WordPress and HTTPS: This is how the website becomes secure

HTTPS ensures secure data transmission between the server and the web browser. Encrypted pages also rank better on Google. It is therefore doubly worthwhile for companies to make their website secure.

Google plans to soon mark all unencrypted websites as unsafe in Google Chrome. In August 2014 it was also announced that HTTPS will have a positive effect on the Google ranking. Tackling the topic of HTTPS is therefore doubly worthwhile.

What are HTTPS and SSL?

HTTPS ensures secure data transmission between the server and web browser, as the data is transmitted in encrypted form. The encryption is done using SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

If we disclose our data, in particular our account data when making online purchases, we expect this to be encrypted before it is transmitted. That is why most online shops are already SSL-certified. Many providers of payment systems, such as PayPal, even require SSL certification.

Google is now going a big step further and wants not only online shops, but all websites to switch to HTTPS. With its market power, Google is driving this topic forward.

However, simply changing the website address from HTTP to HTTPS is not enough. You also need a valid SSL certificate, otherwise you risk that most browsers will warn visitors not to access your website.

This is how the WordPress website becomes secure with HTTPS and SSL

1. Obtain a valid SSL certificate

You can get a valid SSL certificate from various certificate authorities. Comodo is one of the largest providers, StartSSL offers free certificates for non-commercial purposes, and Bundesdruckerei is a German provider.

Some hosters also offer SSL certificates free of charge or for a monthly surcharge as part of their web hosting packages. If you obtain your certificate from another provider, you may need to clarify with your hoster whether the certificate can be installed on your server.

How the certificate is set up depends on the respective host and server. Once it is installed, visitors can already reach your website using HTTPS. To make HTTPS mandatory for all your users, you still have to change a setting in WordPress.

2. WordPress Settings

In the general WordPress settings, change the WordPress address (URL) and website address (URL) from http to https.


3. Redirects

By default, visitors who enter the URL in the browser’s address bar are still taken to the HTTP version. With a redirect you can make sure they are forwarded to the secure page. Specify the redirects in the .htaccess file by adding one of the following rule sets:

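# Variant 1: redirect requests arriving on port 80 to a fixed HTTPS host
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]


# Variant 2: redirect any non-HTTPS request, keeping the requested host and path
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]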

You can test the redirects with “Fetch as Google”.

If you also want to force a secure connection for the admin area, you can set the constant FORCE_SSL_ADMIN to true in wp-config.php:

define( 'FORCE_SSL_ADMIN', true );

What else needs to be considered when switching to HTTPS?

  • In addition to the HTTP domain, also register the HTTPS domain in the Google Search Console to prevent the switch from having a negative impact on your rankings.
  • Rewrite the URLs of images, scripts, styles and iframes in the database: change them to relative paths or use URLs without the HTTP/HTTPS protocol prefix. A suitable PHP script for this search-and-replace is available from interconnect/it. If you don’t make these adjustments, your pages will continue to be marked as unsafe because they still contain insecure links.
  • Temporarily provide a sitemap for both HTTP and HTTPS. After a while, the HTTPS variant will suffice.
  • If you are using caching plugins, clear the cache if necessary.
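
Added example (not part of the original article): a small Python scanner for the leftover HTTP references described in the list above. It flags images, scripts, stylesheets and iframes that a page still loads over http:// and shows the protocol-less form of each URL; the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute loads a subresource into the page. Plain <a href>
# links are navigation, not mixed content, so they are deliberately excluded.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class MixedContentScanner(HTMLParser):
    """Collects subresources that are still requested over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s load content; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def to_protocol_relative(url):
    """Rewrite http://host/path to //host/path (URL without protocol)."""
    parts = urlsplit(url)
    return url[len(parts.scheme) + 1:] if parts.scheme == "http" else url

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.yoursite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.yoursite.com/">
<script src="//www.yoursite.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="HTTP://www.yoursite.com/wp-content/uploads/logo.png">
<iframe src="https://player.example.org/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {to_protocol_relative(url)}")
```

Run it against the saved HTML of a few representative pages after the database rewrite; an empty result means no subresource on that page is still fetched over HTTP.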

This article first appeared on digitalmobil.com.
