Grabbing a SSL/TLS certificate isn’t the only step to get your WordPress site to work correctly over HTTPS. Today we’ll cover all three steps required to resolve mixed content warnings on your WordPress site and display the green lock icon for visitors.
1. Install your SSL/TLS certificate
Before you begin any of the other steps, you need to make sure you have a valid certificate installed on your host. Without this, you and your visitors will get a red lock icon and perhaps a few frightening security warnings.
FissionBlue hosting integrates with Let’s Encrypt SSL, a free certificate authority backed by Google, Mozilla, Cisco Systems, and several other major players. Installation is rather simple and can be completed in a matter of clicks. Your DNS records must be pointing to your host before Let’s Encrypt will allow you to proceed (Your website you wish to install an SSL certificate on must already be live).
Each host is different, and you should contact your support to find out their process. If you are a FissionBlue customer and have questions or trouble, you may contact support for help.
2. Login to WordPress and Navigate to Dashboard > Settings
Now that you’ve already installed your SSL certificate, you must “tell” WordPress to use it. You begin this process by adding the S in the website URL (http:// to https://). Click “Save” after making your changes.
WordPress will log you out, where you then login again with your admin account. Now onto the next step.
3. Install Better Search Replace Plugin & Run It
This step is important to fix mixed content warnings for attachments, images, and theme files that are still using the non-secure URL.
From your WordPress Dashboard, select “Add New Plugin” and type “Better Search Replace” into the search box. Click “Install” on the exact result, and then “Activate.” Next, navigate to the WordPress Admin Dashboard > Tools, and select “Better Search Replace.”
We want to find and secure any remnants of the non-secure URL lurking behind in your WordPress site. The first field is for the old, non-secure URL. The second field will contain the new, secure URL. The changes are highlighted with the red and green boxes. Note: Take extreme care not to mistype any characters, or you can completely break your site.
Next, select ALL the tables, one by one if need be (CTRL + left-click). The orange checkbox is only recommended for staging sites. The green checkbox must be left unchecked to proceed. Otherwise it only performs a “dry” test with zero changes. Click RUN and let it do its thing.
That’s it, you’ve successfully completed your database search & replace! You have now secured your WordPress site over SSL/TLS. Your visitors will see the green lock in the upper left corner of their browser. Take a look for yourself! If you don’t see the lock, try clearing your browser cache and cookies, then try again.
Note 1: This only secures your own WordPress site and everything inside of it. If you are loading external pictures or content, i.e. using hotlinks or an iframe, those resources must be secured on their own hosts as well.
Note 2: It’s a smart idea to update your Google Analytics and Google Webmaster Tools properties to the new secure URL (https://). Make sure you also redirect the old non-secure URL to your secure URL as a 301/permanent redirect. This is so visitors and bots who type in your old non-secure address arrive seamlessly on your (now secure) site.
Note 3: SEO “Link juice” may take several weeks to restore itself, though it is worth it in the long term.