Up until now, a website didn’t need to be HTTPS-enabled unless you were collecting credit card information. Google will start to give priority to sites being served over HTTPS and call out sites that don’t. It will become a requirement to enable HTTPS on WordPress for some features.
I’ll show you how to set this all up yourself in this article, but if you’d just prefer to get someone else to do it, I’m happy to help. Just let me know by sending me a message via the form on this page.
Note: The “how to’s” of this article are mostly for WordPress users, but the concepts still apply to others.
If the details interest you, keep reading. If not, you can skip to the action steps.
What is HTTPS?
The “rules” for how your website gets from the host server to a person’s computer or phone are typically HTTP. Basically, the server sends the raw code to the browser, and the browser puts it together into the beautiful display you worked so hard on.
With HTTP, that code is sent as “plain text”, which means if you wanted to you could look at what’s being sent and more or less understand it if you knew a bit of HTML.
This data transfer goes both ways. If you collect email addresses or log into a dashboard or have forms on your site, when it’s only using HTTP all of that data is transferred back to the server in plain text.
So if someone was snooping on your website’s traffic, they could steal all of the information that’s being sent from the form in a browser to your server, including your login information when you log into the back end.
HTTPS is Secure HTTP. It doesn’t send data in plain text. It encrypts everything, even links to images, so that it’s not as easily discovered. Using HTTPS makes your forms more secure.
You are actually doing your website users a disservice by not using HTTPS. That should strike a chord.
How to enable HTTPS on WordPress
It’s not difficult to start using HTTPS, but it is something you’ll probably need to set aside a couple hours for. I’ll walk you through how I put my sites on HTTPS and hopefully that’ll give you an idea of what to do even if you’re on a different host than I am.
What you need first
The way your website tells the browser it’s secure is through an SSL certificate. If you just change all your links to HTTPS, the browser will show the person viewing the site a warning. Some browsers won’t even display the website. The reason is that you need a sort of key that says the URL of your website is authentically secure, not simply pretending to be secure.
So the first step is to get an SSL certificate. There are two options I’m aware of: a free one (the kind I use) and one you pay $30-$50 a year for through your web host.
SSL certs used to cost money. Let’s Encrypt is a wonderful organization that provides free SSL certificates. All you have to do is ask for one.
The catch, though, is that your host needs to support Let’s Encrypt. Mine does (check out Siteground), so it was very simple to switch. If your host doesn’t support Let’s Encrypt, then I’d consider switching hosts. Your other option is to purchase an SSL certificate from your host.
Host-provided SSL certificate
This is the way things used to be. If you wanted to run your site over HTTPS, you could purchase the certificate through them. I did that a couple years ago, and it was around $30 for a year for the certificate.
But seriously, try to find a host that uses Let’s Encrypt.
What you should set up on your website
Once you have a certificate, regardless of how you got it, you can set some things up on your site. Your end goal is to have the green lock show up in the URL bar.
You can do this with code, but if you want to try it yourself, there are plugins that will handle it.
At a bare minimum you should put your admin dashboard behind HTTPS. There are WordPress plugins that make this pretty easy.
Next, at least make sure any pages with a contact or opt-in form are behind HTTPS.
The whole site
To really get secure, put the whole site behind HTTPS.
Plugins to help do it for you
I didn’t use any plugins for my setup, but you could. Here are a few options I’ve found but haven’t fully vetted. They look OK from their details, though.
Really Simple SSL – You might need the pro version to fix images in posts, pages, and widgets
CM HTTPS Pro – $30 for the plugin, but it does a lot for you and helps you do the rest. This one looks like it actually updates the database reference rather than doing it through redirects.
Easy HTTPS Redirection – This one writes to the .htaccess file on your server, so if you use this plugin make sure you have access to that file in case things go haywire. It does tell you what to remove from the file if necessary.
How I set up my sites with HTTPS
I’m kind of a purist. The more plugins you have the more processing your site needs to load, and the slower it can become. Not to mention each plugin is a different point of failure and just something else to keep maintained.
So when I set up HTTPS, I just did it the manual way. It works just as well, and maybe it takes slightly longer to get set up but it’s really not a big deal at all.
This tutorial assumes your host uses cPanel and offers Let’s Encrypt. If either of those isn’t true, or you’re not sure, I’ll be glad to find out for you.
A note before starting
If you already have a plugin that is supposed to handle some HTTPS activity, like iThemes Security, make sure the HTTPS settings are off. I imagine you’d have had problems before if you had HTTPS settings on without a certificate, but I want to make the point anyway.
Since I don’t know what your website setup is, I can’t guarantee that this will all work as smoothly as it did for me. What I’m outlining below is a simple approach that should be fine. I’m just not responsible if you accidentally screw up your site.
Step 1: Request the certificate
Log into your host and go into cPanel. If your host supports it, you’ll see an app for Let’s Encrypt. Mine was under the “security” section.
Click into it, and then you can pick the domain you’d like a certificate for. One click later, it’ll do some processing and eventually give you a message saying your certificate is approved and active.
If you have options for HTTPS Enforce and External Links Rewrite, turn Enforce on and leave Rewrite off. We’ll fix the external links (images, CSS files, etc.) in a couple of steps.
Step 2: Change the WordPress URLs to https
Once your certificate is active, log into your WordPress dashboard. Navigate to the WordPress settings, and click “General”. You’ll see two URLs at the top: WordPress Address and Site Address. Change the http to https and save changes.
At this point, the site might kick you out because you logged in under http initially. Just log in again and you should be OK.
Step 3: Check the pages and verify that they’re all secured
The main problem with setting things up for HTTPS is that if ONE element of the page is being loaded over standard HTTP, the whole page (page, not site) will be loaded over standard HTTP, even if the URL says HTTPS. So it’s important to make sure at least the pages you need to be secure are fully secure.
If your website theme was coded well, you won’t have many theme images to adjust.
Where you could really have some work to do is with images on blog posts, pages, and widgets. Because the site URL used to just be HTTP, everything you’ve added up until now is going to load over HTTP. You have to change each reference to HTTPS or the browser will not consider the page to be HTTPS.
Going forward everything will be HTTPS, but you have to do something about the images you’ve added up until now.
A nifty tool for checking your content
Just the other day I came across this tool that will crawl your website and check for non-secure content. It’s super easy to use, and it even helped me find content that I’ve linked to but doesn’t actually exist (oops!). You just enter your URL once you’ve enabled your SSL cert and it will tell you what’s coming through over regular HTTP. Those are the pages you will need to fix.
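To show what a check like this looks for on a single page, here is an added example in Python (not the tool mentioned above and not code from this article). It lists the references a page loads over plain http:// and marks whether each one is on your own domain; the function names, the tag list and the example.com sample page are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch (or submit to) a URL.
# <a href> is left out on purpose: a link is not loaded with the page.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "source": "src", "link": "href", "form": "action"}
# <link> only fetches for these rel values; rel="canonical" is metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class InsecureRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, url, is_own_host) tuples

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHING_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        url = (attrs.get(attr_name) or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # https://, relative and //host/ URLs are fine
        own = (parts.hostname or "") == self.site_host
        self.findings.append((tag, url, own))

def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a post saved before the switch (example.com is a placeholder).
SAMPLE_PAGE = """
<link rel="canonical" href="http://example.com/old-post/">
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/logo.png">
<script src="http://cdn.example.net/widget.js"></script>
<form action="http://example.com/subscribe" method="post"></form>
"""
if __name__ == "__main__":
    for tag, url, own in find_insecure_refs(SAMPLE_PAGE, "example.com"):
        print(tag, url, "change to https" if own else "third party, check it has https")
```

The plain link and the canonical tag are not reported because the browser does not load them with the page. The form is reported because a form that posts to http:// sends its data in plain text.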
If updating all of your images is just something that’s not going to happen, there’s some code that can be added to a specific file (.htaccess) on your server, or you can download a plugin called SSL Insecure Content Fixer to handle it for you. Those won’t actually update the references to be HTTPS. They are supposed to automatically switch the request from HTTP to HTTPS.
If you use the plugin, set it to the “Content” fix, and it should catch most everything. As with any plugin, there could be conflicts and it may not work as you expect. It depends on what else you have.
Need more help?
I know this seems daunting, and I suppose it should. If the technical aspects of what I’ve written here make sense, you should be able to handle this yourself.
If you have any questions about what your setup is like, I’m happy to take a few minutes to check out what you have. I’ll let you know if this process will work as simply as I’ve laid it out.
But if you just really don’t want to have anything to do with this process but realize it’s something you need to have done, let me know. Fill out the form on this page and we’ll get it sorted out.