Even if your WordPress site isn’t powering an e-commerce storefront, there are many reasons to take security seriously. Firstly, it’s easier and safer to administer a WordPress domain via HTTPS. While you could use a self-signed certificate to do so, it’s not an optimal solution. Furthermore, Google gives sites that use HTTPS an automatic SEO boost. If you want to install SSL on your WordPress site, here’s how to do it.
Purchase an SSL Certificate
Obviously, enabling HTTPS on any site requires the use of an SSL Certificate issued by a trusted authority like Comodo, DigiCert or Symantec. Prices can range from as little as $5 per year to hundreds of dollars depending on what you want to accomplish. If you plan to sell anything on your site, an Extended Validation Certificate is a must and will cost you at least $100. Both web hosts we recommend, WHC.ca and GreenGeeks.ca offer SSL certificates at reduced prices.
Submit the Signing Request
Buying an SSL certificate is just the beginning. Once you’ve laid down your money, you’ll need to request a certificate for a particular domain and verify your identity. More specifically, you’ll need to create a Certificate Signing Request and have the Certification Authority (CA) in question like Comodo or VeriSign confirm that you are who you say you are. Once they’ve done that, they’ll send you an actual SSL certificate via email.
Add the Certificate to Your Site
Installing a certificate on a server is simple. All you’re doing is copying a public key that corresponds with the private key generated during the Certificate Signing Request process into your site’s root directory. If your host uses cPanel or another popular administrative back-end program, this is simple. Just go to the SSL section within cPanel, upload the certificate that you received from the Certificate Authority and you’re generally good to go.
Modify Back-End WordPress Settings
Now that your SSL certificate resides on your server, it’s time to make it work with your WordPress installation. You’ll need to force HTTPS for your site by editing a few lines of code.
Open the wp-config.php file and add the line:
define('FORCE_SSL_ADMIN', true);
as well as
define('FORCE_SSL_LOGIN', true);
right before the
/* That's all, stop editing! Happy blogging. */
markup comment.
If you don’t dig manual coding, a WordPress HTTPS plugin will provide you with a handy GUI.
Audit Your Site for Security
It’s important to make sure that your site appears to be secure from the outside. As such, you’ll want to use a browser like Chrome to tour various pages and look for the green padlock icon in your address bar wherever you go. While you’re at it, make sure that the WordPress Address (URL) and Site Address (URL) fields in the General Settings portion of your admin panel are set to HTTPS.
Tie Up Any Loose Ends
If you’re still getting warning signs on your site after installing SSL, use the free Why No Padlock tool to troubleshoot errors. If you use Google Analytics, update your settings in Google Webmaster Tools to recognize the new HTTPS address. If your site is running slower after the upgrade, switch to a more powerful shared or VPS plan. With few exceptions, the preceding actions are all you’ll need to successfully enable SSL on your WordPress site.