This article provides tips and references for working with WordPress and SSL (HTTPS). Setting up WordPress to use SSL -- particularly migrating an existing site over to SSL -- can get quite complicated and there are plenty of issues that you can run into. Unless you are technically proficient with the subjects covered here, it may be best to have a WordPress developer do this for you. WP NET support can also help, but this may incur development charges as this kind of work is not always covered by our Managed WordPress support service.
There are many helpful articles and tutorials available on the web to help you set up and use WordPress with SSL / HTTPS. Following are some of our recommendations:
Fresh Install WordPress with SSL
If you are building a new WordPress site and intend to run it under SSL, provided that you use the https:// prefix in your site URLs from the beginning, everything should work fine.
In WordPress Admin -> Settings, check that you're using the HTTPS prefix for WordPress Address (URL) and Site Address (URL). Once you have done this, all references and links you create as you add posts, pages and other content will also use the HTTPS prefix.
The only additional consideration is whether you want to force all pages to load as HTTPS. To do this will require either using a WordPress plugin or adding Apache .htaccess rules to handle the redirects for you. Please read on or refer to some of the links at the beginning of this article for help and suggestions for implementing this. If you get stuck and need some help, please open a support ticket and we'll be happy to help.
Migrating a WordPress Website to use SSL
If you are changing a site that has not previously used SSL, or you are moving your site from a development server without SSL to a live server with SSL, you will need to migrate the site over to use the HTTPS prefix. In these cases, simply changing the WordPress HOME and SITE URLs is often not sufficient. The reason for this is that images and other references in your posts, pages and other content are not affected by these settings, so when you view a page using HTTPS you may get mixed-content warnings in your browser. For detailed explanations and help, please refer to some of the links at the beginning of this article.
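To see which stored references will trigger mixed-content warnings before you rewrite anything, you can scan post content for subresources that still load over http://. The following Python sketch is an added example, not part of the original article or any plugin mentioned here; the sample HTML and the example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can script or restyle the page and is generally blocked
# by browsers on an HTTPS page; "passive" content is images and media.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # counted only for rel="stylesheet"
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are references, not subresources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in SUBRESOURCES.items():
            url = (attrs.get(attr) or "").strip()
            if t == tag and urlsplit(url).scheme.lower() == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(html):
    """Return insecure subresource references found in an HTML fragment."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of post content as it might be stored in the database.
SAMPLE_POST = """
<p>Read <a href="http://example.com/about/">about us</a>.</p>
<img src="http://example.com/wp-content/uploads/2016/01/logo.png" alt="">
<img src="https://example.com/wp-content/uploads/2016/01/ok.png" alt="">
<script src="http://example.com/wp-content/plugins/demo/demo.js"></script>
<img src="//cdn.example.com/banner.png" alt="">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_POST):
        print(f"{kind:8} <{tag}> {url}")
```

Plain links (`<a href>`) and protocol-relative URLs are not reported, because neither causes an insecure fetch when the page itself is served over HTTPS.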
Resolving Mixed-content Errors
There are a couple of ways of going about resolving mixed-content errors, but care must be taken to ensure that your site continues to work correctly.
1. Perform a search and replace across your database
Not for the faint-hearted! Take extreme care when doing this, and always make a backup first. There are a few tools we recommend for doing this:
Search and Replace - Download
This is a free plugin that can perform search and replace operations across your WordPress database.
WP Migrate DB Pro - Purchase
This is one of our favourite plugins. It includes superb features for migrating WordPress databases and the search-and-replace is rock-solid. This is our go-to plugin for this task.
You can use the free version, WP Migrate DB, to export your WordPress database and rewrite URLs in the process. This does not modify your database directly; it downloads a copy to your local machine. You will need to use phpMyAdmin to import the modified database.
WP Migrate DB (and Pro) are the only search-and-replace plugins we're aware of that allow you to also rewrite post GUID columns. If you're migrating a site from a dev server to production, this is usually what you want to do. You can read about GUIDs, and when you should and shouldn't rewrite them, here and here.
BackupBuddy - Purchase
BackupBuddy includes a database search and replace function. You can find this on the Tools page of the BackupBuddy Server Information page. Instructions are available on the iThemes Codex.
2. Use a WordPress plugin
There are a few plugins available that will resolve many mixed-content issues for you by rewriting URLs on-the-fly. For some cases this may be the simplest solution, although doing this dynamically may degrade site performance.
Once you have SSL installed on your site and you have dealt with mixed content issues, there are a few other questions that will come up:
- Do you want to force all public pages of your site to use SSL?
- If not, what pages do you need to use SSL and how should you implement it?
- Do you want to use SSL for the WordPress Admin and / or login page?
Where to Use SSL
We recommend that you run your entire site under SSL (the front-end public pages and the WordPress Admin). The reason for this is that all WP NET servers now support HTTP/2 under SSL, so you will benefit from the performance and security improvements in HTTP/2.
For WooCommerce users running SSL, there is an option in WooCommerce -> Settings -> Checkout: Force secure checkout. This will redirect users to an HTTPS page for the checkout process, and redirect them back to HTTP for other pages. However, as stated earlier - with HTTP/2, it's better to just run your entire site under HTTPS.
Plugins to the Rescue
There are a number of plugins available to help you with redirection and managing SSL on your site. Our recommendations are:
- iThemes Security - this has excellent support for handling SSL, you can force the WordPress Admin and login pages to use SSL, force SSL site-wide or just for selected pages.
- Easy HTTPS Redirection
Using SSL for the WordPress Admin
If you want to use SSL for the WordPress Admin and / or login page, you should add one or both of the following to your
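/* SSL */
// Force HTTPS for the login page (deprecated since WordPress 4.0; FORCE_SSL_ADMIN also covers login).
define( 'FORCE_SSL_LOGIN', true );
// Force HTTPS for the login page and the whole WordPress Admin.
define( 'FORCE_SSL_ADMIN', true );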
As mentioned earlier, running WordPress under SSL can get complicated. If you need help, open a support ticket and we'll be happy to help. Please note that performing database rewrites and implementing custom SSL set up for your site may incur development fees.