How to Configure WordPress to Use an SSL Cert
In today’s world, EVERY site needs to be served over https. Don’t take just my word for it – take the word of one of the biggest internet companies around: Google. Take a look at their developer’s article titled: Why HTTPS Matters.
Below is the step by step instructions on what to do once the SSL certificate is installed. Got a question? Feel free to ask by posting a comment below.
Step One – Do a full site backup (files & database)
Step Two – Install cert. (Let’s encrypt is automatic)
Step Three – Go to “Setting” -> “General” -> change the WordPress-address (URL) + Site address (URL)
Step Four – Force https via htaccess file. (Code included at bottom of this post)
Step Five – Fix mixed content issues with the plugin Better Search Replace and then uninstall the plugin. (Search: http://www.example.com or http://example.com / Replace: https://www.example.com or https://example.com )
Step Six – Update site in google and bing webmaster tools
Step Seven – Sit back, relax and have a cold drink as you are done.
Down below are two sets of code. The first set is to redirect to https://www. And the second set is to redirect to https:// (if you are doing this on a live site then do NOT switch from www to naked or vise versa as it will mess with SEO)
Keep in mind that both set’s of code will work for most cases if you have a single site in your account (it’s not suggested to have more than one site per account for security reasons.) or each site within your account have their own domain name and they all follow the same rules. (i.e. all use www or all are naked domains.) If you have a special case feel free to comment below with what your environment entails and I’ll try to help as best as I can.
Additional notes – Ignore anyone saying to use a plugin like Really Simple SSL. Do it right the first time and you won’t have to worry about fixing it down the road if your site needs to scale big.
This code was updated 30JAN18 as soon as it was brought to my attention that when using the naked to www + http to https code snippet if you were to try accessing the site via “www.example.com” the redirect would result in having an extra ‘www’ in the url. I have tested the new code on my this site and it appears to be working like it should. If you find that it is not working as it should please let me know as soon as possible.
Awesome guide, now I can get rid of another plugin and make WordPress installs lighter! Maybe a couple suggestions: Step 2: Go to “Setting” -> “General” -> change the WordPress-adress (URL) + Siteadress (URL)
Make the text bold or larger for which set is intended to do what :
“THE FIRST SET is to redirect to https://www. And THE SECOND SET is to redirect to https..”
Just to make it dummyproof 🙂
Again thanks! Looking forward to implement this on other WordPress installs!
@Robin Bakker – Glad you found it useful! Also, thanks for the suggestions. I’ve implemented them. 🙂
Do you have an example when the Webserver is MS IIS?
I don’t have any examples geared specifically for an IIS server. Ideally it is suggested to not run a WordPress site on a windows server as it’s not really designed for one. If you can I’d say move to a linux based host.
If you can’t migrate to a linux server – here is a write up for how to do redirects on an IIS server: https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/
I’m not sure if the search and replace will work or error out. The rest should probably be the same.
Do I install the SSL on the staging long domain name first? Or do I go into general settings and change there first to real domain name, and then force HTTPS?
You are talking about two different areas here. A staging area and a live production site.
Is the live production domain name already pointed at that server or does the site need to move to the server where the domain is pointing?
Are you wanting to take the site live right now or is it not ready yet?
Once those two questions are answered I can better assist you with your specific use case scenario.
Hi Brian, What if the site http://www.example.nl links to http://www.www.example.nl (so a double WWW) Any idea how I can fix this?
Hello Robin – can you show me what you have in your htaccess file?
Hi Brian. Thanks for this blog post. I have a couple of queries to ask. I recently moved a client of mine to SG’s hosting service. His old site was plain ‘HTTP’ and I used the free Let’s Encrypt (provided by SG) to ensure the ‘HTTPS’ version.
Steps 1 and 2: Done.
For the 3rd step, SG has a ‘switch’ to turn on to enforce HTTPS. It says: “It forces your site to work entirely over an encrypted HTTPS connection. The redirect is performed on server level and works for any website.”
So, that’s what I did (i.e. I switched it on). I did not insert any code in the .htaccess file. My question is: Do I still need to insert the code in the .htaccess file or SG has taken care of that via the ‘switch’?
Step 4: Done.
Step 5: What do I need to update in the Google search console? Also, do I need to change anything in Google Analytics?
Also, the next time, I want to use the codes you provided. Do I need to copy the brown text as well (in the code above)?
My apologies for the amount of questions I asked. Quite a noob at it.
#3 – I believe that switch actually injects their version of htaccess script so you are fine flipping that switch. (Just as long as you do what you did and fix the mixed content by doing the search and replace on the database.)
#5 – you have to add the https version of the site to search console and set your preferred url. Google analytics shouldn’t even miss a beat as is.
Step 3: Yes, I used a plugin called Better Search Replace to fix mixed content issues. So I believe that’s taken care of.
Step 5: Okay. I’ll have to add a new property, so I’ll do that.
I believe all the steps above will ensure that there is no (or very minimal) effect on the SEO, because obviously don’t want to lose the backlinks received etc, correct?
Yep. You might see a drop in your analytics for a month or two, but it’ll bounce right back.
Could you provide your great information with some photos
Good Suggestion! I will look into doing this over the next week or two. 🙂
Recently our charity finally got round to SSL, found this link via the word press Facebook group, I struggled, Brian helped me on one of the websites and I sailed on to complete the other 4, great guy, great teacher, thanks Brian
Thank you Alison for the kind words! I’m just glad I could help. 🙂
A question for you before I go live with this.
I’ve followed your guide (I wanted to get rid of Really Simple SSL as it had a major failure when I upgraded to WP 5.3. And I have had to revert back to 5.2.4).
I’ve put in the changes you’ve on my staging site and all looks well.
But I have a query. Your code for the .htaccess file for a non www site has:
RewriteRule ^(.*) http://%1/$1 [R=301,L]
My query is, should the first RewriteRule
really be http?
Your code snippet for www sites has it as https: for that bit.
I just want to be sure before I go live with it.
It probably should be https instead of doing a possible two-step redirect.
I have a second query. I want to double check where this rule should be put in the .htaccess file.
This should be first rule right?
So I put the code in before the caching software code in the htaccess file. and ahead of the stuff my security software puts in.
Is my aim to put this code in at the very top of my htaccess file?
That is correct – you want it to be the first rule in your htaccess file.
Essentially you want it first so that there is no actual real talking or delivery of content unless it is over a secure channel.