How to Add SSL to Your WordPress Website

by Jerry Doremus

Jul 10, 2016

SSL and Your WordPress Website

Most of my savvy readers are probably familiar with what Secure Sockets Layer (SSL) is, so for this post, I am focusing on how to add SSL to your WordPress website to quickly gain an edge over your non-secure competition. While many businesses have opted to go the WordPress.com route, whereby SSL is now automatically added to their websites, most will find over time that the WordPress.org solution is better for a number of reasons, including full control over your site’s configuration. This is discussed in more detail here: WordPress.org vs WordPress.com. This post will examine the WordPress.org approach.

Adding SSL to your website adds a number of perks, but the decision to upgrade to SSL should not be taken lightly. This is particularly true in cases where you have an established presence in various social media channels that tie back into your company blog where posts and images originated from a once non-secure web server. In short, once you opt to add SSL to your website, do so for the long haul and for the right reasons. If you sell products, it’s a given. More on this item in the Social Media section of this post.

SSL Perks

By adding SSL, you immediately improve your website and open up more options:

  • More Secure
  • Build Trust and Credibility
  • Higher Performance leveraging HTTP/2
  • Improved SEO and Rankings
  • Better Referral Data in Analytics

Types of SSL

When looking at SSL for your website, there are essentially three general options:

  • Traditional SSL Certificate (paid and they come in a myriad of options from single to multi-domain)
  • Let’s Encrypt SSL (free, but depends on your web host configuration and needed options)
  • Flexible SSL (free through CloudFlare)

Traditional SSL Certificates

With traditional certificates, there isn’t any free lunch, but at the end of the day, you end up with the best solution in terms of end-to-end security. Reputable providers include DigiCert and Comodo, among others. The options range from simple standard single-website certificates, such as the Comodo Positive SSL Certificate for $9/yr., all the way up to the Extended Validation (EV) Multi-Domain Certificate for $390/yr. on average if you purchase the maximum period of two years. You have to work with your web host to enable these certificates on your web hosting server, and there’s typically a one-time setup fee involved. In all configurations, whether it’s a Let’s Encrypt or traditional certificate, you need to have it renewed every few months. Check with your web host first to see what they offer before shopping around for a better deal, because you may get a better package with them, but definitely shop it.

Let’s Encrypt SSL

The Let’s Encrypt option is fairly new to the SSL arena. The non-profit Internet Security Research Group (ISRG), the group responsible for developing this version of SSL, set out to let anyone add SSL to their website for free and, as a result, quickly secure a majority of insecure websites on the internet. A noble endeavor indeed. While the service is free, in reality, you still need someone to configure a web server to work with their certificates. Some web hosts and CDN vendors can manage the binding of the certificate to your website and manage the renewal process for you. The folks at SiteGround.com have reduced the entire process to one click, but you have to opt into one of their web hosting plans to get the service. What is interesting about this type of certificate is that it acts like a traditional certificate without the associated costs.

Flexible SSL

With CloudFlare’s Flexible SSL option, you can add SSL to your website for free. While it is similar to Shared SSL, you can bypass most of the limitations of the shared model, such as restrictions imposed by your web host like capped image data weights. Depending on how your domain name is configured, you may not need to get your web hosting vendor involved, and it’s possible to do it all yourself. Flexible SSL is not a full end-to-end solution: traffic is encrypted between the visitor’s browser and CloudFlare, but the connection from CloudFlare to your web server still travels over plain HTTP. Because of that gap, you could potentially use it as a last resort.

Domain Name System (DNS) and CloudFlare

For most of you, the term DNS can be very confusing, which is understandable. To keep this portion of the post as straightforward as possible, we’ll only focus on cloud DNS services such as CloudFlare. CloudFlare is a Software as a Service (SaaS) offering that allows anyone to instantly add a number of valuable services to their website for free. If you are not part of a larger company that has a dedicated network engineer on staff for leveraging SaaS providers like CloudFlare, you can still do quite a bit yourself because it’s easier than you think. Have a discussion with your web host’s technical support as to what your options are. The two biggest talking points revolve around domain name servers and e-mail MX records. If your company email is separate from your website domain, then replacing your name servers with CloudFlare’s is a pretty straightforward process; otherwise, it’s a bit more complicated and you may want some extra help.

Content Delivery Network (CDN)

CDNs are yet one more approach to setting up SSL with WordPress, but they are not mandatory. If you have the Jetpack plug-in installed and active on your website, there is an optional service called Photon. Photon, similar to CloudFlare, is not a true CDN service, but it emulates the image asset delivery portion of a CDN in that it provides a performance boost, serving your website’s image content faster to users regardless of where they reside in the world.

A number of CDNs such as KeyCDN and many web hosting companies now offer the Let’s Encrypt option along with allowing you to supply your own traditional certificate. With CDNs, the process can be a bit involved because you have to deal with zone files. I have found that web hosts offer a more frictionless experience, such as SiteGround’s one-click process.

SSL and HTTP/2

In examining your site’s performance, CloudFlare now offers the HTTP/2 protocol. Think of HTTP/2 as an instant performance boost for your site, similar to a CDN but different in that it offers true multiplexing of data. HTTP/2 relies on SSL being present to work through your internet browser, so once your site is set up with SSL via CloudFlare, you can enable the HTTP/2 service for free. From a CDN perspective, both KeyCDN and MaxCDN now offer HTTP/2 as another option.

Legacy Content

While the above set of options gets you 95% of the way through the process, there are some other considerations to think about. If your website has any absolute links (http://www.yourwebsite.com/yourlinks.php), as opposed to relative links (../yourlinks.php), pointing to content or images in posts or web pages via HTML, CSS or JavaScript files, they will need to be updated to relative links to continue working. Otherwise, users may see a mixed content symbol attached to the green padlock icon, informing them of mixed secure and insecure content on your site. This situation will likely deter them from using your website further. You can resolve this issue in a number of ways, but the easiest way is with the Really Simple SSL or SSL Insecure Content Fixer plug-ins. I have had the best overall results with the former, while the SSL Insecure Content Fixer offers a higher level of control over what is modified.
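
A scanner for the leftover absolute http:// references described above, as an added example that is not part of the original post or of either plug-in. `MixedContentScanner` and `scan` are hypothetical names, the sample markup and the host cdn.example.net are constructed, and it covers only HTML attributes and inline `style` attributes, not external CSS or JavaScript files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose URL the browser fetches while rendering the page.
FETCH_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
               "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
               "link": ("href",)}  # <link> is counted only for rel=stylesheet
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    """Collect http:// references left in markup that will be served over https."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []

    def _record(self, kind, tag, url):
        same_site = (urlsplit(url).hostname or "").lower() == self.site_host
        self.findings.append((kind, tag, url, same_site))

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            value = value or ""
            if name == "style":  # inline CSS, e.g. background: url(...)
                for url in CSS_URL.findall(value):
                    self._record("subresource", tag, url)
            elif value.lower().startswith("http://"):
                if tag == "a" and name == "href":
                    self._record("link", tag, value)  # navigation, not mixed content
                elif name in FETCH_ATTRS.get(tag, ()) and (tag != "link" or "stylesheet" in rel):
                    self._record("subresource", tag, value)

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    return scanner.findings  # list of (kind, tag, url, same_site)

# Constructed sample post body; www.yourwebsite.com is the article's placeholder host.
SAMPLE = """<link rel="stylesheet" href="http://www.yourwebsite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.yourwebsite.com/post/">
<img src="http://www.yourwebsite.com/wp-content/uploads/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<div style="background: url('http://www.yourwebsite.com/bg.jpg')"></div>
<a href="http://www.yourwebsite.com/yourlinks.php">links</a>"""

if __name__ == "__main__":
    print(*scan(SAMPLE, "www.yourwebsite.com"), sep="\n")
```

Findings on your own host are the ones a relative path fixes; third-party findings only go away if the other site serves the same resource over https://.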

Social Media

Once you have gone ahead and made your website secure, there’s a high probability that your existing posts on Facebook and other social media services will now be broken, especially any images from your web server supporting the posts. The first step is to check them ASAP once you have performed the SSL conversion to determine what is and isn’t working. If they are broken, you can choose to remove the original posts and replace them or not; it’s your call. This same issue could also apply to any of your followers or media services who have posted content from your non-secure site in the past. You will have little if any control over this issue.

Google AdWords

If you have an active AdWords campaign in motion and perform the SSL conversion, make sure to go into your AdWords account ASAP and update your web address to the new secure address to make sure users can get to your website as planned. A better approach would be to delay the campaign launch until the SSL process is done or vice versa.

Other Considerations

For our more technically inclined readers, you can also check out these deep dive articles on items already mentioned and other things you can do to ensure a smooth transition to an SSL-secured website: Smashing Magazine’s: Free SSL For Any WordPress Website; Key CDN’s excellent article: Complete Guide — How to Migrate from HTTP to HTTPS or Google’s: Planning on moving to HTTPS? Here are 13 FAQs!

Web Hosting vs DIY SSL Setup

While we have discussed a number of ways that you can add SSL to your WordPress website, achieving true end-to-end encryption requires working with your web hosting provider at some level and is recommended for professional results. They can connect everything on the back-end whether you opt for a traditional or Let’s Encrypt certificate. If, on the other hand, you want to dip your toes in the SSL water before diving in, Flexible SSL is another option.


Jerry Doremus

Design professional who is passionate about UX/UI, design and a WordPress enthusiast.