How to add SSL and HTTPS to WordPress (in 3 steps)

Make security a priority

If there’s one thing more important than your bottom line, it’s the security of your customers’ data. Playing fast and loose with bank details, addresses and other sensitive information might not be a major priority right now, but if something goes wrong, you’ll ultimately pay for it with your business.

Fortunately, technology, such as Secure Sockets Layer (SSL) and Hyper Text Transfer Protocol Secure (HTTPS), exists to protect data entered into a browser as it flows from server to server. These technologies can be complex under the hood, but are simple for WordPress users to implement. Don’t know how to add SSL and HTTPS to WordPress? Keep reading.

Introducing Secure Sockets Layer (SSL) and HTTPS

The green padlock is a key indicator of an encrypted site.

The data that’s passed from server to server when you interact with a website hasn’t always been encrypted and safe from interception. In fact there’s still a long way to go in that regard. The history of SSL and HTTPS is a little involved, but ultimately both were born out of a need to protect online data.

These two technologies have their own distinct roles to play:

  1. SSL: This is the protocol that provides communications security over a network.
  2. HTTPS: This is essentially a protected version of HTTP, which provides authentication for a website and its associated server.

However, you can’t have one without the other. This means that as soon as they’re both implemented, data transferred between servers is protected as fully as possible.

How to add SSL and HTTPS to WordPress

While they’re complex protocols, using Secure Sockets Layer and Hyper Text Transfer Protocol Secure on your site has become much easier over the years. Almost anyone can learn how to add SSL and HTTPS to WordPress these days. Simply follow the three steps outlined below, and you will be up and running in no time.

1. Choose a suitable SSL certificate.

While the process of connecting a certificate to your site might be simple, choosing the right certificate is a little more involved. There are many options available depending on your needs, but the most commonly used are one of the following three types:

  • Domain Validation (DV): This certificate simply verifies you as the owner of the domain.
  • Organization Validation (OV): Along with verifying the domain, this certificate also proves that your organization is legitimate.
  • Extended Validation (EV): With this certificate, you offer the highest level of security assurance to your customers. All applicants must pass a strict vetting process.

On the whole, the more sensitive the data you process, the higher the security level you’ll need to protect it. However, keep in mind that higher security comes with an additional cost. The level you need is up to you, but we’d recommend that if you deal with customer banking data, anything other than an EV SSL certificate would be risky.

GoDaddy offers all of these solutions, and if you’re a GoDaddy hosting customer, they’re simple to set up – a single click is all it takes. If you’re not using GoDaddy, encrypted data is still achievable within minutes.

2. Generate a Certificate Signing Request (CSR).

To help validate your website, business and server, you’ll need a Certificate Signing Request (CSR). In short, this identifies the server and domains you’ll use your certificate with.

The instructions are different depending on the server you’re using, but generally you’ll need to:

  1. Connect to your server via Secure Shell (SSH).
  2. Run a console command.
  3. Enter your URL and business details.
  4. Copy and paste the text into your account’s SSL request area.
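
The console command in step 2 is usually OpenSSL's `req`. The following is an added example, not part of the original article: it creates a 2048-bit RSA key and a CSR without prompts, then checks the CSR before it is submitted. The domain, organization details, file names and function names are placeholders.

```shell
#!/bin/sh
# Added example: create a private key and CSR, then sanity-check the CSR.
# yoursite.com and the organization details are placeholders.

# make_csr DOMAIN OUTDIR: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() (
    umask 077    # keep the private key readable by its owner only
    mkdir -p "$2" || exit 1
    # The SAN lists both host names because the redirect rule on this page
    # sends visitors to the www. form of the domain.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/$1.key" -out "$2/$1.csr" \
        -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Co/CN=$1" \
        -addext "subjectAltName=DNS:$1,DNS:www.$1"
)

# csr_subject CSR: checks the CSR's self-signature and prints its subject
csr_subject() {
    openssl req -in "$1" -noout -verify -subject -nameopt RFC2253 2>/dev/null
}

# csr_names CSR: prints the DNS names the certificate is being requested for
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# csr_matches_key CSR KEY: succeeds only if the CSR was made from this key
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Demo in a scratch directory; on a real server keep the .key file private
# and paste only the .csr text into the SSL request form.
dir=$(mktemp -d)
make_csr yoursite.com "$dir" 2>/dev/null &&
    csr_matches_key "$dir/yoursite.com.csr" "$dir/yoursite.com.key" &&
    csr_subject "$dir/yoursite.com.csr" &&
    csr_names "$dir/yoursite.com.csr" &&
    cat "$dir/yoursite.com.csr"
```

The `-addext` option needs OpenSSL 1.1.1 or later.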

As we alluded to earlier, GoDaddy customers have fewer steps to take to encrypt their data because GoDaddy takes care of this part of the process. However, regardless of your hosting provider, you’ll still need to make some tweaks within your WordPress dashboard once your certificate is ready to go.

3. Direct WordPress to use SSL and HTTPS.

The final step is to make sure WordPress knows you’re now using SSL and HTTPS. First, head to your WordPress dashboard and navigate to Settings > General. Scroll down to the WordPress Address (URL) and Site Address (URL) fields, and swap out http:// for https://.

Once you’ve saved your changes, you should be all set. However, if you’re implementing SSL on your existing site, you’ll also need to make a change to your .htaccess file. But before you go tinkering with your WordPress core files, you should brush up on your File Transfer Protocol (FTP) skills and back up your website in case something goes wrong.

Then, log in to your site via FTP, find the .htaccess file in your main directory, and add the following code:

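
# Send every request that arrives on the plain-HTTP port (80) to the HTTPS site.
# [R] issues a temporary (302) redirect; [L] stops processing further rules.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]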

Make sure you replace yoursite.com with your site’s URL, and save your changes. At this point, your site should be encrypted, but navigate to your front end and check out the browser bar to make sure.

Finally, it’s possible your site might only be deemed “partially secure” by the browser. This is a common issue with WordPress sites using third-party certificates. The good news is that you can use a plugin, such as Really Simple SSL, to solve it quickly.
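
Browsers report a page as only partially secure when an HTTPS page still loads some of its resources over http:// (mixed content). The following is an added example, not part of the original article: it lists those resources in a saved copy of a page so you can see what a plugin or a manual edit has to fix. The sample HTML, its URLs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find resources a page still loads over plain http://.

# sample_page: constructed HTML standing in for a saved WordPress front page
sample_page() {
    cat <<'EOF'
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://yoursite.com/">
<script src="https://yoursite.com/wp-includes/js/jquery.js"></script>
<script
    src="http://cdn.example.net/slider.js"></script>
<a href="http://example.org/">partner</a>
<img class="logo" src="http://yoursite.com/wp-content/uploads/logo.png">
<img src="https://yoursite.com/wp-content/uploads/hero.jpg">
EOF
}

# mixed_content FILE: prints "<kind> <url>" per insecure subresource.
# active  = scripts, frames and stylesheets, which browsers block;
# passive = images and media, which typically cause the warning.
# Plain links (<a href>) and rel=canonical are not loads, so they are skipped.
mixed_content() {
    # Join lines so multi-line tags match; normalise single quotes to double.
    tr "\n'" ' "' < "$1" |
    grep -Eio '<(script|iframe|link|img|audio|video|source)[[:space:]][^>]*>' |
    awk '{
        low = tolower($0)
        if (!match(low, /[ \t](src|href)="http:\/\/[^"]+/)) next
        url = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", url)      # drop the attribute name and opening quote
        tag = low; sub(/^</, "", tag); sub(/[ \t>].*/, "", tag)
        if (tag == "link" && low !~ /rel="?stylesheet/) next
        kind = (tag ~ /^(script|iframe|link)$/) ? "active" : "passive"
        print kind, url
    }'
}

page=$(mktemp)
sample_page > "$page"
mixed_content "$page"
rm -f "$page"
```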

When it comes to your website, your users’ security should be a top priority. What’s more, influential companies, such as Google and WordPress itself, are pushing for all sites to protect the data they process. This means you need to learn how to add SSL and HTTPS to WordPress and make the change right away.


Also published on Medium.

Image by: Michał Grosicki on Unsplash