Securing your WordPress website with (HTTPS)
Website visitors like to feel safe, the safer they feel, the longer they stay on your site and the more likely they are to come to you for your products or services. Fairly recently, the various browsers (Chrome, Firefox, Edge, etc) have begun to flag sites that don’t have SSL certificates as ‘Not Secure’, placing a warning in the address bar. This is inevitably going to worry some of your visitors, but is reasonably simple to sort out.
So, what is an SSL certificate and how do we apply one to a WordPress site?
SSL provides secure, encrypted connections between networked computers; between the web server and the user’s web browser software. This is particularly important on eCommerce sites, where personal data linked with financial information is being transmitted. To apply SSL encryption, you need an SSL certificate, these are available from a number of certificate authorities and come in various ‘strengths’ – the more secure they are, the more expensive they become.
If you’re running an eCommerce site, most payment companies like PayPal, Stripe, Authorize.net, etc will require you to have a secure connection before accepting payments.
For most WordPress sites a free SSL certificate is more than enough, the browser software will show the secure padlock in the address bar and your visitors will feel safe. But if you’re going to handle credit card payments yourself, you’ll need to talk to your server administrator and one of the certificate authorities – here is a good place to read more.
Applying a free SSL Certificate to a WordPress site
If all you’re looking for is a padlock in the browser address bar and an https:// address, then you just need a basic certificate. These can be applied in a number of ways …
- Your host – The best WordPress hosting companies offer free SSL certificates for all their users. Login to your hosting account cPanel dashboard, find the ‘Security’ section and see if you have the option to apply a free certificate. Switch it on if so and then read the next section below regarding updating WordPress.
- Route traffic via Cloudflare – Cloudflare provide a number of services for businesses, non-profits, bloggers, and anyone with an Internet presence. Their most popular service allows you to route all you traffic via their network, which not only helps to speed sites up, but also helps to stop hacking and denial of service attempts. Alongside these, there is a very useful and free SSL encryption service, which you can switch on and off very simply. To set it all up you’ll first need to route your traffic via their servers – Visit their site, have a read and set up an account, it’s all free. If you need some help, please give us a shout.
- Apply a LetsEncrypt certificate on your server – Tricky … unless you are happy with Linux command-lines and know what you’re doing, you’re going to need help. You’ll also need shell access to your server, which most hosts don’t allow. And you’ll need to reapply the certificate on a regular basis. We’d suggest you seek help from your host on this, or give us a shout.
Updating WordPress to serve https rather than http
Once you’ve applied your SSL certificate, you may well have to tell WordPress to serve up the site with an https address, otherwise it’ll just carry on serving the pages ‘insecurely’. First, test to see whether you need to make any changes by opening the site in your browser. If the padloack appears that’s a good first step. Now try manually entering the site address with http:// at the front. Hopefully, it’ll autmatically redirect and you’ll be served the pages with the padlock showing. Job done. If not, read on …
By far the simplest way to force an SSL certificated WordPress site to serve up its pages via https is to use a plugin. There are a number of plugins that can do this. One of the most popular is Really Simple SSL, it takes away all the hassle, click that link, install and follow the instructions. Once you’ve done that, check the site is showing a padlock and redirecting to https when you enter the address with an http at the front.
Hopefully your site is now reporting as secure. There are a few cases where some things will still need tweaking – For example, if you set your site up and had it running before you applied the SSL certificate and changes, your theme and possibly plugins, may have http links in their settings; your logo and/or favicon for example. Go through all your settings, changing any http references to https, save and reload the site. If you’re still having problems, give us a call, it’s often a simple fix and we’re great at spotting such things.
Is SSL good for SEO?
Whilst the main point of having an SSL certificate is to provide encrypted traffic, according to most SEO experts, secured sites seem to rank higher. This does make sense; people will naturally visit a secure site over a non-secure one and will stay longer, Google will ‘see’ this via its analytics engine and will therefore rank the site more highly.