Grabbing an SSL/TLS certificate isn’t the only step to get your WordPress site to work correctly over HTTPS. Today we’ll cover all three steps required to resolve mixed content warnings on your WordPress site and display the green lock icon for visitors.
1. Install your SSL/TLS certificate
Before you begin any of the other steps, you need to make sure you have a valid certificate installed on your host. Without this, you and your visitors will get a red lock icon and perhaps a few frightening security warnings.
FissionBlue hosting integrates with Let’s Encrypt SSL, a free certificate authority backed by Google, Mozilla, Cisco Systems, and several other major players. Installation is rather simple and can be completed in a matter of clicks. Your DNS records must point to your host before Let’s Encrypt will allow you to proceed (the website you want to install the certificate on must already be live).
Each host is different, and you should contact your support to find out their process. If you are a FissionBlue customer and have questions or trouble, you may contact support for help.
2. Go to WP Admin Dashboard > Settings > General
Now that you’ve installed your SSL certificate, you must “tell” WordPress to use it. You begin this process by adding the “s” in the website URL (http:// to https://). Click “Save” after making your changes.
WordPress will log you out automatically. Simply log back in again with your admin account. Now onto the next step.
3. Install Better Search Replace Plugin & Run It
This step is important to fix mixed content warnings for attachments, images, and theme files that are still using the non-secure URL.
From your WordPress Dashboard, select “Add New Plugin” and type “Better Search Replace” into the search box. Click “Install” on the exact result, and then “Activate.” Next, navigate to the WP Admin Dashboard > Tools and select “Better Search Replace.”
We want to find and secure any remnants of the non-secure URL lurking behind in your WordPress site. The first field is for the old, non-secure URL. The second field will contain the new, secure URL. The changes are highlighted with the purple and green lines. Note: take extreme care not to mistype any characters, or you can completely break your site.
Next, select ALL the tables (Shift + left click on PC), or one by one if need be (CTRL + left click). Tick the green checkbox if your site is very new or a staging/testing site. The red checkbox must be unchecked to complete this step. Otherwise it only does a “dry” test with zero changes. Click RUN at the bottom and let it do its thing.
That’s it, you’ve successfully completed your database search & replace! You have now secured your WordPress site over SSL/TLS. Your visitors will see the green lock in the upper left corner of their browser. Take a look for yourself! If you don’t see the lock, try clearing your browser cache and cookies, then try again.
Note 1: This only secures your own WordPress site and everything inside of it. If you are loading external pictures or content, for example through hotlinks or an iframe, those resources must be secured on their own hosts as well.
Note 2: It’s a smart idea to update your Google Analytics and Google Webmaster Tools properties to the new secure URL (https://). Make sure you also redirect the old non-secure URL to your secure URL as a 301/permanent redirect. This is so visitors and bots who type in your old non-secure address arrive seamlessly on your (now secure) site.
Note 3: SEO “Link juice” may take several weeks to restore itself, though it is worth it in the long term. Google Chrome will also flag regular HTTP sites with a big “Not Secure” warning for your visitors.
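To confirm step 3 left nothing behind, the following added example (not part of the original article or of any plugin) scans a page's HTML for subresources still requested over http:// and labels each one as own-site or external, matching the distinction in Note 1. The host names and the sample page are constructed; the list of tags and rel values checked is an assumption covering the common cases.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
# <a href> is navigation, not a subresource, so it is deliberately absent.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "source": "src", "audio": "src",
              "video": "src", "embed": "src", "object": "data", "link": "href"}
# <link> only loads something for these rel values (rel="canonical" does not).
LINK_RELS_FETCHED = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, absolute URL, "own-site" or "external")

    def handle_starttag(self, tag, attrs):
        if tag not in FETCH_ATTR:
            return
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_RELS_FETCHED:
            return
        candidates = [attrs.get(FETCH_ATTR[tag])]
        # srcset holds comma-separated "URL descriptor" pairs; keep the URLs.
        candidates += [p.split()[0] for p in (attrs.get("srcset") or "").split(",") if p.strip()]
        for raw in filter(None, candidates):
            # Relative and protocol-relative URLs inherit the page's https scheme.
            parts = urlsplit(urljoin(self.page_url, raw.strip()))
            if parts.scheme == "http":
                where = "own-site" if parts.hostname == self.site_host else "external"
                self.findings.append((tag, parts.geturl(), where))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE_HTML = """<link rel="canonical" href="http://blog.example/post/">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<a href="http://blog.example/about/">About</a>
<img src="http://blog.example/wp-content/uploads/a.jpg" srcset="/wp-content/uploads/a-2x.jpg 2x">
<img src="//cdn.example/logo.png">
<iframe src="http://video.example/embed/1"></iframe>"""

if __name__ == "__main__":
    for tag, url, where in find_mixed_content("https://blog.example/post/", SAMPLE_HTML):
        print(f"{where:9} <{tag}> {url}")
```

Own-site findings point to URLs the search and replace missed or that a theme hard-codes; external findings have to be fixed at the source or replaced with an HTTPS-capable host.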