Running your website over SSL/HTTPS is a must for any website nowadays. The old adage that SSL is only required for sites that work with sensitive data (e.g. transactions, login forms) has changed since Google announced that HTTPS will be a ranking factor for any website. Since 2010, all modern desktop processors have had hardware support for the encryption algorithms used by SSL/HTTPS, so there is no performance impact.
Here are the steps you need to follow to get your WordPress website working over HTTPS:
Install an SSL Certificate
To use HTTPS, you should start by installing an SSL certificate on your website. You can do this with a commercial SSL certificate from us via our website or the "Order" -> "Order SSL Certificate" section of the Account Panel. You can also purchase your commercial SSL certificate from a third party, but you will need to install it on your own. We have a very good tutorial on how to install a third party SSL certificate in our online documentation. Of course, you can install a free Let's Encrypt certificate directly from your hosting Control Panel -> "SSL/HTTPS" section -> "Let's Encrypt certificates" subsection. You can learn more about these certificates in the "What is an SSL Certificate, and Do You Need It?" blog article.
Update the WordPress Site Address (URL)
After you install the SSL certificate on your website, you need to update the Site Address (URL) of your WordPress in its database. We have already explained this process in another post (Moving WordPress - A Comprehensive Guide), so we recommend the same options:
Control Panel -> WordPress Manager
This method is super easy to use and is quite safe. It uses the WP-CLI "search-replace" command, so it will replace all entries of the old domain (Site Address/URL) with the new one in your WordPress database. You will also be able to take advantage of the additional tools and features available in the WordPress Manager for your WordPress.
To enable HTTPS for your WordPress installation, you have to import it to the WordPress Manager. After the import is complete, click on the pencil (edit) icon next to your WordPress installation, and select "Use HTTPS" check box from the "Site URL" subsection. You can find more detailed instructions on how to enable HTTPS for your Site Address/URL in the "Forcing HTTPS for WordPress" article from our online documentation.
We do not recommend this method for people with little experience as WP-CLI works over SSH, and you can quickly break your WordPress with it.
WP-CLI is the command line interface for WordPress, and it is supported on all ICDSoft hosting accounts. You can use it to complete both simple and complex tasks. You can find step-by-step instructions on the most widely used WP-CLI commands by our customers in the "WP-CLI Tutorial" from our online documentation.
To use WP-CLI, you need to make sure that SSH is enabled for your account in the hosting Control Panel -> "SSH Access" section. You can find out how to enable SSH access for your account in the "SSH Access" article from our online documentation. After that, you should connect to your hosting account through SSH; you can find a step-by-step guide in the "SSH" category from our online documentation. Once you connect, you should navigate to your new WordPress directory. If your WordPress is installed on your main domain, go to the www/www directory of your account:
Replace domain.com with the Site Address (URL) of your WordPress website in the command listed below, and execute it:
wp search-replace 'http://domain.com' 'https://domain.com' --skip-columns=guid
This will replace all the HTTP entries of your website with HTTPS in your WordPress database.
Mixed (Insecure) Content Browser Warning
WordPress should store its Site Address (URL) only in its database; however, it may be hard-coded in the files of your WordPress installation. In such cases, opening your website will most likely result in mixed (insecure) browser warnings. This is usually caused by a caching plugin and/or a theme's cache. So, you need to make sure that you purge your WordPress cache.
If you still see mixed (insecure) content browser warnings, missing images, CSS files, or any other discrepancies, you should consider using the "Force HTTPS" section of the hosting Control Panel. It will redirect all HTTP requests to your website to work over HTTPS. You can find more information about how this section works in the "Force HTTPS" article from our online documentation. If the problem is not resolved with the hosting Control Panel's "Force HTTPS" section, you should check the console of your browser for specific errors. The browser console can help you find resources that link to the old domain. You can open the browser console on most browsers with the F12 function key of your keyboard. Of course, we can assist you with this and similar issues if you contact us through a support ticket.