menu option
  3. Change SSL/TLS encryption mode to Flexible
  4. Set Always Use HTTPS to On
  5. Under the HSTS section, Enable HSTS
    • Set Max-Age to 3 months
    • Include subdomains: Off (change as you wish – read above)
    • Preload: Off
  6. Set the Minimum TLS Version to TLS 1.2
  7. Opportunistic Encryption: On
  8. Set TLS 1.3: On
  9. Automatic HTTPS Rewrites: On (to enable redirection)
  10. Disable Universal SSL (again read above). By doing this, you are no longer using Cloudflare SSL certificates and use only the certificates provided by your server.

The above process was contributed by Gary Stevens from Hosting Canada – Web Hosting Reviews.

Change URLs from HTTP to HTTPS

Go to your WordPress Dashboard → Settings → General, change http to https in both WordPress Address (URL) and Site Address (URL), and click Save Changes at the bottom of the page. This makes WordPress generate all internal URLs with https://.

[Image: WordPress General Settings with the two URL fields]

Force SSL for the WordPress Login Page

Changing the URLs in the WordPress Dashboard should change all the website URLs as well. If it doesn’t, you can force SSL for the WordPress login and admin area by setting a constant in the wp-config.php file.

In the wp-config.php file, add the following line above the comment that says “That’s all, stop editing!”:

define('FORCE_SSL_ADMIN', true);

The above line forces SSL for the WordPress login and admin pages (the URLs are generally wp-login.php and wp-admin/).

Redirect HTTP to HTTPS via .htaccess File

If someone visits your website over HTTP, the server is not automatically forced to serve it over HTTPS. In the next step, I add a rule to the .htaccess file that redirects all traffic from HTTP to HTTPS. Before making any changes, back up the .htaccess file to an offsite location, since a single stray character in it can take your WordPress site down.

Log in to your WordPress hosting → navigate to the WordPress root directory → open the .htaccess file with any editor → paste the following lines at the beginning of the .htaccess file.

RewriteEngine On
# Behind a reverse proxy that terminates TLS (as on Cloudways), Apache only sees the
# original scheme in X-Forwarded-Proto; [NC] matches the usual lowercase "https" value
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

The .htaccess file should look something like:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Update CDN URLs to HTTPS

If you are using a WordPress CDN, update the WordPress URLs to https:// (just like I covered in the Cloudflare section above).

Mixed Content Warning

Visit your website and verify that all internal links have been moved to https://. If you can still see an info icon on some of your web pages, one or more URLs are still being served via HTTP. You need to identify those URLs.

Identify the Mixed Content Warning URLs

To demonstrate the Mixed Content scenario, I added an image to a post and changed its URL to HTTP in the post’s text editor. Next, I visited the post and opened the browser’s Developer Console (Inspect Element). Click the error icon and enter “mix” in the search bar. This will show you all the URLs that are being loaded via HTTP and need to be updated to HTTPS.

[Image: Developer Console listing the non-SSL website URLs]

In my case, it is only the image URL. However, there is a chance that external images, stylesheets or scripts from a domain without an SSL certificate are being used on your website. You need to change those references to https:// manually, provided the external host supports it; alternatively, remove them or copy the files to your own server.

JitBit’s Non-SSL URLs checker is an excellent online tool that crawls a website and reports its non-SSL links. I scanned my test website, and the following screenshot shows the URLs that were being served over HTTP.

[Image: JitBit Non-SSL URLs scan result]
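The browser console filter and the JitBit crawler above do the same job as the following added example (written for this page; it is not the tool’s or any plugin’s code): it scans a post’s HTML for resource references that still start with http://, separates blocked “active” content such as scripts from “passive” images, and shows why only references to your own host can be rewritten automatically. The sample markup and the hosts www.example.com and cdn.example.net are constructed.

```python
"""Find mixed-content references in WordPress post HTML (added example)."""
from html.parser import HTMLParser
from typing import List, Tuple

# Sub-resources that run code or alter the page are "active" mixed content and
# are blocked by browsers; images and media are "passive" and only warned about.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data", "poster")

Finding = Tuple[str, str, str]  # (severity, tag, url)


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in ACTIVE_TAGS and tag not in PASSIVE_TAGS:
            return  # <a href="http://..."> is navigation, not mixed content
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # only stylesheet links are checked; rel=canonical loads nothing
        urls = [a[k] for k in URL_ATTRS if a.get(k)]
        # srcset holds comma-separated "url descriptor" pairs
        urls += [p.split()[0] for p in a.get("srcset", "").split(",") if p.strip()]
        for url in urls:
            if url.strip().lower().startswith("http://"):
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((severity, tag, url.strip()))


def scan_html(html: str) -> List[Finding]:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_own_urls(html: str, host: str) -> str:
    """What the search/replace plugins do: rewrite references to our own host
    to https://. External http:// references stay and must be checked by hand,
    because the other host may not serve HTTPS at all."""
    return html.replace(f"http://{host}/", f"https://{host}/")


# Constructed sample post: one image deliberately switched to http://, as in the
# article's demonstration, plus an external script, a link and a srcset case.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/hello-world/">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<a href="http://www.example.com/about/">About</a>
<img src="http://www.example.com/wp-content/uploads/photo.jpg" alt="photo">
<img src="//www.example.com/logo.png" srcset="http://www.example.com/logo-2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
    print("left after rewrite:", scan_html(upgrade_own_urls(SAMPLE_PAGE, "www.example.com")))
```

After the same-host rewrite only the external script remains, which is exactly the case the plugins below cannot fix for you.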

There are multiple ways to fix Mixed Content warnings. Let’s discuss a few of them:

Method 1: Using Velvet Blues Update URLs Plugin

Velvet Blues Update URLs is a useful plugin that checks all URLs and updates them accordingly. After installing the plugin, go to WordPress Dashboard → Tools → Update URLs, configure the plugin as shown below, and then click Update URLs Now.

[Image: Velvet Blues Update URLs settings]

Method 2: Using Better Search Replace Plugin

Better Search Replace is another great plugin that replaces HTTP URLs with HTTPS in the database. After installing the plugin, go to WordPress Dashboard → Tools → Better Search Replace, configure the plugin as shown below (use its dry-run option first to preview the changes), and then click Run Search/Replace.

[Image: Better Search Replace settings]

Method 3: Using Really Simple SSL Plugin

The easiest way to configure free HTTPS is to use the Really Simple SSL plugin. After installing it, go to WordPress Dashboard → Settings → SSL. If everything is configured correctly, you will see something like the screenshot below; if something is misconfigured, you will see a red cross along with instructions to fix that warning.

[Image: Really Simple SSL status page]

Really Simple SSL rewrites the URLs as each page is loaded. This has a slight performance cost; if you are using a WordPress cache plugin, the cost is only paid on the first (uncached) load.

Configure HTTPS for Google Search Console

To track HTTPS links, go to the Google Analytics Dashboard → Admin, choose the property you need and click Property Settings, change the Default URL from http:// to https://, and click Save at the bottom of the page.

[Image: Google Analytics property settings]

That completes getting a free SSL certificate for WordPress. Don’t forget to change all predefined URLs from HTTP to HTTPS, since that is how they will be tracked in Google Analytics.

Wrapping up!

If you have read this far, you can now appreciate the importance of WordPress SSL and how to install it on your WordPress site. If you don’t use it, you will lose potential customers, visitors will abandon your website because they do not feel safe, and, most importantly, you will lose search engine rankings.

This last point is especially serious in the case of Google, which penalizes pages without SSL certificates. Not to mention that an unencrypted site opens the door to phishing and data theft. If you have any questions, please feel free to ask in the comment section below.


Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at [email protected]
