Grabbing an SSL/TLS certificate isn’t the only step to get your WordPress site to work correctly over HTTPS. Today we’ll cover all three steps required to resolve mixed content warnings on your WordPress site and display the green lock icon for visitors.
1. Install your SSL/TLS certificate
Before you begin any of the other steps, you need to have a valid certificate installed on your host. Without this, you and your visitors will get a red lock icon and a few security warnings.
Cyberia Technologies hosting integrates with Let’s Encrypt SSL, a free certificate authority backed by major players like Google, Mozilla, and Cisco Systems. Installation is rather simple and can be completed in a matter of seconds. Your domain must already be live before Let’s Encrypt will allow you to install SSL.
Each hosting provider is different. Contact your technical support to find out if they feature Let’s Encrypt certificates. If you are a Cyberia Technologies customer and have questions or trouble, you can email our support.
2. Go to WordPress Dashboard > Settings > General
Now that you’ve installed your SSL certificate, you must “tell” WordPress to use it. Do this by adding the ‘s’ to the website URL (http:// becomes https://) in both URL fields, then click ‘Save’.
WordPress will log you out automatically. Simply log back in again with your admin account. Now onto the next step.
3. Install ‘Better Search Replace’ plugin & go to Settings tab
This step fixes mixed content warnings for your attachments, images, and theme files that are still using the non-secure protocol.
From your WordPress Dashboard, select ‘Add New Plugin’ and type ‘Better Search Replace’ into the search box. Click ‘Install’ and then ‘Activate’. Next, go to Dashboard > Tools and select ‘Better Search Replace’.
We want to find all the remnants of the non-secure URL lurking behind and secure them. The first field is for the old, non-secure URL. The second field must contain the new, secure URL. We’ve highlighted the correct changes with purple. Note: take extreme care not to mistype the protocols or misspell your domain. You can completely break your site otherwise.
Next, select all the tables (SHIFT + left click on PC), or one by one if need be (CTRL + left click). Tick the GUID checkbox if your site is new or a testing site. The dry run checkbox must be unchecked to make the necessary changes. Otherwise it only does a test run with zero changes. Click ‘RUN Search/Replace’ at the bottom to finish.
That’s it! You’ve successfully completed the WordPress database search & replace step! Your WordPress site is now fully secure over SSL/TLS, and visitors will see the lock in the upper left corner of their browser. Take a look for yourself! If you don’t see the lock, try clearing your browser cache and cookies, then refresh.
Note 1: This only secures your own WordPress site and everything hosted inside of it. If you are displaying external pictures or content, i.e. using hotlinks or an iframe, those resources still need to be secured on their own hosting.
Note 2: It’s a good idea to update your Google Analytics and Google Webmaster Tools properties to the new secure URL (https://).
Note 3: You should set up a 301 redirect from the old non-secure URL to your new secure website URL. This is so users and bots visiting your old URL will arrive seamlessly on the secured version of your website. SEO rankings, or “link juice”, can take a few weeks to fully settle, though it is worth it in the long term.
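To confirm that step 3 left nothing behind, and to list the external hotlinks and iframes from Note 1 that the plugin cannot fix, you can scan a page's saved HTML for subresources still loaded over http://. This Python script is an added example, not part of the original article; example.com and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch a subresource.
# <a href> is navigation only and never triggers a mixed content warning.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "link": ("href",),
    "video": ("src", "poster"), "audio": ("src",), "embed": ("src",),
}
# <link> is only fetched for these rel values (canonical, for example, is not).
LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, url, "own" or "external")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_RELS:
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset is "url descriptor, url descriptor"; keep the URL part.
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                parts = urlsplit(url)
                if parts.scheme.lower() != "http":
                    continue  # https, protocol-relative and relative URLs pass
                own = (parts.hostname or "") == self.site_host
                self.findings.append((tag, url, "own" if own else "external"))

def find_mixed_content(html, site_host):
    """Return every http:// subresource in html as (tag, url, own/external)."""
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; example.com stands in for your own domain.
SAMPLE_PAGE = """<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<a href="http://example.com/old-post/">old link</a>
<img src="http://example.com/wp-content/uploads/a.jpg" srcset="https://example.com/a-300.jpg 300w, http://example.com/a-600.jpg 600w">
<iframe src="http://videos.example.net/embed/1"></iframe>
<img src="//cdn.example.org/b.png">"""
```

Entries marked own mean the search and replace missed a URL in your database or theme; entries marked external have to be fixed at their source or swapped for an HTTPS copy.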