Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.
This is Part 6: Secure Your Site with SSL
You won’t need to be very technical to do this yourself, and I’ll show you on screen, step by step, how to do it.
Here are a few things you’ll need to prepare before starting:
- Your WordPress administrative area login URL, which in most cases is /wp-admin after your domain name
- Your WordPress administrative username
- Your Password
Today I’m going to show you how to secure your WordPress website with SSL.
If you really want your site to be secure, why not use the same security e-commerce sites use to protect credit card data?
SSL is a technology that encrypts data sent between users and your website. It changes the ‘http://’ to ‘https://’ and is another layer of security that can keep your site safe.
Of course you can’t just turn on SSL. You need to actually have an SSL certificate. You can set this up with your host and you may be pleasantly surprised to discover that SSL is included in your hosting package.
Take a look and see — it might be a feature you’ve never used and can now take advantage of to secure your site.
Last year Google announced that it would give a search ranking boost to sites using SSL. Over time the search engine plans to increase this boost, but in the meantime you’ll only see about a 1% increase, giving everyone a chance to switch over.
If your web host does not offer SSL certificates, here are a few places to purchase one.
- Affordable SSL certificates from Namecheap
- If you don’t have WordPress web hosting already, Siteground offers a free 1-year SSL certificate with its GoGeek plan.
- WPEngine offers 1 year SSL for $40/year.
If the website is not built yet, it’s best to get SSL installed and configured before starting the build, so that you can avoid errors with mixed content.
Once the SSL certificate is installed, enable it on the site by going to Settings > General and changing WordPress Address and Site Address to start with https instead of http.
If you have an established site, use plugins to avoid “Mixed Content” errors. Mixed content errors happen when the website is configured to use https but some scripts, pictures, links or other content elements are configured with http.
The most common culprits are pictures embedded in posts or pages: because their addresses are stored in the database with http, they cause “Mixed Content” errors when previewing the page or post they are in.
In this case, we use plugins to ensure that all content on the website is converted to https, before the page or post is loaded into the browser.
These plugins do not alter your database; they simply intercept everything before it loads and change any http to https. Even though these plugins come with settings, they do not need to be configured unless the website uses some sort of proxy or other special network configuration. In that case, please seek professional help.
Here is a list of recommended plugins:
- https://wordpress.org/plugins/wordpress-https/ (it has not been updated in a few years; however, as of this video it is still working.)
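Because these plugins rewrite addresses on the way out and leave the database untouched, it helps to know which stored references are still http. The following is an added example, not part of the original video or any plugin's code: a small Python scanner that lists the http subresources in a page's HTML. The example.com URLs and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute the browser fetches as part of rendering the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
                     "audio": "src", "video": "src", "source": "src", "link": "href"}
# Scripts, stylesheets and frames can change the whole page, so browsers block insecure ones.
ACTIVE_TAGS = {"script", "iframe", "embed", "link"}


class MixedContentFinder(HTMLParser):
    """Collect http:// subresources from HTML that will be served over https."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a navigation link, not fetched with the page
        values = dict(attrs)
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return  # rel=canonical and similar are never loaded
        url = (values.get(attr) or "").strip()
        if urlsplit(url).scheme.lower() == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((self.getpos()[0], tag, url, kind))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: post content as stored in the database before the https switch.
SAMPLE_POST = """<p>Our <a href="http://example.com/about/">about page</a></p>
<img src="http://example.com/wp-content/uploads/2015/06/team.jpg" alt="Team">
<img src="https://example.com/wp-content/uploads/2015/06/logo.png" alt="Logo">
<script src="http://cdn.example.net/slider.js"></script>
<link rel="canonical" href="http://example.com/team/">
<img src="//example.com/wp-content/uploads/2015/06/map.png" alt="Map">
"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE_POST):
        print(f"line {line}: <{tag}> {url} ({kind} mixed content)")
```

Feed it the post content or page source captured with the rewriting plugin switched off; with the plugin active, the addresses have already been changed to https before they reach the browser.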
Thanks for watching this video.
Bookmark this page, subscribe or save it somewhere so you can check back when we publish Part 7/9 next week!
Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?
- Part 1: Changing Your Admin Username
- Part 2: Enable Two Factor Authentication
- Part 3: Limit Login Attempts
- Part 4: Disable File Editing via the WordPress Dashboard & Eliminate PHP Error Reporting
- Part 5: Hide Your WordPress Version
If you have any questions or comments, please comment below.
Sven is an avid outdoorsman, father and social creature who never stops striving to make the ideal work-life balance a less elusive notion. He gets his kicks by making WordPress do things it didn’t know it could do.