Google announced in august 2014 that HTTPS is a ranking signal for websites. That means that having an SSL layer on your website will help your site rank higher. HTTPS, which stands for secure HTTP is another signal that Google's algorithm considers when it comes to positioning your website on the SERP (Search Engine Ranking Page).

The idea behind this technology is a safer internet for everyone. By encrypting communication between visitor and website there are fewer opportunities for hackers to intercept sensitive data. Things are starting to change now that the big G is placing a bigger emphasis on HTTPS and will start giving higher ranking to “secure” sites, or sites that are using SSL layers. Let's take a look at a couple of options for installing SSL on WordPress.

Why use SSL on WordPress?

The potential downside of not having HTTPS on your site is a potential loss in traffic. This is because Google is placing an even bigger emphasis on HTTPS and will start giving higher ranking to “secure” sites, or sites that are using SSL layers. Moz put out some interesting stats on how sites that moved over to HTTPS are reaping the benefits of higher rankings.

Of course, we can be sure that the big sites have made the change quicker than everyone else and are ranking higher anyway so this may be a false signal. Even so, if you have a WordPress site and you'd like to get on Google's good side then it would be wise to install an SSL on WordPress and be ahead of the curve. Millions of WordPress websites will not change to HTTPS and may be left behind as a result.

Most people will want an SSL because they plan on selling something on their website. Ecommerce sites should have encrypted communications between the browser and server to prevent hackers spying on credit card details and personal information involved in the purchasing transaction.Either you plan on selling something through the site or you would just like to get on Google’s good side and have HTTPS before your domain name in the address bar (and of course, have encrypted communications). So now we've established the

Either you plan on selling something through the site or you would just like to get on Google’s good side and have HTTPS before your domain name in the address bar (and of course, have encrypted communications). So now we've established the why, let's look at the how of WordPress HTTPS.

https for websites

 

Making your WordPress website HTTPS

Before getting down to the details we must first look at the types of SSL that are typically used on WordPress sites. Two possibilities are:

  1. You've purchased an SSL layer from your hosting provider.
  2. You plan to use a free SSL from a service like Let's Encrypt.

I recommend SiteGround for both options.

They have been my consistent provider of hosting for years and I've tried every WordPress and shared hosting option available. SiteGround also offers a one-click option to install a Let's Encrypt SSL on each of your websites directly from the control panel.

Install SiteGround's Free SSL via Let's Encrypt

  • Under My Accounts, click ‘Go to cPanel' and on the next screen look for the Let’s Encrypt widget under the Security section.
  • Click the Let’s Encrypt button. Here you’ll be given the option of installing a new Let’s Encrypt Certificate.
  • Select your domain name and add an email address from that domain.
  • Click Install.

That's it!

The manual SSL installation

The plugin method is much easier to implement but as not everyone likes adding plugins to their site here are the manual install details.

Start by making WordPress use HTTPS by default in the admin backend.

  1. Open up the wp-config.php file located in the root of your WordPress install. If you’re website is hosted on a server using cPanel you can open up File Manager, browse to the folder of your domain name, find the wp-config.php, and open the file for editing by right-clicking and choosing ‘Code Edit’.
  2. Add the following line define('FORCE_SSL_ADMIN', true);
    just before /* That’s all, stop editing! Happy Bloggin. */
  3. Save the file.
  4. Go to yoursitename/wp-admin URL and test that https:// appears in the address bar before the domain name. In Chrome, and in other browsers, a green lock will appear before the https:// indicating also that it’s a secure connection.

So that’s the administration backend part done.

Redirects are the key to forcing secure pages on your site. You want visitors that browse to http://yoursitename to be automatically redirected to https://yoursitename.

FTP Setup

It’s time to open up the .htaccess file and create redirects. Control panel won’t by default, allow you to view hidden system files such as the .htaccess file. It can be a little messy to make control panel show hidden files so I prefer to use an FTP program like FileZilla. It’s free, so jump on in.

Skip to editing the .htaccess file if you are familiar with FTP or have access to the htaccess file using control panel. This section explains how to get going with FileZilla.

Look in your hosting control panel for details about your server’s hostname. If you use SiteGround then you’ll find the hostname and IP address under ‘My Accounts’. Either the name or IP can be used and this will be used as the ‘Host’ address in FileZilla.

You will need to create an FTP user and password to connect.

  • In control panel click ‘FTP accounts’.
  • Create a useful login name, ftpaccount@yoursitename.com or something similar is good.
  • Add the password twice.
  • In the directory location make the location point to the root of the web server and not the default location. Change it from /public_html/ftpaccount to /public_html/. That way, when you connect, you are at the top level folder.

Now, using the hostname, username and password we should be able to connect to the server via FTP.

  • Open the root folder of the website.
  • Find the .htaccess file. Right-click the file and choose View/Edit.
  • You will then be asked which program you prefer to edit these types of files with. You can use TextEdit but I try to avoid it as sometimes it can change characters such as inverted commas and this can cause major headaches. If you have any kind of code editing software, like the excellent Sublime Text then use this instead. It makes editing the code a lot easier also due to the clearer formatting and use of color.

Editing the .htaccess file

Add the following lines to the start of the .htaccess file:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Note: you can use the www or non-www versions in the third line, whatever your preference is.

 

Setting the WordPress URL to HTTPS

In the WordPress backend open the General tab
Change the WordPress Address (URL) and the Site Address (URL) to https://yourdomain.com
Check the web address again via your browser and look for errors.

A common issue here is that the green padlock doesn’t appear, or appears briefly, but the https is in the address bar. This is often the result of what’s called ‘mixed content’ warnings. It basically means that your site is still using HTTP for some content.
It could be something simple like an external link on a page. Use Chrome’s inspector to check the page for mixed content.
In several cases, I found that the Mailchimp link on a sidebar, front page, or in the genesis eNews extended plugin was entered as http://. Change the link address to https and check again.
Sometimes it’s that simple.

mixed content warning on https website

The Plugin SSL Installation

Make sure that Google knows about the https site.

If you browse to your website using the HTTPS protocol https://yourdomain.com you should see the green padlock in the address bar, indicating that the SSL layer installation has worked.
However, you’ll want to force visitors to go only to the secure site from now on.
Try the Really Simple SSL free plugin for WordPress to make redirection setup a single-click affair.

really simple ssl plugin for wordpress

Adjusting Google Search Console

We will need to add the HTTPS version of the website into Google Search Console (webmaster tools) so we can track it properly. Open up Google Search Console and add a new site. Google sees the HTTPS version of your site as a brand new entity so you’ll need to add in both the WWW and non-WWW versions of the HTTPS site.
After adding both sites, https://www.yourdoman.com and https://yourdomain.com, and verifying them in Search console make sure that you select the preferred domain to be displayed by Google. Click the cogwheel at the top right of Search Console and click Site Settings (make sure you’re already looking at the details of a domain) and then choose your preferred domain.

Adjusting Google Analytics

Next head over to Google Analytics and open the Admin tab for your domain. Under the Property Column choose Property settings. Change the Default URL to the https:// version.
Then click Adjust Search Console so we can link Analytics with the correct site in Search Console.
Click Edit, select the new https:// version of your site and click Save.

Resubmitting a Sitemap

I’d suggest adding a sitemap to the new site on Search Console so Google can crawl the site again. If you’re using Yoast then this is quite easy. In the WordPress admin go to SEO, click XML Sitemaps and click the XML Sitemap button on the General tab to open up your sitemap URL.
If you see that the sitemap(s) still shows http:// then you’ll need to fix this before submitting. Yoast seems to have a slight bug in that it doesn’t update the sitemaps to https. Here’s the fix:

  • On the SEO module again in the WordPress admin click Search Console and then Settings.
  • Click the button marked ‘Reauthenticate with Google’. This time use the full https:// preferred version of your site. That should fix it.
  • Check again under XML Sitemaps to verify.
  • Unfortunately, this doesn’t always work (please fix this Yoast) but you can disable the XML sitemap functionality in the XML sitemaps section, save changes, refresh, enable the XML sitemap again and check one more time.

If neither of these work then it’s likely there’s an issue with your database. Time to call in the big guns or get your hands dirty.

That should set you up with a nice shiny https:// URL and a green padlock for all the world to see. Now go and promote your secure site.

install ssl on wordpress

Keith Lang - Marketer and Entrepreneur

Keith is the founder of Fat Frog Media. He has worked in the tech, fitness, food, and hospitality industries. Keith helps businesses improve their marketing and conversion rates.