How to Install SSL Certificate and HTTPS in WordPress

What is SSL and why do I need it on my website?

SSL (secure sockets layer) is the standard security technology for establishing an encrypted link between a web server (web hosting account) and a browser (your website). This link ensures that all data passed between the web server and browsers remain private and integral. This is particularly important for forms to encrypt the information the site visitor is entering in the form as it passes to the server.

To establish an SSL link, you need to install an SSL certificate on your website and then change all the URLs on your website to use https instead of http. When the SSL certificate is installed correctly and all the URLs use https, users will see a lock icon in their browser URL field indicating that the site is secure.

SSL as a Ranking Factor

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode. According to Search Engine Land, we may see 70% of page one results on the Search Engine Results Page going to sites using https by the end of 2017.

All site owners should prioritize installing SSL on their sites as soon as possible, particularly if they have web forms. The process takes about one hour start to finish, mostly to allow for time to double-check everything, contact your web host if needed, fix insecure content, and make changes in Google Analytics and Google Search Console. It’s definitely a process, and you will want to do this when you have a clear head, a clear plate, and not a lot of traffic going to the site.

How do I install SSL on my WordPress website?

Step 1 – Purchase and install an SSL certificate

Many hosts are now offering free Let’s Encrypt SSL certificates or other options via your web hosting control panel. Login to your web hosting control panel and search for SSL. You should be given several options to choose from. WP Engine, Get Flywheel, Blue Host, and many other web hosts offer free SSL. Host Gator will allow you to install a free Let’s Encrypt SSL certificate but it requires contacting their support and must be renewed manually every three months, so I would opt for their $39 license instead.

Be sure to install the SSL certificate on both the www and non-www versions of your site. This is very important to keep your Google page rank after switching to SSL even if you never used the non-www or www with your site in the past. You’ll want to make sure that all URLs resolve to your primary URL using the https, for example:

Should all redirect to
https://askwpgirl.com
OR
https://askwpgirl.com
Depending on what your preferred domain is.

You should never see your site under two different domains as that will cause a duplicate content penalty from Google.

Also, be aware that if you have older domains or parked domains that you need to redirect to your primary domain, you may want to install SSL on those as well as Google may index the old domain with SSL and the 301 redirect does not take place until AFTER the https check is done.

Domain issues with getting SSL installed:

Here are a few challenges I’ve faced:

1 – I had a client on Blue Host for whom the SSL was not able to be verified by Comodo. I was on the phone with Blue Host a few times amounting to about 2 hours of my time to finally get it all worked out. Blue Host’s SSL process involves adding some CNAME records to your DNS Zone File which allows Comodo to verify that this domain resides at this web host. However, this client’s zone records were never propagating to the web, so Comodo couldn’t verify the domain. Comodo needed to send an email to an address that didn’t exist (webmaster@) to get the domain verified. I set up the email for my client, then Comodo was able to verify ownership when I received that email.

2 – At iPower web hosting, you have to first purchase the SSL certificate, then go back to the SSL area in the control panel and tell iPower which domain to apply the certificate to.

3 – At Host Gator, I had a client who has two domains for which we needed to install the SSL (a current domain and an older domain that was pointing to the new domain). However, according to their support team, “When a new SSL is installed to your server it will remove the SSL for your other domains on your cPanel. Our developers are working on a fix at this time, however in the mean time we will need to manually reinstall all of your SSLs each time you order a new SSL.” I only got to this answer after chatting with their support staff many times over the course of a week.

Another issue with this client is that their primary domain was their old domain. This also added an extra layer of complexity. Ideally, you never want to point a primary domain to other domains. So, we made his new domain name the primary domain name and added the old domain as an addon domain to get the SSL installed properly on it. (See the htaccess rule below I used to make sure the SSL redirects work to point the addon or parked domain to the one site.)

4 – On GoDaddy, a client had their domain forwarding to WP Engine using a domain forwarder at GoDaddy instead of an A Record. This created some difficulty getting the domain’s SSL installed at WP Engine. I removed the forwarder and set the A Record and CNAME at GoDaddy to point to the client’s WP Engine account, then added this domain at WP Engine and got the SSL installed on it.

These are all random examples of issues you can face in getting SSL installed. My general advice is to get your domain situation cleaned up and not have any forwarders placed on domains for which you want to install SSL. You can edit the .htaccess file on the server after the SSL certificates are installed to do whatever redirects you need to do on the domains. WP Engine handles redirects quite well via their client portal, so there is no need to edit the .htaccess file for domain redirects.

Check the status of your SSL installation here: https://www.sslchecker.com/sslchecker

Step 2 – Change your WordPress General Settings to use https

The installation of the SSL certificate can take up to a few hours or days. It typically takes a couple hours or less. You can check the status of the installation in your web host’s control panel or simply visit the site using https. If the site displays fine using https, then your certificate is installed. If the site displays the warning that the certificate is not valid, then the SSL is not yet installed. If the process takes more than a day or two, contact your web host directly to find out what the hold up might be.

Blue Host’s SSL installation is typically very smooth. The smoothest and easiest I’ve encountered so far. When I went to visit the sites, the WordPress General Settings were already set and all the URLs seemed to be using SSL.

At WP Engine, you need to login to your client portal after the SSL is successfully installed and go to the SSL section and set the following:

For all websites regardless of host, you will want to also do/check the following:

1 – Login to your WordPress Dashboard.

2 – Go to Settings > General.

3 – Change the two URLs in the General Settings to use https, like this:

4 – Click Save Changes.

You will be kicked out of the WordPress Dashboard and need to re-login.

If these fields are greyed out, then the URLs are set in the wp-config.php file which you can edit using the File Manager on your web host’s control panel or via FTP. Set both the URLs to use https.

Step 3 – Rewrite URLs using the Better Search and Replace Plugin

Before doing this step, I highly recommend you backup your database just in case you make a mistake. You want to be very mindful in rewriting URLs.

Next, you will want to rewrite your site’s URLs to all use https for your images, media files, and internal hyperlinks. To easily and quickly do this:

1 – Go to Plugins > Add New.

2 – Search for the Better Search and Replace plugin and install and activate it:

3 – After the plugin is activated, go to Tools > Better Search Replace.

4 – Search for your site URL with the http and replace the URL with https. Select the wp_options, wp_postmeta, and wp_posts tables, then run the search and replace. Be sure to uncheck Dry Run so it actually runs.

Step 4 – Check for the green lock icon in the browser.

If all goes well with the above two steps, the site should show a lock icon when you visit it from different browsers:

Chrome Lock Icon
Safari lock icon

Step 5 – Resolve Mixed Content issues.

If any pages come up with the lock open (not secure):

1 – Right-click (ctrl+click Mac OS) on any part of the page and choose Inspect from the contextual menu. (This works best in Firefox and Chrome).

2 – Click the Console tab in the Inspector, and scroll through the Console to find any messages about “mixed content” like this:

In the example above, the mixed content is coming from the Revolution Slider slider that the person has on their home page. You may find similar mixed content being delivered via options set for the theme, sliders, visual layout builders, widgets (particularly text widgets), and other plugins. These are often not caught by the Better Search and Replace above.

You will need to manually edit these URLs in the plugin, theme settings, stylesheet, or widget area.

Tip: You can install the Really Simple SSL plugin to handle any sites that are being challenging to get to show the lock icon. In general, I do not like to use force SSL plugins if I can help it, and WP Engine is already doing this for you, so you don’t need to do it. On other hosts that aren’t managing rewrites of http to https for you, the Really Simple SSL plugin is very helpful and can save a lot of aggravation and time in finding and replacing mixed content: https://wordpress.org/plugins/really-simple-ssl/

Step 6 – Clear website, hosting, and browser cache.

To avoid troubleshooting mixed content issues that don’t exist, be sure to completely flush any cache that the web host might provide. For example, at Site Ground and Get Flywheel, you will want to login and flush the cache completely from the control panel. At WP Engine, you can go to your WordPress dashboard’s WP Engine section and flush the object cache.

Also, flush your browser cache and any other caching plugins you might have installed.

Then return to Step 5 to check for mixed content.

How do I inform Google of my change to https?

Step 1 – Change site to use HTTPs in Google Analytics settings.

1 – Login to your Google Analytics account.

2 – Click the Gear icon in the lower-left column.

(Six months from now this may be in the upper-right, lower-right, upper-left corner of the page. As soon as I publish something, Google moves this around. So, just look for the gear icon or some sort of Admin link.)

3 – Click on the Property Settings and change the Default  URL to use https:// as shown below.

Click Save to save this change.

4 – Return to the admin page and click the View Settings and make the same change there and click Save.

This will not impact any previous analytics data but will allow Google Analytics to now track https URLs from this time forward.

Step 2 – Add the site with https to Google Search Console.

You should have already had your site added to Google Search Console using http for the URLs. If not, you will want to add your domain with http both the non-www and www and with https both the non-www and the www to Search Console. For instructions on this process, please see: Submitting Your WordPress Site to Google Search Console.

Step 3 – Submit Domain Name Change to Google.

If you migrate your site from HTTP to HTTPS, Google treats this as a site move with a URL change. This can temporarily affect some of your traffic numbers. See the site move overview page to learn more.

SSL SEO Considerations

Not doing the change to https correctly can greatly effect your SEO. For example, if you fail to install SSL on your www domain while using the non-www, the traffic from the www will not get redirected correctly to the non-www because browsers first check for http status before they do any other Apache redirects.

Be sure to test all the domains that your site can be found under past and present to make sure they redirect correctly to your primary domain.

.htaccess Rules for pointing parked domain to primary domain

If you have a parked domain, you will want to make sure that the http and https for this domain (if Google has indexed the https for it in the past) both point to the primary domain by editing your .htaccess file on the server with these redirects:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^olddomain.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.olddomain.com$
RewriteRule ^(.*)$ https://newdomain.com/$1 [R=301]

Write to me!

Please comment below with any issues are questions you may have on this process. I will improve these instructions as needed to address any common issues people face.

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.

View all posts by Angela Bowman

21 comments on “How to Install SSL Certificate and HTTPS in WordPress

  1. Hello Angela,

    Thank you for your very useful post. Your article makes installing and configuring SSL certificates on WordPress a breeze! Also, I couldn’t help but smile when I looked at your domain name. Greetings from a fellow tech lass!

    – Larryssa

  2. Hi Angela,

    Great detailed article about SSL!. Being a dev team, We faced difficulty in generating Let’s Encrypt SSL certificate several times on an unsupported host and finally developed an easy to use WordPress plugin to generate free SSL certificate – https://wordpress.org/plugins/wp-letsencrypt-ssl/

    As SSL installation on different hosts involves different process, Our main focus is atleast to help with the SSL certificate generation. If you find our plugin worth for non-techy WordPress users, please refer it in this awesome article and I would be very thankful!.

  3. Safari claims the cert is invalid yet Chrome, Firefox and (new) Edge claim it’s valid.
    [It’s one of those Let’s Encrypt SSL certs for WP.]
    What to do now? I can’t expect customers to reset their cache, install a new version of safari, or use a different browser, right?

    BTW, it’s: safari v5.1 on win10, and the redirect is correct (from http to https), along with all embedded URLs.

    Ideas?

  4. Thanks for this great tutorial. Didn’t know about the Better Search and Replace plugin, I will use it. Nowadays the HTTPS in necessary for every website.

  5. admin.
    I have two versions of same website added, http and https, and the results and stats are completely different to these two. For example, https version has 590 incoming links, and the http version has only 5! The current website is on SSL and has https of course, with a redirect from http to https.

    • Hi Mark,

      You should be using the https as your primary source of info and stats since the site is using https. So, what you say makes sense. The https should have all the incoming links, etc. Basically, if everyting is redirecting correctly, then you can ignore the http stats.

  6. At this moment, inside Google Search Console they say that if you change your website address from http to https, it does not require any further action. Amazingly, I have two versions of same website added, http and https, and the results and stats are completely different to these two. For example, https version has 590 incoming links, and the http version has only 5! The current website is on SSL and has https of course, with a redirect from http to https.

    • Hi Budi, That’s wild. I do add all versions of the site to GSC (http://www, https://www, https://, and http://). What I would probably do in your case is to do a search and replace using the Better Search and Replace plugin on the wp_posts table and change all URLs that use http:// to https:// — use the full URL to your domain, of course. You might still have a lot of old content serving up as http. I then only pay attention to the https GSC info. Also, make sure your Google Analytics uses https as well in the settings.

  7. [* Shield plugin marked this comment as “0”. Reason: Human SPAM filter found “oy” in “author_name” *]
    Angela,

    I got the SSL cert and used a wp plugin to get started. I’m at a loss with how to verify w google.
    This morning will be spent following your directions. I don’t have any site developers. It’s just me.

    Thanks for the much needed info! Crossing my fingers.

Leave a Reply

Your email address will not be published. Required fields are marked *