Transitioning your WordPress website from HTTP to HTTPS has plenty of benefits. For one, it will remove that “Not secure” message next to the website URL in your browser. Additionally, it will begin encrypting sensitive information, making logging into WordPress and processing payments more secure. For that reason, it’s mandatory for using any payment plugins in WordPress or eCommerce WordPress plugins. Moreover, enabling SSL will boost your search ranking and award a padlock icon, indicating your website is secure. With that said, let’s get into how to force SSL in WordPress.
1. Purchasing and enabling SSL certificate (Optional)
Do you have an SSL certificate enabled? If the answer is no, verify whether your web hosting provider included one with your plan. If they haven’t, buy it separately after deciding which type of SSL certificate fits your website best. Then, contact your hosting Customer Service so they can install and activate it. Finally, choose one of two ways to force SSL in WordPress:
2. Force SSL in WordPress with a plugin (Easy)
Installing a WordPress plugin for this purpose, for example, a popular option, Really Simple SSL (wordpress.org/plugins/really-simple-ssl), makes method 3 obsolete. Furthermore, it can also discover files on your WordPress website that still load over HTTP and redirect them to HTTPS, thus making method 4 unnecessary too. Now, if that sounds too good to be true, it is. Only the first part (moving the website URL from HTTP to HTTPS) is free, while any additional features we mentioned (and many we haven’t) require a Premium version. So, if you’re on a budget, skip to method 4 after doing this:
- Click on the Go ahead, activate SSL! button that appears on all pages of your WordPress Admin Section.
- You’ll be redirected to the Settings > SSL page (access it again using the left sidebar).
- Make sure Enable WordPress 301 redirect and Mixed content fixer (Premium version only) options are toggled on.
3. Force SSL in WordPress manually (Hard)
Are you a fan of DIY and want to avoid the negative performance impact of WordPress plugins? Here’s how forcing SSL in WordPress manually works:
1. Change General Settings
To do this, follow the steps in method 4, sub-method 1 of our guide on fixing the WordPress keeps logging out problem. Then, change “http” to “https” in both WordPress Address (URL) and Site Address (URL) like this: http://yourwebsite.com -> https://yourwebsite.com
Tip. Don’t forget to click on Save Changes below.
2. Change wp-config.php (Recommended)
If you want to transition your WordPress Admin section login URL to SSL too, edit wp-config.php as suggested in the sub-method 2 below. Only instead of the code in step 5, use this one: define('FORCE_SSL_ADMIN', true);
3. Edit .htaccess
Finally, it’s time to set up a permanent redirect from your old URL to the new one. To do this, you’ll want to open the .htaccess file. Like wp-config.php, it is located in the root folder of your WordPress website. With that said, paste this code below the default .htaccess code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
4. Edit Nginx configuration (Optional)
The method above is used when your WordPress website is hosted on Apache servers, which most are. If yours is hosted on Nginx, you’ll have to open the configuration file, then paste the following code:
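server {
    listen 80;
    # Match both the bare domain and the www host name
    server_name yourwebsite.com www.yourwebsite.com;
    # Permanent redirect to HTTPS, keeping the requested path and query string
    return 301 https://yourwebsite.com$request_uri;
}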
Tip. Replace yourwebsite.com with your actual domain name.
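One way to confirm that the Apache or Nginx redirect above behaves as intended, as an added example that is not part of the original guide: audit_hop checks a single redirect response for a permanent 301, an https Location, an expected host, and a preserved path and query string. The function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch_hop(url, timeout=5):
    """HEAD a plain-HTTP URL without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_hop(requested_url, status, location, allowed_hosts=None):
    """Return a list of problems found in one HTTP -> HTTPS redirect response."""
    problems = []
    req = urlsplit(requested_url)
    # The .htaccess rule echoes the requested host; the Nginx rule always sends
    # visitors to one fixed name, so extra hosts can be allowed explicitly.
    allowed = set(allowed_hosts or [req.hostname])
    if status != 301:
        problems.append(f"status {status}, expected permanent 301")
    if not location:
        problems.append("no Location header")
        return problems
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme or 'missing'}, not https")
    if loc.hostname not in allowed:
        problems.append(f"Location host {loc.hostname} not in allowed hosts")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    ("http://yourwebsite.com/shop/?p=5", 301, "https://yourwebsite.com/shop/?p=5"),
    ("http://yourwebsite.com/shop/", 302, "https://yourwebsite.com/"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, "->", audit_hop(url, status, location) or "OK")
```

For a live check, pass the result of fetch_hop("http://yourwebsite.com/some/page/") into audit_hop together with the same URL.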
4. Fix Mixed Content error in WordPress
Even though your website is now using SSL, you might still not see the padlock icon. Furthermore, a warning such as Insecure content blocked, or mention of “unsafe scripts” might appear. This simply means that links to some of your WordPress files still use “http”. To get rid of insecure content after enforcing SSL in WordPress, do this:
1. Find which files are insecure (Optional)
Here are 2 ways to discover insecure files on your website:
- Chrome. Right-click anywhere on your website frontend. Select Inspect, then switch over to the Console tab. Take note of Mixed Content errors, and check URLs mentioned under “insecure image/video/embeds (PDF, video)/galleries”, etc.
- External services. Free online services will crawl your website and list unsafe files. Some examples include:
  - https://www.jitbit.com/sslcheck/
  - https://www.ssllabs.com/ssltest
  - https://www.sslchecker.com/insecuresources
  - https://www.whynopadlock.com/
2. Mixed Content error in WordPress database
The best and least labor-intensive way to solve the Mixed Content error in WordPress database is to install a WordPress plugin, once again. Although we’re not affiliated, Better Search Replace (wordpress.org/plugins/better-search-replace/) is well-suited for this. So, we’ll use it for demonstration:
- Go to Tools > Better Search Replace in the left sidebar in your Admin Dashboard.
- Under Search for, enter your website URL with “http”. Under Replace with, do the same with “https”.
- For Select tables, highlight all tables on the list.
- Put a checkmark in front of Run as dry run?
- Click on the Run Search/Replace button.
- The plugin will search your database for unsafe files, and transition their URL to “https”. This can take a while.
3. Mixed Content in WordPress theme or plugins (Optional)
If the Mixed Content error mentions “stylesheet” or files ending in “.css”, the active WordPress theme you installed is to blame. Similarly, various WordPress plugin files can stop you from fully transitioning to SSL. This is rare with renowned themes or plugins, and troubleshooting is difficult for beginners. So, we recommend doing one of the following:
- Contact the theme/plugin developer and ask for help or an update.
- Find an alternative plugin or use a different theme.
- Pay for a Pro version of a plugin such as Really Simple SSL.
- Pay an independent WordPress developer to fix the issue.
5. Update your website on web services
To wrap this up, you must let website services know you transitioned to SSL like this:
1. Google Search Console (Mandatory)
Google treats “http” and “https” URLs as two separate websites. So, to avoid SEO penalties, you must follow these steps:
- Log in to the Google Search Console with your account.
- Click on the Add a Property button in the top right corner.
- Select Website from the drop-down list.
- Enter your website URL with “https” before clicking on Add.
- Now, verify the ownership of your website using one of the Recommended or Alternate methods. Google will show instructions once you select one of them.
- After the transition is approved, Google will transfer search rankings, and you’ll see search console reports for the new website.
Recommended. If you use Google Analytics, log in to your account and go to the Admin tab. Click on Property Settings, then under Default URL select https:// in front of your website link.
2. Sitemap, CDN, other links (Optional)
You might also need to update your website URL on the following web services:
- Sitemap. Using Yoast SEO (wordpress.org/plugins/wordpress-seo)? You don’t need to. But if you aren’t, from your Admin Dashboard, go to SEO > Features > XML Sitemaps > toggle to Off. Now, select On to regenerate it.
- CDN. Log in to your account for a CDN service, and change the URL manually in the settings, if possible. Some CDN services transition automatically, while others ask you to contact their Customer Support.