WordPress.org

How do I make my whole website secure?

To make your entire website secure, you simply need to change your home url and site url to use HTTPS instead of HTTP. Please read how to change the site url.

How do I make only certain pages secure?

In the Publish box on the add/edit post screen, a checkbox for 'Force SSL' has been added to make this process easy. See Screenshots if you're having a hard time finding it.

I changed my SSL Host and now I can't get into my admin panel!

Go to /wp-content/plugins/wordpress-https/wordpress-https.php and uncomment (remove the two forward slashes before) the line below, or go to your wp-config.php file and add this line. Hit any page on your site, and then remove it or comment it out again.

define('WPHTTPS_RESET', true);

I'm getting 404 errors on all of my pages. Why?

If you're using a public/shared SSL, try disabling your custom permalink structure. Some public/shared SSL's have issues with WordPress' permalinks because of the way they are configured.

How do I fix partially encrypted/mixed content errors?

To identify what is causing your page(s) to be insecure, please follow the instructions below.

1. Download Google Chrome.
2. Open the page you're having trouble with in Google Chrome.
3. Open the Developer Tools. How to access the Developer Tools.
4. Click on the Console tab.

For each item that is making your page partially encrypted, you should see an entry in the console similar to "The page at https://www.example.com/ displayed insecure content from http://www.example.com/." Note that the URL that is loading insecure content is HTTP and not HTTPS.

Most insecure content warnings can generally be resolved by changing absolute references to elements, or removing the insecure elements from the page completely. Although WordPress HTTPS does its best to fix all insecure content, there are a few cases that are impossible to fix.

• Elements loaded via JavaScript that are hard-coded to HTTP. Usually this can be fixed by altering the JavaScript calling these elements.
• External elements that can not be delivered over HTTPS. These elements will have to be removed from the page, or hosted locally so that they can be loaded over HTTPS.
• YouTube videos - YouTube allows videos to use HTTPS. How to embed a YouTube video.
• Google Maps - Loading Google maps over HTTPS requires a Google Maps API Premiere account. (source)

Is there a hook or filter to force pages to be secure?

Yes! Here is an example of how to use the 'force_ssl' hook to force a page to be secure.

function custom_force_ssl( $force_ssl, $post_id ) {
    if ( $post_id == 5 ) {
        return true
    }
    return $force_ssl;
}

add_filter('force_ssl' , 'custom_force_ssl', 10, 2);

You can also use this filter to filter pages based on their URL. Let's say you have an E-commerce site and all of your E-commerce URL's contain 'store'.

function store_force_ssl( $force_ssl, $post_id ) {
    if ( strpos($_SERVER['REQUEST_URI'], 'store') !== false ) {
        $force_ssl = true;
    }
    return $force_ssl;
}

add_filter('force_ssl', 'store_force_ssl', 10, 2);