How to Install an SSL Certificate on WordPress
SSL certificates are essential for any website online. When it released Chrome 62, Google began punishing insecure websites using HTTP with a “not secure” label in the address bar on any webpage that has text entry.
In this guide on how to install a SSL certificate on WordPress, we’re going to help you sidestep that problem using the world’s most popular content management system. We’ll run through what a SSL certificate is, how to choose the right one for you and how to configure it for your website.
The simplest method of installing a SSL certificate on WordPress is to use a plugin, so feel free to skip to that section if you want easy mode. The permanent solution is more difficult, though, and requires you to edit core WordPress files. Make sure to read our guides to using WordPress if you’re unfamiliar with doing so.
What Is an SSL Certificate?
SSL stands for “secure sockets layer” and it’s a security protocol used to transmit data across the internet. Essentially, two machines contact each other, agree on an encryption model and open a secure tunnel between them. Afterward, data can be transmitted between the two in an encrypted format.
SSL, as a protocol, is outdated, though. In the early 2000s, it was replaced by TLS, which does the same thing: establish an encryption agreement between two machines. The naming scheme is confusing, so be sure to read our SSL vs. TLS piece if you’re lost.
That’s what the protocol does. A SSL certificate, on the other hand, doesn’t encrypt anything. Certificates are used as a form of verification for websites. For example, your web browser wants to go to CommQueR.com. Your local machine checks for a certificate, finds it and starts the process of opening a tunnel.
Because of that, the name of a SSL certificate is irrelevant, even though SSL isn’t the security protocol used today. The certificate exists solely to verify that your website is legitimate and can be connected to securely.
In short, the protocol deals with encryption and the certificate deals with verification. As long as you have an SSL certificate, it can be used for SSL or TLS. Not all SSL certificates are made equally, though.
Choosing the Right Certificate
Before installing a SSL certificate on WordPress, you’ll need to know which one you should buy. A few of the best cheap web hosting providers include a certificate for free, but it might not be enough, especially if you’re selling online.
There are three types of certificates: domain validated, organization validated and extended validation.
DV certificates are high-risk, meaning your domain has been verified but nothing else. You can generally get them for free, but, with browsers cracking down on encrypted connections, you’ll still get a red lock in Chrome.
The other two are more secure. OV certificates verify that your business is legitimate and use that to show your website is trustworthy. EV is the same, but happens on a continual basis and the verification process is more strict.
OV and EV certificates are much more expensive. If you don’t have text entry on your website, then you’re fine not having a SSL certificate or using a free one through your web hosting provider. If you have so much as a contact form, though, Chrome will display a red lock and potentially a warning to those landing on your website.
Text fields apply to contact forms, payment entry, registration, etc. If you run a blog that has a comment section, for example, Chrome will show a red lock, but won’t display a warning.
You may see “wildcard” SSL certificates floating around while shopping. They don’t change the verification method but verify all the subdomains on a site. If you have “store.domain.com,” for example, a wildcard SSL certificate will protect that area, too.
Where to Buy an SSL Certificate
The best web hosting providers will connect you with a Certificate Authority to purchase a SSL certificate. SiteGround, one of our picks for the best web hosting for WordPress, has three certificate options you can purchase with your web hosting plan (read our SiteGround review).
You can purchase a certificate directly from a CA, too. Comodo, Verisign and GlobalSign are among the top names in the industry. Usually, web hosting providers partner with one of those CAs, even if not explicitly stated, and provide certificates at a discounted rate, so it’s best to go that route.
You’ll need to ask your domain registrar — usually your web host — to install the SSL certificate on your domain. If you’re purchasing the SSL certificate through your domain registrar, it should install it automatically.
After that, you can get to setting it up on your WordPress website.
How to Install an SSL Certificate on WordPress
With your SSL certificate in the bag, let’s see how you go about installing one.
The Easy Way: Use a Plugin
The simple answer to any WordPress problem is “use a plugin.” SSL certificates are no different and you can configure yours using the free Really Simple SSL plugin. Go to “plugins > add new” in the WordPress backend, search for Really Simple SSL and install it.
Once it’s activated, go to “settings > SSL.” You’ll see your current status, including any errors, in the main window. You don’t need to configure anything, the plugin has you covered behind the scenes.
It’s doing a few things. First, and most obvious, it’s checking for a SSL certificate. After it’s verified that you have one, it’ll force WordPress to load HTTPS instead of HTTP, set redirects from HTTP webpages and attempt to correct those still loading with HTTP.
You’ll have to keep the plugin active at all times, though, as deactivating it will cause mixed content errors. Like many plugin solutions, this one has downsides. It may not permanently fix old content and you might see a slight performance impact (read our guide on how to improve website loading times).
The Hard Way: Do It Manually
The hard way is permanent, but it requires you to edit WordPress files and troubleshoot problems that pop up along the way. If you’re not comfortable with doing that, be sure to read the WordPress guides we linked to in the introduction.
Before getting into it, we recommend that you do this on a staged website in case anything goes wrong. It’s also a good idea to use online backup in case you need to roll back any changes. You will need to edit core WordPress files, so a mistake could break your website. Always backup and test your changes before taking them live.
The first step is simple, though. Go to your WordPress backend and follow “settings > general.” Change your WordPress address and site address so they use HTTPS instead of HTTP. For example, your domain would go from “http://www.example.com” to “https://www.example.com.”
Save your changes and WordPress will kick you out. Next, you need to force your site to redirect HTTP traffic to HTTPS. Open an FTP client and find your .htaccess file. It should be in the root directory. If you can’t find it, make sure you allow your FTP client to show hidden files.
Add the following code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
In the unlikely event you’re using nginx servers, you’ll need a different snippet. If you’re not sure which you’re using, contact your web hosting provider. Add the following to your configuration file if you’re using nginx servers:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
Of course, replace “example.com” with your domain name.
Now that WordPress is using HTTPS instead of HTTP, it’s time to force it to use SSL. Open your FTP client and find “wp-config.php.” It’s usually in “public_html.” This file stores your database information and WordPress doesn’t work without it.
Above the line that says “that’s all, stop editing,” add the following code:
define(‘FORCE_SSL_ADMIN’, true);
After that’s done, your website will be forced to use SSL and HTTPS. You’ll still get mixed content errors, though. They come from other elements on your website, such as images and scripts, that are still loading using HTTP.
The issue with mixed content is that it’s so varied. Some images will cause problems while others won’t, and the same goes for scripts. It’s tedious and time-consuming to try to correct it manually, so we’re going to use a plugin.
Install the Better Search Replace plugin. It will go through your WordPress database and update any content served with HTTP to HTTPS. After it’s installed, go to “tools > Better Search Replace” to open the menu.
Enter your old URL, “http://example.com,” in the “search for” field and your new URL, “https://example.com” in the “replace with” field. Select all your tables in the section below to make sure it scans everything.
You can check the “run as a dry run” box to search through your database without updating any files. We recommend doing that first. After you’ve checked, unmark that setting and let the plugin go to work.
After that, you should be good to go. Your website will now load with your certificate and redirect any webpages using the non-secure protocol to the new ones.
Theme and Plugin Mixed Content Errors
You may still have mixed content issues riding on your theme or plugins. You can edit your theme and plugin files to update the any old URLs with the new ones, but we don’t recommend it.
Any theme or plugin following WordPress coding standards won’t show mixed content errors. If you’re getting them, there are likely to be more issues hidden in the codes of those areas.
If your theme or the plugins causing issues aren’t essential, it’s best to replace them. It can be a hassle to reconfigure your website after updating your theme, but it’s less time-consuming than going at it yourself and will probably come with other benefits such as better security and speed.
Final Thoughts
Even if you fancy yourself a techie, there’s no shame in contacting your web hosting support or reaching out to a developer. Configuring WordPress this way is risky and, while our method works, you may have a configuration that we can’t account for.
If you want a web hosting provider that will help you through WordPress specifically, we recommend SiteGround or Kinsta (read our Kinsta review). Both providers have many plans targeted at WordPress with excellent speeds, to boot.
Are there any other WordPress tips you’d like to see? Let us know in the comments and, as always, thanks for reading.
Jacob Roach is a Midwesterner with a love for technology, an odd combination given his corn field-ridden setting. After finishing a degree in English at Southern New Hampshire University, Jacob settled back under the Arch in his hometown of St. Louis, MO, where he now writes about anything tech. His main interests are web technologies and online privacy, though he dips his toes in photography and the occasional card game as well. You can reach him at jacob[at]commquer.com.