Make your WordPress site accessible over HTTPS by implementing SSL on cPanel hosting, Cloud server, Cloudflare, EasyEngine, Cloudways.
Securing a website is not optional and as important as content, design, or SEO. One of the essential tasks of securing the site is to configure SSL/TLS (Secure Socket Layer/Transport Layer Security) certificate, so your website is accessible only through HTTPS.
HTTPS (HyperText Transfer Protocol Secure) ensure the data transaction between a client (browser) to the server is encrypted. Data could be anything from username, email, password, or credit card if you are running an online store.
Lately, HTTPS is also included in search ranking signal, so it’s not just for e-commerce sites but applicable to all. The good thing is you can get it started in FREE.
Let’s get into technical details.
You may offload the SSL handshake at multiple levels.
- Web Server
- Load Balancer
- Network edge/CDN
The prerequisite for configuring your website accessible over HTTPS is SSL/TLS certificate.
Let’s Encrypt offers a FREE certificate, and there are some more, which I mentioned here. And if you want to buy Symantec, Thawte, GeoTrust, etc. then you may get it from SSL Store. Let’s see the implementation details. The following, I’ve used my test domain (techpostal.com) with a Genesis theme.
As a best practice, take a backup before making changes, so in case something goes wrong, you can rollback.
Most of the top shared hosting like Site Ground, Bluehost offer a FREE certificate under all the plans. If you are hosting your site on cPanel hosting, then the following steps would help you.
The below example is from Site Ground but should work with any cPanel hosting provider.
- Login to Site Ground
- Go to My Accounts >> Go to cPanel
- Go to WordPress toolkit under Tools
- Click Manage under Actions
- Click Configure SSL
- It will open a popup, select Enable SSL and change
SiteGround will provision Let’s encrypt certificate for your domain and make the necessary modifications in WordPress, so it’s accessible over HTTPS.
You can validate by accessing your URL with https in the browser. In my scenario – it would be https://techpostal.com
This indicates my WordPress site has SSL enabled, which is good but there is a small problem.
The problem is that the site is accessible over HTTP and HTTPS both, which is not good and has to do one more configuration change to ensure all requests are served only over HTTPS.
- Go to cPanel
- Scroll down a bit and click Let’s Encrypt under the Security section
Turn ON HTTPS Enforce & External Link Rewrite
Congratulation! You’ve successfully enabled the certificate for your WordPress site hosted on shared hosting. Verify by accessing a few pages to ensure it works as expected.
Note: some of you have reported that images are not showing as it tries to load over HTTP. If you are encountering this issue, you can fix it by installing the SSL Insecure Content Fixer plugin. The default configuration worked for me.
If your hosting provider doesn’t offer free SSL, then you may want to try out Site Ground.
Personally, I would prefer to have an SSL handshake terminated at a network edge device or CDN.
Below instructions are based on Nginx on Ubuntu 16.04 using FREE cert offered by Let’s Encrypt. However, if you are using Apache HTTP server, then refer this for traditional cert, and this for let’s encrypt.
- Login to your Cloud/VPS server with root
- Install the Let’s Encrypt client
apt-get install letsencrypt
- Generate the certificate for the domain
letsencrypt certonly --webroot -w /var/www/html -d techpostal.com -d www.techpostal.com
Note: change the
--webroot with your actual DocumentRoot location. In the above command, I’m generating a cert for domain including www, so if someone tries to access using www it will not give certificate error.
- It will prompt to enter the email address
- Accept the terms & condition
It will take a few seconds, and you will get a confirmation with notes, including cert location.
IMPORTANT NOTES: - If you lose your account credentials, you can recover through e-mails sent to firstname.lastname@example.org. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/techpostal.com/fullchain.pem. Your cert will expire on 2017-11-10. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s configure Nginx to listen on port 443 and provide SSL cert details.
- Edit the Nginx configuration file /etc/nginx/sites-available/default and add the following in
listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_certificate /etc/letsencrypt/live/techpostal.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/techpostal.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:15m; ssl_session_timeout 15m;
- Restart the Nginx
service nginx restart
Now, you should be able to access WordPress hosted on a cloud through HTTPS.
In default + above configuration, Nginx is listening on port 80 (HTTP) and 443 (HTTPS) both, which means a website is accessible on both protocol. To ensure all the request is served over HTTPS, you can install Really Simple SSL plugin.
- Once a plugin is installed, Go to Settings and click “Go ahead, activate SSL!”
- Once activated, you will get a confirmation
Verify by accessing a site with http:// and you will notice it will be redirected to https://. Additionally, you may also want to test your site for any SSL/TLS vulnerabilities.
Great! WordPress site is successfully secured with an SSL certificate on the Cloud server.
One of the easiest ways to add SSL to a website is through Cloudflare. Cloudflare offers many performance & security advantages, including FREE SSL cert.
If you are using their service already, then here is how you can enable it quickly.
- Log in to Cloudflare and go to Crypto tab
- Ensure SSL setting is not Off (Flexible is good)
- Scroll down a bit, select ON for “Automatic HTTPS Rewrites.”
Easy, isn’t it?
Note: If you notice mixed content issue, then you may need to install Cloudflare Flexible SSL plugin as I explained here.
If you’ve installed WordPress with
http:// using EasyEngine then you can upgrade to
https:// with the following command.
- Login to EasyEngine server and execute below command
ee site update yourwordpresssite.com --letsencrypt
root@techpostal:~# ee site update techpostal.com --letsencrypt Letsencrypt is currently in beta phase. Do you wish to enable SSl now for techpostal.com? Type "y" to continue [n]:y Downloading LetsEncrypt [Done] Please Wait while we fetch SSL Certificate for your site. It may take time depending upon network. Let's Encrypt successfully setup for your site Your certificate and chain have been saved at /etc/letsencrypt/live/techpostal.com/fullchain.pem Configuring Nginx SSL configuration Adding /var/www/techpostal.com/conf/nginx/ssl.conf Adding /etc/nginx/conf.d/force-ssl-techpostal.com.conf Added HTTPS Force Redirection for Site http://techpostal.com Creating Cron Job for cert auto-renewal Reload : nginx [OK] Congratulations! Successfully Configured SSl for Site https://techpostal.com Your cert will expire within 89 days. root@techpostal:~#
Just one simple command and you are done.
To enable Let’s Encrypt SSL certificate on WordPress site managed through Cloudways, you got to do the following.
- Login to Cloudways platform >> Applications
- Select the WP site >> SSL Certificate
- Enter your email & domain name and click “Install Certificate.”
- It will take a few minutes, and once done, you should see it has successfully enabled on the domain name.
The good thing is you don’t have to worry about certificate renewal as Cloudways take care auto-renewal automatically. Cloudways offer a FREE trial, so you can give a try to see how it works for you.
So that was all for today about implementing SSL/TLS certificate correctly in WordPress. I hope this helps.