Buying an SSL/TLS certificate (or using a free one) is just one of a few steps to secure your WordPress website over HTTPS. Learn how to activate SSL on WordPress and benefit from serving a secure website to visitors. In this article, the process of activating SSL/TLS is broken down into three steps, including how to fix mixed content warnings in WordPress and show the green lock icon in your browser.
Before you begin any other step, you need to have a valid certificate installed on your web host, whether it's free or one you bought from a certificate authority (CA) like Comodo SSL. Without a valid CA-signed certificate installed (self-signed certificates aren't considered secure in production), visitors will get the red lock icon and/or see a security warning in their browser.
Cyberia Technologies web hosting integrates with Let's Encrypt SSL, a free certificate authority (CA) with backing by major companies like Google, Mozilla, and Cisco. The installation is simple and can be done in a matter of seconds. Your domain must be live (DNS records must be pointing to your host) before Let's Encrypt will issue an SSL certificate. Each web host is different and the interface will differ as a result. For example, a cPanel host might allow you to install an SSL certificate through an interface like this:
Contact support at your hosting provider to find out if they offer Let's Encrypt SSL/TLS certificates. If you are a Cyberia Technologies customer and have any questions or trouble, you can email support.
The next step in how to activate SSL on WordPress is to configure or "tell" your WordPress installation to use it. This is done by adding the 's' in the URL (http:// to https://) in the fields marked 'WordPress Address' and 'Site Address'. Click 'Save' after making the changes to both fields.
WordPress will log you out automatically—this is normal. Simply log back in again with your administrator username & password, and you're ready for the next step!
This step ensures your WordPress site uses HTTPS consistently instead of HTTPS for only some links and HTTP for the rest. Though this step is key to fixing WordPress mixed content warnings, it requires some level of technical competence. To accomplish this, we'll need to find and replace the links in the database pointing to images, attachments, or theme files that are still using the non-secure protocol.
From your WordPress Dashboard, select 'Add New Plugin' and type 'Better Search Replace' into the search box. Click 'Install' and then 'Activate'. Next, go to Dashboard > Tools and select 'Better Search Replace'.
Referencing the screenshot above, the first field is for the old, non-secure domain (take note of the absence of 's' in 'http'). The second field is for the new secure domain protocol (https). The correct settings to be used are highlighted in purple.
Remember to take extreme care not to mistype or misspell anything in either field. Double check protocols, the placement of the colon, if the double forward slashes are present, etc. Making a backup of your database might not be a bad idea either, since a mistake here can potentially break your website.
Next, select all the tables (SHIFT + L Mouse click on PC) or select them one by one (CTRL + L Mouse click). Tick the GUID checkbox if your site is new or is a test site. The dry run checkbox must be unchecked in order to run the operation.
To finish, simply click 'RUN Search/Replace' at the bottom. If successful, you will see a notice at the top of the page with the number of non-secure URLs the plugin was able to find and secure.
You've learned how to activate SSL on WordPress and your site will be served to visitors with a green lock icon. If you don't see a lock icon yet, refresh the page or try another browser.
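If the lock icon still does not appear, the page is usually still loading something over http://. The following Python code is an added example, not part of the original article or of any plugin; the hosts and markup in SAMPLE_HTML are constructed placeholders. It lists the subresources a page still requests over HTTP and marks each as hosted on your own domain (fixable with the search and replace above) or on an external host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). Links (<a href>) are navigation, not mixed content.
LOADERS = {
    "script": ("src", "active"), "iframe": ("src", "active"), "link": ("href", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, origin, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADERS:
            return
        attr, kind = LOADERS[tag]
        values = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in values.get("rel", "").lower():
            return  # e.g. rel="canonical" is never fetched as a subresource
        # urljoin resolves relative and protocol-relative (//host/) URLs
        url = urljoin(self.page_url, values.get(attr, "").strip())
        if urlsplit(url).scheme != "http":
            return
        own = urlsplit(url).hostname == urlsplit(self.page_url).hostname
        self.findings.append((kind, "own" if own else "external", url))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (all hosts are placeholders).
SAMPLE_HTML = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="//cdn.example.net/lib.js"></script>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.png">
<iframe src="http://video.example.org/embed/1"></iframe>
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://example.com/", SAMPLE_HTML):
        print(*finding)
```

The scanner only reads src and href attributes, so URLs inside srcset attributes, inline CSS, or JavaScript are not covered.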
Note 1: This secures your WordPress site and everything hosted inside it. If you have external pictures, content, or third party scripts, i.e. hotlinked content or embedded iframes, they must still be secured on their own host.
Note 2: It's a good idea to review your Google Analytics and Google Search Console properties and update them to the newly secured URL (https://).
Note 3: To be thorough, we also recommend you set up a 301 redirect from the old, non-secure URL to your secure domain. This way visitors and search engines trying to reach your site will seamlessly arrive on the secure domain. This can be done either by your host or from inside WordPress.
Note 4: Your website SEO rankings or "link juice" may take some time to settle, though this is necessary in order to activate SSL on WordPress correctly.
In this day and age, your business website needs safeguards in place to protect against cyber attacks. Though our managed WordPress hosting customers benefit from several security measures, many web hosting providers don't offer any mitigation against website hacks/data loss. No matter which web host you use, we'll share with you 5 easy steps to secure WordPress and protect from hackers. These should be easy to implement and won't involve any coding.
Wrong. Indeed, the public does see headlines about their personal data being dumped on the dark web from a big corporate hack every year or so. Yahoo, Sony, and Equifax are some of the (in)famous data breaches you may have heard of. But if you think only enterprise businesses are in a hacker's crosshairs, you're being misled. Without mitigation, you may be choosing to put your business (and customers) at risk.
Use a security plugin for WordPress, like Wordfence or iThemes Security, to shut down the most common attack vectors without much setup. Many critically important features are included even with the free version of Wordfence. When you visit the Wordfence Options tab inside the Dashboard, you can customize the thoroughness of scans and log keeping. Within just minutes, you will enjoy significantly greater protection.
Creating backups is important, not only in the event of an infection you can't clean, but also in case your website breaks (i.e. after a bad update). We recommend a regular schedule of weekly or monthly WordPress backups by default. If you need to run a different backup schedule, you might want to factor in the following:
Luckily, there is no shortage of both free and premium backup tools, so you only need to be aware of what's needed as a minimum. A complete WordPress backup consists of two parts: the standard PHP files, images, etc.—and the database (a specially exported .SQL file). You need both parts to have a working backup—if you try to restore an old backup without the database, your backup is worthless.
We recommend UpdraftPlus or Duplicator to create a restore point or snapshot. The backups can be stored on your web host or externally in Google Drive, Dropbox, or AWS. If you're a Cyberia Technologies hosting customer, you're already benefiting from server-side automatic backups, meaning there is no need for a third-party solution. Server-side WordPress backups can be restored by logging into the control panel.
Cloudflare is a DNS (Domain Name System) provider built on a philosophy of security and speed. The free plan from Cloudflare even includes DDoS protection, a global content delivery network (CDN), zero-trust access protection for 5 users, & more.
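A backup is only useful if both parts described above are actually in it. The following Python code is an added example, not taken from the article or from any backup plugin: it checks a backup archive for the site files and for a database export that defines the options table. It assumes the backup is a single zip holding the WordPress files plus a plain .sql file; real plugins may lay their archives out differently, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

# Matches the options table in a dump whatever the table prefix is.
OPTIONS_TABLE = re.compile(r"CREATE TABLE[^;(]*?`?(\w+_)options`?", re.IGNORECASE)

def check_wordpress_backup(archive_bytes):
    """Return a list of problems; an empty list means both parts are present."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        corrupt = zf.testzip()  # CRC-checks every member
        if corrupt is not None:
            problems.append(f"archive: corrupt member {corrupt}")
        names = [n for n in zf.namelist() if not n.endswith("/")]
        # Part 1: the site files.
        if not any(n.split("/")[-1] == "wp-config.php" for n in names):
            problems.append("files: wp-config.php missing")
        if not any("wp-content/" in n for n in names):
            problems.append("files: nothing under wp-content/")
        # Part 2: the database export.
        dumps = [n for n in names if n.lower().endswith(".sql")]
        if not dumps:
            problems.append("database: no .sql export in archive")
        elif not any(OPTIONS_TABLE.search(zf.read(n).decode("utf-8", "replace"))
                     for n in dumps):
            problems.append("database: no .sql export defines an options table")
    return problems

def make_zip(members):
    """Build a constructed in-memory archive from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample backups (not real site data).
FILES = {"site/wp-config.php": "<?php // constructed",
         "site/wp-content/uploads/logo.png": "x"}
DUMP = "CREATE TABLE `w2ZbEq_options` (option_id bigint);\n"
COMPLETE = make_zip({**FILES, "site/database.sql": DUMP})
FILES_ONLY = make_zip(FILES)
EMPTY_DUMP = make_zip({**FILES, "site/database.sql": ""})

if __name__ == "__main__":
    for label, blob in [("complete", COMPLETE), ("files only", FILES_ONLY),
                        ("empty dump", EMPTY_DUMP)]:
        print(label, check_wordpress_backup(blob) or "OK")
```

Passing this check shows the archive is structurally complete; only a test restore proves the backup works.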
It's well known by the WordPress community that you can visit the default login page for any WordPress site by going to www.thewebsite.com/wp-login.php. Given how popular WordPress is, this means anyone can try to gain entry to your website through this very predictable login slug. Changing it to something unique enough that an outsider can't guess will remove this potential attack vector.
By default all WordPress database tables start with "wp_" as a prefix, meaning any hacker can easily predict your database structure. MySQL injections and other database vulnerabilities become much easier from that point onward. Use a tool to customize your WordPress table prefixes to something completely unique/random, i.e. "w2ZbEq_". If you're a Cyberia Technologies customer, you can randomize the database prefix via the 1-click security tab in WordPress Toolkit. Otherwise you can search for a plugin in the WordPress repository to automatically do this.
Your business and your customers rely on the safety and security of your website. Although none of the above 5 steps will guarantee you won't be hacked, you'll avoid becoming low-hanging fruit for hackers. Since most small businesses don't recover from security breaches, it's worth it to review our 5 easy steps to secure WordPress and protect from hackers every so often.