As we have seen in our previous security post Hacking WordPress Login, your WordPress usernames and passwords can easily be stolen by malicious hackers, hence you should always access your WordPress login page, the WordPress dashboard and admin pages (wp-admin section) over an HTTPS connection (HTTP over SSL).
If you host an online shop on your WordPress site, where you ask your customers to submit their credit card details and other sensitive details, you should also run those pages over an HTTPS connection.
In this WordPress security guide we will explain how to set up and run WordPress on SSL (an HTTPS connection) using the WordPress HTTPS (SSL) plugin. If you would like to set up WordPress SSL manually, follow our Definitive Guide to WordPress SSL.
Get an SSL Certificate for your Web Server
The first task is to get an SSL web server certificate from a certificate authority (check out What is an SSL Certificate for more information about SSL certificates). If your WordPress is on a shared or preconfigured hosting, this procedure might vary depending on your hosting provider. It is recommended that you contact your hosting provider for assistance in getting an SSL certificate.
If you have your own web server and would like to do it yourself, first you have to generate a private key and an SSL web server certificate request as explained in Steps 1 and 2 of the post Generate a Self Signed SSL Certificate for HTTPS on Apache. Once ready, send your certificate request to the certificate authority of your choice to start the verification process. There are many certificate authorities available on the market to choose from. Our preferred (and most probably the most popular) certificate authorities are Verisign and Thawte.
Once you get your SSL web server certificate from your certificate authority, you can configure the web server to start listening for HTTPS connections, as explained in the section Configuring Apache Web Server to Run SSL (HTTPS).
Install and Configure WordPress SSL (HTTPS) Plugin
Once your web server SSL certificate is installed, log in to your WordPress dashboard (wp-admin pages), install the WordPress HTTPS (SSL) plugin and click the HTTPS node to access the plugin settings and configure WordPress SSL, as shown in the screenshot below.
By default the SSL Host (domain name) will be populated. Enter the port number in the Port input field only if you manually configured the server's HTTPS listener to listen on a non-default port (the default HTTPS port is TCP 443), which is very uncommon.
WordPress Login and Admin Pages over WordPress SSL
Tick the option Force SSL Administration to automatically redirect everyone accessing the WordPress login page and WordPress dashboard (wp-admin section) to an HTTPS connection.
That is it! Now the WordPress login and WordPress administrator pages (wp-admin section) will always be accessed over an HTTPS (encrypted HTTP) session. Should users try to access them over a plain HTTP connection, they will be automatically redirected to an HTTPS connection.
Further WordPress HTTPS (SSL) Configuration Options
The WordPress HTTPS (SSL) plugin has several other features that might come in handy when configuring WordPress SSL for your blog or website, especially if you retrieve content from other websites (such as affiliate adverts) and/or if you host an online shop or ask visitors to submit sensitive information via a form on your WordPress blog or website.
Domain Mapping Rules for WordPress SSL
From the section Domain Mapping shown in the screenshot below you can configure domain mapping rules to map external domains that host their HTTPS content on a different domain.
Domain mapping rules are used to ensure that content retrieved from external domains, such as Gravatar, is always loaded over an HTTPS encrypted connection. If it is not, your visitors will get a browser security warning (mixed content) like the one below; although nothing is actually wrong with the page, it might alarm some people and drive them away from your website.
URL Filters to Automatically Redirect Visitors to HTTPS Connection
The plugin also allows you to easily configure URL Filters to automatically redirect visitors accessing a specific section (sub directory) or page on your WordPress blog or website to an HTTPS connection.
For example, with the configuration shown in the screenshot below, all visitors trying to access the store, cart or private sub directories on a WordPress site will be redirected to an HTTPS connection automatically, even if they manually enter HTTP in the browser's URL input field.
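As an added example (not the plugin's own code), the following Python mirrors the redirect decisions that Force SSL Administration and the URL Filters above make, including the non-default Port case, and adds a check for the plain-HTTP resources (such as an unmapped Gravatar avatar) that the Domain Mapping rules are meant to eliminate. The hostnames, paths and HTML fragment are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed settings mirroring the plugin options described in this post.
FORCE_SSL_ADMIN = True                           # "Force SSL Administration"
URL_FILTERS = ("/store", "/cart", "/private")    # "URL Filters" from the screenshot
HTTPS_PORT = 443                                 # "Port" field; 443 unless changed
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin")  # covered by Force SSL Administration

def _path_matches(path, prefix):
    # The directory itself or anything below it, but not e.g. /storefront.
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def https_redirect_target(url, force_ssl_admin=FORCE_SSL_ADMIN,
                          url_filters=URL_FILTERS, https_port=HTTPS_PORT):
    """HTTPS URL a plain-HTTP request must be redirected to, or None when no
    redirect applies (already HTTPS, or a path outside admin and the filters)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    path = parts.path or "/"
    admin_hit = force_ssl_admin and any(_path_matches(path, p) for p in ADMIN_PREFIXES)
    if not (admin_hit or any(_path_matches(path, f) for f in url_filters)):
        return None
    host = parts.hostname if https_port == 443 else "%s:%d" % (parts.hostname, https_port)
    # Query string is kept so wp-login.php?redirect_to=... still works after redirect.
    return urlunsplit(("https", host, path, parts.query, ""))

# Only resources the browser loads (scripts, images, stylesheets, frames) cause
# the mixed-content warning; a plain <a href="http://..."> link does not.
_RESOURCE_TAG = re.compile(
    r"<(?:script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*['\"](http://[^'\"]+)['\"]",
    re.IGNORECASE)

def find_mixed_content(html):
    """List http:// resource URLs embedded in a page served over HTTPS."""
    return _RESOURCE_TAG.findall(html)

# Constructed page fragment: an unmapped Gravatar avatar and a local script still
# load over plain HTTP; these are what Domain Mapping rules are meant to catch.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-content/themes/x/style.css">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
</head><body><img class="avatar" src="http://0.gravatar.com/avatar/0123abcd?s=96">
<a href="http://example.com/about/">About</a></body></html>"""
```

Run `find_mixed_content` against the HTML of your HTTPS pages to find which external domains still need a mapping rule.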
WordPress SSL (HTTP over SSL – Secure and Encrypted Connection)
Encrypting traffic between your visitors and your WordPress website or blog over an HTTPS connection is fairly easy with the WordPress HTTPS (SSL) plugin. The same applies to encrypting the HTTP traffic during a WordPress login session or when accessing the WordPress dashboard.
We recommend that every WordPress owner access the WordPress login page and dashboard over an HTTPS connection to avoid having their WordPress credentials stolen. And of course, if you have an online shop, or a form which your visitors use to send you sensitive information such as credit card numbers and login details, make sure those pages also run over an HTTPS connection.
Download the WordPress HTTPS (SSL) plugin from the WordPress.org Repository.