WordPress SSL Setup with WordPress HTTPS (SSL) Plugin

Last updated on December 06th, 2014 by Robert Abela. Filed under WordPress Security Plugins

As we have seen in our previous security post Hacking WordPress Login, your WordPress usernames and passwords can easily be stolen by malicious hackers, which is why you should always access your WordPress login page, the WordPress dashboard and admin pages (wp-admin section) over an HTTPS connection (HTTP over SSL).

If you host an online shop on your WordPress, where you ask your customers to submit their credit card details and other sensitive details, you should also run those pages over an HTTPS connection.

In this WordPress security guide we will explain how to set up and run WordPress on SSL (HTTPS connection) using the WordPress HTTPS (SSL) plugin. If you would like to manually set up WordPress SSL, follow our Definitive Guide to WordPress SSL.

Get an SSL Certificate for your Web Server

The first task is to get an SSL web server certificate from a certificate authority (check out What is an SSL Certificate for more information about SSL certificates). If your WordPress is on shared or preconfigured hosting, this procedure might vary depending on your hosting provider. It is recommended to contact your hosting provider to assist you with getting an SSL certificate.

If you have your own web server and would like to do it yourself, first you have to generate a private key and an SSL web server certificate request as explained in Steps 1 and 2 of the post Generate a Self Signed SSL Certificate for HTTPS on Apache. Once ready, send your certificate request to the certificate authority of your choice to start the verification process. There are many certificate authorities available on the market to choose from. Our preferred (and most probably the most popular) certificate authorities are Verisign and Thawte.

Once you get your SSL web server certificate from your certificate authority, you can configure the web server to start listening for HTTPS connections, as explained in the section Configuring Apache Web Server to Run SSL (HTTPS).

Install and Configure WordPress SSL (HTTPS) Plugin

Once your web server SSL certificate is installed, log in to your WordPress dashboard (wp-admin pages), install the plugin WordPress SSL (HTTPS) and click the HTTPS node to access the plugin settings and configure WordPress SSL, as shown in the screenshot below.

WordPress HTTPS plugin general settings

By default the SSL Host (domain name) will be populated. Enter the port number in the Port input field only if you manually configured the server HTTPS listener to listen on a non-default port (the default HTTPS port is TCP 443), which is very uncommon.

WordPress Login and Admin Pages over WordPress SSL

Tick the option Force SSL Administration to automatically redirect everyone accessing the WordPress login page and WordPress dashboard (wp-admin section) to an HTTPS connection.

That is it! Now the WordPress login and WordPress administrator pages (wp-admin section) will always be accessed over an HTTPS (encrypted HTTP) session. Should users try to access them over an HTTP connection, they will be automatically redirected to an HTTPS connection.

Further WordPress HTTPS (SSL) Configuration Options

The WordPress HTTPS (SSL) plugin has several other features that might come in handy when configuring WordPress SSL for your blog or website, especially if you retrieve content from other websites (such as affiliate adverts) and / or if you host an online shop or ask visitors to submit sensitive information via a form on your WordPress blog or website.

Domain Mapping Rules for WordPress SSL

From the section Domain Mapping shown in the screenshot below you can configure domain mapping rules to map external domains that host their HTTPS content on a different domain.

Configuring Domain Mappings in WordPress HTTPS (SSL) plugin

Domain mapping rules are used to ensure that content retrieved from external domains, such as Gravatar, will always be loaded over an HTTPS encrypted connection. If it is not, your visitors will get a browser security warning like the one below. Although nothing is wrong with it, the warning might alarm some people and drive them away from your website.

Browser security warning advising user that not all content on the WordPress site is coming from an HTTPS location
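To find the external resources that trigger this warning before your visitors do, you can scan a page's HTML for subresources still referenced over plain HTTP. The following is an added example, not part of the plugin or the original post; the page URL, theme path and avatar hash in the sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            attr = "href"
        url = attrs.get(attr) if attr else None
        if not url:
            return
        # Resolve relative and protocol-relative (//host/...) references first.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, url)] for every HTTP subresource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample page (not taken from a real site).
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<script src="//cdn.example.net/lib.js"></script>
<img class="avatar" src="http://www.gravatar.com/avatar/0000?s=48">
<a href="http://example.org/">plain link, not a subresource</a>
<img src="https://secure.gravatar.com/avatar/0000?s=48">
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://blog.example.com/post/", SAMPLE_HTML):
        print(f"<{tag}> loads insecure resource: {url}")
```

Each host reported here is a candidate for a domain mapping rule. Ordinary links (`<a href>`) are ignored because following a link does not load content into the secure page.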

URL Filters to Automatically Redirect Visitors to HTTPS Connection

The plugin also allows you to easily configure URL Filters to automatically redirect visitors accessing a specific section (sub directory) or page on your WordPress blog or website to an HTTPS connection.

For example, when using the configuration from the below screenshot, all visitors trying to access the store, cart or private sub directories on a WordPress site will be redirected to an HTTPS connection automatically, i.e. even when they manually enter HTTP in the browser URL input field.

Configuring URL Filters in WordPress HTTPS (SSL) plugin
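After enabling Force SSL Administration and the URL filters, it is worth confirming that a plain-HTTP request to each protected path really is answered with a redirect to HTTPS on the expected SSL Host. The check below is an added example, not code from the plugin or the original post; the host name and the recorded responses are constructed, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_https_redirect(http_url, status, location, ssl_host=None):
    """Classify the response a server gave to a plain-HTTP request.

    ssl_host is the host configured as SSL Host; it defaults to the
    requested host. Returns "ok" or a short reason for the failure.
    """
    requested = urlsplit(http_url)
    expected_host = (ssl_host or requested.hostname).lower()
    if status not in REDIRECT_CODES:
        return f"no redirect (status {status}): served over HTTP"
    if not location:
        return "redirect without a Location header"
    # Location may be relative, in which case it stays on the HTTP origin.
    target = urlsplit(urljoin(http_url, location))
    if target.scheme != "https":
        return f"redirects to {target.scheme}, not https"
    if (target.hostname or "").lower() != expected_host:
        return f"redirects to unexpected host {target.hostname}"
    return "ok"

def audit(responses, ssl_host=None):
    """Map each URL to its verdict; responses is [(url, status, location)]."""
    return {url: check_https_redirect(url, status, loc, ssl_host)
            for url, status, loc in responses}

# Constructed responses, as recorded with redirect following disabled.
SAMPLE_RESPONSES = [
    ("http://shop.example.com/wp-login.php", 302,
     "https://shop.example.com/wp-login.php"),
    ("http://shop.example.com/wp-admin/", 301,
     "https://shop.example.com/wp-admin/"),
    ("http://shop.example.com/store/", 200, None),           # filter missing
    ("http://shop.example.com/cart/", 302, "/cart/?added=1"),  # stays on HTTP
    ("http://shop.example.com/private/", 301,
     "https://shop.example.com/private/"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:45} {url}")
```

A path that answers with status 200 over HTTP, or redirects without changing scheme, is not covered by any rule and still exposes whatever is submitted on it.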

WordPress SSL (HTTP over SSL – Secure and Encrypted Connection)

Encrypting traffic between your visitors and your WordPress website or blog over an HTTPS connection is fairly easy with the WordPress HTTPS (SSL) plugin. The same applies to encrypting the HTTP traffic during a WordPress login session or when accessing the WordPress dashboard.

We do recommend that every WordPress owner should start accessing the WordPress login page and dashboard over an HTTPS connection to avoid having their WordPress credentials stolen. And of course, if you have an online shop, or a form which your visitors use to send you sensitive information such as credit card numbers and login details, make sure they also run on an HTTPS connection.

Download the WordPress HTTPS (SSL) plugin from the WordPress.org Repository.


2 comments

jan 12/06/2014

Please come with some more advanced examples like with w3-cache – maxcdn – optimization image compression – etc. etc.

And the use of SSL: I ran into a lot of trouble since I added this, including load time increase, and HTTPS does not solve it, neither this beginner article.

Robert Abela 15/06/2014

Hi Jan,

Will have definitely write something about SSL and caching. As regards the problems you’re encountering, feel free to drop us an email and we will help you solve it 🙂
