Making sure your website uses HTTPS should be a top priority for any webmaster.
In fact, recent statistics show that over 42% of site administrators across the web use WordPress, and many of these sites still don’t have an SSL certificate installed.
Over the past several years, SSL has become increasingly important. SSL is crucial not only for securely transmitting information to and from a website, but also for search engine visibility. Having SSL installed can lower the chances of being penalized by website authorities, and should always be a part of a website’s security posture.
SSL certificates essentially protect the integrity of the data in transit between the host (web server and/or firewall) and the client (web browser). They work as a barrier to prevent data visibility or modification. An SSL certificate doesn’t protect websites from being hacked, however.
SSL works only to protect the data in transit.
If you’d like to understand more about how SSLs work, feel free to check out our short webinar: Is SSL Enough to Secure Your Website?
Website authorities such as Google have been known to penalize non-HTTPS sites for some time now. Back in 2017, Google changed its approach to handling HTTP websites. Having an SSL certificate has been an important factor for SEO and security, but now it shows that the site takes security more seriously than a non-HTTPS site generally would.
Version 68 of Google’s Chrome browser, released in July 2018, shows a “Not Secure” warning for websites that don’t have an SSL certificate.
HTTPS websites generally tend to rank better on search engines such as Google. Since 2014, SSL has been a ranking signal for SEO and has been one of the site’s characteristics that determine its position amongst search engines.
According to Yoast,
“It’s inevitable that we are moving to an all-HTTPS web.”
In order to install an SSL certificate on a WordPress site, you’ll first need to either purchase one through a Certificate Authority, such as GoDaddy, or use a free certificate from Let’s Encrypt.
Some hosting companies provide SSL certificates to their customers as well. We advise contacting your hosting provider before proceeding, since they may be able to provide support with the installation & management of your certificate.
If you choose to go with a free Let’s Encrypt SSL certificate, however, we’ve written an extensive guide on how to add one to your website here.
If you’re using the Sucuri Website Firewall (WAF) and you don’t currently have an SSL certificate on the origin server for your site, an SSL will still be enabled on the firewall server by default. This ensures the data between visitors and the pages they view is still encrypted, via the firewall server.
Before installing SSL/HTTPS on your WordPress site, you’ll need to have a valid SSL certificate uploaded to your server or CDN. You can reach out to your hosting or CDN provider to ask for assistance with this step.
Below are the steps for installing SSL/HTTPS on a WordPress website. You can either do it manually, or use a plugin to help. If you choose to add an SSL to WordPress manually, you’ll need to modify some files and troubleshoot certain issues.
Step 1 – Backing Up Your Site
Before starting this process, it’s highly advised you save a backup of your website in a secure location. Make sure to have a complete copy of your website files and database. This way, the website can be restored if any of the following steps break the website.
Step 2 – Download a WordPress SSL Plugin
One of the most used plugins to move from HTTP to HTTPS is the Really Simple SSL Plugin. This plugin automatically detects new website settings, and configures it to run over HTTPS. You can download this plugin from the WordPress official repository.
You can also install this plugin directly from the WordPress admin dashboard. You’ll just want to go to Plugins > “Add New.”
Step 3 – Automatically Detecting SSL With the Plugin
The plugin should automatically detect the SSL certificate installed, and then set WordPress to use HTTPS with it. You’ll first need to open the plugin inside your admin dashboard, then navigate to Settings > SSL.
Once you select the option “Go ahead, activate SSL!” your WordPress site should now be running on HTTPS.
After clicking on the “Go ahead, activate SSL!” button, you may need to log in to WordPress again.
If you’re seeing mixed content warnings, read this “really simple ssl” article for further instructions.
PS: If you’ve decided to use the plugin you can skip step 8.
Step 4 – Update the URL Address
In your WordPress dashboard click on Settings > General.
Now, replace your website address from http:// to https:// and click on Save Changes.
After making these changes, log out and log back into WordPress again.
Step 5 – Force HTTPS in WordPress
Next, force HTTPS by adding this code to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Step 6 – Add HTTPS to WP Admin
To force HTTPS within your WP admin dashboard, add the following line to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
Step 7 – Force HTTPS to your Database
In order to avoid mixed content errors, you can simply edit all URLs in your database that still show under HTTP.
You can also use a plugin that searches and replaces URLs for you, such as Better Search Replace. You’ll want to open the plugin and search for http://yourwebsite.com, and then replace it with https://yourwebsite.com instead. Now click on Run Search/Replace.
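WordPress stores many settings (widgets, theme options) as PHP-serialized strings with byte-length prefixes, so a raw text replace of http:// with https:// leaves each prefix one byte short and the value no longer loads. The Python sketch below is an added example, not code from this article or from any plugin; `migrate_value` and the sample option value are constructed for illustration, and only the scalar, string and array types are handled.

```python
OLD, NEW = b"http://yourwebsite.com", b"https://yourwebsite.com"

# Constructed sample: a widget setting as stored in the wp_options table.
# PHP length prefixes count bytes, so "Café logo" (9 characters) is s:10.
SAMPLE = ('a:2:{s:5:"title";s:10:"Café logo";'
          's:3:"url";s:31:"http://yourwebsite.com/logo.png";}')

def _walk(buf, pos):
    """Re-emit the serialized value starting at pos; return (bytes, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return b"N;", pos + 2
    if tag in (b"i", b"b", b"d"):                     # i:5;  b:1;  d:0.5;
        end = buf.index(b";", pos) + 1
        return buf[pos:end], end
    if tag not in (b"s", b"a"):
        raise ValueError("unsupported or non-serialized data")
    colon = buf.index(b":", pos + 2)                  # end of the length/count field
    size = int(buf[pos + 2:colon])
    if tag == b"s":                                   # s:<byte length>:"<bytes>";
        start = colon + 2
        body = buf[start:start + size].replace(OLD, NEW)
        # Recompute the prefix from the new body instead of keeping the old one.
        return b's:%d:"%s";' % (len(body), body), start + size + 2
    out, pos = [buf[pos:colon + 2]], colon + 2        # a:<count>:{<key><value>...}
    for _ in range(size * 2):                         # every entry is key + value
        piece, pos = _walk(buf, pos)
        out.append(piece)
    return b"".join(out) + b"}", pos + 1

def migrate_value(value):
    """Rewrite the site URL in one database value, keeping length prefixes valid."""
    raw = value.encode("utf-8")
    try:
        out, end = _walk(raw, 0)
        if end != len(raw):
            raise ValueError("trailing data, not a single serialized value")
    except ValueError:
        out = raw.replace(OLD, NEW)                   # plain text: simple replace
    return out.decode("utf-8")

if __name__ == "__main__":
    print("naive:", SAMPLE.replace("http://", "https://"))   # still says s:31
    print("fixed:", migrate_value(SAMPLE))                    # prefix becomes s:32
```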
Step 8 – Sending The HTTPS Site to Google Search Console
Add and verify the new HTTPS site in Google Search Console now.
After this, Google will re-crawl the site once a new XML sitemap including the HTTPS URLs is submitted.
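Once the steps above are done, pages can be checked for the leftover mixed content mentioned in steps 3 and 7. The following Python scanner is an added example, not part of the original article: it lists subresources still loaded over http:// in a page's HTML and ignores ordinary links and canonical tags, which do not trigger mixed content warnings. The sample page and the `find_mixed_content` name are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that make the browser fetch a subresource, and the attribute with its URL.
URL_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
            "img": "src", "audio": "src", "video": "src", "source": "src"}
# Active content can rewrite the page, so browsers block it when served over HTTP.
ACTIVE = {"script", "iframe", "embed", "object", "stylesheet"}

# Constructed sample: an HTTPS page after a partial migration.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://yourwebsite.com/">
<link rel="stylesheet" href="https://yourwebsite.com/wp-content/themes/t/style.css">
<script src="http://yourwebsite.com/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<a href="http://yourwebsite.com/about/">About</a>
<img src="http://yourwebsite.com/wp-content/uploads/logo.png">
<img src="//cdn.example.com/banner.png">
</body></html>
"""

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (severity, kind, url) tuples

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched and applied; rel=canonical is a hint.
            rels = (attr.get("rel") or "").lower().split()
            kind = "stylesheet"
            url = attr.get("href") if "stylesheet" in rels else None
        else:
            kind, url = tag, attr.get(URL_ATTR.get(tag, ""))
        if url and url.strip().lower().startswith("http://"):
            severity = "active" if kind in ACTIVE else "passive"
            self.findings.append((severity, kind, url.strip()))

def find_mixed_content(html):
    """Return insecure subresource references in document order."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for severity, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{severity:8} {kind:10} {url}")
```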
For many SEO elements such as “rel=canonical” and Open Graph tags, it’s advisable to use an absolute URL. Absolute URLs are read externally by social media sites and search engine crawlers.
It’s important to note there’s a period of normalization after applying an SSL, but ultimately, it’s a confirmed ranking signal according to Google.
Similarly, social sharing counters for older content will likely become invalid. This is because there’s now a new URL starting with HTTPS instead of HTTP, and many tools count each as a separate URL with its own engagement metrics.
SSL protects the information in transit, allowing a site to be accessed over HTTPS. The data sent is encrypted between visitors and the web servers. However, having an HTTPS website doesn’t mean the website is protected against website attacks and infections. It’s essentially only a piece of the website security puzzle.
If you’d like to take a better look at the state of your website security, you can install our free Sucuri security plugin.
Sucuri Security – Auditing, Malware Scanner, and Security Hardening
In case you’d like peace of mind, we recommend checking out how our website security platform detects, protects, and cleans site malware. You can also activate SSL/HTTPS via our cloud-based WAF that’s included in our platform.