
How to protect your WordPress blog with HTTPS


While the Internet has brought us a lot of impressive things, one part of our lives that it does not always respect is privacy. Sharing our information online has, at times, become normal.

I'm not just talking about what we ate for breakfast, but also about how readily we give out information that would be better kept private.

Credit card numbers, bank account information, not to mention the login information for the dozens of sites you've probably already logged in to today.

It is time for this information to get the protection it deserves.

However, it is not always up to visitors to take action. These measures are also your responsibility as the owner of a WordPress blog.

If your WordPress site manages sensitive information, you must make sure your visitors and customers can trust you. And there are many ways to do it.

In this tutorial, I will show you how to add the HTTPS protocol to your WordPress blog.

What are HTTPS and SSL?

You have probably heard these two acronyms before. If not, chances are you've seen them at work anyway.

You may have noticed that every time you interact with a secure site (such as your online banking portal), the address in your browser bar starts with https:// instead of the usual http://.

In addition to this, most modern browsers will display a small padlock in the browser bar when you are connected to such a site.


In some cases, you might even see the entire company name displayed.


These are signs that the site you are currently visiting has taken steps to protect their traffic and the privacy of their visitors.

The tools for this are the HTTPS and SSL mentioned above. They help to make communication on the internet reliable.

HTTPS stands for Hypertext Transfer Protocol Secure. It differs from HTTP in that it uses SSL (Secure Sockets Layer), backed by a certificate, to establish the connection between the browser and the server.

The protocol sets up the connection between the two and, once that relationship is successfully established, only encrypted information is transferred.

This means that all the plain text information that anyone could otherwise read is replaced by random-looking letters and numbers that are not human readable.

If a hacker succeeds in intercepting the exchange of information, the encryption will not make it easy for them at all.

The SSL certificate used for such a connection is installed on the site. Certificates are issued by an authority called a certificate authority (CA) and are unique to each site.

In theory, anyone can issue SSL certificates. However, browsers only accept certificates from authorities known to be trustworthy. As a result, the CA vouches for the reliability of the site.

Most modern browsers will warn you if the certificate is not correct, which means that the connection is probably unreliable.

Encryption standards

SSL and HTTPS come with different encryption standards. The oldest is called SHA0 and is no longer used. Its successor, SHA1, while still in circulation, is currently being phased out. Google Chrome, for example, will start issuing warnings for sites running on this standard by the beginning of 2016.


The current encryption standard for SSL protocols is SHA2. However, at a certain point, it will give way to SHA3 which is currently under development.

Anecdote: SSL is actually not the correct name for the technology anymore. It was improved in the 1990s and its name changed to Transport Layer Security (TLS). However, the acronym SSL has stuck and is still used to this day.

Why you need SSL and HTTPS

Learning to add HTTPS and SSL on WordPress is absolutely essential if you run an ecommerce site to accept payments. The financial information of your customers should not be taken lightly.

However, the protocol can also be used to protect other information such as login information, address data and things that many people would like to keep private.

As a website owner, you can also consider adding the HTTPS protocol for selfish reasons, as it has become a ranking factor on Google and other search engines.

Plus, since we are talking about SEO: HTTPS will also help you in your rankings because it Is more lives.

The transition to HTTPS

The first step in moving your website to HTTPS is the purchase of an SSL certificate. There are several ways to buy a certificate.

A good starting point is probably your hosting company, as they often provide certificates as part of their hosting services.

However, there are also a number of third-party providers. To help you, you can consult the list of certification authorities included in Mozilla Firefox.

The costs may vary depending on the provider, your number of subdomains and other factors. Unfortunately, if you run multiple websites, it can quickly become expensive.

The cost factor is also one of the reasons I'm waiting for "Let's Encrypt", a free, open source certification authority that is on its way (Automattic is among the sponsors).

Once you have installed a certificate, you will need to follow the supplier's instructions. The process is different for everyone, so I cannot tell you how to do it here.

After that, you need to talk to your hosting provider to implement the certificate and make the transition to the HTTPS protocol on the server side. That's also why turning to your hosting provider for the certificate could be the easiest option.

Is that all done? Okay, now we will focus on the changes you need to make in WordPress.

How to configure WordPress for HTTPS and SSL

Unfortunately, simply adding the certificate is not enough. You need to make additional adjustments in WordPress.

The following steps assume that you want to use HTTPS everywhere on your site, which is usually a good idea.

However, there are also use cases for using it on only a few pages of your site. We will come back to this later.

1. Make a backup

As with anything that involves major changes to your blog, your first instinct should be to create a backup. That way, if things go wrong, you can always go back to the previous state. Here is a list of plugins that can help you.

2. Add SSL to your WordPress dashboard

The first thing we want to do is add an HTTPS connection for all pages on the WordPress dashboard. This way, when someone connects to your site, all the data will be exchanged safely.

To do this, you must add the following line of code to your wp-config.php file:


define('FORCE_SSL_ADMIN', true);

Once you've added the line, saved the file and uploaded it to your server, it's time to run a quick test. Go to your login page (over https://) to check that everything is working well.

If all is well, you should now have a secure connection. However, if you encounter a problem, remove the line from wp-config.php because there will be troubleshooting to do.

However, for the moment, we will assume that everything is fine and we can move on to the next step.

3. Update your

If your admin area has been successfully moved to HTTPS, it's time to do the same for the rest of the site. For this, we must first change your site address.

It's very simple: just go to Settings > General and add https:// to both your WordPress address (where your installation resides) and the site address (the address that visitors enter in the browser).


Save and that's it. You will probably be prompted to sign in again later.

To make sure your visitors can safely surf your site, you also need to set up a .htaccess redirect. Most people should already have this file on their server (make sure your FTP client shows hidden files); otherwise you have to create one.

In the .htaccess file, add the following lines of code:

<IfModule mod_rewrite.c>
# Send every plain-HTTP request to the same host and path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Now all your visitors should be automatically redirected to the secure part of your website.

How to configure the HTTPS protocol on some pages

I advise you to use SSL everywhere on your site, yet some people might not want to use it on certain pages.

Here is an example use case: you decide to implement secure connections only for sensitive parts of your site, such as shop forms and baskets, and leave the rest without SSL security.

This goal can be achieved with the WordPress HTTPS (SSL) plugin. It lets you choose where to use the HTTPS protocol on your site.


While it is true that the plugin has not been updated for some time, reliable sources claim that it is still possible to use it. If you have problems, I suggest you try Better WP Security, which has similar features.


In theory, the above should be more than enough to move your entire site to SSL. However, since things do not always go as expected, here are some troubleshooting tips.

1. Mixed content warning

Mixed content occurs when portions of your content continue to be delivered via HTTP while the rest of your site has been moved to the more secure HTTPS.

In this case, modern browsers display a warning telling visitors that some of your content is insecure.

Use the free tool SSL Check to scan your entire site for unsecured images, scripts, CSS files and so on. With this information, you can then take corrective action. An alternative for checking individual pages is WhyNoPadLock.

You can also watch the padlock symbol in your browser bar while surfing your site. It will display a warning when you visit a part of the site that uses mixed content.

If you encounter such a page, you can find the culprit by having a look at the console in the Chrome or Firefox development tools or with an extension such as Firebug.
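The same hunt can be scripted. The following is an added example, not part of the original tutorial: it parses a page's HTML and lists the images, scripts and stylesheets still requested over http://. The sample page and its example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# tag -> (kind, URL attribute). Browsers typically block insecure "active"
# loads outright, while "passive" ones usually just cost you the padlock.
TAGS = {
    "script": ("active", "src"), "iframe": ("active", "src"),
    "link": ("active", "href"), "img": ("passive", "src"),
    "audio": ("passive", "src"), "video": ("passive", "src"),
}


class MixedContentFinder(HTMLParser):
    """Collect subresources that a page still requests over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in TAGS:
            return  # e.g. <a href> is navigation, not a subresource load
        kind, attr = TAGS[tag]
        attrs = dict(attrs)
        # Only a stylesheet <link> is counted here; rel="canonical" and
        # similar are metadata and never trigger a mixed content warning.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample: a page whose theme and posts still hard-code http://.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.net/slider.js"></script>
</head><body>
<a href="http://example.org/">ordinary links are not mixed content</a>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Fix the "active" findings first, since a blocked script or stylesheet breaks the page rather than just removing the padlock.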


2. Certificates that expire

When your certificate expires, visitors get a strong warning about it and are advised not to browse your site. Therefore, you must not let this happen. Make sure to always renew your certificate in time.

The same warning can also be given for self-signed certificates that are not validated by an outside authority.

3. The domain name of the certificate does not match the site address

Sometimes, the reason your site does not get the go-ahead from browsers is a difference between the actual domain name and the one registered on the certificate. If this is the case, you need to resolve it with your certificate authority.

You can easily diagnose this error using the WhyNoPadLock tool mentioned above. Another server analysis tool is SSL Server Test by SSL Labs. It is also free and can give you lots of information about your SSL configuration.
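The two certificate problems above (expiry and a domain name that does not match) come down to two checks on the certificate's data. The sketch below is an added example, not part of the original tutorial; it works on a dictionary shaped like the one Python's `ssl.SSLSocket.getpeercert()` returns, and the certificate values, hostnames and the 30-day warning threshold are constructed assumptions.

```python
import ssl
import time


def name_matches(pattern, hostname):
    """Compare a certificate DNS name with a hostname, label by label.

    A "*" is honoured only as the whole leftmost label and stands for exactly
    one label, so *.example.com covers www.example.com but not example.com.
    """
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def check_cert(cert, hostname, now=None, warn_days=30):
    """List the problems a browser would (or soon will) complain about."""
    now = time.time() if now is None else now
    problems = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:
        problems.append("expires soon")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    return problems


# Constructed sample certificate data and a fixed "current" time, so the
# result does not depend on when the example is run.
SAMPLE_CERT = {
    "notAfter": "Jun 11 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "img.cdn.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now=NOW) or "ok")
```

The sample shows the common WordPress case: a certificate issued for www.example.com does not cover the bare example.com, so the site address in Settings > General has to use a name the certificate actually lists.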

4. CDN does not consider SSL

If you're one of the many WordPress users who use a content delivery network to speed up their site, you need to make sure your CDN supports SSL before using it. MaxCDN is an example that supports the HTTPS protocol. Check with your provider.

To summarize

If you run a WordPress site that processes sensitive data, you should not skip the HTTPS protocol. Without encrypted traffic, the risk that your customers' information will be intercepted is simply too great.

In addition to being a responsible service provider, the extra layer of security is also a plus point for search engines. So, if you do not do it for your customers, at least do it for the rankings.

However, it is important to note that the HTTPS protocol is not the alpha and omega of WordPress security. To keep your site really safe, additional steps are needed.
