SSL is becoming more of a consideration for WordPress developers. Not only will you need it if you’re developing a transactional website, but now it could affect your SEO too. In this quick tip I’ll show you how easy it is to make your WordPress site more secure.
What is SSL and Why Use It?
SSL stands for Secure Sockets Layer. If your site uses it, the http at the beginning of your urls will be replaced by https. It effectively adds a layer of security to your site by encrypting urls so they aren’t sent openly between the client and the server. This means that any urls containing sensitive information such as passwords and/or transaction details are invisible to the bad people who want to hack into your WordPress installation.
You may not think that your site is using urls with sensitive information but it may well be without you realizing. WordPress automatically generates all sorts of potentially insecure urls when users are logging in to your site or completing transactions.
Another good reason to use SSL is that Google has now announced that it’s adding it to its algorithms, meaning that sites with SSL may well be ranked more favorably.
To set up SSL in WordPress you’ll need to carry out two steps:
- Buy an SSL certificate for your domain
- Add SSL to your WordPress installation either via a plugin or by editing your
Buying an SSL Certificate
Most hosting providers or domain registrars will sell you an SSL certificate, which is normally the simplest way to go about it as they will complete the configuration with your domain name. Alternatiavley if you want to do this yourself, you can buy one direct form an SSL certificate provider.
When you’re buying your certificate, you’ll have a few options to choose from:
- Standard SSL Certificate – sufficient for standard WordPress installations
- Extended Validation (EV) SSL Certificates provide greater reassurance for website visitors as they turn the URL bar green and display the name of the organisation providing the certificate. They will cost a bit more and you may have to provide more infomation about your company to the provider.
- Wildcard SSL Certificates – if you’re running a Multisite installation using subdomains (not subdirectories) you’ll need one of these. These come either as standard or EV.
Adding SSL to WordPress
Once you’ve bought your SSL certificate and have it working with your domain, configuring WordPress to use SSL is very simple.
This time you have two options:
- Configure SSL for the whole site. This is essential if your site is a transactional one, for example a shop or app, or if you want to install SSL for SEO purposes.
- Configure SSL for the admin area. This won’t change your front-end site but will make your admin area more secure.
Configuring SSL for Your Whole Site
You can do this very simply in the WordPress dashboard. Go to Settings -> General and change the WordPress Address and the Site address from http to https:
Configuring SSL for the Admin and /or Login
To do this, open your
wp-config.php file and find the line that reads:
/* That's all, stop editing! Happy blogging. */
Immediately above it, add this line:
This forces the whole admin area to use SSL. If you just want the login screen to use SSL you add this line instead:
You don’t need to use both.
config-php file and test what you’ve done by logging into your site.
Alternative – Using a Plugin
If you don’t feel comfortable editing your
wp-config.php file and want to set up SSL for the admin area, you can use a plugin to do this. The WordPress SSL plugin lets you configure SSL via the Dashboard.
For more on WordPress SSL, see the following: