We know it: the web can be a dangerous place. For this reason, and many others, it’s useful to have an SSL certificate on our websites, the one that gives us that really comforting padlock in the address bar. Plus, browsers like Google Chrome mark all websites without SSL as insecure, so… it’s really not good.
In this post we will see how to use HTTPS on a WordPress site by installing an SSL certificate.
How to get an SSL certificate
In order to install an SSL certificate, you first have to get one. For that, you have to ask your hosting provider. Usually you can activate the certificate yourself by finding the option in your hosting panel, and it can be free or not. It really depends on your hosting provider.
Once you have bought your certificate, you can proceed to install it on your website. There are two main ways to do that.
Install SSL/HTTPS in WordPress with a plugin
If you’re a WordPress beginner and don’t really know how to (or don’t really want to) mess with code and everything, this is the recommended method.
First of all, you have to install and activate the Really Simple SSL plugin. Then, navigate to Settings > SSL: the plugin will take care of setting up your website for the new certificate, and you will finally see the padlock appearing in your address bar.
Note: for this to work, you have to keep the plugin activated on your site at all times.
Manually set up SSL/HTTPS
If you don’t want to install plugins to correctly use your SSL certificate, you can do it manually.
Let’s see what it takes.
The first thing you have to do is go to Settings > General and update the WordPress Address and Site Address, replacing http with https. The rest of each address stays the same. Save the changes and log in again.
The second thing you have to do is add some code to your .htaccess file. You can find it in your website root. Open the file and add this code at the start. It will redirect visitors to the https version of your site.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Okay: now your website is correctly set up to use the secure connection, but you could still see some insecure-content errors. If you still don’t see the padlock in your address bar, you can use this tool to check what the problem is. It will give you a list of the resources that are still loaded over an insecure connection, so you can check them and replace their addresses.
You may also need to replace some database entries (like internal links) that still have the old address: there’s a plugin for that. With this plugin, you can easily replace all the entries containing http://www.yourwebsite.com/ with https://www.yourwebsite.com/.
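The two checks described above (resources still loaded over http, and internal links still pointing at the old address) can also be run offline on a saved copy of a page. The following is an added example, not part of the original post or of any tool or plugin it mentions; the names InsecureUrlFinder and scan and the sample HTML are constructed for illustration, using the placeholder domain www.yourwebsite.com.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}

class InsecureUrlFinder(HTMLParser):
    """Collect http:// subresources and http:// links to the site's own host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.mixed_content = []   # (tag, url) fetched over plain HTTP
        self.stale_links = []     # internal <a href> still using http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are not fetched; only stylesheets count here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        if tag in SUBRESOURCE_ATTRS:
            url = (attrs.get(SUBRESOURCE_ATTRS[tag]) or "").strip()
            if urlsplit(url).scheme == "http":   # urlsplit lowercases the scheme
                self.mixed_content.append((tag, url))
        elif tag == "a":
            parts = urlsplit((attrs.get("href") or "").strip())
            if parts.scheme == "http" and parts.hostname == self.site_host:
                self.stale_links.append(parts.geturl())

def scan(html, site_host):
    """Return (mixed_content, stale_links) found in one HTML document."""
    finder = InsecureUrlFinder(site_host)
    finder.feed(html)
    return finder.mixed_content, finder.stale_links

# Constructed sample page, using the placeholder domain from the post.
SAMPLE = """
<link rel="stylesheet" href="http://www.yourwebsite.com/wp-content/themes/x/style.css">
<script src="https://www.yourwebsite.com/wp-includes/js/jquery.js"></script>
<img src="HTTP://www.yourwebsite.com/wp-content/uploads/logo.png">
<img src="//cdn.example.net/banner.png">
<a href="http://www.yourwebsite.com/about/">About</a>
<a href="http://other.example.org/">External</a>
"""

if __name__ == "__main__":
    print(scan(SAMPLE, "www.yourwebsite.com"))
```

Protocol-relative URLs (//host/path) are not flagged because they inherit https from the page, and external http links are left alone because only fetched resources trigger the insecure-content warning.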
And… that’s it! Now your website should finally have its beautiful, comforting secure connection.