How to Install a WordPress SSL Certificate

wordpress-ssl

Because Google Chrome started marking websites without SSL as "insecure", you may want to upgrade and add an SSL certificate to your WordPress website.

In addition, installing SSL for WordPress will lead to better SEO and rankings in Google searches so that you can draw more traffic to your site.

Thankfully, doing all of that is very simple. Here is how to install SSL certificate on WordPress:

  • Step 1: Obtain an SSL from your host
  • Step 2: Update your WordPress and Site URLs
  • Step 3: Edit your '.htaccess' file
  • Step 4: Edit your 'wp-config.php' file
  • Step 5: Fix HTTP content errors in your files, themes, and plugins
  • Step 6: Add your HTTPS site to Google Search Console

Step 1: Obtain an SSL from Your Host

Chances are, you already have a free SSL certificate for WordPress from your domain host that you can use to migrate your WordPress site to HTTPS.

Most major hosting companies now offer SSL certificates free for all users. So contact your host - you might be eligible for one!

However, if you need to purchase an SSL certificate, you can do so through either your current hosting provider. It can also provide you with free options, such as a Let's Encrypt SSL certificate.

Step 2: Update Your WordPress And Site URLs

The first step in adding an SSL certificate to your WordPress site and migrating it to HTTPS is to redirect the URLs for your WordPress database and website.

To do this, visit 'Settings > General' from the dashboard. In the 'WordPress Address (URL)' and 'Site Address (URL)' boxes, manually change the 'http://' at the beginning of each address to 'https://'. Make sure to click 'Save Changes' at the bottom of the window, after which point you’ll need to log back into WordPress.

WordPress SSL Settings

Step 3: Edit Your '.htaccess' File

Next, you need to force WordPress to load your entire website in HTTPS by adding a snippet of code to your '.htaccess' file.

Typically, the '.htaccess' file for your site can be found in the root directory of your site when you log in to your WordPress site using an FTP client. For more information about how to find your '.htaccess' file, see our WordPress htaccess tutorial on how to do that.

Once you have your '.htaccess' file open in a text editor, add the following code to the bottom of the file:

IfModule mod_rewrite.c
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If your WordPress site is hosted on a Nginx server (this only applies to a handful of users - won't apply to most of the people reading!), then you will need to add the following code instead. Replace 'example.com' with your own website name:

server {
listen 80;
server_name example.com www.example.com
return 301 https://example.com$request_uri;
}

Step 4: Edit Your 'wp-config.php' File

In order to force WordPress to use your SSL certificate when you log into your dashboard, you’ll also need to add some code to the 'wp-config.php file'. The 'wp-config.php' file is normally found alongside the '.htaccess' file in the root directory of your website and can be downloaded for editing with an FTP client.

Open the 'wp-config.php' file in a text editor and add the following code just above the line that says, 'That’s all, stop editing!':

define('FORCE_SSL_ADMIN', true);

Step 5: Fix HTTP Content Errors in Your Files, Themes, And Plugins

WordPress SSL mixed errorAt this point, you have successfully added an SSL certificate to your WordPress site.

And migrated your site from HTTP to HTTPS.

However, you are likely to continue to receive warnings from your browser that not all information on your site is secure.

The browser may not load all of the content on your site correctly depending on the security plugins you have installed.

The reason for this is that many of the files, themes, and plugins your site is using are still loading using the insecure HTTP protocol without checking the newly added SSL certificate. This is known as a mixed content error.

Correcting Mixed Content Errors in File Links

The first pieces of content you need to update will be your database of links connected to files, images, embeds, and other similar data. To do this, you simply need to change the 'http://' address of every content item to your new 'https://' address.

Thankfully, there are plugins available to make these updates to every file in your database automatically, such as Better Search Replace, CM On-Demand Search And Replace, and Search & Replace. To illustrate this process, I'll use the Better Search Replace plugin as an example, but the process is similar regardless of which plugin you choose.

In the 'Search for' field, put your old website address: 'http://example.com'. In the 'Replace with' field, put 'https://example.com'. Remember to replace example.com with your website’s name.

Below that, the 'Select tables' window will display all of the folders where your WordPress database holds files.

Select all of the folders and uncheck the 'Run as dry run?' box at the bottom. Then click 'Run Search/Replace' to start the address updates. Depending on the size of your site, this may take a few minutes.

WordPress SSL better search replace

Correcting Mixed Content Errors in WordPress Themes

Theme files that are causing mixed content errors can be more difficult to fix, but thankfully most well-designed WordPress themes will work fluently with HTTPS protocol. If you do need to update 'http://' addresses in your theme files, you’ll need to do so manually.

Use your browser’s code inspection tool to view which theme files are causing mixed content errors. You’ll then need to go through the code of your WordPress theme to find the links to these files and change the 'http://' addresses to 'https://'.

Correcting Mixed Content Errors in Plugins

Any plugin that is coded up to WordPress’s coding standard should not cause mixed content errors when you add an SSL certificate to your WordPress site. However, if an error does occur, it is best not to attempt to edit the code of the plugin yourself.

Instead, contact the plugin’s developer to let them know about the issue and ask if they can release an HTTPS-ready version of the plugin. If this is unsuccessful, you may need to find an alternative plugin.

Step 6: Add Your HTTPS Site to Search Engines

Search engines such as Google think that your HTTP and HTTPS website addresses represent two different websites. That means you need to add your HTTPS address to search engines to avoid any SEO issues.

I'll illustrate how to do this in Google Search Console as an example. Login to your Google Search Console and click 'Add A Property'. In the pop-up window, select 'Website' from the drop-down menu and type in the new 'https://example.com' address of your website. Google will then offer you several methods to verify your website.

WordPress SSL google search console

Do not delete the HTTP address from your Google Search Console. When both the HTTP and HTTPS addresses are listed, Google and other search engines will automatically set the HTTPS address as the primary website and will transfer your search rankings to the more secure version of your website.

Using a Plugin to Obtain a WordPress SSL Certificate (Alternative Method)

The method described above for adding an SSL certificate to WordPress is preferred because it is permanent and optimized for loading performance.

However, you can also add an SSL certificate using the Really Simple SSL or WordPress HTTPS (SSL) plugins. These and similar plugins automatically detect your SSL certificate upon activation and attempt to automatically fix any mixed content errors they detect.

There are several downsides to using plugins, though. Plugins attempt to fix mixed content errors by updating links as the page loads, which can significantly slow down page loading times. In addition, you’ll need to leave the plugin active at all times or mixed content errors will reappear.

SSL for WordPress: Final Thoughts

Converting your WordPress website from HTTP to HTTPS protocol by adding an SSL certificate is increasingly important since major browsers are starting to flag HTTP as "unsafe content" to potential site visitors.

Thankfully, most domain providers offer a free SSL certificate with your site and converting your site to use the SSL certificate is relatively straightforward.

If you found this guide helpful or have another favorite method for fixing mixed content errors, please let me know in the comments below!

An experienced content professional with a creative mind. If I'm not writing, you can probably find me in the backyard playing with dogs or at some weird art show.

Leave a Comment

Get new blog posts by email: