SSL/HTTPS Security for WordPress Websites

HTTPS is essential for modern WordPress security. Learn how to properly implement SSL certificates and configure WordPress for secure encrypted connections.

Sarah Chen

Why HTTPS Matters

HTTPS encrypts data transmitted between your website and visitors' browsers. Without it, sensitive information like passwords, credit card numbers, and personal data travels in plain text, readable by anyone intercepting the connection.

Beyond security, HTTPS is now essential for SEO (Google uses it as a ranking factor), browser trust (Chrome marks HTTP sites as "Not Secure"), and user confidence in your website.

How SSL/TLS Works

The Encryption Process

  1. Browser requests secure connection
  2. Server sends SSL certificate
  3. Browser verifies certificate authenticity
  4. Encrypted session key is exchanged
  5. All data is encrypted during transmission

Certificate Types

  • Domain Validated (DV) - Basic validation, quickest to obtain
  • Organization Validated (OV) - Verifies organization identity
  • Extended Validation (EV) - Highest trust level, displays organization name

Obtaining an SSL Certificate

Free Options

Let's Encrypt is the most popular free option:

  • Fully automated issuance
  • 90-day validity with auto-renewal
  • Widely supported by hosting providers
  • Certbot for easy management

Paid Certificates

Consider paid certificates for:

  • Extended validation requirements
  • Warranty protection
  • Wildcard certificates for subdomains
  • Enterprise support needs

Hosting Provider Certificates

Many hosts include free SSL certificates. Check your hosting control panel for one-click SSL installation.

Installing SSL on WordPress

cPanel/Plesk Installation

  1. Access your hosting control panel
  2. Find SSL/TLS section
  3. Install certificate for your domain
  4. Enable auto-renewal if available

Manual Installation

For VPS or dedicated servers:

# Install Certbot
sudo apt install certbot python3-certbot-apache

# Obtain certificate
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

# Auto-renewal test
sudo certbot renew --dry-run

Configuring WordPress for HTTPS

Update WordPress URLs

In Settings > General, update both URLs:

  • WordPress Address: https://yourdomain.com
  • Site Address: https://yourdomain.com

Force HTTPS in wp-config.php

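// Add above the line that loads wp-settings.php.
define('FORCE_SSL_ADMIN', true);

// Behind a reverse proxy or load balancer that terminates TLS, WordPress sees plain HTTP.
// Trust X-Forwarded-Proto only if that proxy sets it; a client can send this header too.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}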

Redirect HTTP to HTTPS

Add to .htaccess, above the "# BEGIN WordPress" block so WordPress does not overwrite it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Fixing Mixed Content

What Is Mixed Content?

Mixed content occurs when HTTPS pages load resources (images, scripts, stylesheets) over HTTP. Browsers block or warn about this, breaking site functionality.

Finding Mixed Content

  • Browser developer tools console
  • Why No Padlock online tool
  • SSL Labs SSL Test

Fixing Database URLs

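Update URLs in the database using search-replace:

-- Back up the database first. wp_ is the default table prefix; adjust if yours differs.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_posts SET guid = REPLACE(guid, 'http://yourdomain.com', 'https://yourdomain.com');
-- Only siteurl and home are plain strings; many other options are PHP-serialized and a raw REPLACE() corrupts them.
UPDATE wp_options SET option_value = REPLACE(option_value, 'http://yourdomain.com', 'https://yourdomain.com') WHERE option_name IN ('siteurl', 'home');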

Use Search Replace Plugin

For safer database updates, use a plugin like Better Search Replace, which rewrites PHP-serialized values correctly instead of corrupting them.
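
Why a raw SQL REPLACE() is risky on wp_options, as an added example that is not part of the original article: PHP-serialized strings carry a byte-length prefix, and changing http:// to https:// adds one byte without updating it. The option value below is constructed, and the walker is a simplified sketch that does not handle serialized data nested inside a string.

```python
import re

OLD, NEW = b"http://yourdomain.com", b"https://yourdomain.com"
STR_TOKEN = re.compile(rb's:(\d+):"')


def naive_replace(value):
    """What SQL REPLACE() does: swap bytes, leave the length prefixes alone."""
    return value.replace(OLD, NEW)


def serialized_replace(value):
    """Replace inside each PHP string token and rewrite its byte-length prefix."""
    out, pos = [], 0
    while True:
        m = STR_TOKEN.search(value, pos)
        if not m:
            out.append(value[pos:])
            return b"".join(out)
        start, length = m.end(), int(m.group(1))
        body = value[start:start + length]
        if value[start + length:start + length + 2] != b'";':
            raise ValueError("length prefix does not match string body")
        body = body.replace(OLD, NEW)
        out.append(value[pos:m.start()] + b's:%d:"%s";' % (len(body), body))
        pos = start + length + 2  # skip the whole token, including its body


def lengths_consistent(value):
    """True if every s:N:"..." token is followed by exactly N bytes and '";'."""
    pos = 0
    while (m := STR_TOKEN.search(value, pos)):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True


# Constructed wp_options value, shaped like a serialized theme setting.
SAMPLE = b'a:2:{s:4:"logo";s:30:"http://yourdomain.com/logo.png";s:5:"title";s:4:"Home";}'

if __name__ == "__main__":
    print("naive result still valid:", lengths_consistent(naive_replace(SAMPLE)))
    print("length-aware result:", serialized_replace(SAMPLE).decode())
```

On a live site, use a serialization-aware tool such as Better Search Replace or WP-CLI's `wp search-replace` rather than this sketch.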

HSTS Implementation

What Is HSTS?

HTTP Strict Transport Security tells browsers to always use HTTPS, even if the user types HTTP.

Apache Configuration

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

WordPress Implementation

add_action('send_headers', function() {
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
});

HSTS Preload

Submit your domain to the HSTS preload list for maximum protection. This is permanent, so ensure HTTPS works perfectly first.

Certificate Monitoring

Expiration Alerts

SSL certificates expire. Set up monitoring to alert before expiration:

  • Use certificate monitoring services
  • Enable hosting provider notifications
  • Set calendar reminders

Certificate Transparency

Monitor Certificate Transparency logs for unauthorized certificates issued for your domain.

Conclusion

SSL/HTTPS is essential for WordPress security. Obtain a certificate, configure WordPress properly, fix mixed content issues, and implement HSTS for complete protection. Monitor certificate expiration to maintain continuous security.
