HTTPS For WordPress

For local development, you can create a self-signed certificate using OpenSSL. This has limited use, since a self-signed certificate will not be trusted by others, so it should only be used for private servers.

No extra or special settings are needed specifically for WordPress at the web server level for HTTPS. WordPress by default is ready to use HTTPS URLs if the web server is properly configured.

The default port for HTTP URLs is port 80; the default port for HTTPS is port 443. These ports need to be opened through any network firewall. Apache includes a mod_ssl module that needs to be enabled and properly configured. If you use certbot, it can automatically create and configure the VirtualHost settings needed.

Implementing HTTPS for WordPress

To implement HTTPS support on WordPress, you only need to set the WordPress Address and Site Address URLs to use https://. You can install WordPress using either HTTP or HTTPS to start; both will work, and you can switch over later.

Go to Settings > General and make sure that the WordPress Address (URL) and Site Address (URL) both use https. If not, add an 's' after http to make it https and save:

If your website doesn't use HTTPS, the Site Health tool (Tools > Site Health) will tell you so.

Since version 5.7, WordPress can also automatically switch to HTTPS if an SSL certificate is already set up on your server.

Best Practices for HTTPS for WordPress

It is recommended for all production WordPress sites to use HTTPS.

  • Use a reputable web host; most provide HTTPS as a standard service.
  • Use an SSL certificate from Let’s Encrypt; they are free and easy to use.
  • Serve static content from an SSL-enabled CDN.

You may need to redirect your HTTP traffic to your HTTPS site. For Apache, you can do so by creating two VirtualHost entries, for example:

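<VirtualHost *:80>
    ServerName mkaz.blog
    # Redirect without a status argument sends a temporary (302) redirect to the HTTPS site
    Redirect / https://mkaz.blog/
</VirtualHost>

<VirtualHost *:443>
    ServerName mkaz.blog
    DocumentRoot /home/mkaz/sites/mkaz.blog
    <Directory /home/mkaz/sites/mkaz.blog>
        # Indexes is left out so directories without an index file are not listed
        Options FollowSymLinks
        # AllowOverride All lets .htaccess files (used by WordPress for rewrites) take effect
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    # fullchain.pem holds the certificate plus intermediates; SSLCertificateChainFile
    # is obsolete since Apache 2.4.8 and is not needed
    SSLCertificateFile    /etc/letsencrypt/live/mkaz.blog/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mkaz.blog/privkey.pem
    # TLS protocol and cipher settings maintained by certbot
    IncludeOptional /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>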

Bad Practices for HTTPS for WordPress

  • Serving the site from both HTTPS and HTTP URLs; use HTTPS and redirect HTTP to it.
  • Using mixed content, i.e. CSS, JS, or images served over HTTP on an HTTPS page.
