This is a continuation of our website security series. Today we learn how to add SSL to your WordPress website.
Security is the foremost reason: an SSL certificate encrypts data between your website and the website visitor's browser. This means that even if the data is intercepted, it cannot be read because it's encrypted.
An SSL certificate also authenticates your website, confirming to your web browser that the website is actually who it claims to be.
SSL certificates are crucial to ecommerce websites, banks and any website where securing data is important. Even a regular website with users' passwords and personal data needs to be protected. Imagine your website being compromised and your users' personal data and passwords being stolen. Stolen data is often used for fraud and identity theft. This kind of breach can be devastating both to your website's reputation and to the people whose data was hijacked.
Adding SSL to WordPress is easy. You need to purchase an SSL certificate, and usually you'll need a dedicated IP address. Both can be supplied to you by your web hosting company. Once you have an SSL certificate you can ask your web hosting provider to install it for you. They should be more than happy to do that for you.
On our shared hosting we install all SSL certificates for our clients.
Some people prefer to use SSL on only selected pages or areas, e.g. the login page or the checkout page. We recommend you add SSL to your entire site, as there is a small SEO benefit according to an announcement by Google. The choice, of course, is entirely yours.
If you want to add SSL to your entire website then we'll start as follows:
1) Update your URL in WordPress to use HTTPS in the WordPress admin. Go to Settings » General Settings, then update your site address URL and WordPress URL fields to HTTPS.
2) Force SSL on WordPress by redirecting all traffic to use HTTPS. This is done by adding a line of code to your .htaccess file.
You want to make sure that you force SSL on WordPress. This means that when someone visits your website from, e.g., www.yourwebsite.com (a non-encrypted link), they are forced to view the encrypted page, which in this case would be https://www.yourwebsite.com.
For more in-depth info on how to force SSL on WordPress, read this Help Centre article, but the code below is what you'll need to add:
Please note: If you already have existing code in your .htaccess file then add this code above the code with a similar starting prefix.
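<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
# Match only requests that arrived on the plain HTTP port (exactly 80)
RewriteCond %{SERVER_PORT} ^80$
# Redirect the requested path to the same path on the HTTPS site
RewriteRule ^(.*)$ https://www.yourname.com/$1 [R,L]
</IfModule>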
Please make sure to replace www.yourname.com with your domain name.
Adding this code will also avoid your SSL breaking and causing errors. What essentially happens is that some items, like images or other content, are called insecurely (via HTTP) rather than securely (via HTTPS), and this causes browsers to give various errors.
Once you've done all the above, it's time to test your website to make sure the SSL is working correctly. To start with, visit your site in your browser; some of the results in Chrome will give you browser icons as follows:
For more in-depth information on Chrome's browser icons and their meanings, visit this page.
We also recommend using a tool like https://whynopadlock.com to test your site for errors.
Why No Padlock will test your page and make sure all items are called securely. If not, it will highlight each item that's called insecurely so you can fix each one.
There are also WordPress plugins that can help when changing from HTTP to HTTPS. One such plugin is WordPress HTTPS. WordPress HTTPS can be really helpful when you have a big site with lots of content that needs to be fixed because it's being called insecurely.