This guide on HTTPS (Hypertext Transfer Protocol Secure) is written as a basic guide for the following users:
- Those who have a basic idea of implementing HTTPS instead of plain HTTP URIs for their self-hosted WordPress, either for all URLs or restricted to a few sensitive web pages.
- Those who want to use WordPress as a business website and wish to process payment transactions on their own website through a third-party payment gateway from middleware service providers like Authorize.Net.
- Developers who want to test HTTPS on localhost (their own computer).
- WordPress installations with limited group access and sensitive content (for educational, governmental and similar websites).
Assumptions made for the examples in this guide:
- The web server software is Apache2 in a standard Linux-Apache-PHP-MySQL (LAMP) configuration. Windows Server editions with the IIS web server, the Nginx web server and others are not covered, to avoid complexity.
- You have your own colocated server, an on-premise physical server, a rented dedicated server, a rented virtual dedicated server, or some mechanism provided by the hosting provider to manage the certificates.
- You have advanced knowledge of networking, or a team to solve the technical issues that might arise from implementing HTTPS.
Introduction to HTTPS for WordPress #
To have HTTPS, an SSL certificate needs to be installed on the server. OpenSSL can generate a self-signed certificate for free, but beyond private usage this is not used, because browsers show a security error to the end user. The WordPress user needs to purchase an SSL certificate, with the proper documents, payment etc., from a certifying authority or reseller, or from the web hosting company. Refer to Wikipedia for more details on SSL (Secure Sockets Layer) and TLS (Transport Layer Security) types and providers.
Usually HTTP URLs use port 80 of the web server, which Apache2 and every other web server opens by default after installation. HTTPS requires the extra Apache module mod_ssl to be enabled, port 443 to be opened, and the other settings, including the VirtualHost configuration, to be set up properly. No extra or special settings are needed specifically for WordPress at the web server level for HTTPS: WordPress is ready to use HTTPS URLs by default once the web server is properly configured.
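The steps above (enable mod_ssl, open port 443, add a VirtualHost) as a provisioning script. This is an added example, not part of the original guide: it assumes a Debian/Ubuntu style Apache 2.4 layout (a2enmod, a2ensite, /etc/apache2/sites-available, ports.conf already listening on 443 once mod_ssl is enabled), the document root and certificate paths given in the variables, and a self-signed certificate that is suitable for localhost testing only; for a public site, point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key obtained from the certifying authority instead.

```shell
#!/bin/sh
# Added example (not from the original guide): provision a port-443 VirtualHost for a
# WordPress site on a Debian/Ubuntu style Apache 2.4 layout.
# Assumptions: the paths below; a self-signed certificate for development only.
set -eu

APACHE_SITES="${APACHE_SITES:-/etc/apache2/sites-available}"
CERT_DIR="${CERT_DIR:-/etc/ssl/localcerts}"
DOCROOT="${DOCROOT:-/var/www/wordpress}"

# Print the VirtualHost block for server name "$1" using certificate "$2" and key "$3".
# AllowOverride All is what lets WordPress's .htaccess rules (permalinks, redirects) work.
render_ssl_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $DOCROOT

    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
    # Disable the legacy protocol versions; keep only TLS 1.2 and newer.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    <Directory $DOCROOT>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Development only: a self-signed certificate for "$1" (browsers will warn, as the guide notes).
make_dev_cert() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" \
        -keyout "$CERT_DIR/$1.key" -out "$CERT_DIR/$1.crt"
    chmod 600 "$CERT_DIR/$1.key"   # the private key must not be world-readable
}

# Write the site file, enable mod_ssl and the site, check the config, then reload.
apply_site() {
    make_dev_cert "$1"
    render_ssl_vhost "$1" "$CERT_DIR/$1.crt" "$CERT_DIR/$1.key" > "$APACHE_SITES/$1-ssl.conf"
    a2enmod ssl
    a2ensite "$1-ssl.conf"
    apache2ctl configtest
    systemctl reload apache2
}

# Nothing is changed unless explicitly asked, e.g.: sudo sh enable-https.sh --apply localhost
if [ "${1:-}" = "--apply" ]; then
    apply_site "${2:-localhost}"
fi
```

Running the script without `--apply` only defines the functions, so `render_ssl_vhost` can be used to inspect the generated VirtualHost before anything is written to /etc/apache2. `apache2ctl configtest` runs before the reload so a typo in the site file cannot take the running server down.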
Implementing HTTPS for WordPress #
Install WordPress normally (either an HTTP or an HTTPS URL will work; it is better to use HTTP for the installation) on your domain or subdomain (a subdomain needs a wildcard SSL certificate). Go to Settings > General and make sure that the WordPress Address (URL) and Site Address (URL) are https. If not, add an S after http to make it https and save.
This ensures that all content of a web page is served from the HTTPS URL when you use the HTTPS URL. The HTTP URL will, however, keep working normally in parallel, as the two ports are different.
Tweaking HTTPS for WordPress #
HTTPS increases security at the cost of the server's computing power. There is no need to serve a web page over HTTPS when privacy is not a concern, for example this web page. Moreover, an HTTPS web page takes longer to render in the browser than an HTTP web page, because of the TLS negotiation (handshake) the server and browser must complete before the GET request can be served. You can use WP Super Cache for caching, any CDN that has a valid SSL certificate (otherwise there will be mixed-content errors on HTTPS), and HyperDB for a scalable database to optimize page speed.
As there is no need to serve the whole website under both HTTPS and HTTP URLs (that is harmful for SEO, just like www and non-www: Google will mark them as duplicate content), you have to use .htaccess rules to 301-redirect HTTPS to HTTP or vice versa.
More Advanced Tweaks #
In case you need HTTPS on only a few pages of WordPress, you can use a CNAME record to redirect to URLs that look like a subdomain. Example:
Your WordPress is installed at:
In this case your login URL will be at:
But you would love to have a funky HTTPS login URL at:
In this case you will need a wildcard SSL certificate (CNAME is not a protocol) for the whole server and its subdomains, or only for the subdomains. Obviously you must also redirect the real HTTP and HTTPS login page with .htaccess, otherwise the normal redirection to wp-admin will not work.
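The .htaccess redirects called for in the two passages above (301 from one scheme to the other for the whole site, and HTTPS only for the login and admin pages) as an added example; it is not part of the original guide. It assumes mod_rewrite is enabled, `AllowOverride All` on the document root, WordPress installed at the document root (so the paths start with /wp-login.php and /wp-admin), and that TLS is terminated by this Apache itself rather than by a proxy in front of it, so `%{HTTPS}` is reliable. The generated rules must sit above WordPress's own `# BEGIN WordPress` block.

```shell
#!/bin/sh
# Added example (not from the original guide): print and install the .htaccess redirect rules
# that pick one scheme per URL, so the site is never served under both HTTP and HTTPS.
# Assumptions: mod_rewrite on, AllowOverride All, WordPress at the document root,
# TLS terminated by this Apache (not by a reverse proxy).
set -eu

# render_redirects MODE
#   all   -> every plain-HTTP request is 301-redirected to HTTPS
#   login -> only wp-login.php and wp-admin are forced to HTTPS; every other page
#            is sent back to plain HTTP, so no page is reachable under both schemes
render_redirects() {
    case "$1" in
    all)
        cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
        ;;
    login)
        cat <<'EOF'
RewriteEngine On
# Sensitive pages: plain HTTP -> HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin) [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Everything else: HTTPS -> plain HTTP (avoids the duplicate-content problem)
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin) [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
        ;;
    *)
        echo "usage: render_redirects all|login" >&2
        return 2
        ;;
    esac
}

# install_redirects MODE PATH: prepend the rules to an existing .htaccess, keeping
# WordPress's own block intact, via a temporary file so a partial write never lands.
install_redirects() {
    mode="$1"; htaccess="$2"
    tmp="$htaccess.tmp.$$"
    {
        render_redirects "$mode"
        echo
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$tmp"
    mv "$tmp" "$htaccess"
}

# Example use: sh htaccess-redirects.sh login /var/www/wordpress/.htaccess
if [ $# -eq 2 ]; then
    install_redirects "$1" "$2"
fi
```

Pair the `login` mode with `define('FORCE_SSL_ADMIN', true);` in wp-config.php so WordPress itself keeps the dashboard on HTTPS; when the login happens over HTTPS, WordPress sets its auth cookie with the Secure flag, so it is not sent on the plain-HTTP front-end pages. The front-end logged-in cookie still travels over HTTP in that mode, so it protects the credentials and the admin session, not a logged-in visitor's identity on the public pages; the `all` mode is the simpler choice whenever the server can afford it.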
Good Practices for HTTPS for WordPress #
- Using a reputed web host with a white-labeled IP
- Using an SSL certificate from a standard reseller
- Serving static content from an SSL-enabled CDN
- Proper .htaccess redirects
- Open discussion with the third-party services you will want to use, like payment gateways
- Using a managed service for the web server from an industry-standard web host for your business. This is important for monitoring server errors and fixing server-related issues.
Bad Practices for HTTPS for WordPress #
- Serving the whole website from both HTTPS and HTTP URLs
- Using a substandard web host or a doubtful certifying authority