Definitive Guide to WordPress SSL

Last updated on December 05th, 2014 by Robert Abela. Filed under WordPress Security

WordPress SSL Setup and Tricks

WordPress SSL is required to encrypt the data (traffic) exchanged between your WordPress blog or website and its visitors, which could also be you logging in to your WordPress admin pages.

Therefore if you are thinking of running a shopping cart or some sort of online shop, or your visitors submit sensitive information via an online form, you should implement WordPress SSL to encrypt the communication between your customers and your WordPress.

We also recommend that every WordPress administrator implement WordPress SSL to encrypt the WordPress login session and avoid having WordPress usernames and passwords captured by malicious hackers, as seen in the Hacking the WordPress Login security tutorial.

WP White Security Tip: HTTPS (HTTP over SSL) consumes a lot of server resources. Only force SSL for the WordPress login, the dashboard pages (wp-admin) and other pages where you request sensitive information from your visitors.

Setting Up WordPress SSL

In this WordPress SSL security tutorial we will explain how to manually:

If you would like to configure WordPress SSL automatically via a plugin, refer to the article WordPress SSL Setup with WordPress HTTPS (SSL) plugin.

Get an SSL Certificate for your Web Server (Step 1)

Before you can enable WordPress SSL you need to get an SSL web server certificate that is used to encrypt the web traffic.

WP White Security Tip: HTTPS is HTTP traffic over Secure Sockets Layer (SSL); in other words, it is encrypted HTTP traffic.

If you have a VPS or you are using a shared hosting service, this procedure might vary from one hosting provider to another. Therefore we recommend that you open a support ticket with your hosting provider to help you with the process.

If you have your own dedicated server you can follow steps 1 and 2 of the post Generate a Self Signed SSL Certificate for HTTPS on Apache to create a certificate signing request (CSR file).

Once the CSR file is generated, contact a certificate authority where you can submit your request so they can issue the certificate. Once your SSL certificate is issued, follow the procedure explained in section Configuring Apache Web Server to Run SSL (HTTPS).

SSL for WordPress Login and Dashboard

Force WordPress SSL for Login Only

To ensure that your WordPress usernames and passwords are encrypted when logging in to the WordPress admin pages, enable WordPress SSL for the login page by adding the following line to your wp-config.php file:

define('FORCE_SSL_LOGIN', true);

Note: When using this option only the WordPress login process will be encrypted.

Force WordPress SSL for Login and Dashboard (Admin Area)

To encrypt both the WordPress login process and the logged in session (i.e. both credentials and cookies are encrypted) enable WordPress SSL for both the login page and the dashboard browsing by adding the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Which Option Should I Use?

The most secure option is to force WordPress SSL for the WordPress login page and the WordPress dashboard / admin pages. Though if the connection is very slow when accessing the WordPress dashboard over an HTTPS connection, or you have low resources available on your server, you can opt to force SSL for the WordPress login only, which is the second best option.

WP White Security Tip: As an additional security measure you should bookmark the URL of your WordPress dashboard with the HTTPS protocol, e.g. rather than being redirected automatically from HTTP to HTTPS by the web server.

Forcing SSL for a Specific WordPress Page or Post

Once SSL is configured on your web server, by default all of your WordPress pages are accessible over both an HTTP and HTTPS connection, for example and

But by default, all visitors will keep on accessing your website over a normal HTTP connection unless you redirect them. Therefore if you would like to automatically redirect users accessing a particular page, such as a payment form, to an HTTPS connection (encrypted HTTP connection), find the WordPress page ID and add the below script to your theme’s functions.php file after replacing the page ID (in the below script we used a page ID of 149):

function force_ssl()
{
    // Specify ID of page to be viewed on SSL connection
    if (is_page(149) && !is_ssl()) {
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
        exit; // Stop here so the page is not rendered after the redirect header
    }
    // All other pages must not be https
    elseif (!is_page(149) && is_ssl()) {
        header('Location: http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
        exit;
    }
}
add_action('template_redirect', 'force_ssl');

Note: The above script will automatically redirect requests to other pages to an HTTP connection (non SSL) using the else if condition.

If this condition is not used and visitors access another page over an HTTPS connection that has objects from a non secure link (i.e. objects over an HTTP connection), a browser security warning will pop up as seen in the below screenshot. Such security alerts might drive visitors away from your WordPress blog or website.

Browser Warning Alerting Visitors of Nonsecure Objects

Fixing Broken SSL Links in Theme Files

If a page is accessed over an HTTPS (WordPress SSL) connection and contains content from a non SSL connection (i.e. via a normal HTTP connection), the browser will issue a security warning stating that some of the content is insecure, as seen in the above screenshot.

Even though WordPress will automatically update most of these links for you, those which are hardcoded won’t be updated. To fix this issue, always use protocol relative links in your files and content, as shown in the below example:

Hardcoded link:

Protocol Relative Link: //

By not specifying the protocol in a relative link, the browser will automatically use the protocol requested by the user to retrieve such content.

Alternatively you can also use a WordPress plugin called SSL Insecure Content Fixer that will automatically fix all the broken SSL links on your WordPress.
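To find the hardcoded links in the first place, the following added example (not part of the original article or of any plugin mentioned here) scans the rendered HTML of a page for http:// references in the tags that trigger the warning, including a form action, and prints the protocol relative replacement. The sample markup and the example.com host are constructed for illustration.

```php
<?php
// Added example: lists hardcoded http:// references that cause mixed-content warnings.
// The sample markup and the example.com host are constructed for illustration.

/** Tag => attribute whose URL the browser fetches or submits as part of the page. */
const CHECKED_ATTRS = [
    'img'    => 'src',
    'script' => 'src',
    'iframe' => 'src',
    'link'   => 'href',    // stylesheets and icons only, see below
    'form'   => 'action',  // data submitted to an insecure location
];

function find_insecure_references(string $html): array
{
    $previous = libxml_use_internal_errors(true);  // tolerate HTML5 tags
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach (CHECKED_ATTRS as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') !== 0) {
                continue;  // https://, protocol relative and relative URLs are fine
            }
            // <link rel="canonical"> and similar are not fetched, so skip them.
            if ($tag === 'link' && !preg_match('/stylesheet|icon/i', $node->getAttribute('rel'))) {
                continue;
            }
            $findings[] = [
                'line'    => $node->getLineNo(),
                'tag'     => $tag,
                'url'     => $url,
                'replace' => substr($url, strlen('http:')),  // "//host/path"
            ];
        }
    }
    // Report in document order.
    usort($findings, function (array $a, array $b): int {
        return $a['line'] <=> $b['line'];
    });
    return $findings;
}

$sample = <<<'HTML'
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/checkout/">
<script src="//example.com/wp-includes/js/jquery/jquery.js"></script>
</head>
<body>
<a href="http://example.com/">Home</a>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<form method="post" action="http://example.com/"><input name="q"></form>
</body>
</html>
HTML;

foreach (find_insecure_references($sample) as $f) {
    printf("line %d <%s> %s  ->  %s\n", $f['line'], $f['tag'], $f['url'], $f['replace']);
}
```

Ordinary `<a href>` links are left out on purpose: following a link to an HTTP page does not load insecure content into the HTTPS page.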

Enable WordPress SSL & Improve Your WordPress Security

With this WordPress SSL security tutorial there is no reason why every WordPress administrator should not implement WordPress SSL within minutes.

So why risk having your WordPress credentials stolen and your WordPress hacked when there is such an easy solution? Enable WordPress SSL today on your blog or website to improve the security of your WordPress.


Oniku 07/03/2014

Finally, I found your article.
I already use SSL for my blog but the problem is the image URL always gives an error message in the browser. So it is because of the relative URL for the image.
Great, I’ll fix it. 🙂

Chris 23/04/2014

Could you expand your article or comment about using a Wildcard SSL Cert if one is hosting a WPMU for multi-user? Is there any way to just have a single domain SSL Cert and force all users into a single domain for administration or does it have to be a Wildcard SSL Cert?


Robert Abela 24/04/2014

Hi Chris,

Good question. In case of multisite you need to have a Wildcard SSL certificate, since even if you force users to login through a central location, they would still be redirected to the actual domain to preview articles etc, hence the only way of doing it and ensure that all logged in sessions are encrypted is to use Wildcard SSL.

While I trust the above answers your question, do not hesitate to get in touch should you have any further queries.

Charles 16/06/2014

Suppose I want ‘all’ my pages of my WordPress site to go through SSL. What sort of configuration would that require?

Robert Abela 18/06/2014

Good question Charles. It is possible to do it manually but there are a lot of bits and pieces that need to be done manually and you have to update the htaccess, wp-config files etc. In this case it would be easier to use the WordPress SSL plugin. If you are interested in doing it manually, drop me a mail and I’ll send you the information required.

Fawad 19/08/2014

Hi, I used this define('FORCE_SSL_ADMIN', true); in the wp-config.php file, it works fine, but the login page doesn’t appear with the green bar. On all my other pages it comes as https with the green bar, but not on the login page… it just comes as https without the green bar.

and one another thing;
if I want to visit, at first time, it’s not forcing https, it just comes like, but when I click on a link on my site, it comes with both the green bar and https.

Can you please help me, how do I make it force https the first time I visit my site?

thank you very much.

Robert Abela 24/08/2014

Hi Fawad,

To redirect all HTTP to HTTPS connections, even those manually typing HTTP in the browser add this to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

As regards the green bar that is a bit different, i.e. that depends a lot on your setup etc. If you would like us to help you with it, please drop us an email on

Looking forward to hearing from you.

Katie 16/09/2014

Thank you for this helpful tutorial. I have added define('FORCE_SSL_ADMIN', true); to my wp-config.php file. However, I don’t think it is working. If I type in it does not re-direct me to https, but allows me to login over http. I have searched high and low to figure out what I am doing wrong, but am stumped. Do you have any suggestions?

Katie 16/09/2014

I just found a solution that worked. Instead of just adding

define('FORCE_SSL_ADMIN', true);

to my wp-config.php file, I added:

if ( $_SERVER["HTTP_HOST"] == "" || $_SERVER["HTTP_HOST"] == "" ) {
    define('FORCE_SSL_ADMIN', true);
}

And now it works! (Although I still don’t understand why it didn’t work before!)

Robert Abela 19/09/2014

Hi Katie,

Glad you solved your issue.

Technically speaking your previous solution should work as well, that is what most people use. It could also be something related to the configuration or maybe to a plugin which might affect such redirects. If you’d like to look further into it, drop us a note on and we will help you.

Gábor 17/09/2014


Using then Custom Fields plugin created a selector field for pages called force_ssl and changed the is_page(149) to get_field('force_ssl') == true in the code so I can set on the admin panel if page should be https or not.

Robert Abela 19/09/2014

Hi Gabor,

Very interesting solution, never seen it in action. Thanks for recommending.

Ryan Oelke 20/09/2014

Hi, thanks for this post! Your code is great, but I keep getting a redirect loop for any page I try to force ssl on individually, regardless of the method. I prefer your code over other solutions I’ve seen, but they all end up in a redirect loop. I don’t have this problem with the force ssl option in Woo Commerce for the checkout page, but I’m really lost. Any idea what might be happening?


Robert Abela 21/09/2014

Hi Ryan,

Such a problem could be really specific to your scenario. Have you checked your web server and php logs to see if you can find something related to why such a problem is occurring?

Pratik 23/09/2014

What to do if I want to add more pages like id 149 and id 122 and id 10?

can you please tell me is this right

function force_ssl()
{
    // Specify ID of page to be viewed on SSL connection
    if (is_page(36) && is_page(2) && !is_ssl()) {
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
        exit;
    }
    // All other pages must not be https
    elseif (!is_page(36) && !is_page(2) && is_ssl()) {
        header('Location: http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
        exit;
    }
}
add_action('template_redirect', 'force_ssl');

Robert Abela 27/09/2014

Hi Pratik,

In that case you have to use the OR operand rather than the AND. Therefore if you would like to add pages with the ID 149, 122 and 10 you have to write the following:

if ((is_page(149) || is_page(122) || is_page(10)) && !is_ssl())

Trust this helps. Do not hesitate to get in touch should you have any further queries.

Pratik 12/11/2014

Yes that’s true, we have to use || for that. I don’t know why I was thinking about && 😉
I use this code & that works for me
function force_ssl()
{
    // Specify ID of page to be viewed on SSL connection
    if ((is_page(36) || is_page(32)) && !is_ssl()) {
        header('HTTP/1.1 301 Moved Permanently');
        header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
        exit;
    }
}

No problem if a user forces full SSL for other pages (by adding https), but they should not go to these two pages without SSL. Thanks
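In PHP, && binds more tightly than ||, so a multi-page condition only behaves as intended when the is_page() checks are grouped in parentheses before && !is_ssl(). The following added example (not part of the original article or comments) models the redirect decision outside WordPress and follows the redirects to show which variant loops; $page_id and $is_ssl stand in for is_page() and is_ssl(), and page ID 7 is a constructed non-secure page.

```php
<?php
// Added example: models the template_redirect decision so it runs with the PHP CLI,
// outside WordPress. $page_id stands in for the page that is_page() would match and
// $is_ssl for the result of is_ssl(); both are assumptions of this sketch.

const SECURE_IDS = [149, 122, 10];

/** Ungrouped condition; PHP parses it as a || b || (c && !ssl). */
function wants_https_ungrouped(int $page_id, bool $is_ssl): bool
{
    return $page_id === 149 || $page_id === 122 || $page_id === 10 && !$is_ssl;
}

/** Grouped condition: (a || b || c) && !ssl. */
function wants_https_grouped(int $page_id, bool $is_ssl): bool
{
    return ($page_id === 149 || $page_id === 122 || $page_id === 10) && !$is_ssl;
}

/**
 * Follow the redirects the way a browser would and return the schemes visited.
 * The trail ends with 'LOOP' if the page is still redirecting after $max_hops.
 */
function follow_redirects(callable $wants_https, int $page_id, bool $is_ssl, int $max_hops = 5): array
{
    $trail = [$is_ssl ? 'https' : 'http'];
    for ($hop = 0; $hop < $max_hops; $hop++) {
        if ($wants_https($page_id, $is_ssl)) {
            $is_ssl = true;                       // 301 to https://
        } elseif (!in_array($page_id, SECURE_IDS, true) && $is_ssl) {
            $is_ssl = false;                      // all other pages go back to http://
        } else {
            return $trail;                        // no redirect: the page is served
        }
        $trail[] = $is_ssl ? 'https' : 'http';
    }
    $trail[] = 'LOOP';
    return $trail;
}

foreach (['wants_https_ungrouped', 'wants_https_grouped'] as $condition) {
    foreach ([149, 10, 7] as $page_id) {          // 7 is a constructed non-secure page ID
        foreach ([false, true] as $start_ssl) {
            printf(
                "%-22s page %-3d start %-5s => %s\n",
                $condition,
                $page_id,
                $start_ssl ? 'https' : 'http',
                implode(' -> ', follow_redirects($condition, $page_id, $start_ssl))
            );
        }
    }
}
```

With the ungrouped condition, page 149 keeps redirecting to HTTPS even when the request is already on HTTPS, while only the last ID in the chain (10) is handled correctly.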

Adrian 14/10/2014

Hi, please I need your help. I’ve installed a SSL certificate and also installed WordPress HTTPS plugin. Then, I forced SSL only for certain pages. It works well in Firefox. But in Chrome I’m getting a security warning. I checked the warning in Chrome console and it says this:

The page at ‘’ was loaded over HTTPS, but is submitting data to an insecure location at ‘’: this content should also be submitted over HTTPS.

So, the problem is that my homepage is unsecured (in fact, I don’t want SSL for my homepage)

If I force SSL in my homepage (then, the security warning disappears).

How can I fix that? please help me 😛


Robert Abela 15/10/2014

Hi Adrian,

The problem is that you are viewing a page over SSL but you are submitting content to a non secure page (as the error explains as such). You have two solutions at this stage:

1. Switch the homepage to SSL
2. Create a page which works on SSL and submit the content to it rather than to the homepage

While I trust the above gives you an indication of what you should do to fix this issue, do not hesitate to get in touch with us over email should you have any further queries.

Nick 05/11/2014

In fixing the broken links in the theme files for SSL on specific pages, do I have to change all the css, java, etc links in the header section for specific pages to protocol relative links?

Robert Abela 06/11/2014

Yes of course, every link should be relative, else your visitors will get alerts that some content is coming from not secure sources.

Nick 16/11/2014

Is there an easy fix to force relative protocol links to a wordpress header file? The problem I’m envisioning is that some wordpress plugins write javascript or css into the header file.

Nick 16/11/2014

1. I only have one page in wordpress that is a payment page and ssl. Do I have to change the theme’s header.php to relative protocol links? Or, is there a work around for only that specific payment page

2. That functions file you wrote in this post, is the only thing I have to change is the page id? Will that file also take care of links in the header.php file?

Robert Abela 17/11/2014

Hi Nick,

If you have relative links, then if a page is visited over SSL then automatically all links will be on SSL so no need to worry about that. As regards my script, yes all you have to do is change the page ID.

I trust the above answers your questions. Do not hesitate to get in touch should you have any further queries.

John A 04/01/2015

I am trying to secure my WP installation and access based on your article, but it is not working. I have a private SSL Certificate installed by my webhost on its server. They have confirmed that it is properly installed. I have converted all links to files/resources in my site to relative links. I have added the PHP code define('FORCE_SSL_ADMIN', true); into the wp_config.php file via the FileManager in cPanel. Unfortunately, when I try to login, I receive an error page in Chrome that states “Your connection is not private.” with “NET::ERR_CERT_COMMON_NAME_INVALID” at the bottom. What am I missing?


Robert Abela 07/01/2015

Hi John,

The issue you are encountering is because the FQDN (domain name) on the SSL certificate and your website’s domain are not the same. As such your problem is not related to WordPress. Get in touch with me via email on and will help you sort it out with the hosting provider.

John A 04/01/2015

Problem solved. It turns out my web security provider had not properly updated my firewall to allow ssl. The ‘FORCE_SSL_ADMIN’ works perfectly. Interestingly, the code (above) for redirecting specific pages to https appears to be unnecessary for my site. I have several pages that are restricted to logged-in users. The “parent” page is accessed by a link from an unrestricted page that specifies https, rather than leaving it relative. That link forces a login over ssl. Once logged-in and landed on the “parent” page, all of the child pages also access via https without further php coding. In fact, when I tried to use that code for page-specific forcing of ssl, I am informed by my browser that there are too many redirects to resolve.

Robert Abela 07/01/2015

Glad it was solved. Do not hesitate to get in touch should you have any queries.

Dave 10/01/2015

Hi Robert,
Super article, very instructive! I’ve been doing some testing, and this will help.

Along with the measures above, I was wondering if you could share your thoughts on whether or not to set WP to use secure URLs in the “WordPress address” and “Site address” in the admin?

Thanks! Dave

Robert Abela 17/01/2015

Hi Dave,

Yes you can change them as well though those settings are mostly related to the domain and not the protocol.

Adam T. 13/01/2015

Hi Robert. Thank you for continuing to answer questions.

Being new to the use of SSL and building with the platform in general, I’m a touch confused. While this post helped a lot I want to ask a couple questions I may be missing the answer to or over-concerned with.

1) My WP install was fresh using https. After install, I hard-coded the site and WP url using ‘https://’ in wp-config. I do not have ‘force ssl admin’ set as the one time I added the option, it broke the site. Is that normal behavior for a site that is fully https? I appear to always log in via ssl.

2) When navigating, ssl seems functional. If landing on – or even but I redirected from the non-www as a preference – unless typing in ‘https://’, it appears insecure. Is this a case for a re-direct? – I can easily find the code but various sites offering it indicate the re-write mods are not fully secure and could allow intrusion via cookies or hurt performance with multiple re-directs/queries.

Can you speak to any truth in that? Perhaps you know a best-practice for redirecting an http request to the https upon landing?

I searched your site but wasn’t able to find the specific information. Sorry if I’m missing the obvious.

Thank you for the help! 🙂

Robert Abela 17/01/2015

Hi Adam,

You are welcome. Below are my answers to your comment:

1. force ssl admin should not break the website. If it does it means you have something which is not correct. It is difficult to say what is wrong unless you tell me what was the error or what exactly was happening.

2. As regards redirects, yes some redirects can be vulnerable but it all depends on how to set it up. In this article there is a section that explains how to redirect http to https requests.

If you need more detailed information or need assistance I recommend you to drop me a mail on It is very difficult to troubleshoot issues over blog post comments.

Looking forward to hearing from you.

Eric 18/03/2015

How do I SSL the wp-content folder? Because all of my images are in that folder, it causes my entire site to give errors. All of the images are being pulled from instead of https:.

I’ve forced SSL on every page, installed the “SSL Insecure Content Fixer” plugin and activated it and the only pages that don’t give errors are the ones in the WP back office.

WP White Security 24/03/2015

Hi Eric,

If you’ve setup SSL on your web server correctly there is no need to force SSL on the wp-content directory. Instead you should make sure you call content from the wp-content directory using HTTPS rather than HTTP, hence why it is important to use relative links in websites. Question, if you try to access an image directly from the wp-content directory over HTTPS does it show up?

Jason G. 25/03/2015

Thanks for the information. I am activating SSL for a client’s login and dashboard today. Appreciate the help!

Kit Johnson 22/05/2015

What a great tutorial. I’ve never implemented SSL before but feel like I can now. Thank you!

Steffen Schmidt 14/10/2015

Excellent article, great tutorial!

After several hours of fiddling around with .htaccess and WordPress https-plugin conflicts on a client’s site your provided functions.php code was the only solution that worked to get https in place just for one specific page and to redirect all other pages back to http.

Thank you so much for this!

Robert Abela 15/10/2015

That is a bit of an overkill having all those redirects. What were the issues you encountered then when trying to do it the other way round?

Steffen Schmidt 22/10/2015

I know it might seem to be an overkill, but my issues were to get the following components play together:

– delivering the whole website via http except one https page by using a WordPress https-plugin (
– WPML Plugin for multilingual website

As it turned out, the https plugin broke the WPML “secondary“ language pages’ CSS and images.

Since I didn’t manage to get any .htaccess redirections work properly, in my case the only way to solve these conflicts (and to deliver multilingual content showing the site-wide CSS for “secondary“ language pages) was to completely remove the https plugin and to apply your provided “functions.php” solution.

Robert Abela 22/10/2015

Thanks for sharing your solution Steffen.

Kenan Bakici 17/10/2015


I want to ask you a question. My developer set up SSL just for the necessary woocommerce pages and login page but not for the rest of the web site.

Everything is nice and smooth but there is a problem. I login to my web site and I see the admin bar at the top of the page. I am examining pages and when I click the edit button on any page, the system wants me to login again. Even if I am in the admin area (I mean I see the bar above) when I click other pages it asks me for the password again.

So I have to login on every page I want to edit. What can I do to avoid that? This is a nightmare.

Awaiting Your Reply
Best Regards

Robert Abela 22/10/2015

Hello Kenan,

There are several different issues that might be causing this problem and it might not be the fact that not all pages are on SSL. Did this start to happen just when you implemented SSL or did it happen before? Try to look back and see which were the last changes applied to the website before this started happening to find out. Maybe it is time to keep a WordPress audit trail 🙂

Graham Smith 16/11/2015

Hello Robert
This is probably the most useful and understandable post on HTTPS and WordPress I’ve come across in the last few days. So thank you for that. I have just a couple of areas I would like clarification on if possible please.

My query may be out of your area of knowledge, so if it is, I understand and thank you anyway 🙂

My aim is to have my WordPress site: (it’s a blog and portfolio, and has been around for about 10 years) working partially on HTTPS.

By that I mean I would like my WordPress Admin and login to be secure, and just for now, my Client Design Brief page:

I have a valid certificate which has been set-up via my host, and have been able to verify it works.

One thing I am unsure of is that due to using Cloudflare, there are several options in order to activate SSL, from flexible to Strict.

My concerns are that if I activate SSL through Cloudflare, then I’ll end up with Google indexing 10 years of content as HTTPS (duplicate content issue).

Not sure if you are familiar with activating SSL/HTTPS via Cloudflare, and if you are, any suggestions on how I can enable SSL just for a few areas, whilst ensuring the other 99% of my site isn’t indexed.

Thanks again for a very well explained post,

Robert Abela 17/11/2015

Hello Graham,

HTTP / HTTPS is the protocol so from Google’s point of view, there are no risks of having “duplicate” content.

Zhenya 26/12/2015

Great article but unfortunately in my case half of it works.
I have made the necessary adjustments in wp-config file and now https works great in wp dashboard.

In my htaccess I have this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^mysite\.com [OR]
RewriteCond %{HTTP_HOST} ^www\.mysite\.com
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

but when entering the site as a visitor the site is still http and if you type the address with https it will load without problem. However, I want to make https the default.
I’ve tried using the solution you’ve provided to another reader:

“RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]”

and although in the address bar the site loads as https, the page gives me the error: “ERR_TOO_MANY_REDIRECTS”

P.S. 1. it is a multisite, 2. it has woocommerce installed, 3. in the above code wherever “mysite” appears is substituted with the real address of the site in my files.

I would really appreciate any help, cause I’m trying to figure it out for days now..

Thank you in advance,

Robert Abela 07/01/2016

Hello Zhenya,

The solution should work without any problems for a single site, though yours is a multisite. Offhand I cannot tell you exactly what might be wrong hence it is easier to simply get in touch via email on and we troubleshoot this issue.

Arsie Organo 07/06/2018

Hi Robert,

I thought my site config is already complete until I saw your post where I have to add extra parameters in my wp-config. Thanks for this and I have now added the 2 config to force SSL for logins and admin dashboard.
