Adding an SSL certificate to your site’s domain is one of the best ways to secure your WordPress website. Although HTTPS is necessary for many sites, the cost and implementation concerns linked with it have stood in the way of its widespread deployment.
Up until recently, getting started with a functional SSL certificate was no cakewalk. However, the new open source certificate authority, Let’s Encrypt, changed that forever in hopes of creating a more secure and privacy-respecting web.
In this post, we’ll walk you through step-by-step instructions to install a free SSL certificate on your WordPress site using Let’s Encrypt. However, before we begin, let’s briefly review what an SSL certificate is and why you should install one on your site’s domain.
What an SSL Certificate Is (And Why You Need One)
We exchange information over the web by means of the HTTP protocol. As it so happens, the HTTP protocol is unencrypted by default which means that the data we’re transferring over it can potentially be intercepted and tampered with. This is where SSL (Secure Sockets Layer) comes in.
Simply put, SSL is a collection of protocols that is designed to encrypt the transmission of data. And when we combine the two together, we get HTTPS – a secure way of accessing and interacting with a website.
The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data. – Wikipedia
SSL certificates ensure that your connection to a site is encrypted and that the site itself is authentic. Certificate authorities (such as Let’s Encrypt, CAcert, and DigiCert), working behind the scenes, validate site ownership to different levels before issuing the most suitable certificate. Once the certificate is installed, it enables data encryption between the site’s server and the user’s browser.
Why You Need an SSL Certificate
If you’re running an online store then you most certainly need to be using HTTPS. Here’s why:
- Accept payments securely. Whether your customers make purchases through payment gateways or by entering their credit card information, it’s important for them to rest assured their sensitive information won’t be compromised while shopping on your site.
- Secure web forms. Oftentimes, online stores require users to enter personal information via web forms. Chances are your customers won’t want even the most basic information about them leaked to hackers.
- Protect user login information. WordPress sites are database-driven sites with password-protected back-end access. Keeping user login information secure (and encrypted) is vital. Similarly, if you’re running a membership site then the likelihood of a hacking attempt goes up manifold.
WordPress recently announced that it will only recommend hosting companies offering SSL by default. In short, if you want anything to be secure online, you’ll need to protect it under the safety net of an SSL certificate. However, as we mentioned before, the costs of implementing SSL certificates have been prohibitively pricey for site owners in the past.
Let’s Encrypt introduces a simple solution for ordinary site owners to make their way through the puzzling world of SSL. Let’s take a look at what it’s all about.
Introducing Let’s Encrypt
Let’s Encrypt is a new certificate authority that’s operated by the Internet Security Research Group. Its initiative is centered around making SSL certificates free and automated for everyone. The service currently offers full support for IPv6, IDN, ACME DNS challenge, and ECDSA signing.
The objective of Let’s Encrypt is to make it easy for ordinary users to set up an HTTPS server and have it obtain a browser-trusted certificate – automatically. One of the major reasons why Let’s Encrypt is a great choice for developers is that it’s open source. This essentially means that developers are in a position to fix it, add to it, and even update it (if necessary).
With that out of the way, let’s take a look at how you can get started with using the service.
How to Add a Free SSL Certificate to Your WordPress Site
There are two main ways you can get up and running with an SSL certificate from Let’s Encrypt. The first route is to do it manually by following Let’s Encrypt’s official documentation on getting started. If you’re looking for an even easier, WordPress-specific solution then the best course of action is to find a host that explicitly supports Let’s Encrypt.
In this section, we’ll outline a WordPress-specific approach to adding a free SSL certificate to your site. As always, be sure to create a full backup of your site before you begin.
Step 1: Install Your Free SSL Certificate Using Your Current Host
While you can always install an SSL certificate manually, many popular hosts now include installation options with their admin panels. Though each hosting company will have a slightly different process, these steps, for the most part, will be the same:
- Log in to your user portal.
- Head over to your-website-name > SSL > Add Certificates > Get Let’s Encrypt.
- Select the domains for which you want HTTPS.
Step 2: Update Your WordPress URLs
By now you’ve successfully installed an SSL certificate to your WordPress website. From a technical standpoint, this means that your site now uses the HTTPS protocol instead of the HTTP protocol. In order to actually start leveraging all the benefits SSL brings to the table, you’ll need to change the URLs of your WordPress site.
Updating WordPress URLs on New Sites
If you’ve set out to configure an SSL certificate on a brand new WordPress installation then updating URLs is fairly straightforward. Start off by navigating to Settings > General from your WordPress admin panel.
Scroll down to the WordPress Address (URL) and Site Address (URL) sections.
Now, update both fields to use HTTPS by replacing http with https in the text fields of both sections.
Click the Save Changes button to continue. All of your site’s URLs should now be updated to HTTPS.
Updating WordPress URLs on Existing Sites
If you’ve installed an SSL certificate to an existing WordPress site then chances are that it’s already being indexed by search engines. Since you’ve probably shared links to your site using http in its URL, you’ll need to ensure that all of your traffic is redirected to the new https URL.
To do this, navigate to Plugins > Add New from your WordPress site’s admin panel and search for the Really Simple SSL plugin. Once you install and activate it, the plugin will automatically configure your website (i.e. update all URLs) to run over HTTPS by updating the .htaccess file or running some JavaScript code. In addition to this, it will also fix any insecure content issues.
Step 3: Update Your Google Analytics Settings
Those of you who have Google Analytics installed on your WordPress site will also need to update its settings by adding the new https URL. To get started, log in to your Google Analytics account and navigate to Admin > Property Settings.
From there, update the Default URL from http:// to https:// by clicking on the drop-down menu.
Click the Save button at the bottom of the page to update your settings.
Conclusion
Encrypting the connection between your visitors’ browsers and your site allows you to securely transmit personal information, accept payments, and protect user login information without the risk of compromising it. Let’s Encrypt makes it incredibly easy for both ordinary site owners and developers to switch over to the secure HTTPS protocol by installing a free, automated SSL certificate.
Let’s quickly recap the main steps you need to take to install a free SSL certificate from Let’s Encrypt:
- Install a free SSL certificate using your current hosting provider.
- Update your WordPress site’s URLs.
- Update the Google Analytics settings for your WordPress site.
Do you have any questions about installing an SSL certificate on your WordPress website? Let us know in the comments section below!
Image credit: Unsplash.