This guide on HTTPS (Secure Hypertext Transfer Protocol) is written as a basic guide for the user:

  • Who has a basic idea of implementing HTTPS instead of the normal HTTP URI for their self-hosted WordPress, either for all URLs or restricted to a few sensitive webpages.
  • Who wants to use WordPress as a business website and wishes to handle payment transactions on their own website with a third-party payment gateway from middleware service providers like Authorize.Net.
  • Developers who want to test HTTPS on localhost (their own computer).
  • WordPress installations with limited group access and sensitive content (for educational, governmental etc. websites).

Assumptions made for the examples in this guide:

  • It is assumed that the web server software is Apache2 with a normal Linux-Apache-PHP-MySQL (LAMP) server configuration. Windows Server editions with the IIS web server, the Nginx web server or any others are not mentioned, to avoid complexity.
  • The user has their own colocated server, an on-premises physical server, a rented dedicated server, a rented virtual dedicated server, or some mechanism provided by the hosting provider to manage the certificates.
  • The user has advanced knowledge of networking or has a team to solve the technical issues that might arise from the implementation of HTTPS.

Introduction to HTTPS for WordPress

To have HTTPS, an SSL certificate needs to be installed on the server. OpenSSL provides an option to get free HTTPS, but beyond private usage it is not used, as it usually throws a security error to the end user. The WordPress user needs to purchase an SSL certificate, with proper documents, payment etc., either from the web hosting companies. Users can refer to Wikipedia for more details on SSL (Secure Sockets Layer) and TLS (Transport Layer Security) types and providers.

Usually, HTTP URLs use port 80 of the web server, which Apache2 and all web server software normally open after installation. HTTPS requires an extra Apache module (mod_ssl) to be enabled, port 443 to be opened, and other settings, including the VirtualHost configuration, to be properly configured. No extra or special settings are needed specifically for WordPress at the web server level for HTTPS. WordPress by default is ready to use HTTPS URLs if the web server is properly configured.
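The pieces named above (mod_ssl, port 443 and a VirtualHost) fit together as in the following added example, which is not part of the original guide. The host name, the file name, all paths and the Debian/Ubuntu layout are assumptions.

```apache
# /etc/apache2/sites-available/example-wordpress.conf  (hypothetical file name)
#
# Assumes Debian/Ubuntu Apache 2.4: enable mod_ssl with "a2enmod ssl".
# The stock ports.conf then adds "Listen 443" automatically; on other
# layouts add "Listen 443" yourself. Host name and paths are placeholders.

# Plain HTTP on port 80.
<VirtualHost *:80>
    ServerName   example-wordpress.com
    DocumentRoot /var/www/wordpress
</VirtualHost>

# HTTPS on port 443, serving the same WordPress document root.
<VirtualHost *:443>
    ServerName   example-wordpress.com
    DocumentRoot /var/www/wordpress

    SSLEngine on
    # Server certificate; with Apache 2.4.8+ the intermediate certificates
    # can be appended to this same file, leaf certificate first.
    SSLCertificateFile    /etc/ssl/certs/example-wordpress.com.crt
    # Private key: keep it readable by root only.
    SSLCertificateKeyFile /etc/ssl/private/example-wordpress.com.key
    # Refuse the legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    <Directory /var/www/wordpress>
        # WordPress permalinks and .htaccess redirects need overrides.
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Running `apachectl configtest` before reloading Apache catches syntax errors and missing certificate files.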

Implementing HTTPS for WordPress

Install WordPress normally (either an HTTP URL or an HTTPS URL will work; it is better to use HTTP for installation) on your domain or subdomain (needs a wildcard SSL certificate). Go to Settings > General and make sure that the WordPress Address (URL) and Site Address (URL) are https. If not, add an S after http to make it https, and save.

This ensures that all content of a webpage is served from HTTPS URLs when you use the HTTPS URL. The HTTP URL, however, will continue to work normally in parallel, as the two ports are different.


Tweaking HTTPS for WordPress

HTTPS increases security at the cost of the server's computing power. There is absolutely no need to serve a webpage over HTTPS when there is no question of any privacy; this webpage is an example. Moreover, an HTTPS webpage takes more time to render in the browser than an HTTP webpage. This is due to the negotiation time the server requires to authenticate the GET request. To optimize page speed, you can use WP Super Cache for caching, any CDN which has a valid SSL certificate (otherwise there will be a mixed content error on HTTPS), and HyperDB for a scalable database.

As there is no need to serve the whole website from both HTTPS URLs and HTTP URLs, you have to use .htaccess rules to 301 redirect HTTPS to HTTP or vice versa.
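A sketch of such .htaccess rules for the HTTP-to-HTTPS direction, as an added example rather than rules from the original guide. The host name example-wordpress.com and the list of sensitive paths are assumptions, and mod_rewrite must be enabled.

```apache
# .htaccess in the WordPress document root (constructed example).
# Keep this block above the "# BEGIN WordPress" section so the redirect
# is decided before WordPress's own rewrite rules run.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Variant 1: all URLs. A request that arrived over plain HTTP gets a
    # 301 to the same path on HTTPS (the query string is carried over).
    # The target host is written out rather than taken from the request's
    # Host header, so a forged Host value cannot steer the redirect.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://example-wordpress.com%{REQUEST_URI} [R=301,L]

    # Variant 2: only the sensitive pages. Use INSTEAD of variant 1 to
    # move just the login form and the admin area to HTTPS.
    #RewriteCond %{HTTPS} !=on
    #RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin(/|$))
    #RewriteRule ^ https://example-wordpress.com%{REQUEST_URI} [R=301,L]

    # If TLS is terminated on a proxy or load balancer in front of Apache,
    # %{HTTPS} stays "off" on every request and these rules would loop.
</IfModule>
```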


More Advanced Tweaks

In case you need HTTPS for only a few webpages of WordPress, you can use a CNAME to redirect to URLs that look like subdomains. Example:

Your WordPress is installed at:

http://example-wordpress.com/

In this case your login URL will be at:

http://example-wordpress.com/wp-login.php

But you would love to have a funky HTTPS login URL at:

https://login.example-wordpress.com

In this case, you will need a wildcard SSL certificate (CNAME is not a protocol) for the whole server and subdomains, or only for the subdomains. Obviously, redirect the real HTTP and HTTPS login webpage with .htaccess too, otherwise the normal redirection to wp-admin will not work.


Good Practices for HTTPS for WordPress

  • Using a reputable web host with a white-labeled IP
  • Using an SSL certificate from a standard reseller
  • Serving static content from an SSL-enabled CDN
  • Other normal tricks like combining and minifying CSS and JavaScript
  • Proper .htaccess redirects
  • Open discussion with the third-party services which you want to use, like payment gateways
  • Using a managed service for the web server from the industry's standard web hosts for your business. This is important for monitoring server errors and fixing server-related issues.


Bad Practices for HTTPS for WordPress

  • Serving the whole website from both HTTPS and HTTP URLs
  • Using a substandard web host or a doubtful certifying authority


  1. Certificate authority – Wikipedia
  2. Third Party Certificate Authorities – DMOZ
  3. Apache Module mod_ssl – Official Apache Module Documentation
  4. Installing Free SSL Certificate – Temporary link is for developers/contributors only, for testing purposes (CLI)