Overview
This article walks you through all the steps necessary to add an SSL certificate to a WordPress website.
Background
Adding an SSL certificate to your WordPress site is an excellent first step toward securing your data. However, there are a few other steps you must take to fully ensure all links within your site point to the secure (HTTPS version) of your domain name.
DreamPress sites
Please note that these instructions do not apply to DreamPress sites. If your WordPress site is hosted on DreamPress, follow these instructions instead.
Adding an SSL certificate to a WordPress site
These instructions walk you through adding an SSL certificate, updating all URLs in your database, and ensuring all links automatically redirect to the secure URL.
Add an SSL certificate
Follow the instructions in the Adding an SSL certificate overview article to add the certificate to your domain.
Make sure your SSL certificate is active before continuing by visiting the https://example.com version of the URL.
Update database URLs
Old sites
This step is only necessary if your site was previously built without using an SSL certificate. If so, there are old HTTP URLs that need to be updated to HTTPS.
New sites
If this is a brand-new site without any data, you can skip this step. All new pages/posts you create will use the new HTTPS URL automatically.
Your WordPress database has several hard-coded URLs that point to the http version of your domain. Before continuing, you must update all of these URLs to the HTTPS version so your site uses the new certificate. See this article for two options to update all database URLs.
Verify the Home and Site URL are updated
Log in to WordPress using the new secure HTTPS URL.
- https://example.com/wp-login.php
Navigate to the Settings -> General page, and you should see your Home and Site URL now using https.
Clearing your plugin's cache
At this point, you should also delete your cache if using WP Super Cache.
Test your site again, and all URLs will now use the new secure URL.
Update your wp-config.php file
This step forces all pages in the WordPress dashboard to use the secure URL.
- Log into your webserver via SSH or SFTP.
- Find the file named wp-config.php in your WordPress site directory, and then open it in a text editor.
- Add the following two lines above the line that says /* That's all, stop editing! Happy blogging. */:
define('FORCE_SSL', true); define('FORCE_SSL_ADMIN',true);
Force the URL to redirect to HTTPS (custom configurations only)
After you have added an SSL certificate to your domain, DreamHost automatically redirects the URL visitors use to view your site from HTTP to HTTPS. The S ensures that your connection is encrypted. For example:
- https://example.com
There's nothing on your end you must do in order to force your site to use the secure URL. However, in some special cases, you may need to create your own custom configuration file to force the redirect from HTTP to HTTPS.
Adding custom code is only necessary if your website requires specific code to force the redirect. If so, you will need to first disable the automatic redirect in your panel.
Once disabled, you can then proceed with adding your custom redirect file.
Most WordPress sites do NOT require you to add code to the .htaccess file to redirect it. However, if your specific WordPress site requires custom code for some reason, you could force your site to redirect from HTTP to HTTPS using the following article code.
Prevent mixed-content warnings using an .htaccess file
It's recommended that you add a line of code to your .htaccess file to avoid any possible mixed-content warnings. See this article for further details.
Configure Cloudflare with your SSL certificate
This step is only necessary if you have also added Cloudflare to your domain. If so, see this article for information on how to configure it properly.