
05 Apr SSL and WordPress: Implementation and Best Practices
Today, let’s talk about security. SSL is one way to add a security layer to a website, protecting the data flow from theft and malware. Using SSL is not necessary in every case, as it’s mostly used wherever sensitive data is involved.
WordPress, being an open-source platform, holds tons of vulnerabilities, which are regularly fixed by the core team and other third-party developers. This is the prime reason why using a genuine and top-class hosting provider is always recommended.
However, things can still go wrong, and one way of keeping that from happening is by using SSL, that is, implementing HTTPS throughout the website.
Let’s go through the details of SSL and WordPress and then learn how to make it happen.
What exactly is SSL?
SSL is the abbreviation for Secure Sockets Layer and it basically creates a secure tunnel for the data to transfer without getting leaked or hacked by any unknown or unwanted source.

Its responsibility is not limited to creating a secure tunnel; it also encrypts the data before transmission and decrypts it on receipt. A secured key is used for encryption and decryption.
In more technical terms, SSL is a name given to the secured HTTP protocol, which is also termed HTTPS. The ‘s’ in the name stands for security.
HTTP is a protocol which acts like a tunnel for data transfer from one server to another. On its own, the HTTP channel is not secured, as everyone on the server can access the available data. It’s not that the data is available to everyone, but it’s not protected from theft or any malicious attempt.
Since there is no protection involved, anyone with the right knowledge can hack the data and use it for any purpose. So, to keep a protection layer on sensitive data, HTTPS is used.
In all known browsers, whenever a secured tunnel is used, the web address (URL) in the address bar starts with a green lock icon and green colored ‘https’ protocol. It helps in quickly identifying if the channel is protected or not.
Where to use SSL?
Once you’ve bought an SSL certificate (more on this later), you can either use it for the whole website or for specific sections or URLs. For niches like e-commerce, banking, etc., it’s mandatory to use SSL everywhere, but the same isn’t as necessary for a normal website.
Recently, a lot of bloggers and internet marketers started using SSL on their blogs and micro-niche sites. This was due to the fact that Google started using security as a ranking signal among its SEO algorithms. So far, I’ve seen very few sites getting a noticeable SEO benefit after implementing SSL. Thus, it’s not that necessary to jump onboard.
The theory which makes sense (to me) is that the login area, where sensitive data like user profile and password are involved, should be protected with HTTPS, while keeping the rest of the pages on the normal protocol.
In the case of a WordPress installation, the complete Dashboard area, beginning from the login page, should be kept under SSL protection, while keeping every other part without any protection. If a person is interested in hacking the site, he/she needs to get into the Dashboard area or try it at the server level, which is usually protected (if not, you shouldn’t be working with them).
Now you know where exactly to use SSL on a WordPress installation. Let’s move on to our next section on how to set up SSL on a WordPress site.
How to Set Up SSL on a WordPress Site
There are two ways to implement SSL on a WordPress site. The first one is, of course, the manual implementation, and as we’re talking about WordPress, the other method is the plugin implementation.
We will look into both methods so that you can pick your favorite one.
#1 Manual setup (New Installation)
This method should be used for a new website setup, and when applying SSL throughout the site.
Step 1 – Ask the hosting provider to install the SSL certificate on the server.
Step 2 – Once step 1 is done, log in to the Dashboard and go to the General configuration page under Settings.
Now WordPress will take care of the redirection on its own, and once this configuration is made, users will always have access to the https version of the website. In other words, there will be no HTTP version in existence.
#2 Manual setup, Case 1
This method should be used for an existing setup, because even if you force users to use the https version, the HTTP version will still exist. So, a proper redirection should be active in the background to take care of such requests.
Step 1 – Ask the hosting provider to install the SSL certificate on your website’s installation.
Step 2 – Once the SSL is active, add the following code in .htaccess file (while replacing ‘yoursite’ part):
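<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests that arrive on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Send them to the same path on HTTPS; R=301 makes the redirect permanent
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]
</IfModule>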
Step 3 – Save the file, then edit the ‘wp-config.php’ file and paste the following code before the end of the existing code.
// Force the login page and Dashboard onto HTTPS
define('FORCE_SSL_ADMIN', true);
Step 4 – Save the file. Now, both the website and the Dashboard areas will be working in SSL mode.
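A pre-deployment check for the two edits in this method, as an added example that is not part of the original post: it reads the text of .htaccess and wp-config.php and reports a missing or temporary redirect, an unreplaced ‘yoursite’ placeholder, and typographic quotes around FORCE_SSL_ADMIN (which appear when the line is copied from a formatted web page). The function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not from a real site). 'yoursite' is the page's
# placeholder; the curly quotes mimic a copy-paste from a formatted web page.
HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]
</IfModule>
"""
WP_CONFIG = ("<?php\n"
             "define(\u2018FORCE_SSL_ADMIN\u2019, true);\n"
             "require_once ABSPATH . 'wp-settings.php';\n")

def audit_htaccess(text):
    """Return a list of problems with the HTTP-to-HTTPS redirect block."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    problems = []
    if not any(re.fullmatch(r"RewriteEngine\s+On", l, re.I) for l in lines):
        problems.append("RewriteEngine is not switched on")
    rules = [l for l in lines
             if re.match(r"RewriteRule\s", l, re.I) and "https://" in l]
    if not rules:
        problems.append("no RewriteRule redirects to https://")
    for rule in rules:
        m = re.search(r"\[([^\]]*)\]\s*$", rule)  # trailing [flags] group
        flags = [f.strip().lower() for f in m.group(1).split(",")] if m else []
        if not any(f in ("r=301", "r=308", "r=permanent") for f in flags):
            problems.append("redirect is not permanent (a bare R flag sends 302)")
        if "yoursite" in rule:
            problems.append("placeholder host 'yoursite' was not replaced")
    return problems

def audit_wp_config(text):
    """Return a list of problems with the FORCE_SSL_ADMIN definition."""
    problems = []
    if re.search(r"define\(\s*[\u2018\u2019\u201c\u201d]", text):
        problems.append("typographic quotes in define(); PHP needs ' or \"")
    m = re.search(r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)", text, re.I)
    if not m:
        problems.append("FORCE_SSL_ADMIN is not set to true")
    else:
        loader = text.find("wp-settings.php")
        if loader != -1 and m.start() > loader:
            problems.append("FORCE_SSL_ADMIN is defined after wp-settings.php loads")
    return problems

if __name__ == "__main__":
    print("htaccess:", audit_htaccess(HTACCESS) or "ok")
    print("wp-config:", audit_wp_config(WP_CONFIG) or "ok")
```

Run it against copies of the real files before uploading them; an empty list from both functions means the checks passed.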
#3 Manual Setup, Case 2
This is the third method, again a manual setup but with a different case, i.e., if you wish to implement SSL on specific URLs, not on the complete website.
Step 1 – The SSL certificate should be installed by the hosting provider on your website’s installation.
Step 2 – After that, log in to the Dashboard area and install the plugin named WordPress HTTPS (SSL).
Best SSL Plugins to Setup HTTPS on WordPress
The plugin I just mentioned is not the only one out there, as we also have a few other names to consider, although they don’t offer the same functionality.
#1 Really Simple SSL
#2 SSL Insecure Content Fixer
#3 Easy HTTPS Redirection
#4 WP Force SSL
Implementation and Best Practices
#1 SSL adds a security level which will definitely improve the user experience, and since it’s being counted as a ranking signal, it can help your website rank better than it usually would. However, the benefits might not apply in every case.
#2 Technically, HTTPS is slower than HTTP, as encryption and decryption processes are involved. With the advancement of technology, the gap is narrowing, but HTTP will still be the winner. Considering the fact that Google uses the speed of a website as a major ranking signal, you need to reconsider your move here.
#3 If you’re a developer and like learning technical things, then you should learn how to manually install an SSL certificate on the server. Otherwise, look for a hosting provider which takes care of this requirement on its own. Many providers like SiteGround offer free SSL certificates which are one-click away from installing.
#4 While setting up a new website, HTTPS can be implemented on the whole website, but in the case of an existing one, you need to think twice about which URLs or sections to cover, if you are not planning to cover the whole website. The implementation should be done correctly, otherwise visitors will start getting silly security-related issues while visiting the website.
Conclusion
This was all about SSL and WordPress, how they are related and the best practices to follow. Let me know in the discussion section if you have any doubts, and I’ll come up with a working solution.
*last updated 11/24/2020