How to secure your WordPress website with SSL at Host Pond Web Hosting

As of January 2017, nearly all Host Pond customers have SSL certificates available and ready for use on their websites. You can test this by entering httpS:// followed by your website address in your browser’s address bar. If the certificate is properly available, the site should load without a certificate error. In most cases, though, a WordPress website will redirect back to the insecure http:// connection, because that’s how WordPress behaves out of the box.

Before continuing, I highly recommend that you follow these instructions to back up your WordPress website. In some situations, some of these steps can cause your website to break, so having a current backup is absolutely critical. If your website breaks at any time during these steps, please follow the restore instructions to restore your website from the backup you just created.

If you have a WordPress website and you want to secure it with SSL (encryption), the first step is to log in to your WordPress control panel. Typically, the login address is your website’s URL with “/wp-admin” appended at the end, without the quotes. So, if your website was http://pdxwebsite.com, then the WordPress login for that website would be http://pdxwebsite.com/wp-admin. Please note that in many cases, Host Pond customers have a plugin that changes the “/wp-admin” to some other hidden address. This is to keep hackers from trying to break in. If you have any trouble at all getting logged in or locating the login address, please email us at details@hostpond.com for assistance.

Once logged in, go to the “Settings -> General” area of the control panel.

[Screenshot: WordPress Settings General SSL]

Ensure that both the WordPress Address (URL) and the Site Address (URL) begin with https, as shown in the following screenshot.

[Screenshot: https for site address]

Then click the Save Changes button.

This simple change will essentially force redirection to the secure/encrypted connection for your website. In a perfect world, this would be all you would need to do, and for some of you it will work like a charm with nothing more needed. You can test this by going to your website with Google Chrome and checking for the green “Secure” to the left of the address bar, which indicates that everything is working.

However, it is important to note that WordPress is extremely resource-intensive to load. If visitors initially come to your site without the httpS in the address bar, they have to load WordPress twice, so they probably wait a really long time for the first page to load. Because of this, even if the above gets things working properly for you, I highly recommend modifying your .htaccess file to force a secure redirection, which will make for a more pleasant and speedy response time for visitors coming to your website.

In some cases, you may see something like the following in your address bar after forcing redirection.

[Screenshot: SSL not secure]

Unfortunately, there are many reasons why this could happen. When you encounter this error, there are typically options for getting further details about why it is occurring. At this point, if you’re not adept at sifting through and understanding the error message, you may need to reach out for assistance to make the secure connection work properly.

The most common reason for seeing this kind of message is mixed content, meaning that some of the images or other resources on the page are being loaded insecurely. This typically happens when you’ve got hardcoded “http://” references somewhere in your WordPress website. One way to verify this is to view the page source of the broken page and search for these http:// references to see if they exist. If they do, you may be able to correct them manually by modifying your WordPress template, or by modifying the links within your pages.

There is one option available for quickly replacing these insecure links across your entire website, but the method for doing so is rather technical. It involves uploading a search and replace script to the server, and running it to replace all http://yoursite.com references in your website database with https://yoursite.com. The instructions for successfully doing this are beyond the scope of this document. However, for your reference, here is the script that we use at Host Pond to perform the search and replace on WordPress websites. WARNING: USE THIS SCRIPT AT YOUR OWN RISK IF YOU CHOOSE TO.

https://interconnectit.com/products/search-and-replace-for-wordpress-databases/