How To Set Up SSL and HTTPS in Your WordPress
One of the key steps in ensuring that your WordPress site is secure is installing a valid SSL certificate. This will enable visitors to your site to exchange information with it via secure, encrypted transfer protocols. Setting WordPress to force the use of secure transfer protocols and deciding when to force it takes a little work, but is not that hard. It also requires making some decisions about when to require secure transfers of information.
What Is SSL?
SSL is the standard for exchanging information securely–via cryptographic encryption–between a website and the browser. I’m not going to get into the technical details of how it works, but the short version is that SSL is a way to establish a trusted connection between the server and a web browser. Once that relationship is in place the server will encrypt data before transmitting it in a way that only its intended recipient can decrypt it.
This method of security accepts the fact that any data transmitted over the internet can, and likely will be, intercepted at any time by a hacker or a government agency fishing for information. By sending the data encrypted, we ensure that if anyone but the intended recipient gets the data they will have what is effectively gibberish. Giving them gibberish is preferable to giving them confidential correspondence, private records, credit card numbers or any other private data.
Using SSL requires that your server has a valid SSL certificate installed. An SSL certificate, which must be purchased, tells the browser important details about your site’s security. In most browsers, when you go to a secure site, you will see a lock or similar icon in the address bar, showing you details about the SSL certificate.
SSL is a must for any eCommerce site and is recommended to be used whenever any sensitive information is exchanged, including passwords. I will not cover the process of adding the certificate to your hosting package, as it’s different for each hosting provider. One of the marks of a good managed WordPress hosting company is how easy they make it for you to set up your SSL certificate.
Once your SSL certificate is installed, when someone visits your website they will be able to access it via secure HTTP, or HTTPS. I said “they will be able to” not “they will” in the last sentence, as just adding the certificate is not enough. You will need to configure WordPress to force visitors to use HTTPS. These are settings you have some granular control over.
When we say “using SSL” what we mean is that the exchange of information between the server and browser is happening via the HTTPS protocol instead of the unsecured HTTP protocol. Doing so requires a valid SSL certificate, but that is not the end of the discussion.
Where To Use HTTPS
You can force your site visitors to use HTTPS when logging in, when using the admin, on every part of your site or on certain parts of your site. There are two ways to look at this question. One is to enable it only when needed, that way you don’t put the extra hurdle of authentication on access to non-sensitive exchanges. The other is better safe than sorry–use SSL everywhere.
Recently Google announced that they would start considering use of HTTPS as a positive in calculating search rankings. This means that using HTTPS will not only benefit your site’s security, but boost its SEO as well. The HTTPS everywhere approach also helps prevent the potential for human error, where you overlook a setting and expose sensitive data.
The downside of using SSL everywhere is that the HTTPS transfer protocol is slower than the unsecure HTTP transfer protocol. This is because the data must be encrypted before being sent, and decrypted before being displayed. That adds processing time for both the server sending the data and for the web browser receiving the data.
Since page load time is so important for user experience and SEO, you need to ask yourself if securing non-sensitive data–like the content of a page that is free for anyone to see–is really worth the trade-off in performance. What that trade-off is depends on many factors, and is something you should measure on your site to see if it is significant or not.
In many cases this trade-off is worth it compared to sharing sensitive, private information with the world. As I said before, HTTPS is a must for any sort of eCommerce site. In addition, if you’re storing any type of sensitive information, HTTPS should be used. Some types of data, such as medical data, require HTTPS for transmission. Be sure that if you are ever hired to create a site that allows users to transmit medical or financial information to or from it, your client consults with a lawyer about the security needs. What those security needs are should be included in the scope of your agreement to create the site.
Setting Up SSL Manually In WordPress
There is a constant that you can set in your wp-config.php file to force the use of a secure connection in the admin. FORCE_SSL_ADMIN will require that a valid SSL certificate is in place and HTTPS is being used to access any part of the WordPress administration.
This constant is false by default. You can enable it by adding one line of code to your site’s wp-config.php:
define( 'FORCE_SSL_ADMIN', true );
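A way to check that the line above is actually in effect, as an added example that is not from the original article: this Python sketch audits the text of a wp-config.php for FORCE_SSL_ADMIN and flags typographic quotes pasted from a web page as well as a define placed after the wp-settings.php line, where it is too late to apply. The function name and both sample configs are constructed for illustration.

```python
import re

# define( 'NAME', value ); with straight or typographic quotes around NAME.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*(?P<open>['"‘’“”])(?P<name>\w+)(?P<close>['"‘’“”])"""
    r"""\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.MULTILINE,
)
# WordPress core is loaded from this line; constants defined after it are too late.
SETTINGS_RE = re.compile(r"^\s*require(_once)?\b.*wp-settings\.php", re.MULTILINE)

# Constructed sample files (not taken from a real site).
GOOD_CONFIG = """<?php
define( 'DB_NAME', 'example' );
define( 'FORCE_SSL_ADMIN', true );
require_once ABSPATH . 'wp-settings.php';
"""
BAD_CONFIG = """<?php
define( 'DB_NAME', 'example' );
require_once ABSPATH . 'wp-settings.php';
define( ‘FORCE_SSL_ADMIN’, true );
"""


def audit_force_ssl_admin(config_text):
    """Return a list of findings; an empty list means the constant is set as intended.
    Lines starting with // or # are ignored; /* ... */ blocks are not parsed."""
    settings = SETTINGS_RE.search(config_text)
    cutoff = settings.start() if settings else len(config_text)
    matches = [
        m for m in DEFINE_RE.finditer(config_text) if m.group("name") == "FORCE_SSL_ADMIN"
    ]
    if not matches:
        return ["FORCE_SSL_ADMIN is not defined (WordPress default is false)"]
    findings = []
    for m in matches:
        if any(q not in "'\"" for q in (m.group("open"), m.group("close"))):
            findings.append("typographic quotes around the constant name; retype as ' or \"")
        if m.group("value").lower() != "true":
            findings.append(f"value is {m.group('value')}; expected the literal true")
        if m.start() > cutoff:
            findings.append("defined after wp-settings.php is loaded, so it has no effect")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_force_ssl_admin(text) or "OK")
```

To check a real site, pass the contents of its wp-config.php to audit_force_ssl_admin().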
There is a great article in the codex you should read if you want to get into the gritty details of configuring HTTPS on your site, such as how to require SSL on all front-end pages. Personally, if I can’t do everything I need with those two constants in wp-config.php, I’ll use a plugin to do it, which is what I will cover in the next section.
Using The WordPress HTTPS Plugin
There is a great, free plugin called WordPress HTTPS (SSL) that makes all of this setup very easy. The plugin has not been updated in a while, and currently is only listed as being tested up to 3.5.2, but I can tell you from personal experience that it works just fine in WordPress 3.9 and WordPress 4.0.
This plugin does two things. It allows you to set global SSL settings for your site–or sites on a multisite installation. If you don’t force SSL for all content, the plugin also allows you to set specific posts or pages to force HTTPS.
Configuring your global settings is very easy. From the plugin’s admin screen it gives you an option for your site–or each of the sites in the multisite installation–to require HTTPS for the admin, to require it for the whole site and to remove unsecured content.
This plugin also adds a metabox to each post editor, allowing you to set that individual post or page to force HTTPS. This is very useful if you only have a few pages that require secure transfers, such as an account management page or a sales page.
Remember: SSL Is Not Enough
Installing and configuring SSL is an important step in securing your WordPress site and your users’ data, but it is not all you need to do. Every site is as weak as its weakest password. SSL does not affect what the end user, or someone who has cracked their password, does with the data they receive.
Forcing strong passwords, keeping WordPress and your plugins up to date, scanning for malware and locking out botnet attacks are important steps in securing your site as well. Having an SSL certificate will not prevent any of those, as once a malicious script is installed on your site, whether it’s transferring your data securely or not is irrelevant. All of this can be covered of course by using a quality security plugin such as WordFence, iThemes Security or a service such as Sucuri. You might also be interested in our post about WordPress security, as well as our post about what to do when your WordPress website gets hacked.
Setting up an SSL certificate and configuring WordPress to use HTTPS is an important first step in the process of securing your site. As you’ve learned in this article, doing so is actually very easy.