Introduction to HTTPS for WordPress
To use HTTPS, an SSL certificate must be installed on the server.
Let’s Encrypt is a non-profit organization that provides free SSL certificates for everyone; as of Feb 2020 they have issued over 1 billion certificates. The easiest way to get a certificate is to use the EFF certbot tool. Their site has complete instructions for installing and updating certificates for several different web servers and operating systems.
For local development, you can create a self-signed certificate using OpenSSL. This has limited use, since a self-signed certificate will not be trusted by others, so it should only be used for private servers.
There are no extra or special settings needed specifically for WordPress at the web server level for HTTPS. WordPress by default is ready to use HTTPS URLs if the web server is properly configured.
The default port for HTTP URLs is port 80; the default port for HTTPS is port 443. These ports need to be opened through any network firewall. Apache includes a mod_ssl module that needs to be enabled and properly configured. If using certbot, it can automatically configure and create the VirtualHost settings needed.
Implementing HTTPS for WordPress
To implement HTTPS support on WordPress, you only need to set the WordPress Address and Site Address URLs to use https://. You can install WordPress using either HTTP or HTTPS to start; both will work, and you can switch over later.
Go to Settings > General and make sure that the WordPress Address (URL) and Site Address (URL) both use https. If not, add an ‘s’ after http to make it https and save the change.
The Site health tools (Tools > Site health) will inform you that your website doesn’t use HTTPS.
Since version 5.7, WordPress can also automatically switch to HTTPS if an SSL certificate is already set up on your server.
Best Practices for HTTPS for WordPress
It is recommended for all production WordPress sites to use HTTPS.
- Use a reputable web host; most provide HTTPS service as a standard.
- Use an SSL certificate from Let’s Encrypt; they are free and easy to use.
- Serve static content from an SSL-enabled CDN.
You may need to redirect your HTTP traffic to your HTTPS site. For Apache, you can do so by creating two VirtualHost entries, for example:
    <VirtualHost *:80>
        ServerName mkaz.blog
        Redirect / https://mkaz.blog/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName mkaz.blog
        DocumentRoot /home/mkaz/sites/mkaz.blog
        <Directory /home/mkaz/sites/mkaz.blog>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/mkaz.blog/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mkaz.blog/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mkaz.blog/fullchain.pem
        IncludeOptional /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
Bad Practices for HTTPS for WordPress
- Serving the site from both HTTPS and HTTP URLs. Use HTTPS and redirect HTTP to it.
- Using mixed content, i.e. CSS, JS, or images served from HTTP on an HTTPS page.
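To find the mixed content described above in a rendered page, the following added example (not part of the original article or of WordPress) scans HTML for subresources loaded over http://. The function and class names, the example.com URLs and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser

# "active" content can script or restyle the page and is blocked by browsers on
# an HTTPS page; "passive" content (media) triggers warnings or auto-upgrades.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page, as it might be served from https://example.com/
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png" srcset="http://example.com/a.png 2x">
<a href="http://example.org/">external link</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, kind, tag, url):
        url = (url or "").strip()
        # Only an explicit http:// scheme is mixed content; "//host/x" and
        # relative URLs inherit https from the page.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))
            # srcset holds comma-separated "url descriptor" candidates.
            for cand in (a.get("srcset") or "").split(","):
                self._check("passive", tag, cand.strip().split(" ")[0])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))  # CSS counts as active
        # <a href="http://..."> is navigation, not a subresource: not flagged.

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

On the sample page this reports the stylesheet on line 2 and the srcset image on line 5, and leaves the protocol-relative image and the outbound link alone.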