Using SSL and HTTPS for Your WordPress site?

Home - WordPress Security - Using SSL and HTTPS for Your WordPress site?

Using SSL & HTTPS for Your WordPress site?

Sharing information on the internet is common. Yet, we hardly give it a second thought. Every day, we share our personal information over websites or on other platforms. This sharing can be in the form of paying for bills/services using a credit card. Also, it might be sharing addresses, emails or even grocery shopping. These can threatens your WordPress website security.

As a website owner, you have a huge responsibility of keeping the information. You must keep it up to the relevant security standards, and to ensure its confidentiality. Thus, that is where SSL comes in. The purpose of SSL is to protect the information that users share online. Besides this, SSL prevents it from getting misused by the wrong person

 Furthermore, the workings of SSL are simple. SSL encrypts the information that get passed through the site’s server to the browser. As a result, it avoids information that remains view-able as plain-text. Hence, it means the text get arranged into random illegible numbers and letter instead of readable words

Why Secure Socket Layer (SSL) is important?

The importance of protecting user information on the internet can get determined. More so, from the fact that in 2016, Google announced to boost the search ranking of websites using SSL. While you could see a 1% increase at that time, the search engine has planned to increase the boost with time. Hence, it gives everyone a fair chance to switch over.

Besides, you need an SSL protection, if a user must provide personal information on your site like address, name, and credit card details among others. Otherwise, you are more likely to compromise on the user’s information.

Creating a Secure SSL Connection

To create a protective SSL connection on your website, you need to get the SSL certificate. However, you should get it from the issuing company, known as Certificate Authority. It can maintain security of every site including online eCommerce store. You can also read about how you can secure your eCommerce site.

Once the purchase gets made, company and website details get provided to the authority. These includes your address, name and phone number. Likewise, the site owner in turn receives a private and public key. The public key need not get kept hidden. However, the private key is like a password, and must not get shared with anyone.

Like a matching lock and key, these are a simple string of cryptic numbers and letters. However, they mathematically and distinctly match together. Typically, they get built by a Secure Hash Algorithm.

Later, the public key gets submitted to the authority with your entered information. Also, they get submitted in a file known as Certificate Signing Request. The authority then checks the accuracy of the information through verification. Also, it ensures that you are not a hacker or scammer. Once things are clear, the SSL certificate get signed, using a SHA.

The website becomes eligible to use SSL-encrypted connection after the certificate get issued. Hence, when a user visits an SSL site, the server matches the private key with the SSL certificate. If the combination matches, an encrypted link gets established.

The link is between the user and its browser, as well as the site and its server.

Appearance of an SSL protected website

The default prefix is HTTP. But, another prefix ‘https’ will start appearing along with the URL. Moreover, the green padlock will get displayed in the browser’s address field. It also refers to an SSL protected site.

The address bar turns green when you buy an SSL Certification with extended validity. Or, it will have the name of the company (with a green background appearing before the URL). An extended validation certificate offers extra security.

The certification gets issued once the company passes a much-detailed application process. Besides, the standard requirements, the company must provide proof of their legal operation.  Additionally, they must provide their physical address.

Using SSL with Your WordPress based website

The ready SSL Certificate can get used in a WordPress site. However, before you make any further changes, you must back up the entire site. As a result, you will prevent losing everything, in case of making a wrong move.

The steps discussed below get used for both single and multi-site installations. Firstly, edit the following code in your wp-config.php file. This will force both the access and logins to the WordPress admin area for using SSL. define (‘FORCE_SSL_ADMIN’, true);

Ensure it get placed simply above the line that says- /* That’s all, stop editing! Happy blogging. */

The next step is to set a redirect- 301. Hence, website visitors are automatically redirected to your SSL secured site. However, you must use https rather than HTTP.

If the .htaccess file does not exist already, create a new one or edit the existing one. In the case of having one already, place the code above all the things that are already there.

 <IfModule mod_rewrite.c> RewriteEngine OnRewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$$1 [R,L] </IfModule>

When you place the code, do not forget to edit the domain and server portal well. It is time to test the efforts, visit the URL of your site. If you see a green padlock next to the URL, you have successfully attempted the SSL Certification.

When does your SSL stops working?

If an SSL Certificate becomes invalid, is self-signed or has expired. Thus, the padlock either turns red or gets a line through it sometimes. To renew the encryption, the site owner must get the SSL renewed. Nonetheless, it is through the authority once the certificate gets expired. To keep seamless security throughout, do not let the certification expire. Also, ensure you renew it timely.

Self-signed certificates

If in case you are using a self-signed certificate, it means you have applied for one. Besides, you have issued your certificate. Thus, you did not pass through a Certificate Authority. Furthermore, the authority did not confirm you or the Certificate.

To keep the distinction, many browsers only show trust for SSL Certificates. These get issued by an authority of confidence. Alternatively, the browsers display a warning on every site using a self-designed certificate. Thus, it is important that you only go for the high-ranking Certificate Authority.

Otherwise, your site might still get recognized for using a self-signed certificate. Yet, your SSL Certificate may become invalid for many other reasons. Also, it may become invalid like an outdated SHA encryption. If the browser fails to verify the authority certificate, SSL certificate becomes invalid.

This usually happens when the certificate’s domain name does not match with the actual site that uses it. The best way to go about these issues is to update the certificate with authority. Also, ensure you follow the instructions.


Hashing uses a set of mathematical rules. These get applied to convert the entire information written as characters to a key. Moreover, to keep the security high, you need robust hashing. This is because the technology advances.

With many versions of SHA, SHA0 is no longer usable. Besides, SHA1 has already got phased out by the majority of browsers. These includes Internet Explorer.

Google Chrome announced to issue warnings after January 1, 2016, for sites using SHA1 by that time. Later the encryption standard of SHA2 was also somewhat discontinued. However, this was in favor of encryption standard SHA3.

The Yellow padlock

If you notice a mini yield sign with a padlock, it shows that the links of your site refer to some unsecured page. Thus, ensure the menu items, all the images, and links use ‘https’ in their URL.

However, if you like to know the source of an invalid certificate, use Why No Padlock as the free tool. It instantly informs you of the particular problem that may be prevalent. Besides, it includes the scripts or images.


Obtaining an SSL certificate to protect user information on your site is vital. Also, it is necessary to earn the confidence of the visitors. However, that is not the only security solution you can get. Ensure the integrity of your site by choosing premium WordPress security plugin. For example, iThemes Security Pro or Wordfence. To get more pointers about using SSL with WordPress, consider the specific requirements. Also, you may get the help from WordPress Codex page section ‘Administration Over SSL’.