A customer has recently asked how he can enable SSL on his WordPress website. This article had been created to provide a detailed step by step guide on how to configure a WordPress site to always use secure (SSL) connections.
It is assumed that you already have a valid, functioning SSL certificate installed on your web site or you have the autoSSL running on your account. If you are a Todhost customer, you should have the autoSSL enabled for your account. This means that both HTTP and HTTPS will work for your site. To make sure that your visitors always use HTTPS, we recommend the following steps.
Further reading:
How to Fix the ERR_CONNECTION_TIMED_OUT Error in WordPress
What you should know about optimizing your WordPress website for speed
Enabling SSL for WordPress
Method #1: Use the WordPress administration interface
Method #2: Use phpMyAdmin
Methohd #3: Use a WordPress plugin
To enable SSL for WordPress, you must update two URL settings. To do this, use one of the following methods:
- Use the WordPress administration interface.
- Use phpMyAdmin to update the database directly. You may need to use this method if you are unable to access the WordPress administration interface.
Further reading:
7 Security Tips for a WordPress Website
WordPress Website Speed Optimization Tutorial
WordPress image optimization tutorial
Method #1: Use the WordPress administration interface
To use the administration interface to update the WordPress URL settings, follow these steps:
1. Log in to WordPress as the administrator.
2. On the left-hand menu, click Settings, and then click General.
3. Under General Settings, in the WordPress Address (URL) text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
4. Make sure you type the correct URL, or your WordPress installation will be inaccessible.
5. Make sure the URL begins with https://.
6. Make sure the URL does not end with a forward slash (/).
7. In the Site Address (URL) text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
8. As in step 3, make sure you type the correct URL, or your WordPress installation will be inaccessible.
9. Make sure the URL begins with https://.
10 Make sure the URL does not end with a forward slash (/).
11. Click Save Changes.
Method #2: Use phpMyAdmin
To use phpMyAdmin to update the WordPress URL settings, follow these steps:
- Log in to cPanel. If you do not know how to log in to your cPanel account, please see this article.
- In the Databases section of the cPanel home screen, click phpMyAdmin.
- In the left-hand pane of phpMyAdmin, click the WordPress database. A list of tables in the database appears. Typically, the WordPress database is username_wpXXX, where username represents your cPanel username, and XXX is a three-digit number.
- Under the Table heading, click the wp_options table. A list of data rows appears.
- Under the option_name heading, locate siteurl, and then click Edit.
- In the option_value text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name. Make sure you type the correct URL, or your WordPress installation will be inaccessible. Make sure the URL begins with https://. Make sure the URL does not end with a forward slash (/).
- Click Go. phpMyAdmin saves the changes in the table.
- Under the option_name heading, locate home, and then click Edit. You may have to scroll through more than one page of data in the wp_options table to locate the home row. To do this, click the > icon, or you can click Show all to view all of the table's rows simultaneously.
- In the option_value text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
- As in step 6, make sure you type the correct URL, or your WordPress installation will be inaccessible. Make sure the URL begins with http://. Make sure the URL does not end with a forward slash (/).
- Click Go. phpMyAdmin saves the changes in the table. WordPress should now use the secure https:// URL.
Method #3: Use a WordPress Plugin
To make sure that your visitors always use HTTPS, we recommend installing a plugin called Really Simple SSL. In this guide we show you how to do this.
Step 1 - Log into WordPress and go to Plugins
Log into your WordPress dashboard and click Plugins in the menu to the left.
Click Add New at the top of your screen.
Go to Plugins in your WordPress admin and click Add New
Step 2 - Install the Really Simple SSL plugin
Type in Really Simple SSL in the search field.
Click Install now to install the plugin.
Install the plugin Really Simple SSL
Step 3 - Activate the plugin
Click Go ahead, activate SSL! to activate the plugin and start serving your WordPress site via https.
Note: If you get an error that SSL has not been detected, please contact our support to check if SSL is properly enabled for your domain.
Click the button to activate SSL
Step 4 - Done!
All done! Open your site in your browser and check if you see the secured padlock.
Your WordPress website now shows in https.
Why SSL is Important
Enabling SSL on your website is no longer an option. As Google roles out its Chrome update which mark sites that do not have SSL enabled as "unsecure", enabling SLL is now a must as not doing so could hurt your website reputation and business.
Taking advantage of Todhost's Free SSL is easy. Enabling (or forcing) the SSL will give your domain an "HTTPS://" prefix, which ensures your website will be labeled as "secure" in most web browsers.
The Free SSL will be automatically added to every domain for new and existing cPanel platform customers..
The Free SSL lasts for 90 days from issuance and renews automatically at no cost to you so your site hosted with Todhost should never be without an SSL.
New customers will be automatically added to the free SSL upon account sign-up.
Note: The free SSL will not come with any warranty or site logo. For these features, the free SSL must be upgraded to a Positive or EV SSL Certificate.
Step by Step Guide for Enabling your Free SSL
If you have a website hosted and pointed to a Todhost hosting package, your SSL should be ready to use and can proceed to the next step to direct your customers to HTTPS. If your domain name is managed by another provider, you will need to ensure that an A record has been created for your domain that is associated with your Todhost package via your domain provider's dashboard. Otherwise, you will be unable to use the Free SSL.
The Free SSL does not automatically force HTTPS onto the domain and will need to be manually updated. This can be completed via updating the .htaccess to force HTTPS on every page.
Navigate to your website to test the SSL certificate. If you are redirected to the secure HTTPS:// version of your site, the SSL certificate is working properly. If you don't see the HTTPS:// prefix, please see the guide below.
Add the following code to your .htaccess file:
Scroll down to find RewriteEngine On and insert the following lines of code below it:
-
RewriteEngine On
-
RewriteCond %{HTTPS} off
-
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Further reading:
How to Backup and Restore the backup of a WordPress Website
How to Create Redirects in WordPress
How to Install and Setup Your Premium WordPress Theme
Benefits of Using SSL
Many webmasters operate under the false assumption that SSL/TLS only offers benefits to sites that process sensitive information like credit cards or banking details. And while SSL/TLS certainly is essential to those sites, its benefits are by no means limited to those areas.
One of the main benefits of SSL/TLS is encryption. Whenever you or your users enter information at your site, that data passes through multiple touchpoints before it reaches its final destination. Without SSL/TLS, this data gets sent as plain text and malicious actors can eavesdrop or alter this data. SSL/TLS offers point-to-point protection to ensure that the data is secure during transport. Even a WordPress login page should be encrypted!
Another key benefit is authentication. A working SSL/TLS connection ensures that data is being sent to and received from the correct server, rather than a malicious “man in the middle.” That is, it helps to prevent malicious actors from falsely impersonating a site.
The third core benefit of SSL/TLS is data integrity. SSL/TLS connections ensure that there’s no loss or alteration of data during transport by including a message authentication code, or MAC. This ensures that the data that gets sent is received without any changes or malicious alterations.
Beyond encryption, authenticity, and integrity, there are also other less technical benefits like:
Google Says Its a Ranking Signal
Using the https protocol is now a ranking signal according to Google, the search engine guru. In Google's words, below is an overwhelming reason to switch to https by enabling SSL on your website.
Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.
Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.
We want to go even further. At Google, a few months ago, we called for “HTTPS everywhere” on the web.
We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.
For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
In the coming weeks, we’ll publish detailed best practices (it's in our help center now) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Check out our Site move article for more guidelines on how to change your website’s address
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums.
We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!
