Keeping your website secure is very important. If you collect visitor information, or plan to set up an e-commerce store, you should be concerned about protecting your data from hackers against digital theft, digital surveillance, and identity hijacking.
While security is one of the main reasons you may want to migrate your WordPress site from http to https (we’ll explain what this means in a moment), you may also want to do this for SEO reasons.
In August 2014, Google announced that, as part of its bid to further protect users from cyber attacks, it would start treating HTTPS as a ranking signal and prioritizing secure HTTPS URLs over regular HTTP URLs. In fact, studies conducted by leading search engine analysis companies like Moz.com found that over 30% of all first-page Google results use HTTPS and predicted that this number will continue to grow as part of Google’s “HTTPS everywhere” initiative.
If you own a WordPress site, it’s probably a good idea to consider switching your domain address from ‘http’ to ‘https’ sooner rather than later. In this tutorial, we show you how to do this.
How To Add SSL To WordPress For Free Using CPanel AutoSSL
As we provide tutorials for beginners and non-coders, this is not a technical tutorial. The section below provides a brief description of what is involved in changing your WordPress site from http to https and an easy step-by-step tutorial on how to configure your site for https using a free feature of cPanel hosting called AutoSSL. For detailed technical information, please refer to the sources listed at the end of this tutorial, or contact a professional web service provider.
SSL – Basic Overview
What Is SSL?
SSL (Secure Sockets Layer) is the standard security technology protocol for transmitting private documents via the internet. SSL establishes an encrypted link between a web server and a browser and this link then ensures that all data passed between the web server and web browsers remain private, secure and unmodified.
SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world’s computer networks. SSL is essential for protecting your website, even if it doesn’t handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.
The benefits of using SSL include:
- SSL encrypts sensitive information – If sensitive information like credit card numbers, usernames and passwords is not encrypted using an SSL certificate, any computer that gets between the server sending the information and its intended recipient can see the information. SSL makes sensitive information becomes unreadable to hackers and identity thieves.
- SSL provides authentication – An SSL certificate from a trusted SSL provider protects users from being ‘tricked’ by ensuring that they send personal information to the right server, not to computers pretending to be other websites. HTTPS also protects against phishing attacks.
- SSL provides trust – Seeing the HTTPS icon (green padlock) helps to increase trust on your website and gives visitors confidence to buy or do business with you online.
The advantages of using SSL (protecting your business and your customers’ information, increasing trust, improve SEO ranking etc.) far outweigh any disadvantages like cost (see below to learn how get SSL for FREE) and performance (generally only noticeable on highly trafficked web sites which your webhost can help improve).
Once an SSL certificate has been correctly installed and configured on your server for your domain, the URL of your site displayed in visitors’ web browsers will switch from ‘http://yourdomain.com’ to ‘https://yourdomain.com’ with a green padlock icon next to it …
(‘https’ sites display a green padlock next to the web address)
Note: Depending on the page content, sometimes you may see a padlock with a warning sign. Click on the padlock icon for more information on the site’s security status …
(Click on the padlock symbol for site security information)
Adding SSL To WordPress
What Is AutoSSL?
AutoSSL is the solution to one of the biggest pain points that exists for every cPanel & WHM user: SSL installation and renewal. With AutoSSL there are no more forms to fill out, and no more certificates to manually copy into place. Once you enable AutoSSL your websites are automatically secured with a Domain Validated SSL certificate. Perhaps more exciting is the fact that your coverage will never lapse, because at expiration time a new SSL is requested and automatically installed.
You can learn more about AutoSSL here or search online for “cpanel autossl”.
Ask your host if your server supports cPanel AutoSSL and if so, confirm that you can have it enabled for your website for free. Depending on your hosting setup, you may need to purchase an SSL certificate.
Regardless of the SSL option you choose (i.e. cPanel AutoSSL or purchasing an SSL certificate), we recommend asking your hosting provider to install, set up and configure SSL on your server for your domain. Once this has been done, follow the steps below to make sure that everything works correctly on your WordPress site.
We strongly recommend performing a complete backup of your WordPress site (files and data) before modifying any files on your server.
Learn about a WordPress backup plugin that can fully automate your backup process here:
After your hosting provider notifies you that SSL has been installed and configured on your domain, do the following:
Check that SSL is installed. You can do this by going here, then entering your domain name and clicking the ‘Check SSL’ button …
(SSL Shopper – Check SSL Tool)
If SSL has been installed correctly on your domain, you will see confirmation indicators like the ones shown in the screenshot below …
You can also check if SSL is installed on your domain and perform a deep analysis of your SSL configuration by going to Qualy’s SSL Labs …
(Qualy’s SSL Labs)
This provides you with an in-depth SSL report …
Once you have confirmed that SSL has been installed correctly on your server, log into your WordPress admin and go to General Settings.
In the ‘General Settings’ screen, replace the ‘http’ in your WordPress Address (URL) and Site Address (URL) fields …
(Replace ‘http’ …)
With ‘https’ and save to update your settings …
Next, install the SSL Insecure Content Fixer plugin …
(SSL Insecure Content Fixer WordPress Plugin)
SSL Insecure Content Fixer cleans up your WordPress website’s HTTPS insecure content and mixed content warnings.
To install this plugin, go to Plugins > Add New …
(Plugins > Add New)
Search for ‘SSL Insecure’ in the Keyword field to bring up the plugin in the search results and click on Install Now …
(SSL Insecure Content Fixer – Install Now)
Click on Activate …
(Activate SSL Insecure Content Fixer Plugin)
This plugin works out of the box. However, if you need to change the settings, go to Settings > SSL Insecure Content, or click on the Settings link in the ‘Plugins’ screen …
(SSL Insecure Content – Plugin Settings)
This brings you to the ‘SSL Insecure Content Fixer settings’ screen. Remember to save your settings if you make any changes …
(SSL Insecure Content Fixer settings screen)
If you are moving a site with existing content to HTTPS, some of your content may be linking to the ‘http’ version of your domain. In this case, you can do a global search and replace to replace all instances of ‘http://yourdomain.com’ with ‘https://yourdomain.com’ …
(Perform a global search and replace to change ‘http’ links to ‘https’)
You should also change the default URL settings for your domain in your Google Analytics accounts …
(Update your Google Analytics account)
Remember to also add an HTTPS property to your Google Webmaster account …
(Update your properties in Google Search Console)
After completing the above, check your site to make sure that everything is working correctly. If you experience any problems, contact your webhost for help.
Congratulations! Now you know how to add SSL to WordPress.
"If you're new to WordPress, this can stand on its own as a training course and will stay with you as you progress from beginner to advanced and even guru status." - Bruce (Columbus, Ohio)
Disclaimer: This site has no direct association with WordPress, Automattic, or any of the WordPress-related products written about on this site. We may derive a financial benefit or affiliate commission from purchases of products mentioned on this website. All images remain the copyright of their respective owners and are being used solely for training or illustrative purposes.
Did you enjoy this post? Feel free to share this tutorial with anyone who can benefit from learning about WordPress using the links below.