Needless to say, because of the sensitive nature of online data, using HTTPS is a necessity especially when using unencrypted networks like Wi-Fi. Since security is essential when using a browser, using https guarantees that user data is protected and the data is also defended from identity theft. For anyone looking to do some serious business online, it is almost mandatory to have SSL. Most customers will be reluctant about using a website that does not have an SSL certificate as they always want to use the website with confidence knowing that they are protected.
If you are looking to switch your WordPress to HTTPS from HTTP and also get an SSL certificate for your website, here is a guide on how to go about it effortlessly.
What is HTTPS?
HTTPS is a web protocol that is secure and is popularly used by the e-commerce websites. It is an encryption method that ideally provides secure transactions for users and the servers. While many people may underestimate the difference between http and https, there is a significant difference between the two. Historically, https connections were primarily used when the sites contained sensitive information, but more and more sites are switching of late because of the acknowledged importance. Since a lot of personal information is shared on a daily basis on different websites, using HTTPS makes it very hard for hackers to access your information.
Google has actively been advocating for HTTPS to website owners. It has even further gone to the extent of rewarding secure URLs with some SEO boost.
Why you need HTTPs and SSL?
Some of the reasons you have to move your WordPress from HTTP to HTTPS regardless of how small you intend your business website or simple blog to be include;
- Security- Google made a big announcement last year on their intention to improve the web security by basically encouraging every website owner to switch from HTTPS to HTTPS. It noted that going forward; Chrome web browser would identify the websites that did not have SSL certificates as “Not Secure.”
- As one of their incentives, they announced that all websites that had SSL would have SEO benefits and get higher rankings. Many websites have since switched because of this.
- Most payment companies like PayPal Pro and Stripe now require one to have a secure connection for payments to be done. This means that if your business is accepting payments online on the eCommerce website then having SSL in mandatory
How HTTPSs and SSL work
Every site on HTTPS is given a unique SSL certificate for identification. When a server pretends to be on HTTPS, but its certificate does not match most browsers especially the modern ones automatically send a warning to the user from connecting to that website.
If one visits an HTTPS website and uses the incognito windows for instance, it is identified with Google as not secure. In addition, if one tries to fill out any contact form on HTTP website on the regular mode, it will also be marked as not safe. This ultimately gives your customers and readers a wrong impression of your business which is something you want to avoid by all costs.
What are some requirements for using HTTPS/SSL on WordPress site?
It is not hard to have SSL on your website as the best WordPress hosting companies offer free SSL certificates to their users. Some of these hosting companies include; SiteGround, Bluehost, Liquid Web. WPEngine and Dreamhost. The other alternative is to purchase the SSL Certificate if it is not being offered for free by your hosting company. Upon purchase, you will have to request your hosting provider to help you install it.
Most people would recommend GoDaddy as your hosting company as it manages more than 76 million domains worldwide. When you purchase a certificate, they also get you a McAfee seal secure seal for the website.
How to Set up WordPress to Use HTTPS and SSL
Once you have purchased your SSL certificate and enabled it on your domain name, you then have to set up WordPress to use HTTPS and SSL protocols.
There are two methods you can follow to achieve that, and they are as below;
-
Use Plugin to setup SSL/HTTPS in WordPress
This is an excellent method as it is more comfortable and is suitable for novice people. The steps include;
- You have to install and then activate the SSL plugin.
- When activation is complete, you will then have to visit the setting-SSL page. The plugin automatically will detect your SSL certificate and will then set your WordPress site up to use the HTTPS. It will appear as below:
The good thing about the plugin is that it takes care of basically everything even the problem of mixed content errors. Behind the scenes plugin does the following;
- It checks your website’s SSL certificate
- It sets WordPress to start using https in URL’s
- It sets up redirects from all HTTP to HTTPS
- It searches for URLs in all your content that is still loading from the insecure HTTP sources and then tries to fix that.
Notably, the plugin uses output buffering technique to attempt to fix any mixed content errors. The downside to this is that sometimes it can have a significant negative impact on performance as ideally; all it is doing is substituting content on the site when the page is being loaded. If you are using a caching plugin, expect the impact to be very minimal as it is only seen on the first page load.
When using this method, it is vital to ensure that you leave the plugin active when using your bowser because deactivating it many bring back the problem of mixed content errors.
-
Setup SSL/HTTPS in WordPress Manually
Although this is a more difficult method than using the plugin, it is a performance optimized method and is a long lasting solution. It is difficult because you will need to manually troubleshoot issues and also edit WordPress theme and code files. For those who find this a bit challenging, there is the option of hiring a WordPress developer or just settling for the first method.
The steps include;
- Go to the settings/general page
- Once there, update the WordPress and the site URL by essentially substituting http with https
- Save the changes you have made
- When the settings have been securely saved, you will be automatically logged out and later be required to log in afresh.
- You will then have to manually setup WordPress redirects from http to https. You will do that by adding the below codes to your htaccess files;
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ (. *) $ https://% {HTTP_HOST} %{REQUEST_URI} [L, R=301]
</IfModule>
.
For those who are on nginx servers, they will need to add the below code in order to redirect http to https in the configuration file successfully;
Server {
listen 80;
server name example.com www.example.com;
return 301 https://example.com$request_uri;
}
You need to put your domain name in place of example.com
You will avoid the error of WordPress HTTPS not functioning if you follow these steps as WordPress will then load your whole website using https. You also need to configure SSL in the wp-config.php file if you forcefully want HTTPS and SSL on your login pages or WordPress admin area.
All you need is to add the below code above the “That’s all, stop editing!” line in the wp-config.php file: define (‘FORCE_SSL_ADMIN,’ true);
This line will also work on WordPress multisite networks.
Finally, your website will be setup to start using HPPTS/SSL once you have followed the steps above to the latter. However, getting mixed content errors will still happen. The errors are primarily brought about by sources like scripts, images, and stylesheets that are using the insecure HTTPS protocol in the URLs to keep loading them. If this happens, you will barely see a secure padlock icon on the website’s address bar. For many browsers currently, they automatically block the unsafe resources and scripts. If you are using them, you are likely to see the padlock icon. However, there will be a notification on the browser’s address bar.
You can use the inspect tool to know the content that is served through an insecure protocol. The mixed content error will then be shown on your screen as a warning to you in the console. It will have more exceptional details for each combined content item.
How to fix Mixed Content Error on your SSL Website
Basically, Mixed Content Error is very common and occurs when a certain site does not fully secure all its content or fully protect the content. It mainly happens when a webpage has a combination of both non-secure (HTTP) and secure (HTTPS) content and is delivered over SSL to the said browser.
Although fixing this particular problem can be quite time consuming, it is a very important task.
How to Fix Mixed Content Errors in WordPress Theme
WordPress theme is a prevalent cause of a mixed content error. This, however, will not happen if the WordPress theme being used strictly follows the coding standards.
To fix this, you will have to;
First, use your browser’s Inspect tool to get the resources and also know where they are loading from
Find them in your WordPress theme and then replace them with https
Note that this can be challenging especially for beginners as they can barely see which theme files contains the URLs
How to fix Mixed Content in WordPress Database
As already established, most of the URLs that are not correct will be embeds, files, images and the other data that is stored in the WordPress database.
To fix this, you simply need to identify all the mentions from the previous website URL that initially began with http then replace those with the current website URL which now begins with https.
The easiest way to achieve this is by;
Installing and then activating the Better Search Replace plugin.
After activation visit the tools and Better Search Replace page. Here, add your website’s URL with http under the search
Under the replace field, Add the website’s URP with https
You will see your database tables, and you will need to select all the tables and run a thorough check
Uncheck the box that is next to ‘run as dry run’ option and click on run search/Replace button
The plugin will search your database for URLs that are starting with http when you are done, and it will replace them with https URLs that are more secure. Ideally, this process could take some time depending on how big or small your database size is.
.
How to fix Mixed Content Errors Cause by Plugins
WordPress plugins will load some mixed content resources. However, if you are using a WordPress plugin that strictly follows the coding standards, then there will not be any mix of content errors.
Editing WordPress plugin files is highly discouraged. You should contact the plugin author in case of anything make them aware. In case they are not in a position to fix the problem, or they are unresponsive then you have to find another suitable solution.
In the event that you still encounter the mixed content error, it is recommended that you use the Simple SSL plugin temporarily. This is so that your users are not affected while you work on fixing the issue.
Finally, submit your HTTPS site to Google Search Console
After you have moved from http to https let Google be aware so that you avoid any problems to do with SEO. All you need is go to your Google search console account and then click the button that reads ‘Add a property.’ Once you have done this, you will get a pop up where you will put the website’s new https address.
Once you have added the address to the popup, you will need to verify that you are the owner of the website to Google. There are many ways to prove ownership and all you need to do is select a method, there will be instructions to follow to verify your website.
Finally, when you get your site verified, you will start receiving search console reports for your website by Google. You have to ensure that the http and https versions have been included in your search console. With both versions, go to http version in the Google Search Console and then click on the settings and select the option of ‘Change of Site Address.’
Once that is done, Google will select your new site automatically in the field below, and if it doesn’t then, you will have to select the https version and submit the change of address request.
This will send the message to Google that https version should be treated as your primary version. Google then transfers the website’s entire search ranking to https version, and you will start to see your search ranking.
Conclusion
After all, is said and done, changing your WordPress to https is inevitable given what is at stake especially on the security of your data. There are also many advantages of having https, and the process is also fairly simple especially for people who are doing this for the very first time.