This article provides tips and references for working with WordPress and SSL (HTTPS). Setting up WordPress to use SSL - particularly migrating an existing site over to SSL - can get quite complicated and there are plenty of issues that you can run into. Unless you are technically proficient with the subjects covered here it may be best to have your WordPress developer or WP NET Support do this for you.
Fresh Install WordPress with SSL
If you are building a new WordPress site and intend to run it under SSL, provided that you use the https:// prefix in your site URLs from the beginning, everything should work fine.
In WordPress Admin -> Settings, check that your using the HTTPS prefix for WordPress Address (URL) and Site Address (URL). Once you have done this, all references and links you create as you add posts, pages and other content will also use the HTTPS prefix.
Migrating a WordPress Website to use SSL
If you are changing a site that has not previously used SSL, or you are moving your site from a development server without SSL to a live server with SSL, you will need to migrate the site over to use the HTTPS prefix. In these cases, simply changing the WordPress HOME and SITE URL is often not sufficient. The reason for this is that images and other references in your posts, pages and other content may not be affected by these settings, so when you view a page using HTTPS you may get mixed-content warnings in your browser.
Resolving Mixed-content Errors
There are a couple of ways of going about resolving mixed-content errors, but care must be taken to ensure that your site continues to work correctly.
1. Perform a search and replace across your database
Not for the faint hearted! Extreme care must be taken when doing this and always make a backup first.
There are a few tools we recommend for doing this:
Better Search Replace - Free Download
This is a free plugin that can perform search and replace operations on your WordPress database.
WP Migrate DB - Free Download or Purchase Pro version
This is one of our favourite plugins. It includes superb features for migrating WordPress databases and the search-and-replace is rock-solid. This is our go-to plugin for this task.
You can use the free version, WP Migrate DB to export your WordPress database and rewrite URLs in the process. This does not modify your database directly, it downloads a copy to your local machine. You will need to import the modified database afterwards. WP Migrate DB Pro supports search and replace directly on your live database.
WP Migrate DB (and Pro) are the only search-and-replace plugins we're aware of that allow you to also rewrite post GUID columns. If you're migrating a site from a dev server to production, this is usually what you want to do. You can read about GUIDs, and when you should and shouldn't rewrite them, here and here.
BackupBuddy - Purchase
BackupBuddy includes a database search and replace function. You can find this on the Tools page of the BackupBuddy Server Information page. Instructions are available on the iThemes Codex.
2. Use a WordPress plugin
There are a few plugins available that will resolve many mixed-content issues for you by rewriting URLs on-the-fly. For some cases this may be the simplest solution, although doing this dynamically may degrade site performance.
- Really Simple SSL
- SSL Insecure Content Fixer (be sure to read the FAQ)
HTTPS Redirection
Once you have SSL installed on your site and you have dealt with mixed content issues, there are a few other questions that will come up:
- Do you want to force all public pages of your site to use SSL?
- If not, what pages to you need to use SSL and how should you implement it?
- Do you want to use SSL for the WordPress Admin and / or login page?
Where to Use SSL
We recommend that you run your entire site under SSL (the front-end public pages and the WordPress Admin). The reason for this is that all WP NET servers now support HTTP/2 under SSL, so you will benefit from the performance and security improvements in HTTP/2.
Plugins to the Rescue
There are a number of plugins available to help you with redirection and managing SSL on your site, our recommendations are:
- iThemes Security - this has excellent support for handling SSL, you can force the WordPress Admin and login pages to use SSL, force SSL site-wide or just for selected pages.
- Easy HTTPS Redirection
As mentioned earlier, running WordPress under SSL can get complicated, if you need help open a support ticket and we'll be happy to help. Please note that performing database rewrites and implementing custom SSL set up for your site may incur development fees.
