Grabbing a SSL/TLS certificate isn’t the only step to get your WordPress site to work correctly over HTTPS. Today we’ll cover all three steps required to resolve mixed content warnings on your WordPress site and display the green lock icon for visitors.
1. Install your SSL/TLS certificate
Before you begin any of the other steps, you need to make sure you have a valid certificate installed on your host. Without this, you and your visitors will get a red lock icon and perhaps a few frightening security warnings.
FissionBlue hosting integrates with Let’s Encrypt SSL, a free certificate authority backed by Google, Mozilla, Cisco Systems, and several other major players. Installation is rather simple and can be completed in a matter of clicks. Your DNS records must be pointing to your host before Let’s Encrypt will allow you to proceed (Your website you wish to install an SSL certificate on must already be live).
Each host is different, and you should contact your support to find out their process. If you’re a FissionBlue customer and have any questions or trouble, you may email our support for help.
2. Login to WordPress and Navigate to Dashboard > Settings
Now that you’ve already installed your SSL certificate, you must “tell” WordPress to use it. You begin this process by adding the S in the website URLS (http:// to https://). Click “Save” after making your changes.
WordPress will log you out, where you then may log back in using the same username and password. Now onto the next step.
3. Install the Better Search Replace Plugin & Run It
This step is important to fix mixed content warnings for attachments, images, and theme files that are still using the non-secure URL.
From your WordPress Dashboard, select “Add New Plugin” and type “Better Search Replace” into the search box. Click “Install” on the exact result, and then “Activate.” After installing and activating your new plugin, navigate to WordPress Dashboard > Tools, and select “Better Search Replace.”
We want to find and secure any remnants of the non-secure URL lurking behind in your WordPress site. The first field is for the old, non-secure URL. The second field will contain the new, secure URL. The changes are highlighted with the red and green boxes. Note: Take extreme care not to mistype any characters, or you can completely break your site.
Next, select ALL the tables, one by one if need be. The orange checkbox is optional, and is recommended only for staging sites. The red checkbox must be left unchecked to finish this step. Keeping it checked only performs a “dry” test with zero changes.
That’s it, you’re done! you have now secured your WordPress site to be served over SSL/TLS. you will see the green lock in the upper left corner of your website. If you do not, you must clear your browser cache and cookies, and try again.
Note 1: This only secures your own WordPress site and everything inside of it. If you are loading external pictures or content, i.e. using hotlinks or an iframe, they must be secured on their own hosts as well.
Note 2: It’s a smart idea to update your Google Analytics and Google Webmaster Tools properties to the new secure URL (https://). Make sure you also redirect the old non-secure URL to your secure URL as a 301/permanent redirect. This is so visitors and bots who use your non-secure site name seamlessly land on your (now secure) site.
Note 3: “Link juice” may take several weeks to restore itself, though it is worth it in the long term.