Installing SSL on a WordPress site involves a series of steps and interaction with your web hosting service, certificate seller (e.g. NameCheap), certificate authority, and WordPress configuration.
Renewing an expiring certificate is about the same as starting over, because it is really a new certificate and a new install. If possible, buy more than a one-year term to save money. Note that publicly trusted certificates are now limited to roughly 13 months of validity, so a multi-year purchase is delivered as a series of certificates, and each one still has to be installed when the previous one nears expiry.
Briefly, here are the essentials, somewhat skewed by my experience with this site:
- Your site needs a dedicated IP address before you install an SSL certificate, unless your host's server supports SNI (Server Name Indication), which lets one IP address serve certificates for many hostnames; most hosts and all current browsers support it, so ask before paying for an IP. An SSL certificate covers only the hostnames listed in it. A basic certificate for donuts.com (usually issued with www.donuts.com as well) does NOT cover crullers.donuts.com. To secure the main donuts.com domain and all of its first-level sub-domains, such as crullers.donuts.com and cupcakes.donuts.com, you would need to purchase a “wildcard” certificate for *.donuts.com; wildcard certificates are normally sold with the bare donuts.com included as an extra name, because *.donuts.com on its own does not match the domain itself.
Don’t confuse a dedicated IP address with a dedicated server. A dedicated IP is assigned to one domain only, but many dedicated IPs may be hosted on a shared server.
- Purchase the type of SSL Certificate you require for your business, commonly a Positive or Instant SSL certificate. A Positive Private SSL Certificate is domain validated (DV): the CA checks only that you control the domain. An Instant Private SSL Certificate is organization validated (OV): the CA also checks the company information against the WHOIS record and business registries, and it costs a lot more. The type of certificate has no effect on encryption strength; the cipher (128- or 256-bit AES, for example) is negotiated between the browser and the server, and a DV certificate protects the connection exactly as well as an OV one. What OV buys is a verified company name in the certificate details. Don’t spend more than you need to on an SSL Certificate. For a detailed explanation, see Difference Between Instant and Positive Private SSL.
Some web hosts provide SSL Certificates as an add-on service in partnership with a Certificate Authority such as Comodo, VeriSign, DigiCert, Entrust, or GoDaddy. For example, HostGator will provide and install a Positive SSL Certificate from Comodo for about $50/year, but they will also install a NameCheap-obtained, third-party SSL Certificate for $10/year. Unless you have a dedicated server account with root access, HostGator must install the SSL Certificate for you.
- Create a CSR (Certificate Signing Request) on your server. Your web host probably provides a form that generates the CSR. If so, use it! Otherwise, there are CSR Generation Instructions and wizards at the major certificate authorities, such as Comodo or DigiCert. The domain name in the CSR must be exactly the hostname you want to secure, and for an organization-validated certificate the company name and address MUST MATCH the information in your WHOIS record and business registration, or validation will stall.
Generating the CSR also generates a 2048-bit RSA private key, and your web host will probably e-mail both to you. The CSR is public, but the private key is the one real secret in the whole arrangement: anyone who holds it can impersonate your site and read its traffic. Keep a copy in a safe place, delete the e-mail once the key is stored, and never paste the key anywhere but your host's install form. If you can, generate the key on the server yourself so it never has to travel at all.
Note that if you have a Reseller account, there is an SSL Panel in WHM for creating a CSR and self-signed Certificate for personal use, such as with e-mail accounts. Businesses should obtain a signed certificate in order to avoid browser warnings that undermine trust.
- Activate the SSL Certificate at your Certificate Authority’s site. Activation is necessary for both a new certificate and for a renewal. You will need to paste the CSR text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines above and below it, into a box, answer a few simple questions, and choose the type of server that hosts your site. For HostGator Linux servers, it’s WHM/cPanel or Apache+Mod_SSL. For a domain-validated certificate the CA then confirms that you control the domain, typically by e-mail to an address at that domain or by a file or DNS record you are asked to publish, so make sure the chosen address is deliverable before you activate.
- Obtain the SSL Certificate and Certificate Authority (CA) file. Your Certificate Authority will send you a zipped file containing the signed SSL Certificate for your domain plus a CA-bundle file holding the intermediate certificates that link your certificate to the CA’s trusted root. The certificate is not encrypted, only Base64-encoded, so you can unzip the file and read the domain_com.crt file and domain_com.ca-bundle file in a text editor. Nothing in either file is secret; only the private key is. The CA will also give you a link to a site seal that you may optionally display on your secure pages or all pages.
- At your web host, initiate a request to install the SSL Certificate. You will have to paste the contents of your private key (RSA) file, domain_com.crt file, and domain_com.ca-bundle file into separate boxes. Include the -----BEGIN and -----END lines above and below the encoded content. Leaving out the CA bundle is the classic mistake: the site often looks fine in the browser you used on the CA’s site, because that browser has already seen the intermediate certificate, but it throws a trust error for everyone else. After submitting the form, you will get a confirmation e-mail from your web host server administrator.
- Test and tweak your installation. Now that you’ve installed your certificate, you should be able to go to https://yourdomain.com/, but there may be SSL errors on some pages, or you may want to make only a few pages secure, not the whole site.
Install the WordPress HTTPS plugin to use SSL only on pages that need to be encrypted and to generally make WordPress work better with SSL. If you want your home page to be secure, check the plugin option to Secure Front Page. To enable SSL on your entire site, use https://domain.com as the site URL in WP Settings. More often, the home page does not need to be secure, and you can use http://domain.com as the site URL in WP Settings and link with https://domain.com URLs to the specific pages that carry forms. Securing only some pages does leave a gap: a visitor reaches the secure form by clicking a link on a plain-http page, and anyone who can tamper with that page can point the link elsewhere, so whole-site HTTPS is the safer choice when your host and theme cope with it. Newer WordPress releases also handle HTTPS on their own (set both the WordPress Address and Site Address to https:// and add FORCE_SSL_ADMIN to wp-config.php for the dashboard), so check that the plugin is still maintained for your version before building on it.
The WordPress HTTPS plugin adds a WordPress Meta Box to the Page/Post editor with options to Secure post and to Secure child posts. With “Secure post” checked, the plugin rewrites image src values and other links to https. The plugin cannot fix “partially encrypted” (mixed content) warnings caused by scripts, stylesheets, or other resources that are still loaded from http:// URLs, and current browsers block such scripts outright rather than merely warning. If you do get such errors, take time to find and fix the offending image links or URLs.
To find insecure links on a page in Chrome, use the Developer Tools (F12) and select Console to see a list of every resource that was loaded or blocked as mixed content; the Security panel summarizes the same information for the page as a whole.
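The certificate steps above (create a CSR, activate it at the CA, receive the .crt and .ca-bundle, have the host install them) can all be checked from any machine with OpenSSL. The following shell script is an added example written for this post, not the CA’s or HostGator’s own tooling: it generates the key and CSR locally so the private key never has to be e-mailed, then checks that the CSR, the key and the issued certificate belong together and that the certificate chains through the CA bundle. The domain example.com, the organization name, the file names, and the stand-in test CA are assumptions made for the demo; with a real CA you skip the two stand-in functions and run the checks on the files the CA sent back.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1 or later
# (for "req -addext"). File names follow the CA's domain_com.* convention
# quoted in the post; C/ST/L values are placeholders, as is example.com.

# 1. Private key + CSR. The key is the secret; the CSR is what you paste at the CA.
gen_csr() {  # $1 = output dir, $2 = domain, $3 = organization name
  dir=$1; domain=$2; org=$3
  base=$(printf '%s' "$domain" | tr . _)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$base.key" 2>/dev/null
  chmod 600 "$dir/$base.key"                      # only you may read the key
  openssl req -new -key "$dir/$base.key" -out "$dir/$base.csr" \
    -subj "/C=US/ST=State/L=City/O=$org/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
}

# SHA-256 over the DER public key, so key, CSR and certificate can be compared.
pubkey_fp() {  # $1 = key|csr|crt, $2 = file
  case $1 in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# 2. Before activating: does the CSR belong to this key, and does it name the right hosts?
csr_matches_key() { [ "$(pubkey_fp csr "$1")" = "$(pubkey_fp key "$2")" ]; }
csr_names() { openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | tr '\n' ' '; }

# 3. After the CA replies: the .crt must match your key and must chain to a trusted
#    root through the .ca-bundle (intermediates). Without $3 the system trust store
#    is used, which is roughly what a visitor's browser does; the test passes its own root.
cert_matches_key() { [ "$(pubkey_fp crt "$1")" = "$(pubkey_fp key "$2")" ]; }
verify_chain() {  # $1 = cert, $2 = ca-bundle, $3 = optional trusted root file
  cert=$1; bundle=$2; root=$3
  if [ -n "$root" ]; then openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1
  else                    openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1; fi
}
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# 4. After the host installs it: what the world actually sees (needs network; not run by the test).
live_cert() {  # $1 = hostname
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Stand-in for the real CA so the whole flow runs offline. Never use this for a public site.
mint_test_ca() {  # $1 = dir; writes ca.key and ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Stand-in Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
sign_with_test_ca() {  # $1 = dir with ca.key/ca.crt, $2 = csr, $3 = output cert
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 30 -out "$3" 2>/dev/null
}
```

In the real flow you paste domain_com.csr into the CA’s activation form, then run cert_matches_key and verify_chain on the domain_com.crt and domain_com.ca-bundle that come back, before handing them to the host. A failed cert_matches_key usually means the CSR was regenerated (and so was the key) between activation and install; a failed verify_chain with the system store usually means the bundle is incomplete or was pasted into the wrong box.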
The WordPress HTTPS plugin enables selected pages on this site to be served via SSL using the following configuration:
- The site URL is set as http:// in WP Settings, not https:// because only a few pages need SSL.
- In WP HTTPS settings, the options to Force Admin SSL and to Force SSL Exclusively are selected.
- In WP HTTPS settings, the options to Remove Unsecure Elements and Debug Mode are unchecked. Use these settings only when necessary.
- Specific pages that require SSL are flagged by checking the “Secure post” option in the post editor.
On this site, when I switched to my current theme, the layout of SSL pages was suddenly destroyed if CSS and scripts were cached by the BWP Minify plugin. BWP Minify is a great tool, so it’s worth a try, but don’t forget to look at all the SSL pages in your browser.
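Looking at every SSL page by eye gets tedious once there are more than a few, and the “partially encrypted” warning discussed above is caused by something mechanical: a resource on the page still referenced by a plain http:// URL. The following shell script is an added example, not part of the original post or of the plugin: it lists the sub-resources (images, scripts, stylesheets, frames, media) that a page loads over http://, either from a saved file or straight from the live site. The sample page it is tested on is constructed for the demo, and the donuts.com URLs in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Limits: grep works line by line, so a
# tag split across lines is missed, and URLs that scripts build at run time are
# invisible here (the case the post says the plugin cannot fix either).

# Print each http:// URL used by a resource-loading tag, one per line, deduplicated.
# <a href> is navigation, not mixed content, so anchor tags are deliberately ignored.
find_mixed_content() {  # $1 = HTML file, or "-" / omitted for stdin
  grep -oiE '<(img|script|link|iframe|source|video|audio|embed|object)[^>]*' "${1:--}" \
    | grep -oiE "(src|href|data)=[\"']http://[^\"']*" \
    | sed -E "s/^[A-Za-z]+=[\"']//" \
    | sort -u
}

count_mixed_content() {  # $1 = HTML file
  find_mixed_content "$1" | wc -l | tr -d ' '
}

# Fetch a page and scan it; needs network, so the test uses a local file instead.
scan_url() {  # $1 = https://... URL
  curl -sSL "$1" | find_mixed_content -
}

# Check every URL listed in a file (one per line, e.g. all your form pages) and
# report those that still carry plain-http resources; returns non-zero if any do.
scan_all() {  # $1 = file of URLs
  bad=0
  while IFS= read -r url; do
    [ -z "$url" ] && continue
    n=$(scan_url "$url" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      printf '%s: %s insecure resource(s)\n' "$url" "$n"
      scan_url "$url" | sed 's/^/    /'
      bad=1
    fi
  done < "$1"
  return $bad
}
```

Running scan_all over a list of your https:// pages after every theme or plugin change catches the breakage described above (a cache or minify plugin that writes http:// URLs into its combined files shows up here as one or two offending wp-content URLs) without clicking through the site by hand.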
Screenshot of WP HTTPS Settings
All things considered, I think the extra work to add SSL to a professional or business site is worth doing even if you’re not collecting sensitive information. Many people are concerned about their e-mail addresses, phone numbers, and company plans. Using SSL gives them peace of mind when they use your forms.