Securing the WordPress website is always a question & there are many points we can cover to secure this platform. But today, we will discuss about one of those points “SSL implementation”. I have already published one article on securing the WordPress which includes all possible points. Please click here to learn how to completely secure WordPress.
Difference between SSL and HTTPS
Before we proceed, let’s understand the difference between SSL and HTTPS.what is SSL ? – The full form of SSL is Secure Sockets Layer. Its the protected technology which enables establishment of encrypted links between browsers and server.
what is HTTPS ? – The full form of HTTPS is Hyper text transfer protocol and its the URL scheme which signals the browsers to establish an encrypted connection layer between server and browser.
SSL working procedure and installation
SSL is provided by your hosting company and you can even buy it from other companies where you don’t host your website. Purchasing the SSL from third party hosting companies is the user choice when it comes to bargaining. Sometime we get lower priced SSL from other companies & we buy it. The process of installation for third party SSL and hosting company SSL is always different. It’s always easy to install the SSL if we purchase from the hosting companies where we host our website.
The SSL certificate is the system generated file which contains strange pattern of alphanumeric characters. Its the file which contains the domain name, SSL expiration date, SSL certificate type, Issuer, Key size and some more information. There is a special procedure to install SSL certificates to our CPANEL. Before SSL installation can proceed on server, we need to paste 3 things, Certificate , Private Key and Certificate Authority Bundle(CABUNDLE). Its pretty easy but still i recommend you to call the hosting support once you purchase it. Once the hosting support confirms the SSL has been installed on the server, you can verify the SSL activation via this link
https://yourdomain.com. If due to any reason the SSL activation fails or takes time, you will see something like below screenshot.
In this article, I’m going to show you how to redirect WordPress from HTTP to HTTPS without moving in any issues. There is a proper procedure to implement SSL redirection in WordPress. I’m going to cover everything from implementing force SSL on WP back-end to front-end. I will assume that SSL for your domain has been purchased and installed on your server. I repeat again, Once after purchasing the SSL certificate from your hosting company, If you don’t understand the procedure to install the SSL, please call your hosting support and I’m sure they will help you.
Backup your website files and database
Whenever making any major changes to website, you must always back it up. The backup should contain files and database both. There are many ways to backup a WordPress website. You can back it up using 3 methods.Method 1 – Install and activate a backup plugin to handle the complete backup job.
Method 2 – Back up via CPANEL/WHM backup functionality.
Method 3 – Manual Backup. Create a zip of your
public_html and export database from phpmyadmin.Migrate from HTTP to HTTPS using WordPress plugin
This is the easiest method for implementing HTTPS force redirect. Install and activate the pluginReally Simple SSL and configure it. Configuring is user friendly and plugin will take care of everything.From HTTP to HTTPS using manual procedure
Step 1 – Login to your wordpress admin dashboard and go toSettings -> General. Change the WordPress address URL and site URL and make sure HTTP is replaced with HTTPS.
If you notice the WordPress address URL field or site URL field as disabled(disabled field doesn’t allow editing) then look up wp-config.php for the following codes. Now replace HTTP with HTTPS
define( 'WP_SITEURL','http://example.com/');
define( 'WP_HOME', 'http://example.com' );
step 2 – Now go to
Settings -> Permalinks and click on save changes. Its good to update permalinks.step 3 – Now open
wp-config.php file and above lines /* That's all, stop editing! Happy blogging. */. Paste below codes if don’t find them. These constant will force WordPress backend to force redirect to HTTPS
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true); //deprecated
step 4 – Open your root
.htaccess file and to the top, paste the below code. Please remember to paste the htaccess redirect code at the very top, otherwise some of your WordPress pages may struggle with HTTPS redirect on front-end.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
step 5 – Manually replace all the HTTP URLs on pages, post, functions.php, header.php, footer.php etc. otherwise some browser won’t display green lock.
step 6 – If still some of your wordpress pages on frontend doesn’t redirect to HTTPS, then possibly
is_ssl() function doesn’t work. Just copy and paste the below codes to functions.php file of your WordPress.
<?php // don't use this line when using in functions.php //remove <?php becauase it exist on top of file
// if site is set to run on SSL, then force-enable SSL detection!
if (stripos(get_option('siteurl'), 'https://') === 0) {
$_SERVER['HTTPS'] = 'on';
// add JavaScript detection of page protocol, and pray!
add_action('wp_print_scripts', 'force_ssl_url_scheme_script');
}
function force_ssl_url_scheme_script() {
?>
<script>
if (document.location.protocol != "https:") {
document.location = document.URL.replace(/^http:/i, "https:");
}
</script>
<?php
}