SSL stands for Secure Sockets Layer. It is an encryption-based technology for securely exchanging information between a website and its visitors. Aside from encrypting the data exchanged, it also assures your visitors of the website’s authenticity. Millions of websites use SSL, and it is an integral element of website security. If you care about site user experience and security, you need SSL; it’s really that simple.

A large number of people enter sensitive information like credit card details on websites. Details like these are important, far too important to let hackers sniff ‘em off website traffic. That’s why it is important for website owners as well as visitors to understand the importance of SSL. It is not a marketing gimmick by hosting companies to make you spend money. It really does secure your communication, and it helps your users trust you.

In this post, you will learn the what, why and how of SSL for your WordPress website.

The Differences Between HTTP and HTTPS


Implementing SSL is, in the most basic terms, switching from the traditional HTTP protocol to HTTPS. HTTP is the data communication protocol on which the entire world wide web is based. Note that I will be using the terms HTTPS and SSL interchangeably since they mean almost the same thing for the purpose of this article. There are several differences between HTTP and HTTPS, such as:

  • Website security: With HTTPS, the information exchanged between the browser and the website is encrypted, making it ciphertext that is completely different from the actual transmitted data.
  • The padlock: Websites which employ SSL have their URLs prefixed with HTTPS, and a green padlock is shown beside them. Clicking the padlock shows various details about the website and its security layer.
  • Price difference: HTTP is free; anyone can use it. HTTPS costs an annual fee of $60-200 for renewing the associated certificate. But services like Let’s Encrypt are helping the world by making SSL free.

Those are the major differences between the protocols, though a full comparison is beyond the scope of this article. All you need to know is that HTTPS is secure but HTTP is not. Any data you enter over HTTP can be spoofed by hackers.

Why You Need HTTPS

The technology may sound fancy and cool, but are there any practical reasons to migrate from HTTP to HTTPS? Yes! Let me explain a few reasons why you need HTTPS.

  • Better SEO: SEO is about driving more traffic from search engines. There are many ranking signals that Google examines to determine the ranking of a web page. One of the officially declared ranking signals is HTTPS. Google says that it ranks HTTPS sites better.
  • Security: It is incredibly essential to ensure the privacy and security of your visitors. If you collect payments or any other sensitive information through your website, you must ensure its security. SSL strengthens security for both visitors and website owners. Website owners can breathe a sigh of relief because their traffic is 100% encrypted. Visitors can also feel safe and secure seeing the shiny green padlock.
  • Website credibility: Since huge websites like Google, Mozilla, and YouTube use HTTPS and show green padlocks, the green padlock shown beside any address is deemed a sign of reputation. Visitors are more likely to trust a website if it has SSL. This is both good and bad because not all websites that use this protocol are legit.
  • For eCommerce stores: When you run an eCommerce store, accepting credit cards and PayPal becomes important. If you want to do that, per PCI Compliance, you are required to use SSL.

With HTTPS comes a sense of trust for visitors. Visitors should never enter their credit card details or any other sensitive information on a website without SSL. Now you know the importance of SSL. But how do you implement it on your website? Continue reading to learn how.

How to Get HTTPS

Step#1: Get an SSL Certificate / Use Let’s Encrypt

An SSL certificate is a digital document that authorizes your website to use SSL encryption. It is mandatory to have this certificate because, without it, you can’t force HTTPS on your website. An SSL certificate costs in the range of $60-200, depending upon the validity period of the certificate. That’s right; the certificate expires, and you need to renew it to keep using it.

There are two ways to get a certificate.

Both options are as valid as they can get. Once you have bought a certificate, ask the certificate provider or hosting provider to install it for you.

Step#2: Force HTTPS on WP-ADMIN

The WordPress dashboard is just as important as the website itself, so forcing HTTPS on wp-admin is important. First of all, make sure you have a backup of your site ready, in case you screw things up.

Add the following code to your wp-config.php file, above the “That’s all, stop editing!” line:

define( 'FORCE_SSL_ADMIN', true );

This forces logins and the dashboard to be served over HTTPS.

Step#3: Change Site & Home URLs to HTTPS


To use HTTPS everywhere, make sure the WordPress site settings are updated too. Follow these instructions:

  • Go to Settings > General
  • Add https://www.mydomain.com/ in both Site URL & Home URL fields
  • Make sure to replace mydomain.com with your domain name
  • Click “Save Changes.”

This step can be risky sometimes, especially if you are going to do it for an old website. I recommend using the Really Simple SSL WordPress plugin, which takes care of this step automatically and lets you know about other things you need to fix.

Step#4: Search & Replace URLs to HTTPS

If your website is fairly old, all internal links will need to be updated. It is time to search and replace these links. Before you proceed with this step, back up your WordPress database. Follow these instructions:

  • Install Better Search Replace plugin by Delicious Brains Inc.
  • Go to Tools > Better Search Replace to use the plugin
  • Search for “http://your_domain.com” and replace it with the updated version i.e. “https://your_domain.com.”

This should replace all the old URLs with the new ones.

Step#5: Redirect HTTP to HTTPS

This step is not necessary if you are using the Really Simple SSL plugin.

What about all the HTTP search listings? How do you tell Google to replace HTTP URLs with HTTPS URLs? Simple: put a 301 redirect on all links. Add the following code to the .htaccess file:

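<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
# Match only requests that arrived over plain HTTP (port 80)
RewriteCond %{SERVER_PORT} 80
# Send a permanent (301) redirect to the same path on HTTPS
RewriteRule ^(.*)$ https://www.your_domain.com/$1 [R=301,L]
</IfModule>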

Replace your_domain.com with your domain name. Implementing this step will ensure that all pages are redirected to https with the updated URL.
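A way to confirm the redirect behaves as intended, written as an added example that is not part of the original post. The function names and the sample responses are constructed for illustration, and www.your_domain.com is the article's placeholder host.

```python
import http.client
from urllib.parse import urlsplit

def audit_redirect(status, location, host, path):
    """Return the problems found in one redirect response (empty list = OK)."""
    problems = []
    if status != 301:
        # A bare [R] flag in mod_rewrite answers 302 (temporary), not 301.
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"scheme {target.scheme or 'missing'}, expected https")
    if target.hostname != host.lower():
        problems.append(f"host {target.hostname}, expected {host}")
    if (target.path or "/") != path:
        problems.append(f"path {target.path or '/'}, expected {path}")
    return problems

def fetch_redirect(host, path="/", timeout=10):
    """Ask port 80 for a page without following the redirect (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses for www.your_domain.com (placeholder host).
SAMPLES = [
    ("/blog/", 301, "https://www.your_domain.com/blog/"),   # correct
    ("/blog/", 302, "https://www.your_domain.com/blog/"),   # temporary redirect
    ("/blog/", 301, "https://www.your_domain.com/"),        # path dropped
    ("/blog/", 200, None),                                  # no redirect at all
]

def audit_samples(host="www.your_domain.com"):
    return [audit_redirect(s, loc, host, p) for p, s, loc in SAMPLES]

if __name__ == "__main__":
    for (path, status, loc), problems in zip(SAMPLES, audit_samples()):
        print(path, status, loc, "->", problems or "OK")
```

Against a live site, pass the result of `fetch_redirect(host, path)` to `audit_redirect` for a handful of deep URLs, not only the home page.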

Testing Phase

When all this is done, you need to perform tests to make sure everything is working properly. Here are some tips and techniques to follow:

  • Use Jitbit’s SSL-check tool to identify insecure content on your website
  • You can also use the SSL Labs test to get a complete picture of your configurations.
  • Visit a few pages of your site and check that they all display the padlock icon
  • Search “site:your_domain.com” on Google, make sure all the indexed links are properly redirected and are https (it takes time for Google to pick up the redirection, make sure your sitemap is submitted, and you can reindex your site manually.)
  • Use SSL Insecure Content Fixer plugin to fix mixed content warnings

Conclusion

The steps described in this post may feel overwhelming and daunting, but it is very important to have SSL for your business site. With the benefits of SEO, trust, and website security, you get to stay ahead of the curve. HTTP is obsolete; HTTPS is the future.

Starting Jan 2017, Google Chrome will treat HTTP sites as insecure.

So, right now is the right time to start thinking about HTTPS.

What do you think about the importance of SSL? Do you have any tips for migration from HTTP to HTTPS?

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @MrAhmadAwais, where I write about development workflows in the context of WordPress.

As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.


Author:

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.


3 Comments

  1. Thanks for the insight, Ahmad. The task to move to SSL sounds very daunting and you can read a lot of bad user experiences online. But after just moving two of my sites to https I found it super easy. The really simple SSL plugin does everything for you. I didn’t even see any drop in traffic.

  2. This is a great walk-through the subject of SSL! I was wondering if for an eCommerce site I should buy a SSL or use the free SSL like Let’s Encrypt that comes with a Siteground hosting account? Is there any difference?
