The Internet isn’t always a safe place, and bad players are always looking for an opportunity. That’s why most companies use the Secure HTTP (HTTPS) protocol for their websites.
Today we’re going to learn about HTTPS, what it is, why it’s important for WordPress sites and a quick guide to adding HTTPS to your new WordPress site.
What is HTTPS?
HyperText Transfer Protocol, or HTTP, is a method used by web servers and clients (browsers) to communicate and transfer webpages and files (note – there are loads of other protocols like FTP, SSH and BitTorrent). When you visit sites that are using standard HTTP, it means your communication with the server is traveling unencrypted.
HTTPS is a secured version of the HTTP protocol which uses SSL (Secure Sockets Layer) encryption. Current servers and browsers actually use TLS (Transport Layer Security), the successor to SSL, but the name “SSL” has stuck. This is the safer and preferred method for all types of websites.
How Does HTTPS Work?
How SSL works in the background requires a bachelor’s degree in Computer Science and a solid understanding of cryptography. Thanks to the concept of abstraction, we need not worry about that. Just remember:
HTTP + SSL = HTTPS
In a nutshell, before any data is transferred, HTTPS performs a “handshake” that relies on a matching pair of keys: a public key (available to anyone who wants to visit a website) and a private key (kept on the website owner’s server). Once the handshake is done, the connection is established and the secured session begins. When you visit an HTTPS site, all of this happens almost instantaneously before you see the green indicator in your browser’s address bar.
Do I Need HTTPS On My WordPress Site?
Yes, you should be using HTTPS via an SSL certificate on your WordPress site. In addition to security, the other two big reasons are that search engines and modern browsers prefer HTTPS.
HTTPS Is Secure
With an SSL certificate your connection is encrypted. A virtual tunnel is created through which only the server and the browser can communicate. Nobody else can interpret that channel. Even if an attacker taps into that channel, they wouldn’t be able to make sense of the encrypted data. They would need the private key, which is kept only on the server.
HTTPS also ensures data integrity, which is the consistency of the data requested and the actual data received. Consider this example: Someone visits your site for a particular post on XYZ server setup instructions. At the end of the post, you leave an affiliate link. On an unsecured site, an attacker could easily tap into the connection and send your visitor the compromised data. In all probability, he’ll replace your affiliate link with a phishing link. Thus there’s a monumental difference in the data requested and the data actually received – the integrity of the data is destroyed. With SSL, none of this is possible!
HTTPS as a Rank Factor for Search Engines
Having a valid SSL certificate should be a part of your security strategy, and it should also be a part of your SEO. In fact, Google has been very upfront about the fact that they take HTTPS into account. Here is a quote from a post at the Google Search Central blog published back in 2014:
…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.
While they go on to explain that it doesn’t carry as much weight as other elements (namely content), it is still a contributor to your SEO.
Browser HTTPS Preference
Modern browsers have also made their preferences clear. Most already display “not secure” warnings in the address bar, which can be a deterrent to site visitors.
But some browsers are taking a firmer stand. Chrome developers recently announced that the popular browser will soon force all HTTP URLs to go to HTTPS. But that’s not all: downloads from HTTP sites will now have an “unsecure” warning. This is their next step towards universal HTTPS for a safer, more secure web.
How to Add HTTPS to WordPress
To add HTTPS to your WordPress site you need to install an SSL certificate. Setting up SSL used to be a complicated and tedious process. It required technical expertise and substantial time, and there was a lot of room for error. Additionally, the only free option was to use a “self-signed” certificate. This might have seemed like a good option; however, because such a certificate is not signed by a valid Certificate Authority, it would often lead to browsers throwing a warning or even blocking readers from attempting to reach your site.
But thankfully, the web is an ever developing place and there are now easy SSL certificate options that anyone can afford and manage. So HTTPS is a must for any new WordPress site.
Let’s Encrypt Free SSL
A great, affordable option is to use a free Let’s Encrypt SSL certificate for your website. This can be added and managed through some hosting companies; a couple of our favorites are Cloudways and WP Engine. In this case there is typically an “SSL” section where you can manage Let’s Encrypt as well as auto-renewals from within your site’s hosting dashboard. So to add HTTPS to your WordPress site you simply need to enable the option after purchasing your hosting plan.
Alternatively, if your host does not include this feature you can still use Let’s Encrypt. In this case you’ll need to complete your hosting setup and log into your WordPress site. From here you can use a free plugin like Really Simple SSL. The plugin has a setup wizard to install and later renew your SSL certificate for you, making the process quick and easy.
Premium SSL Certificate
For many businesses using a paid-for SSL certificate is the best option (or the required one depending on your needs). There are a handful of SSL certificate types, which include:
- SSL: common, standard option for most blogs/websites
- Wildcard SSL: for multiple subdomains
- EV SSL: for e-commerce and sensitive information
- Multi-Domain: for multiple domains using the same IP
Not all web hosts sell premium SSL certificates, so you may need to purchase the certificate from a third party (like GoDaddy) then import the certificate to your site.
For example, with WP Engine you can use their guide for generating a new CSR (certificate signing request), which will walk you through the following general steps to install a new SSL certificate for your WordPress site:
- Navigate to SSL > Add Certificates > Create CSR
- Select a certificate type as well as the domain(s) it will be used for
- Generate the CSR which you will then provide to your SSL issuer (note – leave this WP Engine page open)
- Download your SSL files
- Upload the SSL files to the WP Engine CSR page
- Verify the certificate and confirm your HTTPS preferences (“secure all URLs” should be default)
- Confirm to Upload Certificate
You can also set up SSL via your Cloudflare CDN. They offer free SSL for all plans (including their free plans), though ideally you’d use Cloudflare in addition to an SSL certificate (free or premium) set up for your main hosting server.
You can read detailed instructions in the Cloudflare documentation, but in summary within your SSL/TLS settings tab you can:
- Select a certificate type (for most this is the “universal certificate” option)
- Choose the encryption mode (Full-strict is best but requires SSL on your origin server and is only available for premium plans, and Flexible is the only option on free plans)
- Select the option to enforce HTTPS
- Optional: If using “Flexible” mode, also install the free Flexible SSL for Cloudflare plugin on your WordPress site to prevent redirect loops
- Under Cloudflare’s Page Rules add a new rule to force all traffic to SSL:
  - If the URL Matches: http://*your-full-domain.com/*
  - Then the settings are: Always Use HTTPS
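Why “Flexible” mode can produce the redirect loop mentioned above, as an added example that is not code from Cloudflare, WordPress or the plugin: in Flexible mode the proxy reaches the origin over plain HTTP, so an origin that forces HTTPS keeps redirecting unless it honors the proxy’s X-Forwarded-Proto header. This is a simplified model; the host example.test, the proxy address and every function name are assumptions.

```python
# Simplified model (assumption): one proxy address, one origin that forces HTTPS.
TRUSTED_PROXIES = {"198.51.100.7"}   # constructed address standing in for the CDN edge
MAX_REDIRECTS = 5

def request_is_https(conn_scheme, peer_ip, headers, honor_forwarded_proto):
    """Decide whether the origin should treat the request as HTTPS."""
    if conn_scheme == "https":
        return True
    # Only believe X-Forwarded-Proto when it comes from the proxy itself;
    # any client can send this header on a direct plain-HTTP connection.
    return (honor_forwarded_proto
            and peer_ip in TRUSTED_PROXIES
            and headers.get("X-Forwarded-Proto") == "https")

def origin(conn_scheme, peer_ip, headers, path, honor_forwarded_proto):
    """Origin that forces HTTPS: 301 unless the request counts as HTTPS."""
    if request_is_https(conn_scheme, peer_ip, headers, honor_forwarded_proto):
        return 200, None
    return 301, "https://example.test" + path

def visit_through_flexible_proxy(url, honor_forwarded_proto):
    """Follow redirects as a browser would, with the proxy in Flexible mode."""
    for hops in range(MAX_REDIRECTS + 1):
        visitor_scheme, _, rest = url.partition("://")
        path = "/" + rest.partition("/")[2]
        # Flexible mode: visitor-to-proxy may be HTTPS, proxy-to-origin is HTTP.
        headers = {"X-Forwarded-Proto": visitor_scheme}
        status, location = origin("http", "198.51.100.7", headers, path,
                                  honor_forwarded_proto)
        if status == 200:
            return "ok", hops
        url = location
    return "redirect loop", MAX_REDIRECTS

if __name__ == "__main__":
    print(visit_through_flexible_proxy("http://example.test/blog/", False))
    print(visit_through_flexible_proxy("http://example.test/blog/", True))
```

Because the proxy-to-origin hop in this mode is unencrypted, the header is only a statement about the visitor’s side of the connection, which is why the model accepts it from the proxy’s address alone.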
Note: Our tutorial is focused on new websites, but if you are just now adding an SSL certificate to an existing website you will also need to complete a few additional steps. These include updating existing links in your database to use HTTPS, adding a redirect rule for any HTTP links to go to HTTPS (this can be added through your CDN), and confirming within your WordPress dashboard under Settings > General that the “WordPress Address” and “Site Address” fields are using HTTPS in the URLs.
Hopefully this guide has been of help! HTTPS is an important part of web security as well as SEO, so we recommend adding it to your website from the get-go. But if you have any other questions about adding HTTPS to your WordPress site or installing an SSL certificate, leave a comment below.
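To see which stored links still need updating on an existing site, the added example below (not part of the original tutorial) scans post HTML for leftover http:// URLs, separates subresources that would load as mixed content from ordinary links, and upgrades only URLs on the site’s own host. The host example.test, the sample post and all names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a subresource
# (link is assumed to be a stylesheet in this simplified check).
SUBRESOURCES = {("img", "src"), ("script", "src"), ("iframe", "src"),
                ("link", "href"), ("source", "src")}

class HttpUrlFinder(HTMLParser):
    """Collect http:// URLs from post HTML and classify each one."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []          # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            parts = urlsplit(value)
            if parts.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCES:
                kind = "mixed-content"      # loaded into the HTTPS page
            elif parts.hostname == self.site_host:
                kind = "own-link"           # works only via the redirect
            else:
                kind = "external-link"      # leave alone; may lack HTTPS
            self.findings.append((kind, tag, value))

def find_http_urls(html, site_host):
    finder = HttpUrlFinder(site_host)
    finder.feed(html)
    return finder.findings

def upgrade_own_urls(html, site_host):
    """Rewrite http://site_host to https://, without touching look-alike hosts."""
    pattern = re.compile(r"http://" + re.escape(site_host) + r"(?=[/\"'?#:\s]|$)")
    return pattern.sub("https://" + site_host, html)

# Constructed sample of stored post content.
SAMPLE_POST = (
    '<p><a href="http://example.test/about/">About</a> '
    '<img src="http://example.test/wp-content/uploads/logo.png"> '
    '<script src="http://cdn.invalid/widget.js"></script> '
    '<a href="http://example.test.elsewhere.invalid/">other</a> '
    '<a href="https://example.test/ok/">ok</a></p>'
)
```

Run this over post content only: WordPress also stores some settings as PHP-serialized strings with length prefixes, and a plain text replacement on those values would corrupt them.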