
How to Secure WordPress with SSL and HTTPS


These days a lot of website hacking cases can be witnessed, and if you’re a WordPress website owner, especially of a site that involves online transactions or an eCommerce site, you should make your website more secure by using HTTPS and obtaining an SSL certificate. Anyone using your website will think twice before sharing their personal financial details, and when your website is secure there is a better chance of them making online payments on your site.

You can read more about SSL (Secure Sockets Layer): it is a protocol for sending data in encrypted form between the browser (client side) and the web server, and for securely identifying a network server (https://). HTTPS connects on port 443, while HTTP is on port 80.

HTTPS encrypts the user’s browser connection to your server, which makes your website a lot more secure and discourages hackers. An SSL certificate is used to identify the website; you might have noticed websites like Facebook or Amazon using these techniques to secure themselves.

Another big advantage of using HTTPS and SSL is that payment gateways like PayPal, Skrill, etc. require a website to have HTTPS and SSL before allowing it to use their services. Google also sees these websites as more search engine friendly, which means you are also improving your website’s overall SEO.


Why use SSL (https://)

There are lots of reasons to use SSL on WordPress-powered websites and blogs. If you’re going to run an online store or an eCommerce website developed on WordPress, you have to use HTTPS for the payment process. The same applies if you have very sensitive information that needs to be sent to the client in a secure way, since a packet sniffer can be used to steal items like credit card or login details.

If you are using WordPress for a health-professional website, you need to keep patients’ details confidential when they book appointments online. The same goes if you are collecting donations and need to authorize the donation process. So it’s better to secure data online by requesting the client to download a certificate first and then continuing with the payment process or any other data transfer.

Simply put, we should use SSL to boost customers’ confidence in your websites. Formidable Forms is the best WordPress plugin for creating forms, giving very high customization flexibility for content. In addition, you will get complete support once you have purchased the Formidable Forms plugin from their website.

How to Acquire SSL Certificate?

Now you must be wondering how to get an SSL certificate for your website? Well, it’s really simple, just ask your web hosting company for an SSL certificate and you can purchase it from them. Usually, it costs between $10 – $250, and your website hosting company will install that certificate onto your server.

The most important thing is to have a certificate on your hosting platform. Most hosting companies also provide SSL certificates at different prices, as follows:

WPEngine

WPEngine is a managed WordPress hosting company. Recently, it started providing SSL certificates to its users free of cost. The free SSL certificate comes with all pricing plans.

DreamHost

DreamHost is one of the oldest established WordPress hosting companies in the world, with over 1.5 million sites hosted on its platform. Recently, it also started offering Let’s Encrypt free SSL certificates to its clients. Yes, you can get a free SSL certificate on DreamHost as well.

BlueHost

BlueHost is considered one of the most reliable WordPress hosting companies. It also provides SSL certificates.

HostGator

HostGator, famous for its 1 penny hosting coupon and cheap plans, also provides SSL certificates. Pricing starts from $50, and if you obtained the SSL certificate from another company, the HostGator team will install it for only $10.

Inmotion Hosting

Inmotion Hosting is a Premium Web hosting company that provides different types of SSL certificates.

WPWebHost

With GeoTrust SSL certificates you can start conducting secure online transactions with confidence, quickly and cost-effectively. All of the SSL certificates enable up to 256-bit encryption and can be used to secure servers used for Web sites, intranets, extranets and other online applications.

GoDaddy

Protect transactions and customer data with an SSL Certificate. Standard SSL £43.99/year – Verifies your domain control & secures your site.

Hostmonster

eCommerce features with SSL secure server.

SSL Specific Providers

SSL2BUY

SSL2BUY is one of the best SSL certificate providers across the globe and provides complete web security solutions to small and independent businesses. They are an official partner of leading certification authorities including Comodo, Symantec, GlobalSign, Thawte, GeoTrust, AlphaSSL, and RapidSSL. Hence, they have a broad range of SSL products including DV, OV, and EV SSL to secure a single website, subdomains or multiple domains.

Also, SSL2BUY delivers peerless services including 24/7 customer support, 30 days full refund policy, unlimited re-issuance and lower prices.

Comodo

Comodo is one of the well-known SSL certificate providers, with cheap prices. You can get almost all types of SSL certificates from Comodo.

GeoTrust

GeoTrust is also a well-known name in the SSL industry. It provides all kinds of SSL certificates, ranging from single-domain to extended validation and company SSL certificates.

There are other ways to get an SSL certificate on your hosting, so you should consult your hosting provider. I am not going to go into detail about how to get your own SSL certificate, although it’s possible to create your own private and public keys and have the public key installed on the client machine. You can grab a free SSL certificate using Let’s Encrypt as well.

How to Configure HTTPS and SSL on Your Website

If you already have a website which is running on an HTTP (Non-SSL) protocol, then you need to migrate from HTTP to HTTPS in a very careful manner. Here is a great write-up for migrating your site from HTTP to HTTPS.

For new sites, you need to change your URL in the General Settings of your WordPress dashboard, for example from http://wparena.com/ to https://wparena.com/.

For existing WordPress sites, you need to add the following code to your .htaccess file in order to make it work properly:

<IfModule mod_rewrite.c>
# Redirect every plain-HTTP request (port 80) to the same path over HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]
</IfModule>

Make sure to change www.yoursite.com with your own site’s URL.

Additionally, you can secure the admin and login pages by adding the two lines of code below to the wp-config file, as they force all admins and other users to log in through a secure HTTPS page. Details on securing the admin area are on the Administration_Over_SSL page.

// FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN also covers the login page
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Setting up SSL and HTTPS on selected pages

WordPress HTTPS (SSL) Plugin


To do this you will need to download and install the WordPress HTTPS (SSL) Plugin. To change settings according to your needs, go to the plugin’s settings page, which can be found in the HTTPS tab in your dashboard.


Firstly, add a host name which is most probably your website’s URL that is the root/parent domain. If it is a shared SSL certificate then ask your web host for the details. If you are using a different port then add it in the port field. To use HTTPS on the admin area pages simply check the force SSL administration option.

To add SSL on some specific pages, check the force SSL exclusively box, and only the pages with this option enabled will activate HTTPS. This is helpful for pages where transactions are made.

If you want to use WordPress HTTPS (SSL) Plugin, follow these steps as well:

Velvet Blues Update URLs

  1. Change all the URLs (media, JS, etc.) from HTTP to HTTPS with the Velvet Blues Update URLs WordPress plugin.
  2. If you do not see the green HTTPS indicator, you can look for insecure files at whynopadlock.com.
  3. Submit your HTTPS version to the webmaster tools as well.
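
The insecure files that step 2 looks for are resources a page served over HTTPS still references over plain http://. The following Python script is an added example, not code from this article or from any plugin named here; it lists such references in a page's HTML. The sample markup, the www.yoursite.com paths and the names find_mixed_content and MixedContentFinder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that fetch or send data; <a href> is navigation only.
FETCHING = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active",   # only rel=stylesheet, filtered below
    ("form", "action"): "form",   # submitted data would leave unencrypted
    ("img", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical, shortlink etc. are not fetched as resources
        for (t, attr), kind in FETCHING.items():
            if t == tag and attrs.get(attr):
                # Relative and protocol-relative URLs inherit the page scheme.
                url = urljoin(self.page_url, attrs[attr].strip())
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from a real site.
SAMPLE = """<head>
<link rel="stylesheet" href="http://www.yoursite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.yoursite.com/checkout/">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="http://www.yoursite.com/wp-content/uploads/logo.png">
<a href="http://example.org/">external link</a>
<form action="http://www.yoursite.com/pay" method="post"></form>
</body>"""

if __name__ == "__main__":
    print(find_mixed_content("https://www.yoursite.com/checkout/", SAMPLE))
```

Findings marked active (scripts, stylesheets, iframes) are the ones browsers block outright on an HTTPS page, so fix those first.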

WordPress Plugins For HTTPS (SSL)

There are WordPress Plugins to protect the posts or pages as follows:

1. WordPress HTTPS (SSL)


If you’re having partially encrypted/mixed content errors or other problems, please read the FAQ. If you’re still having trouble, please start a support topic and I will do my best to assist you.



2. SSL Insecure Content Fixer

It’s quite common to use WordPress as the host for an online shop, and that often means having an order page that needs to be encrypted via SSL. You don’t want your customers providing credit card details or other sensitive information over an unencrypted connection! But some WordPress plugins don’t take SSL into account, and merrily load scripts and stylesheets without encryption. This plugin attempts to fix this problem, where there are simple solutions. How it does this is described in this blog post.



3. WPSSL (WordPress with SSL)

This plugin will force a WordPress post or page to use https instead of HTTP. It is based on “Dwamian’s Per Page Force SSL” plugin, but this has been updated for use with WordPress 3.x. Additionally, when a page is “forced” into SSL mode, it will make sure that all page elements are loaded via https (so that you won’t get warnings). If you have to link to a 3rd party external file, use the wpssl_showlink function (it will switch it between HTTPS and HTTP).



4. Restrict Content Pro – Stripe Payment Gateway


When using this add-on, your subscribers will stay on your site throughout the entire registration process, instead of being redirected to an outside site, such as PayPal. The user simply enters their credit card information and clicks Register.

Securely Process Credit Cards: All credit card transactions are processed securely through Stripe and no sensitive information is ever stored on your server.

Note: you should still always have a valid SSL certificate installed on your registration page.



5. Admin SSL

Admin SSL secures login page, admin area, posts, pages – whatever you want – using Private SSL. Once you have activated the plugin please go to the Admin SSL config page to enable SSL, and read the installation instructions.



Wrap Up

Installing and configuring SSL is an important step in securing your WordPress site, but security as a whole matters most for any website: once a malicious script is injected into your website, whether it’s transferring your data securely or not is irrelevant. So always use strong passwords and keep your WordPress-powered website and installed plugins up to date (delete unused plugins and themes); scanning for malware and locking out botnet attacks are important steps in securing your site as well. You can use a security-related WordPress plugin like Wordfence Security or iThemes Security, or the best website security provider service such as Sucuri Security: complete website security.

If you need any help setting up an HTTPS / SSL certificate, ask on WParena’s Facebook page or in the comments section below.

Editorial Staff

Editorial Staff at WPArena is a team of WordPress experts led by Jazib Zaman. Page maintained by Jazib Zaman.
