Buying an SSL/TLS certificate (or using a free one) is just one of a few steps to secure your WordPress website over HTTPS. Learn how to activate SSL on WordPress and benefit from serving a secure website to visitors. In this article, the process of activating SSL/TLS is broken down into three steps, including how to fix mixed content warnings in WordPress and showing the green lock icon in your browser.
1. Buy and Install Your SSL/TLS Certificate
Before you begin any other step, you need to have a valid certificate installed on your web host, whether it's free or one you bought from a certificate authority (CA) like Comodo SSL. Without a valid CA-signed certificate installed (self-signed certificates aren't considered secure in production), visitors will get the red lock icon and/or see a security warning in their browser.
Cyberia Technologies web hosting integrates with Let's Encrypt SSL, a free certificate authority (CA) with backing by major companies like Google, Mozilla, and Cisco. The installation is simple and can be done in a matter of seconds. Your domain must be live (DNS records must be pointing to your host) before Let's Encrypt will issue an SSL certificate. Each web host is different and the interface will differ as a result. For example, a cPanel host might allow you to install an SSL certificate through an interface like this:
Contact support at your hosting provider find out if they offer Let's Encrypt SSL/TLS certificates. If you are a Cyberia Technologies customer and have any questions or trouble, you can email support.
2. Navigate to WordPress Dashboard > Settings > General
The next step in how to activate SSL on WordPress is to configure or "tell" your WordPress installation to use it. This is done by adding the 's' in the URL (http:// to https://) in the fields marked 'WordPress Address' and 'Site Address'. Click 'Save' after making the changes to both fields.
WordPress will log you out automatically—this is normal. Simply log back in again with your administrator username & password, and you're for the next step!
3. Install 'Better Search Replace' Plugin & Navigate to the Settings Tab
This step ensures your WordPress site uses HTTPS consistently instead of HTTPS for only some links and HTTP for the rest. Though this step is key to fix WordPress mixed content warnings, it requires some level of technical competence. To accomplish this, we'll need to find and replace the links in the database pointing to images, attachments, or theme files that are still using the non-secure protocol.
From your WordPress Dashboard, select 'Add New Plugin' and type 'Better Search Replace' into the search box. Click 'Install' and then 'Activate'. Next, go to Dashboard > Tools and select 'Better Search Replace'.
Referencing the screenshot above, the first field is for the old, non-secure domain (take note of the absence of 's' in 'http'). The second field is for the new secure domain protocol (https). The correct settings to be used are highlighted in purple.
Remember to take extreme care not to mistype or misspell anything in either field. Double check protocols, the placement of the colon, if the double forward slashes are present, etc. Making a backup of your database might not be a bad idea either, since a mistake here can potentially break your website.
Next, select all the tables (SHIFT + L Mouse click on PC) or select them one by one (CTRL + L Mouse click). Tick the GUID checkbox if your site is new or is a test site. The dry run checkbox must be unchecked in order to run the operation.
To finish, simply Click 'RUN Search/Replace' at the bottom. If successful, you will see a notice at the top of the page with the number of non-secure URLs the plugin was able to find and secure.
That's it! Now You Know How to Activate SSL on WordPress
You've learned how to activate SSL on WordPress and your site will be served to visitors with a green lock icon. If you don't see a lock icon yet, refresh the page or try another browser.
Note 1: This secures your WordPress site and everything hosted inside it. If you have external pictures, content, or third party scripts, i.e. hotlinked content or embedded iframes, they must still be secured on their own host.
Note 2: It's a good idea to review your Google Analytics and Google Search Console properties to the newly secured URL (https://).
Note 3: To be thorough, we also recommend you setup a 301 redirect from the old, non-secure URL to your secure domain. This way visitors and search engines trying to reach your site will seamlessly arrive on the secure domain. This can be done either by your host or from inside WordPress.
Note 4: Your website SEO rankings or "link juice" may take some time to settle, though this is necessary in order to activate SSL on WordPress correctly.