Switching your WordPress site to SSL

Https for your domain makes sense these days for a bunch of reasons; You offer an encrypted link connection to your visitors which provides security. It’s not very expensive either. You can get affordable certificates via NameCheap (A popular hosting provider).

I got mine via MediaTemple because I’m rather lazy and their dashboard has this fancy thing to install a certificate with just one click. But you can get them cheap via NameCheap from ~$10 per year or so.

Getting started

First you need a SSL certificate. I’ve been stumbling around a lot on this – Which one to get, what sort of security. For most users a domain validation certificate will be just fine. This validates your domain to make sure it’s the real thing but doesn’t ensure the owner or business using that domain.
So you’ll get the security lock but not your organization name in the address bar. I have this for my site https://ajdg.solutions/.
ssl-lock

Install the certificate

Buying and setting up the actual certificate varies per hosting provider and server setup. Your hosting provider should have a manual on that and such setup is beyond the scope of this article. If you can’t figure it out (Sometimes it’s rather tricky) check with your hosting providers support service.

Switching your WordPress site to SSL

This consists of 4 general parts. I found that the order I write them in here works best. But ultimately that’s up to you. Any order *should* work. I would follow the order in this post though. It gives you the least trouble and broken links along the process of switching.

1. Make WordPress use HTTPS

The first bit is to go into your WordPress dashboard and switch out the main urls to use HTTPS. Change both the addresses to use https instead of http.
ssl-settings

2. Force SSL for the WordPress dashboard

Second you’ll want to force the WordPress dashboard to use your SSL Certificate as well.
Edit your wp-config.php file and add the following line somewhere in the file. I’ve added it just below line 53 in my files.
define('FORCE_SSL_ADMIN', 1);

3. Force visitors to use https

Next you’ll want your visitors to actually *use* HTTPS and force them to do so without breaking any existing urls.
Edit your .htaccess file to redirect anyone coming to http to go to https.

The default file will look like something like this:
# BEGIN WordPress

RewriteEngine On

RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Change it to this:
# BEGIN WordPress

RewriteEngine On

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

This redirects everyone coming to http to https. Easy. This also redirects any existing bookmarks and stuff. So there are 0 broken links.

4. Change local assets to use https

And lastly – This is really the more tedious part. To avoid unnecessary SSL plugins you’ll want to go over your pages and recent posts and edit them. Change all local assets such as pictures you added to those pages and posts to use https.

This may take a bit to get to but without doing so the SSL stuff will not fully work and your page will not show as secured in most major browsers – They’re a picky bunch.
For my site (mentioned above) it took me about 1 hour to go over the pages and swap the urls out. I didn’t bother with the blog posts but new and future posts will use HTTPS because of your earlier made changes.

Final

And that’s really it. No need for SSL plugins or fancy functions to dynamically swap out urls. You can do so, but if you change things manually and permanently. It’s absolutely pointless. It saves you a plugin… Reason enough for me.

If all went well all your pages (except for older posts) should now show the little HTTPS lock in the browsers address bar.