WordPress is inevitably targeted by a large number of hackers and spammers. As the need for security grows day by day, keeping your WordPress site secure has become imperative. One of the best measures you can take is to serve your site over HTTPS. WordPress sites served over HTTPS are a lot more secure than basic HTTP sites.
In this article, we discuss the reasons to move your WordPress site to HTTPS and the different techniques for doing it effectively.
Reasons to Use HTTPS for WordPress
Before looking at the tips for moving WordPress to HTTPS, it is important to have a clear idea of what HTTPS is. HTTPS stands for Hypertext Transfer Protocol Secure, and it is the result of running the Hypertext Transfer Protocol (HTTP) over the SSL protocol. In simpler words, it is a technique for adding more security to standard HTTP links.
HTTPS prevents wiretapping and man-in-the-middle attacks on your website. The need for HTTPS arises specifically on unencrypted networks, where any person on the same network can access sensitive information about your WordPress site. By upgrading from HTTP to HTTPS, you secure your WordPress site and gain the confidence of your audience, visitors or customers.
In fact, visitors like to do business with websites that have an SSL certificate because it assures them that the website is protected and the risk of fraud is negligible. Overall, moving your WordPress site to HTTPS is the most effective way to protect the data presented on your website and to reduce the risk of identity theft.
At present, the majority of popular sites use HTTPS in order to provide a safe and secure environment for prospective customers. PayPal.com is an example of this kind of website, where you can find the SSL verification confirming that the website you're using is not fraudulent.
Preparation – Have an SSL Certificate
Firstly, make sure that you have an SSL certificate. Generally, you can purchase one from your hosting provider at a price ranging from dozens of dollars to hundreds of dollars. Or, you can order one from SSL providers like GlobeSSL and SSL Shopper.
Note that what we are talking about here is a private SSL certificate, not a shared one.
- Shared SSL – You can start a secure online connection with HTTPS. However, you are not allowed to use your own domain, only the one offered by your web host. If you insist on using your own domain name, this certificate may not work, or your readers may encounter a security warning message.
- Private SSL – The private one safeguards your own domain, not the domain of your hosting provider.
Secondly, you have to ensure that you have a dedicated IP address. Generally, the purchase of a dedicated IP can be added to the order form automatically when you buy the SSL certificate from your web host. However, the process of switching to a dedicated IP requires around 5 hours, so you need to wait until the switch is finished.
Install SSL Certificate
Different web hosts may have different installation processes for SSL, but generally, the process includes requesting a CSR, sending the CSR and RSA Key to the certificate provider and submitting the RSA Private Key.
In the following, we take HostGator as an example to show you how to install SSL on its shared web hosting package.
- Step 1 – Fill in the Certificate Signing Request form at this page.
- Step 2 – Get the CSR feedback from HostGator and save it.
- Step 3 – Purchase an SSL certificate and send the CSR feedback to the certificate provider.
- Step 4 – Get the authorized certificate and a private CA Bundle from the SSL provider.
- Step 5 – Fill in this form using the information you obtained earlier and submit it.
- Step 6 – Pay for the installation.
If you find it time-consuming to handle all of these steps on your own, you can simply ask your web host to provide and install SSL for you. Just check the following three hosting companies that offer such a convenient service.
Set Up WordPress for the Utilization of SSL
Now, you can set up your WordPress site to use the SSL certificate. Here, we highly recommend using the WordPress HTTPS (SSL) plugin. After installing it, click the HTTPS tab in your backend admin to configure the SSL settings.
In the General Settings page, you need to enter all the information required to set up your SSL successfully.
- SSL Host – Enter your domain name.
- Port – By default, it is TCP 443. Or, you can ask your web host for the port number.
- Force SSL Administration – Tick the option for the security of your login page and admin page.
- Force SSL Exclusively – If you want to force all the webpages on your site to HTTPS, do not tick this box.
- Remove Unsecure Elements – If you can make sure that everything on your site, especially your templates and plugins, is accessible over HTTPS, you should enable this function.
The remaining options, including debugging mode, enabling a proxy and deciding the admin menu location, should be set based on your needs. Then, click the Save Settings button.
Here, we want to say more about the “Force SSL Exclusively” option. Personally, we do not recommend enabling this function. Security concerns aside, forcing SSL on every webpage also benefits your site's SEO.
As announced by the Google Webmaster Central Blog on August 6, 2014, this major search engine gives more ranking benefits to sites that use HTTPS. For this reason, converting all your HTTP links to HTTPS ones needs to be taken into account.
Also, if you have several sub-domains or add-on domains, you should use the Domain Mapping function of this plugin. Otherwise, your readers may encounter a security warning like the pop-up box shown below, which ends up driving them away from you.
Security Warning Message
Besides, if you do not want your entire site to be accessed using HTTPS, you should tick the Force SSL Exclusively option in the General Settings. You will then find a special box on the editing screen of your webpage. In the following example, we simply set the admin menu location to the sidebar.
Thus, when editing any webpage of your site, you can decide whether to force it to HTTPS by ticking the box.
Finally, you need to go back to the General Settings of your dashboard and check whether the WordPress Address and Site Address are HTTPS links. If not, you should change them manually and save the settings.