Are you looking to move from HTTP to HTTPS and install an SSL certificate on your WordPress site? Then read on to learn how to add SSL to WordPress for free.
Every internet user shares lots of personal information every day. We all do: when shopping online, creating accounts, signing in to different websites, and so on.
If the connection is not properly encrypted, this information can be intercepted by a third party. This is where SSL comes to the rescue: it provides the encryption that secures the connection between a user’s browser and the web server.
Each site is issued a unique SSL certificate for identification purposes. If a server claims to be on HTTPS but its certificate doesn’t match, most modern browsers will warn the user when connecting to the site.
Previously, the only way to secure a site with SSL was a paid SSL certificate, until Let’s Encrypt became publicly available.
Let’s Encrypt is a free, open certificate authority that provides SSL certificates to the general public. It is a project of the Internet Security Research Group (ISRG) and is sponsored by many companies, including Google, Facebook, Sucuri, Mozilla and Cisco.
There is no better time to install an SSL certificate on your WordPress websites, especially since the Google Chrome Security team announced that their browser will begin labeling HTTP connections as insecure starting in January 2017:
“Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure,” said Chrome Security Team member Emily Schechter. The first step in the plan is to display a “Not secure” label in the address bar.
Site owners who want to avoid having their HTTP sites labeled as not secure don’t have much time to secure their sites.
Another benefit of having SSL on your site is the ability to use HTTP/2, which is essentially an evolution of the HTTP protocol. Websites on HTTP/2 are faster, as it allows multiple files to be transferred simultaneously.
I had intended to implement SSL on all of my sites for quite some time. The problem was that I didn’t know how to implement Let’s Encrypt’s free SSL.
I read many tutorials on how to add Let’s Encrypt SSL to WordPress, but they all seemed complicated to me. Finally, after much reading, I found an easy way to install Let’s Encrypt SSL.
My method can be found below. There are other ways too. This guide is meant to be beginner friendly and is based on my experience installing SSL on some of my WordPress sites for free using Let’s Encrypt, without the need for SSH, root access, running commands and other processes the average user (including me) doesn’t understand, which most guides about WordPress SSL implementation mention.
This post is quite long, with lots of info, but if you are interested, check the explanations of some terms below before jumping to the section on how to easily implement Let’s Encrypt on your WP site(s).
What are HTTPS and SSL?
Every day we share our personal information with different websites, whether it’s making a purchase or just logging in.
To protect the data transfer, a secure connection needs to be created. That’s where SSL and HTTPS come in.
You may have noticed that whenever you are interacting with a secure site (such as your online banking portal), the address in your browser bar has https:// in front of it instead of the usual http://.
In addition to that, most modern browsers will display a little padlock in the browser bar when you are connected to such a site.
HTTPS, or Secure HTTP, is an encryption method. It secures the connection between the user’s browser and your server, which makes it harder for hackers to eavesdrop on the connection.
Why would you move from HTTP to HTTPS and install an SSL certificate? The protocol sets up the connection between the two, and once the relationship is successfully established, only encrypted information is transferred.
That means all the plain text that could be read by any schmuck out there is exchanged as random-looking strings of letters and numbers that are not readable by humans.
Should any hacker manage to interfere with the exchange of information, the encryption makes it much harder to make any sense of it.
SSL certificates are signed with different hash standards. The oldest one is called SHA, and it is no longer in use. Its successor SHA-1, while still in circulation, is currently being deprecated.
Google Chrome, for example, started issuing warnings for sites using certificates signed with this standard at the beginning of 2016.
The current standard for SSL certificates is SHA-2. However, at some point it will give way to SHA-3, which is currently in development.
NOTE: SSL is actually no longer the correct name for the technology. It was improved in the late 90s and renamed TLS (Transport Layer Security). However, the acronym SSL stuck and is evidently still used to this day, so I will mostly use it in this post too.
Why do you need HTTPS and SSL?
If you are running an eCommerce website, then you definitely need an SSL (Secure Sockets Layer) certificate, especially if you are collecting payment information.
Most payment providers, such as Stripe, PayPal Pro and Authorize.net, require you to have a secure connection using SSL.
Google has stated that they use HTTPS and SSL as a ranking signal in their search results. This means that using SSL will help improve your site’s SEO.
Also, by implementing SSL you can use HTTP/2 which, as I already mentioned, allows multiple files to be transferred simultaneously, improving your site’s load time.
With SSL you not only protect sensitive data such as email addresses, credit card information and passwords from possible attacks by hackers, but also improve your site’s rankings and speed.
SSL certificates used to be expensive, from $10 to $200 a year. But thanks to the Let’s Encrypt project, it is now possible to activate an unlimited number of certificates for free.
Why Let’s Encrypt?
Let’s Encrypt is a free, automated and open certificate authority, it doesn’t require a dedicated IP, and many companies support it.
Also, many hosting companies, CDN providers, and others have implemented Let’s Encrypt, so it is even easier to apply it to your site.
The main features of Let’s Encrypt are:
The only downside of Let’s Encrypt is that a certificate needs to be renewed every 90 days. But this process can be automated without your manual intervention.
As Let’s Encrypt is becoming popular, many WordPress hosting companies have already started offering built-in easy Let’s Encrypt SSL set up.
The easiest way to add Let’s Encrypt free SSL to WordPress is by signing up with a hosting company that offers a built-in integration.
Unfortunately, not all hosting companies support Let’s Encrypt. Here is the full list of hosting businesses that support Let’s Encrypt.
#1 METHOD – Your Hosting Offers Let’s Encrypt Integration (EASIEST)
It is easy to set up Let’s Encrypt for your site if your hosting company offers integration. It doesn’t even need to be your hosting provider.
Most CDN services offer Let’s Encrypt integration for free with their service. Examples of such CDN providers are KeyCDN, MaxCDN, CDNSun and Incapsula, which offer SSL certificates for free with paid plans.
In these cases, you also don’t need to worry about certificate renewal, as it will be done automatically for you.
I will use SiteGround as an example. Setting up free SSL with Let’s Encrypt on SiteGround:
Log in to your cPanel dashboard and scroll down to the Security section. There you will need to click on the Let’s Encrypt icon.
This will bring you to the Let’s Encrypt install page. You will need to select the domain name where you want to use SSL.
You can now click on the install button. Let’s Encrypt will issue a unique SSL certificate for your website. Once it’s finished, you will see a success message.
That’s all. You have successfully integrated Let’s Encrypt free SSL with your WordPress site. There is nothing else to do on the certificate side.
However, your WordPress site is still not ready to use it. First you will need to update your WordPress URLs and then fix any insecure (mixed) content issues. You can find all about it below.
#2 METHOD – Adding Free Let’s Encrypt SSL If Your Hosting Doesn’t Offer Integration
If your web host does not provide integration, as SiteGround, DreamHost and other hosting companies offering Let’s Encrypt do, then you will need to go through a somewhat lengthier procedure.
But there is no need to panic. I will show you an easy way to still add SSL to a WordPress website if your hosting or CDN doesn’t offer integration.
This method differs from one web host to another. Most hosting companies have a support document explaining the process. You can also contact their support staff for detailed instructions or ask them to do it for you.
Some hosting companies will install the SSL certificate for you. You just need to provide them with the private key, certificate and CA bundle. That is what I have done with Half Dollar Hosting.
I just contacted them and they did it for me, as they don’t allow you to set it up yourself.
You need to provide them with a certificate for each domain. And in the case of Let’s Encrypt, you need to contact them again every 90 days to renew the certificate for each site.
# Installing an SSL certificate on your server manually using cPanel:
First go to SSL For Free. Don’t worry, it is safe to use; they issue certificates in cooperation with Let’s Encrypt.
Enter your domain name with or without www. SSL For Free will also add the other version to the certificate, so it doesn’t matter. I use www by default with all my sites, so I always put it as the primary.
Then click the Create Free SSL Certificate button. You will then be asked to verify that you own the domain to which you want to add the certificate.
You can choose between Automatic FTP Verification and Manual Verification.
If you select Automatic FTP Verification, you will need to enter the FTP information for the domain’s server account (user, password, etc.) and verification will be done for you automatically. I prefer to go with Manual Verification, so I will show the steps for the manual option.
The steps needed in this case are explained on the site, so you can’t go wrong. You download the verification files, log in to your cPanel, go to your domain folder and create the new folders following the steps on the page. You then upload the downloaded files to the “acme-challenge” folder.
After verifying that everything has been done correctly, click the Download SSL Certificate button. I never tick I Have My Own CSR; if you leave it unticked, one will be generated for you.
Now you will get the private key, certificate and CA bundle. Click to download them and you will get a .zip file. Provide this file to your hosting if they will install the certificate for you, or extract it if you are going to install the certificate yourself.
You can also enable the option to be notified when your certificate is about to expire. In case you forgot, a Let’s Encrypt certificate is valid for 90 days. After that, you need to renew it by following the same steps.
Now that you have acquired a certificate, it is time to install it on the server. Follow the steps below to install the SSL certificate for your site:
1. Log in to your cPanel account
2. Locate and click on SSL/TLS Manager in the Security section
3. Click on ‘Manage SSL Sites’ under Install and Manage SSL for your website (HTTPS) menu. If you don’t have Manage SSL sites option, try contacting your hosting provider and asking if they could install the certificate for you.
4. Copy the certificate code you received, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste it into the ‘Certificate: (CRT)’ field.
You can click on the Autofill by Certificate button, which appears next to the certificate entered. The system will attempt to fetch the domain name and the private key.
You may also choose the domain from the drop-down list and manually enter the certificate and private key into the corresponding boxes. Remember to include the Begin/End headers and footers for both the certificate and the key.
NOTE: The images below are just an example. You will not have the same info, issuer, certificate, etc.
Copy and paste the CA bundle into the box under Certificate Authority Bundle (CABUNDLE). If you want to use this certificate for mail services, tick the checkbox ‘Enable SNI for Mail Services’.
In this case, you will be able to use the domain on which the SSL certificate has been installed as the hostname of the mail server when configuring your mail clients to work via secured ports.
This option is available only starting from cPanel 11.48. If you have an older version of cPanel, you cannot use your certificate for mail.
5. Click on the ‘Install Certificate’ button.
Congratulations! The certificate is now installed on the server for your site. The site should now be accessible via https://.
Test your certificate and open your site using https in the browser to see if it displays correctly.
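Before pasting anything into the cPanel fields from step 4, it helps to confirm that what you copied is exactly one complete certificate with intact BEGIN/END lines (not the private key, not the whole CA bundle, not a truncated copy) and to know how many of its 90 days are left. The following Python script is an added example, not code from the original post or from cPanel, SSL For Free or Let’s Encrypt: it parses PEM blocks, walks just enough of the certificate’s DER structure to read the validity dates, and reports problems. The certificate it checks is a constructed, unsigned dummy built inline, so the script runs offline; replace `SAMPLE_CERT_PEM` with the contents of your downloaded certificate file to check a real one.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)

def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; raise ValueError on damage."""
    blocks = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"header/footer mismatch: BEGIN {begin} vs END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin}: body is not valid base64 ({exc})") from exc
        if not der or der[0] != 0x30:          # certificates and keys both start with a SEQUENCE
            raise ValueError(f"{begin}: body does not decode to a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18); assumes no fractional seconds."""
    s = raw.decode("ascii")
    if tag == 0x17:                             # RFC 5280: two-digit years 50-99 mean 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0             # skip the optional explicit [0] version field
    for _ in range(3):                          # serialNumber, signature algorithm, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def check_crt_field(text, now=None):
    """Sanity-check text destined for cPanel's 'Certificate: (CRT)' field."""
    now = now or datetime.now(timezone.utc)
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return {"problems": [str(exc)]}
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE"]:               # a key or a whole CA bundle does not belong here
        return {"problems": [f"expected exactly one CERTIFICATE block, found {labels}"]}
    not_before, not_after = cert_validity(blocks[0][1])
    report = {"problems": [], "not_before": not_before, "not_after": not_after,
              "days_left": (not_after - now).days}
    if not_after <= now:
        report["problems"].append("certificate has already expired")
    elif report["days_left"] <= 30:
        report["problems"].append("fewer than 30 days left; renew (Let's Encrypt certs last 90 days)")
    return report

# --- constructed sample data, not a real certificate: a minimal unsigned DER skeleton ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
_VALIDITY = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"250401000000Z"))  # 90-day window
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
            + _der(0x30, b"") + _VALIDITY + _der(0x30, b"") + _der(0x30, b""))
SAMPLE_CERT_PEM = _pem("CERTIFICATE", _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00")))
SAMPLE_KEY_PEM = _pem("PRIVATE KEY", _der(0x30, b""))           # placeholder key block, not a real key
SAMPLE_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)          # constructed "today" for the demo
```

Run `check_crt_field(SAMPLE_CERT_PEM, SAMPLE_NOW)` for a clean report with 59 days left; pasting `SAMPLE_CERT_PEM + SAMPLE_KEY_PEM` or a copy with the footer cut off produces a problem entry instead of dates.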
After setting up the free SSL certificate with Let’s Encrypt, the next step is to move your WordPress URL from using HTTP to HTTPS.
A standard site without SSL certificate uses HTTP protocol. This is usually highlighted with http prefix in web addresses, like this: http://www.example.com
Secure websites with SSL certificates use HTTPS protocol. This means that their addresses look like this: https://www.example.com
Without changing the URLs on your WordPress site, you will not be using SSL and your site will not be secure for collecting sensitive data.
# Updating WordPress URLs to HTTPS for a Brand New WordPress Website
If you are working on a brand new website, then you can just go to your WordPress admin area and click on settings.
There you will need to update the WordPress URL and site URL fields to use https.
Don’t forget to save your changes.
# Updating WordPress URLs to HTTPS for an Existing WordPress Site
If your site has been live for a while, then the chances are that it is indexed by search engines. Other people may have linked to it using HTTP in the URL.
You need to make sure that all traffic is redirected to the https URL.
All you need to do is install and activate the Really Simple SSL plugin. This plugin will automatically detect your SSL certificate and set up your website to use it.
In most cases, you will not have to make any more changes. The plugin will also fix mixed content issues.
# Updating WordPress URLs After Adding SSL to an Existing WordPress Website Without a Plugin
If you want to force your entire website to go through https without using a plugin, you can add these rules to your .htaccess file:
If your site is in a subfolder, use this code:
Simply replace yourdomain.com with your actual domain name.
When you install an SSL certificate on a new domain, all the pages and all the resources, such as images, are automatically served over HTTPS.
But if the certificate is enabled on a domain already in use, you may have problems with mixed content: some of your content is served over HTTPS and some over HTTP.
Mixed content happens when parts of your content continue to be delivered via HTTP while the rest of your site has moved on to the more secure HTTPS.
In this case, modern browsers will display a warning, causing your users to view your site as insecure.
Use the free tool SSL Check to scan your entire site for unsafe images, scripts, CSS files and others. With this information, you can then take corrective action. An alternative to checking singular pages is Why No Padlock?.
You can also look out for the padlock symbol in your browser bar while surfing your site. It will show a warning when you are visiting a part that has mixed content on it.
If you encounter such a page, you can find out the culprit by having a look at the console in the Chrome or Firefox developer tools.
This article lists the various methods to solve the mixed content problem.
If your site is on CloudFlare, you can utilize CloudFlare Automatic HTTPS Rewrites.
Automatic HTTPS Rewrites is a feature that rewrites links to unencrypted resources from HTTP to HTTPS. Before the rewrite is applied and served in the HTML sent to your web visitors, a rule set is checked to ensure the references are accessible via HTTPS.
If you connect to your site over HTTPS and the lock icon is not present, or has a yellow warning triangle on it, your site may contain references to HTTP assets (“mixed content”).
Mixed content is often due to factors that are not under your control, such as embedded third-party content or complex content management systems.
By rewriting URLs from “http” to “https”, Automatic HTTPS Rewrites simplifies the task of making your entire website available over HTTPS, helping to eliminate mixed content errors and ensuring that all data loaded by your website is protected.
Install the SSL Insecure Content Fixer plugin. It will handle all the included elements and fix non-https resources, if any exist. Make sure to check the plugin’s settings if it doesn’t work out of the box.
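To show both halves of this in code, the mixed-content detection described above and the allow-listed rewrite that Automatic HTTPS Rewrites performs, here is an added Python example (not code from the original post, from Cloudflare or from either plugin). It scans an HTML page for sub-resources loaded over plain http://, then rewrites only those on hosts known to serve HTTPS, because a blind rewrite turns a warning into a broken resource when the host has no HTTPS. The page it scans is a constructed sample embedded inline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser fetches as a sub-resource. A plain http://
# value in any of them is mixed content once the page itself is served over HTTPS.
# <a href> is deliberately absent: following a link is navigation, not loading.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "embed": ("src",),
}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)")

def _candidates(attr, value):
    """srcset holds comma-separated 'url descriptor' pairs; every other attribute holds one URL."""
    if attr == "srcset":
        return [c.split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]

class MixedContentScanner(HTMLParser):
    """Collect every sub-resource reference that uses plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if not value:
                continue
            if name in RESOURCE_ATTRS.get(tag, ()):
                for url in _candidates(name, value):
                    if urlsplit(url).scheme == "http":   # relative and // URLs inherit https
                        self.findings.append((tag, name, url))
            elif name == "style":   # inline style="background:url(http://...)"
                self.findings += [("style", "url()", u) for u in CSS_URL_RE.findall(value)]

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:          # <style> blocks pull fonts and images over http:// too
            self.findings += [("style", "url()", u) for u in CSS_URL_RE.findall(data)]

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def rewrite_to_https(html, https_capable_hosts):
    """Rewrite http:// references only for hosts on the allow-list, as a rule set gate."""
    def swap(match):
        host = match.group(1).lower()
        return "https://" + match.group(1) if host in https_capable_hosts else match.group(0)
    return re.sub(r"http://([A-Za-z0-9.-]+)", swap, html, flags=re.I)

# Constructed sample page: a partially migrated site with several kinds of http:// references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<script src="https://cdn.example.com/app.js"></script>
<style>body { background: url("http://www.example.com/bg.png"); }</style>
</head><body>
<img src="http://www.example.com/logo.png" srcset="http://www.example.com/logo@2x.png 2x">
<a href="http://www.example.com/about">About</a>
<iframe src="//www.youtube.com/embed/x"></iframe>
<div style="background-image:url(http://legacy.example.net/hero.jpg)"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    # legacy.example.net is not on the allow-list, so its image is reported but left alone
    fixed = rewrite_to_https(SAMPLE_HTML, {"www.example.com", "cdn.example.com"})
    print("remaining after rewrite:", find_mixed_content(fixed))
```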
When your certificate expires, visitors get a warning about it and are advised against entering your site. You should not let this happen. Always make sure your certificate is renewed in time.
The same warning can also be given for self-signed certificates that have not been validated by an outside authority.
If you have Google Analytics installed on your WordPress site, then you need to update its settings and add your new URL with https.
Login to your Google Analytics dashboard and click on ‘Admin’ in the top menu. Next, you need to click on property settings under your website.
There you will see the default URL option. Click on HTTP and then select https.
Don’t forget to click on the save button to store your settings. Also, add both the https://www and the non-www versions of your site to Google Webmaster Tools.
If for some reason, you only want to add SSL to specific pages of your site, then you would need the plugin called WordPress HTTPS (SSL).
Despite the fact that this plugin hasn’t been updated for a while, it still works fine. Upon activation, the plugin will add a new menu item labeled HTTPS in your WordPress admin.
You can click it to visit the plugin’s settings page.
The first option of the setup page asks you to enter your SSL host. Mostly it is your domain name. However, if you are configuring the site on a subdomain and the SSL certificate you got is for your primary domain name, then you will enter the root domain.
If you are using a shared SSL certificate provided by your web host, then you will need to enter the host information they provided instead of your domain name.
The Force SSL Administration setting forces WordPress to use HTTPS on all admin area pages. You need to check this box to make sure that all traffic to your WordPress admin area is secure.
The next option is to use Force SSL Exclusively. Checking this box will only use SSL on pages where you have checked the Force SSL option. All other traffic will go to the standard HTTP URL.
This works if you only want to use SSL on specific pages like a shopping cart, checkout, user account pages, etc. Click on the save changes button to store your plugin settings.
If you want to use HTTPS just for specific pages, then you need to edit those pages and check the Force SSL checkbox.
Once done, visit your page to ensure that you have a green padlock in Chrome and other browsers.
If you are using CloudFlare with your site, you are probably aware of CloudFlare Flexible SSL, or, as they call it, Universal SSL. Universal SSL is simply the name for CloudFlare’s free SSL service.
Back in 2014 CloudFlare announced free Universal SSL for all their users. This sounds pretty awesome, especially knowing you can use it in their free package.
But many don’t understand how exactly CloudFlare Flexible SSL works. The Flexible SSL option only secures traffic between the user and CloudFlare’s network, not between CloudFlare and your website. This means the user’s traffic is exposed over the internet as normal HTTP traffic on that second leg.
Flexible SSL is not recommended if you have any sensitive information on your website. This option should only be used as a last resort if you are not able to set up SSL on your own web server. This option is far less secure than the Full SSL option indicated below. – CloudFlare
So what’s the problem with this? Well, the website owner may know or not know about this. They can accept this and choose to use the flexible SSL. That’s them choosing to take the risk.
But what about the website users? The website users won’t know the difference. They’ll see HTTPS, think it’s a valid certificate and happily use the website, providing personal information, bank details, etc., without knowing that they are actually going over insecure HTTP.
So if you are using Flexible SSL from CloudFlare, don’t change your site to HTTPS URLs. Just leave it as it is by default, or change to Full (strict) after installing Let’s Encrypt.
CloudFlare’s Flexible SSL mode is the default for CloudFlare sites on the Free plan. To take advantage of our Full and Strict SSL mode, which encrypts the connection between CloudFlare and the origin server, it’s necessary to install a certificate on the origin server.
Once you have installed a Let’s Encrypt SSL certificate on your site, go to the CloudFlare Crypto settings for that site and change the SSL setting to Full (strict).
Now you have the added benefit of an authenticated and encrypted connection to your origin server.
Instead of Let’s Encrypt, you could also install a CloudFlare Origin Certificate. Cloudflare Origin Certificates are free TLS certificates issued by Cloudflare that can be installed on your origin server to provide end-to-end encryption for your visitors using HTTPS.
You can find that option in CloudFlare under Crypto tab. By default, newly generated certificates are valid for 15 years. You can also make it shorter.
Now you can change the SSL setting for your site to use “Full (strict)” mode.
The CloudFlare Origin Certificate isn’t trusted by browsers, but it is trusted by CloudFlare, allowing the back-end connection to be both encrypted and authenticated.
This also protects your site if one of the publicly trusted certificate authorities is compromised by attackers and used to issue illegitimate certificates.
NOTE: When pausing CloudFlare or gray-clouding individual records, be aware that you and your visitors may receive browser errors for a site with a CloudFlare Origin Certificate until you orange-cloud (reverse proxy) them again.
Chrome and other browsers will not trust CloudFlare Origin Certificates. These are intended only for origin servers that sit behind CloudFlare’s service.
But root certificates are also available. Check more here: https://support.cloudflare.com…. Adding them to your local TLS trust store(s) will allow you to validate directly, without passing through CloudFlare.
# CloudFlare Flexible SSL vs Full SSL vs Full SSL Strict
Only choose “Flexible” if your origin web server cannot accept secure (HTTPS) connections. Select “Full” if you have a self-signed SSL certificate, and choose “Full (strict)” if you have a valid SSL certificate.
Off: No secure connection between your visitor and CloudFlare, and no secure connection between CloudFlare and your web server either.
This means that visitors can only view your website over HTTP, and any visitor attempting to connect via HTTPS will be returned an HTTP 301 redirect to the plain HTTP version of your site.
Flexible SSL: Secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server.
You don’t need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.
This option is not recommended if you have any sensitive information on your website. It should only be used as a last resort if you are not able to set up SSL on your own web server.
It is less secure than any other option (even “Off”), and could even cause you trouble when you decide to switch away from it.
Full SSL: Secure connection between your visitor and CloudFlare, and an encrypted (but not authenticated) connection between CloudFlare and your web server.
You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least.
Full SSL (Strict): Secure connection between the visitor and CloudFlare, and secure and authenticated connection between CloudFlare and your web server.
You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate.
This certificate must be signed by a certificate authority, have an expiration date in the future, and respond to the request domain name (hostname).
When you use CloudFlare, they decrypt the data on their edge to cache and filter any bad traffic. Depending on the SSL settings, they may re-encrypt or send it as plain text.
Since each certificate needs a dedicated IP address, they add your domain name and a wildcard (*.domain.com) to the certificate’s SAN (Subject Alternative Name).
If you are on the CloudFlare free plan and have a third-party certificate installed (like Let’s Encrypt), checking your site’s certificate will always show the CloudFlare certificate.
If you don’t want CloudFlare’s name displayed when a visitor checks the certificate, you need the CloudFlare Business/Enterprise plan. In other words, you need to pay.
Customers on these plans can upload their own SSL key and certificate, and CloudFlare’s name will not be shown.
Are you moving to a new server but still have time left on your old certificate? You may be able to move your certificate to the new server.
When moving an SSL, the certificate needs to be for the same domain name on the new server.
You will need three things from your old server: the certificate, the private key, and a matching server type. For example, if your previous server was an Apache server, you must have an Apache version of your certificate available.
If not, you may need to either download a different version of the certificate (if your signing authority provided you with one) or get a new certificate.
The process of installing a pre-existing certificate on your server is identical to that of installing a new third-party SSL certificate, except that you don’t have to generate the CSR.
These days HTTPS is a necessity. It increases the privacy of your users, allows you to use new browser features, and lets you retain access to existing features.
As you saw, with Let’s Encrypt, obtaining an SSL certificate is easy and can be free. We are only at the beginning of a small but significant revolution in Internet security.
If you are running a WordPress website that deals with sensitive data, SSL is a must-have. Without traffic encryption, the risk of your clients’ information being intercepted is just too high.
Besides being a responsible service provider, the added layer of security is also a positive signal for search engines. So if you don’t do it for your clients, at least do it for the rankings.
I have already started installing SSL certificates on my WordPress websites. Soon you will also see HTTPS on kasareviews.com. I recommend you take the same step.
Remember, an ounce of prevention is worth a pound of cure. Take WordPress security seriously. Your visitors and customers will thank you.
Now over to you my dear reader. Did you find this tutorial helpful? Do you have questions concerning this topic? Let me know in the comments.
Hello, my name is Matija but everybody calls me Kasa. I started this site to earn lots of money so that I never have to work again. Just lay down on a beach, drinking cocktails day after day while hot, beautiful chicks fight for my attention. Ok, now seriously. I love making websites, especially in WordPress. I hope you will find the content on this site helpful: tips, tutorials, comparisons, and product reviews for your business.
I would be using Let’s Encrypt, but with a hosted partner website that offers a free Cloudflare plan, the encryption only takes place from the hosted server to Cloudflare, and not from Cloudflare to the user’s browser (I was able to verify this after I issued a support ticket with Cloudflare). So kind of a waste of time. Even more so, I am certainly not going to disable Cloudflare and its huge speed improvements just to have Let’s Encrypt work properly, so hopefully a better solution comes around in the future.
I don’t think you understood. Please check again the part about CloudFlare and Let’s Encrypt. I use Let’s Encrypt and CloudFlare on all my sites without problems.
Let’s Encrypt is needed if you want encryption to take place from the hosted server to Cloudflare, and from Cloudflare to the user’s browser too.
If I go to Cloudflare > Crypto > SSL, it states ineligible for SSL. So I can’t set it to anything (Strict, Flexible, etc.) because those options are not there. Like I stated, I have free Cloudflare through a shared hosting partner. I did not sign up for free Cloudflare directly from Cloudflare. These are two different plans with different capabilities. Maybe I am wrong, but I believe that is the problem. If you have a way around that I would like to know what it is so I can get it to work.
You may be right. I have never connected my site to CloudFlare via a hosting partner. Why don’t you try removing CloudFlare for that site and adding it directly through Cloudflare to see if that is the problem.
It is easy and will take you at most 5-10 min. If you decide to do it, please let me know what happened.