SSL for WordPress – why you need it and how to install it

SSL for WordPressMany websites, including e-stores and subscription portals, ask their visitors to share sensitive information such as credit/debit card details, home address, phone number, etc.

However, the web is not as secure as it used to be a decade ago and there are countless threats for your visitors’ security.

Whatever the reason for a hacker’s attack, if your clients’ sensitive data is compromised, chances are that not only will they not return but you’ll be blacklisted and best case scenario, hardly welcome any newly registered users for a long time.

That’s why SSL can be crucial for a website owner.

In the article below, we will give you details on how to setup SSL for WordPress quickly and efficiently.

What is SSL?

The widely used term SSL is an abbreviation for ‘Secure Sockets Layer’.

It represents a type of cryptographic protocol, which is used for secure exchange of information between a website and the web browsers of its visitors.

It encrypts the exchanged data, in order to add another level of security.

Today a vast majority of Internet sites on the world-wide web use SSL Certificates.

That’s why, its presence is regarded as a guarantee for a website’s authenticity by random web users.

The advantages of having an SSL for WordPress

In simple terms, implementing SSL for WordPress is the process of migrating from the obsolete HTTP to the up-to-date HTTPS protocol.

In this article, we will use the SSL and the HTTPS terms interchangeably, because of their similarities in this particular context.

The main differences between HTTP and HTTPS are the following:

  • Website security: With HTTP, the information is sent and received in plaintext. This creates potential for man-in-the-middle attacks, during which an attacker can steal personal details without the users knowledge. With HTTPS, the data transmitted between the site and the visitor is encrypted and cannot be decrypted by any third party.
  • The padlock: To easily identify when a site is using an SSL certificate, browsers will display a padlock next to the URL. If you click on the padlock, you will detailed information about the actual certificated, used by the website.
  • Price difference: HTTP is, for now, the default state of each page that is published online. As such, it’s completely free. To have your site working over HTTPS, you need to purchase an SSL certificate and then renew it on an annual basis. However, there are also free SSL Certificate providers, like Comodo or Let’s Encrypt.

Why you need to get an SSL Certificate today

Below, we will list some of the basic reasons why migrating to HTTPS is a good long-term investment for your website.

  • Better SEO: Search engine optimization basically means getting more traffic, thanks to search engines. As you’re probably aware, there are quite a few ranking signals that Google analyzes in order to determine the ranking for a given website. It is important to know that HTTPS is among the officially declared ones. Google says that HTTPS sites have higher rankings than HTTP-based ones.
  • Security: Needless to say, the security of your visitors should be your top priority. It is even more essential if you collect payments. In case it is ever compromised, it is less than likely that any of the affected will return and you’ll probably need to create a new website from scratch to welcome new visitors. That being said, SSL helps a lot for the security of your site, since when in use, the traffic is 100% encrypted. Your visitors will also be able to tell whether you’re using it because of the green padlock and feel safe browsing through your site and making orders.
  • Website credibility: All of the popular internationally-visited sites on the web use HTTPS today. For example: Youtube, Google and Mozilla. As a result of this, the green padlock, which can be seen in their addresses is considered as a sign of good reputation and credibility. Therefore, visitors will find a website, which uses SSL trustworthy. Of course, sometimes that is not a wise decision, as there are non-legit sites on the web, which use this protocol.
  • For eCommerce stores: it is hardly possible to own a successful eCommerce store nowadays without SSL. Per PCI Compliance, you are required to use SSL in order to accept credit cards and PayPal payments.

As you can see your targeted visitors will only trust your website and enter their credit/debit card details or any other type of sensitive data when you use SSL. Below, we will show you how to implement the SSL for WordPress.

How to get an SSL for WordPress

Every SSL certificate is a virtually authorized document. When you get one, you’re allowed to use SSL encryption for a specified period of time.

Currently, the price of an SSL is in the range of $60 – $200 and it is dependant on its period of validity – the longer it is, the higher the price.

Therefore, you should remember to regularly renew your certificate in order to keep using SSL for your site.

There are two ways to get an SSL certificate:

  • Purchase it from a trusted seller.
  • Join the Let’s Encrypt initiative and get a free SSL certificate. It has issued more than 24 million certificates by December 2016.

After you’ve obtained your SSL certificate, you need to install it. You can contact your web hosting service provider or the certificate provider and they will do this for you.

How to install an SSL for WordPress

In order to take advantage of your SSL everywhere on your website, update your WordPress site settings:

  • Go to: Settings > General
  • Add: https://www.mydomain.com/ in both Site URL & Home URL fields
  • Make sure to replace ‘mydomain.com’ with your domain name
  • Click on: “Save Changes.”

The aforementioned steps can sometimes be unsafe for old WordPress based websites. Alternatively, you can use the Really Simple SSL WordPress plugin. It will do all that automatically and update you whether there are some other things you should fix.

If you don’t want to install additional plugins, just add the following program code in your .htaccess file:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.your_domain.com/$1 [R,L]

Then, replace: your_domain.com with your domain name. As a result, all pages will be redirected to https with an updated, HTTPs URL.

You can also force the use of SSL for the admin area, to prevent any unsecured connections. Simply add the following short line of code in the wp-config.php file above “That’s all, stop editing!” line:

define( ‘FORCE_SSL_ADMIN’, true );

This way, your dashboard will become HTTPS-friendly.

Don’t forget to update hardcoded URLs

In case you run an older website, then all of its links will have to be updated in accordance with the new HTTPs standard.

One option is to search for and replace these links individually. Luckily there’s an alternative.

Before you proceed any further, make a full backup of your WordPress database. Then do the following:

  • Install the useful Better Search Replace plugin by Delicious Brains Inc.
  • Go to: Tools > Better Search Replace in order to use the plugin
  • Search for: ‘http://your_domain.com’ and replace it with the updated version, in other words: ‘https://your_domain.com.’

This way, all the outdated URLs will be replaced with the HTTPs ones.

How to test if everything is working

Once you are done with the aforementioned steps, it is recommended that you perform some tests to verify that everything works properly just like it did before migrating to HTTPs. Follow these tips:

  • Use the Jitbit’s SSL-check tool to identify any insecure content on your website. However, they do have a crawl limit – 200 pages per website.
  • Another tool to test if there are non-secure elements on your website is Whynopadlock
  • In addition, use the SSL Labs test, so as to get a complete and up-to-date picture of your configurations.
  • Visit a few pages of your website and check whether all of them have the padlock icon visibly displayed.
  • Search for “site:your_domain.com” on Google, in order to ensure that all the indexed links are properly redirected and are https. Remember that it takes some time for Google to pick up the redirection. That’s why always make sure that your sitemap is submitted, and that you can reindex your website manually.
  • Use the SSL Insecure Content Fixer plugin to fix any mixed content warnings that may appear on your WordPress based website.

Conclusion

Although the HTTP to HTTPs migration with the addition of SSL for WordPress described above may sound a bit complicated and time-consuming, it is rather important, especially if you run a business-oriented website.

If you want to welcome many new targeted visitors and keep the existing ones, you need proper SEO and security.

HTTP is getting more and more out-of-date, though once used for the creation of the world-wide web. Stay up-to-date, using HTTPs.

 



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.