With today’s online security threats, websites need to ensure the visitors of their pages are protected by enabling HTTPS security.
This is urgent, as more than half of organizations online report they are being targeted more now than ever before.
Since the vast majority of website attacks are due to stolen passwords and unsecured connections—both things that HTTPS prevents—it’s not hard to see why protective measures are a must.
While WordPress is a fantastic content management system, its websites aren’t protected with HTTPS connections from the start. There are some web hosting services out there, like Bluehost, who do provide free SSL certifications that are necessary to force HTTPS into WordPress, but even with free certifications, some additional steps are still required to get everything set up.
On that note, here’s our comprehensive guide on everything you need to know to enable HTTPS on your own website.
November 2024 Offer – For a Limited Time Only:
Get WordPress HTTPS SSL Plugin for 15% off! Don’t miss out!
A Quick Definition of HTTPS
HTTPS is a combination of HyperText Transfer Protocol (HTTP) internet connections and Secure Sockets Layer (SSL) security measures.
While an HTTP connection is required for any user to connect to a website, without SSL, there’s no data protection. Meaning, hackers and malware are more easily able to steal private information, such as user passwords or financial information.
But an HTTPS connection will defend the privacy of a website’s exchanged data while also demonstrating its authentication. Indeed, when anyone online visits websites using HTTPS protected connections, they’ll see a green padlock icon in their web browser. This acts as visual proof that a website is safe to use, which is a standard all modern users expect.
HTTPS Plugin Installation Service
Before we start, it’s important to note that CreativeMinds provides WordPress plugins and installation services.
You can find all information below, but if the technical steps overwhelm you, get in touch with us so we can help!
Learn more: Plugin Installation Service for WordPress by CreativeMinds.
How to add SSL HTTPS to WordPress site
Step 1) Obtaining an SSL Certificate
Websites who gain SSL Certification through their hosting provider should be able to easily activate it within their Admin Panel.
But those who aren’t supplied with free SSL certification will need to manually acquire and install one for themselves.
To do that, you need a certificate (which is a type of data file) from an official Certificate Authority. We always recommend LetsEncrypt as our go-to Certificate Authority service due to their free SSL certificates, and simple user-friendly instructions.
Plugin Generates Free Certificate For You
The Force HTTPS plugin generates a free certificate from Let’s Encrypt. Go to the “Certificate” tab and generate a free certificate with a single click!
Step 2) Installing an SSL Certificate in WordPress
Regardless of which Certificate Authority you use, the next steps depend on whether you have secure shell (or SSH) access to your web host. With SSH access, web managers can complete the installation of a certificate using the help of a client like Certbot. However, the most common WordPress website hosting options are structured in such way that users won’t have this access.
For websites in that situation, the best option is to go directly to their hosting provider for website modification assistance. Thankfully, many web host services anticipate these user needs by accommodating built-in support options for LetsEncrypt and other Certificate Authorities.
This way, in the unfortunate case that something doesn’t go right, you’ll be able to safely restore your website to its previous unaffected state.
Some web hosting providers will offer to install a purchased SSL certificate on your website. If that option is not available, it is also possible to manually install a SSL certificate, though that requires more hands-on knowledge and isn’t recommended for the inexperienced.
Thankfully, there are also plenty of WordPress plugins available that enable your SSL certificate for you. This is one of the more common methods of enabling HTTPS, and there are plenty of plugins that do it.
You can find WordPress HTTPS solution here, which automatically redirects your HTTP URL into a protected HTTPS after purchasing a SSL certificate.
Step 3) Two ways to Force HTTPS Connection for WordPress
Once an SSL certificate is installed on your domain, next you need to force WordPress to use it for HTTPS. This can either be accomplished with the help of a plugin, which is recommended for beginners, or by manually editing your WordPress website’s files.
Additionally, if you want a manual installation performed, but aren’t comfortable with your ability to modifying website code, it’s possible to hire WordPress developers to complete the technical edits needed to force HTTPS on WordPress.
Easy Way – Force WordPress HTTPS using a Plugin
Without a doubt, the simplest and most straightforward method of forcing HTTPS for WordPress is through a WordPress Plugin.
There are multiple plugin options from different developers, with the best of them taking care of every step for you. This includes checking your SSL certification, forcing WordPress to use HTTPS in URLs, automatically redirecting old HTTP sources to HTTPS, and checking content to find old and new security flaws.
A sturdy option is the WordPress HTTPS SSL Plugin.
This Force HTTPS plugin takes care of all the steps for installation described above, and more, to secure website databases. For instance, both an end-to-end SSL status tracker and a built-in scanner that locates mixed content errors are included.
Everything is controlled through the plugin’s comprehensive admin dashboard that lets users choose which specific pages run HTTPS, while at the same time providing easy access for any front-end-only users holding limited website roles.
The plugin works across multiple websites as well, making HTTPS security a cinch no matter how many you manage.
Hard Way – Manually Force WordPress HTTPS Step by Step
1. Replace URL Under Site Settings
Head to your website’s Settings > General page, and under the “General Settings” section replace the URL addresses there—both the WordPress Address and Site Address—with the updated HTTPS address obtained through your SSL certificate.
Then click “Save Changes”, and WordPress will automatically log you out. If you try logging back in at this point, you’ll get a loading error. So, let’s fix that.
2. Add Code To .htaccess File
This second step varies depending on whether you are using nginx servers or not (most users aren’t).
For all websites not using nginx servers, the following five lines of code must be added to your .htaccess file.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
For the few WordPress websites that do use nginx servers, these five lines of code must be added instead.
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
In both cases, make sure you don’t forget to replace the “example.com” texts with your website’s actual domain name. Afterward, WordPress will begin loading your entire website using HTTPS, which will resolve the loading error created in Step 1.
3. Fix Mixed Content Errors
Now it’s time to find and fix your mixed content errors.
Unfortunately, your website will run into these errors due to onsite sources that are still using unsecured HTTP. Meaning, you’ll need to use the inspect tool to figure out specifically which content is coming in from insecure connections.
The three main places to inspect here are your WordPress Database, WordPress Theme, and WordPress Plugins. To actually fix the errors, every mention of your old website URL must be found within its database and then replaced your new HTTPS URL.
4. Add Property on Google Search Console
Lastly, for SEO optimization, Google needs to be notified that your website has switched from an HTTP connection to HTTPS.
To do so, go to your Google Search Console account and click ‘Add a Property’. Then enter your new HTTPS address in the presented field, and choose a verification option to prove your website’s ownership.
After completing this step, you’ll have manually and successfully forced HTTPS into your WordPress website.
HTTPS WordPress Plugins Alternatives
If you are interested in using other software, here are four additional WordPress SSL and HTTPS plugins out there and how to use them.
1. Really Simple SSL
Really Simple SSL aims to keep SSL simple with minimal options and the ability to enable SSL with one click. Once enabled, this plugin moves your entire site to SSL. All incoming requests are redirected to HTTPS.
The Pro version of this plugin includes support for mixed content, the option to enable HTTP Strict Transport Security, and more detailed feedback.
2. WP Force SSL
WP Force SSL is a basic plugin that redirects all WordPress site pages from HTTP to HTTPS. It doesn’t come with the advanced options of some of the other plugins.
Note: With this plugin, users will need to add https to the WordPress Address (URL) and Site Address (URL) parameters under General > Settings.
3. Easy HTTPS Redirection Plugin
This HTTPS plugin is available for free form WordPress.org, and forces search engines to index the HTTPS versions of your webpages. Also, the plugin automatically setup a redirection to the HTTPS version of each of your webpages URLS, so users will automatically be taken to the secure page when they try to access the non-secure page.
One feature of this plugin is that it auto redirects for the entire website domain or admin can choose to auto redirects for just a few specific pages. Also, admin can force load static files like images using a secure connection.
In addition, this HTTPS plugin also supports translation with multiple languages including English and German. There is also helpful documentation and 24/7 support options for this highly rated plugin.
4. SSL Zen Plugin
The Free SSL Certificate for WordPress plugin’s differential is that it generates a free SSL certificate from the plugin itself. It also boasts a slick, hassle-free interface.
The downside is the limitation: you can only apply the certificate from LetsEncrypt, which is valid for 90 days. Also, while the interface is indeed straightforward, it still requires the user to upload files to the server, as usual in more complex installations.
5. One Click SSL
The aptly named One Click SSL plugin promises to redirect all non-SSL pages to SSL while ensuring that resources loaded over SSL as well.
One neat feature is the check, during the setup wizard, to see if SSL is supported on the hosting/server. This prevents the site from becoming inaccessible should if SSL is not supported for any reason.
Its simplicity is also the downside: compared to other options, this SSL plugin is barebones.
6. Verve SSL
Verve SSL stands out for allowing you to apply SSL during the logged in period only.
The installation is smooth, and, as bonus, no changes to WP-Config.php are required.
As a downside, there have been reports of conflict with WooCommerce.
7. WC SSL Seal
Focused on WooCommerce, WC SSL Seal can be a great asset if your website uses the eCommerce plugin. Note, however, that this plugin’s feature is showing a “secure seal” only, not implementing the SSL.
Security is particularly important if users perform transactions within your site, so taking the extra step of showing customers you care can be beneficial.