How to manually set up an SSL certificate for a WordPress website

by | Dec 6, 2020 | WordPress | 0 comments

What is an SSL certificate?

SSL stands for Secure Sockets Layer.

An SSL certificate is a small data files that creates an encrypted link between a web server and a browser.

The certificate uses two keys to encrypt data – a public one and a private one, making the data more secure as it passes between the server and the browser.

Why do you need an SSL certificate?

It improves security

Having an SSL certificate stops data thieves from stealing any website data that your website visitors enter on your website. This is very important if you are asking for personal details or asking for people to make payments. Here is a video from Google explaining a little more about SSL and how data can be stolen.

It builds trust with your website visitors

When browsing the internet it quickly becomes obvious if a website is using an SSL certificate or not. If it is you will see a padlock in the browser just before the URL (website address). If it is not using an SSL certificate you may see a warning. Sometimes your browser may block access to the website.  We have become conditioned not to trust a website without a padlock.

It helps your SEO

Google announced back in 2014 that websites will do better in the organic search results if they were classed as secure.

Where do you get an SSL certificate?

Your hosting company should be able to provide a free basic SSL certificate which is enough for most small businesses. Third party businesses such as Global Sign provide SLL certificates to hosting companies. If your hosting company is charging you for your SSL certificate it may be time to move hosts.

How do you install an SSL certificate?

[Please note this is a technical tutorial – always back up your website before making changes to the functionality. Web hosting accounts can vary and this tutorial may not work for you. This tutorial is intended to cover the majority of web hosting accounts]

Installing an SSL certificate takes a few steps. The process starts on your website and finishes on your hosting account.

Step 1: Update the WordPress settings

In your WordPress settings update the WordPress URL and the website URL by replacing the http with https.

Step 2: Update your http links to https

If you have any links on your website that go to the unsecured version of your site, i.e the http version, this will give ‘insecure content’ errors in your website visitors browser. To avoid this you need to update all your links to be https instead of http.

To do this, download the plugin Better Search Replace and replace http://your-website-URL  for https://your-website-url.

Make sure you take a backup before you do this! Make sure you type in the URL correctly.

The plugin will correct all your URLs.

Step 3: Update your .htaccess file

Now you need to set up WordPress redirects from HTTP to HTTPS by adding some code to your .htaccess file. In your hosting account, go to the file manager and find the .htaccess file.   This is in the root (top level) of your website files. Add the code below.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

 

Step 4: Force the admin to load over SSL

You need to tell your website you want the admin area to be secure too. Find the wp-config.php file. This will be in the same place as the .htaccess file. Add the code below at the end, above where it says ‘that’s all stop editing’.

define(‘FORCE_SSL_ADMIN’, true);

Step 5: Activate the SSL certificate

The exact ‘how to’ of certificate activation depends on the hosting provider you are using but each provider should provide you with a detailed tutorial for how to enable the certificate on your website.

It normally involves finding the certificate provider name in your web hosting control panel – e.g ‘Let’s encrypt’.

Then you activate it and say which website you want it activated on if you have more than one.

It’s that simple!

If you have a problem

If you encounter problems you can temporarily activate the simple ssl plugin until you can hire some help ( you can hire me) or spend more time debugging.

Why I don’t recommend relying on a plugin to set up the SSL certificate.

If you are on WordPress, I recommend NOT using a plugin to set up your SSL certificate.

I see lots of tutorials out these saying the opposite – but let me tell you why it’s good to avoid adding another plugin to your site if you can.

Setting up an SSL certificate is a one off job. Once it’s done you don’t need to do it again.

It’s a fairly easy job to do, even if you are a bit of a technophobe. Even if you prefer someone to do it for you, it’s a 5 minute job so it shouldn’t cost much to do it.

Having a plugin comes with risks – read some of the risks in my blog post about plugins. 

So, the less reliance your have on plugins, the easier your site is to maintain and there is less risk of something going wrong. The less plugins you have the more stable, quicker and secure your website is.

Now, if you ARE a tech phobe and you are building your website yourself, first I would say, fair enough, a plugin helps (but be warned you may have problems in the future).

If you paid a developer to build your site and they used a plugin then shame on them… You now have to decide if you want to keep it or tidy up your build by removing it.

If you are fairly capable tech wise and set up your own website then put the extra five minutes effort in and set your SSL certificate up properly.

Problems with SSL plugins

I have experienced two specific problems with websites that use SSL plugins.

  1. When the plugin is disabled, the site is no longer secured. Why would the plugin ever be disabled? Sometimes there are plugin incompatibilities that cause some plugins to automatically disable themselves. You may also need to disable the plugin for debugging purposes.
  2. There is a slight time overhead with page loading due to the fact that URLS are not changed in the database but dynamically changes when the page is loaded.
  3. The plugin can cause website errors that take longer to fix than if you just did the set up manually.

 

Conclusion

I always manually install SSL certificates for my clients – I prefer to do that rather than add another plugin that just needs to be maintained.

It makes your life easier in the long run to do it right and to do it manually from the start.

So, do you have an SSL plugin on your site? Are you tempted to remove it?

 

Share

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

About Karen Weider

I have been building strategic, marketing websites since 2011. I have supported many business as they get online and grow their business and I firmly believe that planning is crucial to online success.

I help women who are action takers and want to build their own website and I support established who are looking for a long term website strategic & technical partner.

I love working with change makers who are following their heart and have been called to share their message and make a huge impact in the world.

Join my free Facebook group

For business women who want tips and challenges to help plan a visible, valuable website.

Join here >>

Share This