How to Use SSL and HTTPS with WordPress

Everyday we give away our personal information on the internet. In the past hour alone I paid off my credit card, bought a book, saved a copy of my friends’ addresses, sent out emails and did some grocery shopping.

Sharing our information is so common now that we don’t think twice about it.

This is where SSL comes in. SSL protects the details we share online, preventing it from getting into the wrong hands.

Using SSL – and in turn HTTPS – to protect your WordPress site and its visitors doesn’t have to be difficult and complicated. In this post we’ll look at what SSL is and how to use it. Let’s break it down.

What is SSL?

SSL (Secure Socket Layer) started out as a method for increasing security between a website and its end user in 1994 by Netscape Communications as they saw the need for this technology increase.

The Internet Engineering Task Force (IETF) logo
The Internet Engineering Task Force (IETF)

SSL was later revised and released for the first time as version 3.0 in 1996, but contained vulnerabilities. It was officially taken over by the Internet Engineering Task Force (IETF) in 1999 and was vastly improved.

At this point, SSL was renamed to TLS (Transport Layer Security), but it’s still widely referred to as SSL or TLS / SSL. Its purpose remains the same to this day and the technology has become the standard for website security.

When Should You Use SSL?

Last year Google announced giving search ranking boosts to sites using SSL. Over time the search engine plans to increase this boost, but in the meantime you’ll only see about a 1% increase, giving everyone a chance to switch over.

Other than that, if your site requires users to log in or provide personal information such as their name, address, credit card details and the like, you need SSL protection. Without it, your user’s information can be easily compromised.

How Does SSL Work?

SSL works by encrypting information passed between a site’s server to the browser rather than having it remain viewable in plain-text, meaning text would be arranged in a seemingly random string of illegible letters and numbers rather than in human-readable words.

To create a secure SSL connection on a website, the site’s owner needs to get an SSL certificate from an issuing company, referred to as a Certificate Authority. Once the service is purchased, the website and company details are given to the authority such as their name, address and phone number.

Some of the details needed to register an SSL certificate including address and phone number
This is some of the information required to register for a basic SSL certificate. Other more secure certificates are more involved.

In turn, the site owner receives a public and private key. The private key shouldn’t be shared with anyone – much like a password – but the public key doesn’t have to remain perfectly hidden.

They are a string of cryptic letters and numbers that distinctly fit together mathematically – like a matching key and lock! They are created by a Secure Hash Algorithm.

The public key is then submitted with your previously entered information to the authority in a file called a Certificate Signing Request.

A public key that looks like a random long block of letters and numbers
Public and private keys are entered into WHM (in this example) to be verified by the Certificate Authority.

The authority verifies the information to make sure it’s accurate – and that you’re not a scammer or hacker – and if everything checks out, the SSL certificate is signed with an SHA.

The actual SSL certificate is then issued. This is the stage where a website is now able to use an SSL-encrypted connection.

When a user visits a protected site, the site’s server matches its SSL certificate with the private key and when it fits together, an encrypted link between the site and its server, and the user and their browser, is created.

What Does an SSL Protected Site Look Like?

The prefix https will appear in front of a URL rather than the default http. You will also notice a green padlock appear in the address field of your browser.

SSL in Google Chrome with a https URL prefix and green padlock
This is what a site with SSL looks like in Google’s Chrome browser. The padlock differs in various browsers.

If a site has chosen to purchase an Extended Validation SSL Certificate, your address bar will be entirely green or will have the company’s name with a green background appear before the URL.

EV SSL Certificates in Safari use a green front for the company name
This is an example of an EV SSL certificate in the Safari browser. The address bar isn’t completely green and the company name does not have a green background like other browsers, but instead, uses a green font.

Extended Validation Certificates typically offer more security and are issued once the company has gone through and passed a more thorough application process. They are asked to provide proof of their physical address and legal operation on top of the standard requirements.

When SSL Stops Working

If an SSL certificate has expired, is self-signed or becomes invalid, the padlock turns red and sometimes has a line through it as well.

An example of a browser warning of an invalid SSL certificate before going to site.
Most browsers will launch a page that warns you of invalid SSL certificates before you continue to an untrusted site.

When the certificate has expired, the site owner simply needs to renew their SSL through their authority and the encryption will be renewed. It’s best not to let them expire at all to keep the security of your site seamless.

You are using a self-signed certificate if you applied for and issued your own SSL certificate and you did not go through a Certificate Authority for them to validate you or your certificate.

Most browsers only trust SSL certificates handed out by trusted Certificate Authorities and will display a warning for all sites using a self-signed certificate. If you have purchased an SSL certificate from a company that is not a high ranking Certificate Authority, your site may still be recognized as using a self-signed certificate.

A browser warning of an expired SSL certificate before proceeding to site.
Most browsers will also warn you when a site’s SSL certificate has expired before proceeding to the unprotected site.

An SSL certificate may become invalid for many other reasons, such as if the SHA encryption is outdated.

Hashing is the conversion of a lot of information written as characters into a shorter size often referred to as a key and it is done through a set of mathematical rules that are applied. As technology advances, stronger hashing is necessary to keep security strong.

SHA0 is no longer used and SHA1 is being phased out by many browsers including Internet Explorer. Chrome will begin to issue warnings starting January 1, 2016 for sites who still use SHA1. The current standard for encryption is SHA2 which will eventually also be phased out in favor of SHA3.

An SSL certificate can also appear to be invalid if the browser cannot verify it with the authority. This can happen if the domain name of the certificate does not match the actual site which is using it.

The best way to resolve these issues is to update your SSL certificate with your authority and follow their instructions.

A yellow yield sign appears in the address bar for sites with an insecure SSL certificate
One of my sites has images that are still linked under the http prefix and so the SSL certificate is not completely safe. The address bar shows a yellow yield sign in the Chrome browser.

If a yellow padlock appears with a mini yield sign, the likely cause is links in your site still refer to an unsecured page. Make sure that all your images, menu items and links use https in the URL.

To easily find the source of an invalid certificate you can use the free tool Why No Padlock. It instantly informs you of the specific problem including invalid images and scripts.

Using SSL with WordPress

Once you have your SSL certificate ready to go you can use it with your WordPress site.

Don’t forget to backup your entire site before you make any changes to prevent you from losing everything if something goes wrong. Once that’s done you can continue.

To set up SSL in both a single or Multisite install, first edit your wp-config.php file and add the following line of code. It will force both logins and access to the WordPress admin area to use SSL:

Just make sure it’s placed above the “stop editing” line as shown below:

Now we’re going to set a 301 redirect so that anyone visiting your site will be automatically redirected to your secure site using https instead of http.

Edit your .htaccess file, or create a new one if it doesn’t already exist. If you already have one, place the following code above everything that’s already there.

Don’t forget to replace “mysite.com” with your domain and make sure that you enter in the correct server port if yours isn’t 80.

Now visit your site to test it out. If https appears in your URL with a green padlock beside it you’re all set to go.

Conclusion

Having an SSL certificate for your site is an essential step in protecting your site and its visitors, but it’s not the only security measure you should consider using. To further ensure your site is safe for everyone, you could also use a WordPress security plugin, such as Wordfence or iThemes.

If you need more pointers on how to use SSL with WordPress for your specific needs, you can check out the Administration Over SSL page in the WordPress Codex.

Interested in a free SSL certificate? On November 18, 2014, the Electronic Frontier Foundation (EFF) released an announcement that they are working on an opensource project to make SSL certificates free and with the ability to install them in just a few clicks. It will become available in mid 2015.

There are plugins out there that can help you set up SSL on your site, but do be aware that they may not be up-to-date and compatible with the latest version of WordPress.

Sometimes it may be okay to use slightly older plugins if many people, including yourself, have had success with them during testing, but your site’s security isn’t something you want to take a chance on.

If you want even more in depth information on site security, also take a look at our other in-depth posts WordPress Security Essentials: Say Goodbye to Hackers and WordPress Security: The Ultimate Guide.

As time goes on, there are more and more reasons to secure your site with SSL. What are yours? Let me know in the comments below.

Image Credits: IETF Trust, DigitalOcean, Bruno Pedro.