If you’re looking to install an SSL certificate and switch your WordPress website to HTTPS, you’re not alone. As far back as 2014 Google was calling for all sites to be encrypted, to make the web a safer place to browse. Since then they’ve confirmed that security is a marker in determining placements, and that this year they will be alerting Chrome users when they visit an insecure site. If you haven’t already made the switch – now’s the time.
In case you’re still not sure what SSL and HTTPS are, they stand for Secure Socket Layer andHyper Text Transfer Protocol Secure. An SSL certificate authenticates the identity of a website and encrypts any information transferred between the user and the server – for example when someone submits personal information via contact, sign up, or checkout form. You’ll recognise a site that’s encrypted by the padlock symbol that appears in the browser window, and if a site is trying to use an invalid certificate you’ll quite often be shown a warning message.
Some hosting providers provide free SSL certificates with your account, for example via Let’s Encrypt. Alternatively, you can buy a certificate either direct from your hosting provider or direct, although when doing that latter you should check you have the ability to install a third party certificates as not everyone will allow you to do so. If there’s already a certificate installed you can move forward, otherwise your provider will be able to help you carry out the installation via your hosting account.
Just having the SSL certificate installed will not automatically mean that all pages, WordPress or not, will be served security. Within your WordPress site, the first step is to go to Settings > General and change the Site and WordPress Address URL from HTTP to HTTPS:
On doing this you will be prompted to sign in again.
The next step is to make sure all images and other resources are also loaded over HTTPS. If your site is relatively small, you can go through pages individually and change any reference in the embedded images from http:// to https:// so that they’re loaded securely. If your site is bigger, you may need some assistance doing this by running a query on the database to make sure all URLs are updated.
Theoretically any scripts and resources used to make your theme or plugins work should switch over automatically, so long as they are being enqueued correctly, but if you’re still not seeing the padlock it’s time to look there next. If you don’t feel comfortable making changes to your own theme, you can ask a web developer to do this for you – they simply need to ensure that any scripts or files called are done so securely over HTTPS rather than HTTP.