How to enable SSL on your WordPress website and move from http to https

A customer has recently asked how he can enable SSL on his WordPress website. This article had been created to provide a detailed step by step guide on how to configure a WordPress site to always use secure (SSL) connections.

It is assumed that you already have a valid, functioning SSL certificate installed on your web site or you have the autoSSL running on your account. If you are a Todhost customer, you should have the autoSSL enabled for your account. This means that both HTTP and HTTPS will work for your site. To make sure that your visitors always use HTTPS, we recommend the following steps.

 

Further reading:


How to Fix the ERR_CONNECTION_TIMED_OUT Error in WordPress

What you should know about optimizing your WordPress website for speed

WordPress Search Engine Optimization Tutorial

Basic Guide to WordPress Security

How to Fix a Hacked WordPress Website

How to Improve the Security of your WordPress Website

How to Secure a WordPress Website

Top 5 Security Issues with WordPress and How to Fix Them

WordPress Security Plugins

 

Enabling SSL for WordPress

 

Method #1: Use the WordPress administration interface
Method #2: Use phpMyAdmin
Methohd #3: Use a WordPress plugin


To enable SSL for WordPress, you must update two URL settings. To do this, use one of the following methods:

  • Use the WordPress administration interface.
  • Use phpMyAdmin to update the database directly. You may need to use this method if you are unable to access the WordPress administration interface.

 

Further reading:

How to create a simple portfolio website with WordPress

How to create and manage a page in WordPress

How to enable and disable pingbacks and trackbacks in WordPress

How to safely disable the WordPress automatic update feature

How to update your WordPress installation

The Many Uses to Which You Can Put Your WordPress Website

7 Security Tips for a WordPress Website

WordPress Website Speed Optimization Tutorial

WordPress image optimization tutorial

Automatic Update in WordPress

 

Method #1: Use the WordPress administration interface

 

To use the administration interface to update the WordPress URL settings, follow these steps:

1. Log in to WordPress as the administrator.
2. On the left-hand menu, click Settings, and then click General.
3. Under General Settings, in the WordPress Address (URL) text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
4. Make sure you type the correct URL, or your WordPress installation will be inaccessible.
5. Make sure the URL begins with https://.
6. Make sure the URL does not end with a forward slash (/).
7. In the Site Address (URL) text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
8. As in step 3, make sure you type the correct URL, or your WordPress installation will be inaccessible.
9. Make sure the URL begins with https://.
10 Make sure the URL does not end with a forward slash (/).
11. Click Save Changes.

 

Method #2: Use phpMyAdmin

 

To use phpMyAdmin to update the WordPress URL settings, follow these steps:

  1. Log in to cPanel. If you do not know how to log in to your cPanel account, please see this article.
  2. In the Databases section of the cPanel home screen, click phpMyAdmin.
  3. In the left-hand pane of phpMyAdmin, click the WordPress database. A list of tables in the database appears. Typically, the WordPress database is username_wpXXX, where username represents your cPanel username, and XXX is a three-digit number.
  4. Under the Table heading, click the wp_options table. A list of data rows appears.
  5. Under the option_name heading, locate siteurl, and then click Edit.
  6. In the option_value text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name. Make sure you type the correct URL, or your WordPress installation will be inaccessible. Make sure the URL begins with https://. Make sure the URL does not end with a forward slash (/).
  7. Click Go. phpMyAdmin saves the changes in the table.
  8. Under the option_name heading, locate home, and then click Edit. You may have to scroll through more than one page of data in the wp_options table to locate the home row. To do this, click the > icon, or you can click Show all to view all of the table's rows simultaneously.
  9. In the option_value text box, replace the current URL with the secure URL. For example, type https://www.example.com, where example.com represents your domain name.
  10. As in step 6, make sure you type the correct URL, or your WordPress installation will be inaccessible. Make sure the URL begins with http://. Make sure the URL does not end with a forward slash (/).
  11. Click Go. phpMyAdmin saves the changes in the table. WordPress should now use the secure https:// URL.

 

Method #3: Use a WordPress Plugin

 

To make sure that your visitors always use HTTPS, we recommend installing a plugin called Really Simple SSL. In this guide we show you how to do this.

Step 1 - Log into WordPress and go to Plugins

Log into your WordPress dashboard and click Plugins in the menu to the left.
Click Add New at the top of your screen.

Go to Plugins in your WordPress admin and click Add New

Step 2 - Install the Really Simple SSL plugin

Type in Really Simple SSL in the search field.
Click Install now to install the plugin.

Install the plugin Really Simple SSL

Step 3 - Activate the plugin

Click Go ahead, activate SSL! to activate the plugin and start serving your WordPress site via https.

Note: If you get an error that SSL has not been detected, please contact our support to check if SSL is properly enabled for your domain.

Click the button to activate SSL

Step 4 - Done!

All done! Open your site in your browser and check if you see the secured padlock.

Your WordPress website now shows in https.

 

Why SSL is Important

 

Enabling SSL on your website is no longer an option. As Google roles out its Chrome update which mark sites that do not have SSL enabled as "unsecure", enabling SLL is now a must as not doing so could hurt your website reputation and business.

Taking advantage of Todhost's Free SSL is easy. Enabling (or forcing) the SSL will give your domain an "HTTPS://" prefix, which ensures your website will be labeled as "secure" in most web browsers.

The Free SSL will be automatically added to every domain for new and existing cPanel platform customers..

The Free SSL lasts for 90 days from issuance and renews automatically at no cost to you so your site hosted with Todhost should never be without an SSL.

New customers will be automatically added to the free SSL upon account sign-up.
Note: The free SSL will not come with any warranty or site logo. For these features, the free SSL must be upgraded to a Positive or EV SSL Certificate.

 

Step by Step Guide for Enabling your Free SSL

 

If you have a website hosted and pointed to a Todhost hosting package, your SSL should be ready to use and can proceed to the next step to direct your customers to HTTPS. If your domain name is managed by another provider, you will need to ensure that an A record has been created for your domain that is associated with your Todhost package via your domain provider's dashboard. Otherwise, you will be unable to use the Free SSL.

The Free SSL does not automatically force HTTPS onto the domain and will need to be manually updated. This can be completed via updating the .htaccess to force HTTPS on every page.

Navigate to your website to test the SSL certificate. If you are redirected to the secure HTTPS:// version of your site, the SSL certificate is working properly. If you don't see the HTTPS:// prefix, please see the guide below.

Add the following code to your .htaccess file:

Scroll down to find RewriteEngine On and insert the following lines of code below it:

  1. RewriteEngine On
  2. RewriteCond %{HTTPS} off
  3. RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Further reading:

How to Schedule Blog Posts in WordPress

How to modify search features of your WordPress website

Changing your WordPress website location

Configuring the basic settings in your WordPress website

How to Backup Your WordPress Website Automaticaly Using Backup Plugins

How to Backup and Restore the backup of a WordPress Website

How to Create Redirects in WordPress

How to Install and Setup Your Premium WordPress Theme

How to Keep Your WordPress Website Updated

How to Manage 403 Forbidden Error in WordPress

How to Optimize and Speed Up Your WordPress Website

How to Remove the "Powered by WordPress" Footer Link

How to control new user registration in WordPress

 

Benefits of Using SSL

 

Many webmasters operate under the false assumption that SSL/TLS only offers benefits to sites that process sensitive information like credit cards or banking details. And while SSL/TLS certainly is essential to those sites, its benefits are by no means limited to those areas.

One of the main benefits of SSL/TLS is encryption. Whenever you or your users enter information at your site, that data passes through multiple touchpoints before it reaches its final destination. Without SSL/TLS, this data gets sent as plain text and malicious actors can eavesdrop or alter this data. SSL/TLS offers point-to-point protection to ensure that the data is secure during transport. Even a WordPress login page should be encrypted!

Another key benefit is authentication. A working SSL/TLS connection ensures that data is being sent to and received from the correct server, rather than a malicious “man in the middle.” That is, it helps to prevent malicious actors from falsely impersonating a site.

The third core benefit of SSL/TLS is data integrity. SSL/TLS connections ensure that there’s no loss or alteration of data during transport by including a message authentication code, or MAC. This ensures that the data that gets sent is received without any changes or malicious alterations.

Beyond encryption, authenticity, and integrity, there are also other less technical benefits like:

 

Google Says Its a Ranking Signal

 

Using the https protocol is now a ranking signal according to Google, the search engine guru. In Google's words, below is an overwhelming reason to switch to https by enabling SSL on your website.

Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.

Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.

We want to go even further. At Google, a few months ago, we called for “HTTPS everywhere” on the web.

We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.

For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In the coming weeks, we’ll publish detailed best practices (it's in our help center now) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.

If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums.

We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to Keep Your WordPress Website Updated

Updating your WordPress website is good for its security, content and data integrity and also for...

How to Install and Setup Your Premium WordPress Theme

WordPress is an excellent web development tool and still remains the most popular content...

How to create and manage a page in WordPress

Creating pages in WordPressCreating individual pages in WordPress is quite similar to writing a...

WordPress Search Engine Optimization Tutorial

Wikipedia defines Search engine optimization (SEO) as the process of affecting the online...

How to Secure a WordPress Website

How to Secure WordPress with Unique Admin UsernameMost applications use "admin" as username and...