WordPress Security: Installing SSL
WordPress security – and SEO – is incomplete without SSL and HTTPs. Secure Socket Layers encrypt your visitors’ data when they access your blog, making it a lot harder to snoop and intercept your users’ traffic. Google, in its turn, motivates bloggers to secure their websites with SSL and HTTPS by rating secure sites higher than blogs without SSL. More so, Internet denizens are increasingly aware of the dangers of insecure HTTP connection instead of HTTPS. Therefore, adding SSL to your WordPress helps you gain a positive reputation among your readers.
You can add SSL certificate from your hosting provider. Pricing differs – while some providers offer SSL certificate as a standalone feature, others bundle it with their hosting plans. Some hosts offer free SSL. A standard certificate like Comodo Positive SSL for a small business website, personal blog typically remains cheaper than EV SSL certificate for an eCommerce site.. You can also get an SSL certificate for free.
Free VS Paid SSL Certificates
Paid SSL certificates, typically provided by WordPress hosting, have one advantage over free SSL – technical support.
Free SSL certificates are available through such nonprofits as Let’s Encrypt or firewall solution providers like Sucuri (working with the same Let’s Encrypt). CloudFlare offers free SSL certificates that come bundled with their free plan, too. Free SSL may or may not come with the tech support option – it depends on your subscription type (if you’re ordering via Sucuri or CloudFlare).
The good news is most hosting providers now support Let’s Encrypt free SSL certificates, and have comprehensive installation guides for them.
Changing Internal URLs to HTTPS
Installing SSL certificate is a fairly simple affair involving little intervention on your part. Here is how to add SSL and HTTPS to your WordPress blog:
Go to Settings → General → find WordPress Address and Site Address and change “http” to “https” in both cases.
Redirecting HTTP to HTTPS
If your website already has some content posted, you need to set up a redirect. Go to the main directory of your web hosting, typically called “htdocs” or, in some cases, it’s dubbed after your site’s name. Find a file “.htaccess” and include the following:
RewriteEngine On
RewriteCond %{SERVER_PORTZ} 80
RewriteRule ^(.*)$ https://www.[blog].com/$1 [R,L]
Note: the [blog] is the domain of your website. Voila! You’ve just added an automated redirect that will send HTTP request to HTTPS instead.
Useful Plugins
Alternatively, you can use a plugin to set up your site to run over SSL. Such plugins will complete all of the manual work for you, but you still need to buy an SSL certificate – or get a free one. Note: always backup before you introduce changes to your blog!
Here are some plugin suggestions:
- Really Simple SSL is a lightweight plugin that only requires installation and activation. It will make the changes to your “.htaccess” file to configure it to run over HTTPS.
- WP Force SSL force-redirects HTTP traffic to HTTPS, and you don’t need to mingle with coding. All you need is change HTTP to HTTPS in your admin dashboard’s general settings (WordPress Address and Site Address).
- If you use Cloudflare for your SSL, consider using the Cloudflare SSL plugin to avoid having to tweak the code manually.
Verify If It Works
Once you’ve installed your SSL certificate, verify whether it’s configured correctly. Try SSL Server Test by SSLLabs to make sure your SSL works as it should.
As you can see, in just a few easy steps, you will deliver better security to your visitors and improve your website’s authority. But SSL certificate doesn’t mean your WordPress blog is completely secure – it just encrypts the traffic between your readers’ browsers and your site’s server. If you are serious about your WordPress security, check out Blogger’s Guide to WordPress Security by Alex Grant for more tips on safeguarding your WordPress sites.