1. Get your SSL certificate from your host
The first thing to do is to get in touch with your hosting company and ask them to install SSL on your site. Most hosts will ask you to pay an annual fee for it, ranging from $19 to $99 a year.
Good news: if your website is hosted on Vidahost, SiteGround, WPEngine or DreamHost, they can provide you with an SSL certificate for free and assist you with the whole process of going secure.
2. Update WordPress URL
Once your host has added SSL on your account, your website should be accessible through the URL https://yourwebsite.com. If you can access your site through this address, it’s time for you to start setting up WordPress for HTTPS.
The first step to do so is super easy. Just log into your WordPress dashboard and visit the Settings > General section.
Simply update the WordPress Address (URL) and Site Address (URL) to HTTPS, as shown in the image below. Save the settings and you’ll be logged out of your WordPress dashboard.
3. Force SSL admin in wp-config.php
Use your FTP client to edit the wp-config.php file, located at the root of your WordPress install. Append the following:
define('FORCE_SSL_ADMIN', true);
This constant easily enables and enforces WordPress administration over SSL, adding extra security to your WordPress dashboard.
4. Redirect HTTP to HTTPS
At this stage, HTTPS is already working on your website. But there are a few things left to do. The first one is to redirect the http traffic to https.
Over the years, many websites have linked to your site using http://, so there are going to be a lot of people still accessing the http version of your site.
So what you have to do is redirect all the traffic to the secure, https site. This is done by using the .htaccess file, located at the root of your WordPress install. Open the file and add the following inside the <IfModule mod_rewrite.c> block:
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Please note that .htaccess redirects can be a bit tricky, and sometimes will work perfectly on one host and not on another.
If the code above doesn’t function properly, simply revert the changes and get in touch with your hosting provider support. They’ll be happy to provide you the correct .htaccess redirect that works on their servers.
5. Make all your links https
Alright, now we have HTTPS properly set up, and the HTTP traffic is automatically redirected to the HTTPS site. But there’s one more thing to do before we can call it a day: replacing all HTTP links on your site with their HTTPS equivalents. This is done in two distinct parts:
Hardcoded links in theme files
Let’s start with your theme. If you’re using a WordPress theme from the WP repository, from ElegantThemes or any other free/premium theme shop and haven’t done any changes to it, you have nothing to do. However, if you’re using a custom theme or a theme that you modified yourself, there might be some HTTP links hardcoded somewhere.
Have a look in your theme files (especially header.php and footer.php) and update each internal hardcoded HTTP link to its HTTPS version.
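One way to automate that search, as an added example that is not from the original article: the Python script below scans template text for http:// URLs on your own domain and marks the ones the page loads itself (src=, <link href=>, CSS url()), which browsers treat as mixed content on an HTTPS page. The host names are the article's placeholders; the sample markup and the function names scan and upgrade are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Placeholder hosts from the article's SQL queries; replace with your own.
SITE_HOSTS = {"yoursite.com", "www.yoursite.com"}
HTTP_URL = re.compile(r"http://[^\s\"'<>)\[\]]+", re.IGNORECASE)
# Text just before a URL when the page itself loads it (mixed content).
SUBRESOURCE = re.compile(
    r"<(?:script|img|iframe|source|video|audio|embed)\b[^>]*\bsrc\s*=\s*[\"']?$"
    r"|<link\b[^>]*\bhref\s*=\s*[\"']?$"
    r"|url\(\s*[\"']?$",
    re.IGNORECASE,
)

# Constructed sample standing in for a custom theme's header.php markup.
SAMPLE_HEADER = """\
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/custom/style.css">
<script src="http://www.yoursite.com/wp-content/themes/custom/menu.js"></script>
<a href="http://yoursite.com/about/">About</a>
<a href="http://example.org/">Partner</a>
<img src="https://yoursite.com/logo.png">
"""

def is_internal(url):
    # Exact host match, so look-alike hosts are never rewritten.
    return (urlsplit(url).hostname or "").lower() in SITE_HOSTS

def scan(text):
    """Return (line_no, kind, url) for each internal http:// URL in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HTTP_URL.finditer(line):
            if not is_internal(match.group(0)):
                continue  # external sites may not offer HTTPS; leave them
            loaded = SUBRESOURCE.search(line[:match.start()])
            kind = "subresource" if loaded else "link"
            findings.append((line_no, kind, match.group(0)))
    return findings

def upgrade(text):
    """Rewrite internal http:// URLs to https://, leaving external ones."""
    def fix(match):
        url = match.group(0)
        return "https://" + url[7:] if is_internal(url) else url
    return HTTP_URL.sub(fix, text)

if __name__ == "__main__":
    for line_no, kind, url in scan(SAMPLE_HEADER):
        print(f"line {line_no}: {kind:<11} {url}")
```

Fix the "subresource" findings first: those are the ones that trigger mixed-content warnings or get blocked, while plain links are still caught by the redirect from step 4.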
Internal links in database
When writing posts or pages, there is a good chance that you inserted HTTP internal links. In order to update your links, you can edit each post and page, but this will be a very time-consuming task.
Instead of dealing with so much hassle, there’s a super simple and fast solution to update all internal links in your database: Using SQL queries.
There are several ways to run SQL queries. Most of you probably have cPanel installed on your server. This is the case if your host is Vidahost, HostGator or InMotion Hosting, for example.
To access phpMyAdmin from cPanel, simply log into cPanel and click the phpMyAdmin icon in the Databases section.
Make sure to back up your database, in case something goes wrong. Once done, run the following two queries:
UPDATE wp_posts SET post_content = replace(post_content, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_posts SET post_content = replace(post_content, 'http://www.yoursite.com', 'https://www.yoursite.com');
Here you go. The queries have updated all your internal links from HTTP to HTTPS. Now, your WordPress site is fully SSL compliant and you should see a green padlock in your address bar, showing your visitors that their connection to your site is secure.