
How to Use HTTPS on Your WordPress Site

The Internet isn’t always a safe place, and bad players are always looking for an opportunity. That’s why most companies use the Secure HTTP (HTTPS) protocol for their websites.

Today we’re going to learn about HTTPS, what it is, why it’s important for WordPress sites and a quick guide to adding HTTPS to your new WordPress site.

What is HTTPS?

HyperText Transfer Protocol, or HTTP, is a method used by web servers and clients (browsers) to communicate and transfer webpages and files (note – there are loads of other protocols like FTP, SSH and BitTorrent). When you visit sites that use standard HTTP, your communication with the server travels unencrypted.

HTTPS is a secured version of the HTTP protocol which uses SSL (Secure Sockets Layer) encryption. This is the safer and preferred method for all types of websites.

How Does HTTPS Work?

How SSL works in the background requires a bachelor’s degree in Computer Science and a solid understanding of cryptography. Thanks to the concept of abstraction, we need not worry about that. Just remember:

HTTP + SSL = HTTPS

In a nutshell, HTTPS uses a matching pair of keys, a public key (available to anyone who wants to visit a website) and a private key (kept on the website owner’s server), in a “handshake mechanism” prior to transferring data. Once the handshake is done, the connection is established and the secured session begins. When you visit an HTTPS site, all of this happens almost instantaneously before you see the green indicator in your browser’s address bar.

Do I Need HTTPS On My WordPress Site?

Yes, you should be using HTTPS via an SSL certificate on your WordPress site. In addition to security, the other two big reasons are that search engines and modern browsers prefer HTTPS.

HTTPS Is Secure

With an SSL certificate your connection is encrypted. A virtual tunnel is created through which only the server and the browser can communicate. Nobody else can interpret that channel. Even if an attacker taps into that channel, he wouldn’t be able to make sense of the encrypted data. He would need the private key, which is only known to the browser.

HTTPS also ensures data integrity, which is the consistency of the data requested and the actual data received. Consider this example: Someone visits your site for a particular post on XYZ server setup instructions. At the end of the post, you leave an affiliate link. On an unsecured site, an attacker could easily tap into the connection and send your visitor the compromised data. In all probability, he’ll replace your affiliate link with a phishing link. Thus there’s a monumental difference in the data requested and the data actually received – the integrity of the data is destroyed. With SSL, none of this is possible!

HTTPS as a Rank Factor for Search Engines

Having a valid SSL certificate should be a part of your security strategy, but it should also be a part of your SEO strategy. In fact, Google has been very upfront about the fact that they take HTTPS into account. Here is a quote from a post at the Google Search Central blog published back in 2014:

…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.

While they go on to explain that it doesn’t carry as much weight as other elements (namely content), it is still a contributor to your SEO.

Browser HTTPS Preference

Modern browsers have also made their preferences clear. Most already display “not secure” warnings in the address bar which can be a deterrent to site visitors.

But some browsers are taking a firmer stand. Chrome developers recently announced that the popular browser will soon force all HTTP URLs to go to HTTPS. But that’s not all: downloads from HTTP sites will now have an “unsecure” warning. This is their next step towards universal HTTPS for a safer, more secure web.

How to Add HTTPS to WordPress

To add HTTPS to your WordPress site you need to install an SSL certificate. Setting up SSL used to be a complicated and tedious process. It required technical expertise and substantial time, and there was a lot of room for error. Additionally, the only free option was to use a “self-signed” certificate. This might have seemed like a good option; however, because such a certificate was not signed by a valid Certificate Authority, it would often lead to browsers throwing a warning or even blocking readers from attempting to reach your site.

But thankfully, the web is an ever developing place and there are now easy SSL certificate options that anyone can afford and manage. So HTTPS is a must for any new WordPress site.

Let’s Encrypt Free SSL

A great, affordable option is to use a free Let’s Encrypt SSL certificate for your website. This can be added and managed through some hosting companies; a couple of our favorites are Cloudways and WP Engine. In this case there is typically an “SSL” section where you can manage Let’s Encrypt as well as auto-renewals from within your site’s hosting dashboard. So to add HTTPS to your WordPress site you simply need to enable the option after purchasing your hosting plan.

Alternatively, if your host does not include this feature, you can still use Let’s Encrypt. In this case you’ll need to complete your hosting setup and log into your WordPress site. From here you can use a free plugin like Really Simple SSL. The plugin has a setup wizard to install and later renew your SSL certificate for you, making the process quick and easy.

Premium SSL Certificate

For many businesses, using a paid-for SSL certificate is the best option (or the required one, depending on your needs). There are a handful of SSL certificate types, which include:

  • SSL: common, standard option for most blogs/websites
  • Wildcard SSL: for multiple subdomains
  • EV SSL: for e-commerce and sensitive information
  • Multi-Domain: for multiple domains using the same IP

Not all web hosts sell premium SSL certificates, so you may need to purchase the certificate from a third party (like GoDaddy), then import the certificate to your site.

For example, with WP Engine you can use their guide for generating a new CSR (certificate signing request), which will walk you through the following general steps to install a new SSL certificate for your WordPress site:

  1. Navigate to SSL > Add Certificates > Create CSR
  2. Select a certificate type as well as the domain(s) it will be used for
  3. Generate the CSR which you will then provide to your SSL issuer (note – leave this WP Engine page open)
  4. Download your SSL files
  5. Upload the SSL files to the WP Engine CSR page
  6. Verify the certificate and confirm your HTTPS preferences (“secure all URLs” should be default)
  7. Confirm to Upload Certificate

Cloudflare SSL

You can also set up SSL via your Cloudflare CDN. They offer free SSL for all plans (including their free plans), though ideally you’d use Cloudflare in addition to an SSL certificate (free or premium) set up for your main hosting server.

You can read detailed instructions in the Cloudflare documentation, but in summary within your SSL/TLS settings tab you can:

  1. Select a certificate type (for most this is the “universal certificate” option)
  2. Choose the encryption mode (Full-strict is best but requires SSL on your origin server and is only available for premium plans, and Flexible is the only option on free plans)
  3. Select the option to enforce HTTPS
  4. Optional: If using “Flexible” mode, also install the free Flexible SSL for Cloudflare plugin on your WordPress site to prevent redirect loops
  5. Under Cloudflare’s Page Rules add a new rule to force all traffic to SSL:
    • If the URL Matches: http://*your-full-domain.com/*
    • Then the settings are: Always Use HTTPS
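
The redirect loop mentioned in step 4 comes from how Flexible mode splits the connection: the visitor reaches Cloudflare over HTTPS, but Cloudflare fetches from your server over plain HTTP, so a site configured with an https:// address keeps redirecting. The model below is an added example (not Cloudflare, WordPress or plugin code; the function names and the example.test host are hypothetical) showing the loop, how honoring the X-Forwarded-Proto header ends it, and that the Cloudflare-to-server leg stays unencrypted in Flexible mode either way:

```python
# Model of the request path: visitor -> CDN edge -> origin server.
# Hypothetical names; this is not Cloudflare or WordPress code.
MAX_REDIRECTS = 5

def origin_leg(mode):
    """Scheme used between the edge and the origin server."""
    return "http" if mode == "flexible" else "https"

def origin(scheme_on_wire, headers, honor_forwarded_proto):
    """Origin with an https:// site URL: it redirects any request it
    believes arrived over plain HTTP."""
    scheme = scheme_on_wire
    if honor_forwarded_proto and headers.get("X-Forwarded-Proto") == "https":
        scheme = "https"  # believe the edge about the visitor's scheme
    if scheme == "https":
        return 200, None
    return 301, "https://example.test/"

def edge(visitor_scheme, mode, honor_forwarded_proto):
    """Edge terminates the visitor's connection, then fetches from the origin
    and tells it which scheme the visitor used."""
    headers = {"X-Forwarded-Proto": visitor_scheme}
    return origin(origin_leg(mode), headers, honor_forwarded_proto)

def visit(mode, honor_forwarded_proto, start_scheme="https"):
    """Follow redirects like a browser.
    Returns (outcome, redirects followed, edge-to-origin scheme)."""
    scheme = start_scheme
    for hops in range(MAX_REDIRECTS + 1):
        status, location = edge(scheme, mode, honor_forwarded_proto)
        if status == 200:
            return ("ok", hops, origin_leg(mode))
        scheme = location.split("://", 1)[0]
    return ("redirect-loop", MAX_REDIRECTS, origin_leg(mode))

if __name__ == "__main__":
    print(visit("flexible", honor_forwarded_proto=False))
    print(visit("flexible", honor_forwarded_proto=True))
    print(visit("full-strict", honor_forwarded_proto=False))
```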

Note: Our tutorial is focused on new websites, but if you are just now adding an SSL certificate to an existing website you will also need to complete a few additional steps. These include updating existing links in your database to use HTTPS, adding a redirect rule for any HTTP links to go to HTTPS (this can be added through your CDN), and confirming within your WordPress dashboard under Settings > General that the “WordPress Address” and “Site Address” fields are using HTTPS in the URLs.
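
Before rewriting links in the database, it helps to see which http:// references a post actually contains. This added example (not from the original article; the sample post and the example.test host are constructed) scans post HTML and separates your own URLs, which can be rewritten to https://, from third-party resources, which only load securely if that host supports HTTPS:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch a subresource.
FETCH_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",)}

def _bare(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class InsecureRefScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = _bare(site_host)
        self.findings = []  # (kind, is_own_site, url)

    def _check(self, kind, url):
        parts = urlsplit(url or "")
        if parts.scheme.lower() != "http":
            return  # https://, relative and protocol-relative URLs are fine
        own = _bare(parts.hostname) == self.site_host
        if own or kind == "mixed-content":  # outbound <a> links are navigation only
            self.findings.append((kind, own, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            return self._check("internal-link", attrs.get("href"))
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical and similar are not fetched as subresources
        for name in FETCH_ATTRS.get(tag, ()):
            self._check("mixed-content", attrs.get(name))

def scan_post(html, site_host):
    scanner = InsecureRefScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample post body for a site at example.test (not real data).
SAMPLE_POST = """
<a href="http://example.test/setup/">guide</a> <a href="http://other.example/docs">docs</a>
<img src="http://www.example.test/wp-content/uploads/diagram.png">
<script src="http://cdn.thirdparty.example/widget.js"></script>
<link rel="canonical" href="http://example.test/post/">
<link rel="stylesheet" href="//example.test/style.css">
"""

if __name__ == "__main__":
    print(*scan_post(SAMPLE_POST, "example.test"), sep="\n")
```

Findings marked as mixed content are the ones a browser warns about or blocks on an HTTPS page; internal links still work through the HTTP-to-HTTPS redirect but should be updated.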


Hopefully this guide has been of help! HTTPS is an important part of web security as well as SEO, so we recommend adding it to your website from the get-go. But if you have any other questions about adding HTTPS to your WordPress site or installing an SSL certificate, leave a comment below.

12 Comments

  1. lillebusy

    How does the boost in seo from having encryption compare to the presumed decrease in seo from having a slower site?

    • AJ Clarke

      I honestly think the https increase for SEO is not significant enough to really stress about it. A fast site on the other hand, even if it doesn’t affect SEO too much is better for usability. Think about your visitors #1 and SEO second.

    • William

      If your site is slower you should consider using better server software like nginx and enabling HTTP/2 to boost your performance. The slowdown of HTTPS is minimal on modern servers and clients.

      • AJ Clarke

        I agree! If you have good hosting you shouldn’t even notice the HTTPS difference in speed.

  2. Khürt Williams

    SSL doesn’t have any significant impact on site performance. Other than that error, great article.

  3. Lazlo SpazlPort

    SSL with SPDY protocol is actually faster than a non secured site and I did see a 10-15% increase in rankings for a local business site.

    • AJ Clarke

      Nice!

  4. DeehoSEO

    HTTPS has been a ranking signal for a while now, see http://googlewebmastercentral.blogspot.co.uk/2014/08/https-as-ranking-signal.html for Matt Cutts’ comments on the value for SEO purposes. While it’s not an essential for all sites and there are arguments over the need to switch a non HTTPS site to HTTPS, it makes sense to set up new sites as https in preference.

  5. Gilbert

    wpexplorer does not use SSL 🙂 A deliberate choice?

    • Kyla

      We’re working on it. It’s a bit more of a challenge with a larger, established website. For new sites we 100% recommend using SSL from the get go – for older sites we highly recommend taking your time and consulting professionals (or possibly investing in some help).

  6. Shyam

    Well written article! I strongly agree that HTTPS is mandatory for each and every website since major browsers started flagging HTTP sites as non-secure. Also, if any WordPress users are struggling to generate a free SSL certificate in 2021 – WP Encryption WordPress plugin is my fav tool.

  7. Sagar Patil

    Manually installing an SSL certificate on your WordPress website especially if you don’t have cPanel is very hard. That’s why I created the ssl zen plugin that will help you generate a free SSL certificate by Let’s Encrypt. Our plugin is used by more than 50,000 websites globally and we have a very active community.
