PHPMatters Help You Better Hosting Your PHP-based Sites
How to Use SSL and HTTPS to Secure Your WordPress Site

How to Use SSL and HTTPS to Secure Your WordPress Site

Secure Socket Layer is the most basic security technology used to guarantee an encrypted connection between a server and a browser, greatly eliminating the possibilities of data eavesdropping by hackers. Therefore, many WordPress sites, especially the e-commerce ones or some large websites requiring information submission have used SSL, so that their domain names simply look like “”, along with a lock icon before the website links.

After knowing what SSL is and its main function, in the following, we’d like to tell you how to use it to secure your WordPress site using the “HTTPS link”.

Preparation – Have a SSL Certificate

Firstly, you should make sure that you have the SSL certificate. Generally, you can purchase one from your hosting providers at the price ranging from dozens of dollars to hundreds of dollars. Or, you can place an order from some SSL providers like GlobeSSL and SSL Shopper.

Here, we have to mention that what we talk about is the utilization of private SSL, but not the shared SSL certificate.

  • Shared SSL – You can start a secure online connection with HTTPS. However, you are not allowed to showcase your own domain but the one offered by your web hosts. If you insist your domain name, this certificate may not work, or your readers may encounter the security warning message.
  • Private SSL – the private one simply safeguards your own domain, but not the domain of your hosting provider.

Secondly, you have to ensure that you have the dedicated IP address. Generally, the purchase of a dedicated IP can be added into the order form automatically when you buy the SSL certificate with your web host. However, the process of switching to a dedicated IP requires around 5 hours, so you need to wait until the switching is finished.

Install SSL Certificate

Different web hosts may have different installation processes for SSL, but generally, the process includes requesting a CSR, sending the CSR and RAS Key to the certificate provider and submitting the RSA Private Key.

In the following, we’d like to take HostGator as an example, telling you how to install SSL on its shared web hosting package.

  • Step 1 – Finish the form of Certificate Signing Request at this page.
  • Certificate Signing Request

  • Step 2 – Get the SCR feedback from HostGator and save it.
  • Step 3 – Purchase a SSL certificate and send the SCR feedback to the certificate provider.
  • Step 4 – Get the authorized certificate and a private CA Bundle from the SSL provider.
  • Step 5 – Enter this form using the information you get earlier and submit the form.
  • Step 6 – Pay for the installation

If you feel time-consuming to handle all of these steps on your own, you can simply ask your web hosts to offer and install SSL for you. Just check the following three hosting companies that offer such a convenient service.

Set Up WordPress for the Utilization of SSL

Now, you can set up your WordPress to use the SSL certificate. Here, we highly recommend you to use the WordPress HTTPS (SSL) plugin. Upon the installation, click the HTTPS tab in your backend admin for the configurations of SSL settings.

SSL Settings

In the General Settings page, you need to enter all the information required to set up your SSL successfully.

SSL General Settings

  • SSL Host – Enter your domain name.
  • Port – By default, it is TCP 443. Or, you can ask the port number from your web hosts.
  • Force SSL Administration – Tick the option for the security of your login page and admin page.
  • Force SSL Exclusively – If you want to force all the webpages on your site to HTTPS, do not tick this box.
  • Remove Unsecure Elements – If you can make sure that everything, especially your templates and plugins, on your site is accessible over HTTPS, you’d better enable this function.

The rest options including debugging mode, enabling proxy and deciding the admin menu location should be determined based on your needs. Then, click the Save Settings button.

Here, we want to talk more about the “Force SSL Exclusively” option. Personally, we do not recommend you to enable this function. Besides the security concern, forcing SSL to every webpage also benefits your site SEO.

As announced by Google Webmaster Central Blog at August 6, 2014, this main search engine simply gives more ranking benefits to those who use HTTPS. In this case, transforming all your HTTP links to HTTPS ones needs to be taken into account.

Also, if you have several sub-domains or add-on domains, you should use the Domain Mapping function of this plugin. Otherwise, your readers may encounter the security warning like the pop-up box showed in the following, which end up driving them away from you.

Domain Mapping

Security Warning Message

Warning Message

Besides, if you do not want your entire site to be accessed using HTTPS, you should tick the option of Force SSL Exclusively in the General Settings. Thus, you can find a special box appeared at the editing screen of your webpage. In the following example, we simply decide the admin menu location at the sidebar.

HTTPS Sidebar Box

Thus, when editing any webpage of your site, you can decide whether to force it to HTTPS by ticking the box.

Finally, you need to go back to the General Settings of your dashboard, checking whether the WordPress Address and Site Address are HTTPS links. If not, you should change them manually and save the settings.