Buying an SSL certificate (or grabbing a free one) is just one piece of the puzzle. Learn how to activate HTTPS on WordPress and reap the benefits of a secured website. In this article we cover all three steps in successfully securing WordPress with SSL, including showing you how to resolve mixed content warnings in WordPress and get the green lock icon in browsers.
1. Acquire & Install Your SSL/TLS Certificate
Before you begin any other steps, you need to have a valid certificate installed on your host, whether it’s free or purchased from a certificate authority (CA) like Comodo SSL. Without a valid certificate installed on your web host, visitors will see a red lock icon and security warnings in their browser.
Cyberia Technologies hosting integrates with Let’s Encrypt SSL, a free certificate authority (CA) backed by major players like Google, Mozilla, and Cisco Systems. The installation is rather simple and can be completed in a matter of seconds. Your domain must be live (DNS records must point to your web host) before your host is allowed to install a Let’s Encrypt SSL certificate. Contact your hosting tech support to see if they feature Let’s Encrypt certificates. Each hosting provider is different, meaning the exact interface will change from the above. If you are a Cyberia Technologies customer and have any questions or trouble, you can email our support.
2. Navigate to WordPress Dashboard > Settings > General
The next step in how to activate HTTPS on WordPress is to configure or “tell” your WordPress installation to use it. This is done by adding the ‘s’ in the URL (http:// to https://) in the fields marked ‘WordPress Address’ and ‘Site Address’. Click ‘Save’ after making changes to both fields.
WordPress will log you out automatically—this is normal. Simply log back in again with your admin account username & password. Now onto the next step!
3. Install ‘Better Search Replace’ Plugin & Navigate to its Settings Tab
This step ensures consistent use of HTTPS instead of HTTP and is the key in how to resolve mixed content warnings in WordPress. We’ll now find and fix any URLs for images, attachments, or theme files that might still use the non-secure protocol.
From your WordPress Dashboard, select ‘Add New Plugin’ and type ‘Better Search Replace’ into the search box. Click ‘Install’ and then ‘Activate’. Next, go to Dashboard > Tools and select ‘Better Search Replace’.
Again, what this plugin does is help you to find all remaining non-secure URL iterations lurking behind and then secure them. The first field is for the old, non-secure URL (notice no ‘S’ in ‘HTTP’). The second field is for the new, secured URL. We’ve highlighted the correct settings with purple. Note: take extreme care not to mistype the protocols, accidentally add/remove a forward slash, or otherwise misspell your domain. You can completely break your website if you are careless.
Next, select all the tables (SHIFT + left click on PC), or one by one if need be (CTRL + left click). Tick the GUID checkbox if your site is new or a testing site. The dry run checkbox must be unchecked to make the necessary changes. Otherwise it only does a test run with zero changes. Click ‘RUN Search/Replace’ at the bottom to finish. If you’re successful, you will see a notice at the top of the page with the number of remnants the plugin found and secured.
That’s it! Now You Know How to Activate HTTPS on WordPress
You’ve successfully learned how to activate HTTPS on WordPress and it will now be served to visitors with an SSL/TLS certificate. Take a quick look for yourself and see if the lock icon is there. If you do not see any lock icon yet, try clearing your browser cache and cookies then refresh the page.
Note 1: This secures your website and everything hosted inside it. If you are loading external pictures, content, or scripts, i.e. using hotlinks or perhaps an iframe, they must be secured separately on their own hosting.
Note 2: It’s a good idea to check and update your Google Analytics and Google Webmaster Tools properties to the newly secured URL (https://).
Note 3: To be thorough, we recommend you setup a 301 redirect from the old, non-secured URL to your newly secured site URL. This is so visitors and search engine bots visiting your site will arrive seamlessly on the secured version. This step is usually done on your web host though it can also be done in WordPress.
Note 4: Your website SEO rankings or “link juice” may take a few weeks to settle, though this is necessary to get through in order to activate HTTPS on WordPress correctly.