How to Add Free SSL in WordPress with Let’s Encrypt (Complete Guide)

After running websites for over 15 years, I can’t emphasize enough the importance of adding SSL certificates. An SSL certificate enables HTTPS and encrypts data between your WordPress site and visitors.

With free certificates available from Let’s Encrypt, there is no reason not to add SSL to your WordPress site. This complete guide will show you how.

Why You Absolutely Need SSL on Your WordPress Site

I have helped thousands of users secure their WordPress sites with free SSL certificates over the years.

Here are some compelling stats that highlight why SSL should be a priority:

  • Google favors HTTPS – Sites with SSL certificates get a ranking boost in Google and are more trusted. Google Chrome now labels HTTP sites as "not secure".

  • Visitors prefer HTTPS – A recent survey found that 81% of people avoid sites without SSL and almost 50% would abandon a purchase.

  • SSL increases conversions – Companies like Stripe have reported up to 35% higher conversion rates after moving to HTTPS.

  • SSL protects data – Your site likely collects personal user data like names, addresses, credit card numbers etc. SSL encrypts this to prevent hackers from stealing it.

  • PCI compliance requires SSL – If you collect credit card payments on your site, then PCI standards mandate using SSL certificates.

Let’s take a look at how you can easily add free SSL certificates from Let’s Encrypt to your WordPress site.

What is Let’s Encrypt and How it Makes SSL Certificates Free

Launched in 2014, Let’s Encrypt is a free, automated, and open certificate authority (CA) operated by the Internet Security Research Group (ISRG).

It provides free X.509 SSL certificates for enabling HTTPS on websites using the ACME protocol. The entire process is automated for maximum ease of use.

Here are some key points about how Let’s Encrypt works:

  • Free SSL Certificates – Anyone can obtain free basic SSL certificates valid for 90 days after a simple validation process.

  • Automated Issuance – The validation process is fully automated. You don’t need to provide any documents or go through manual verification.

  • Trusted Certificates – Let’s Encrypt certificates are trusted by all major browsers like Chrome, Firefox, Safari, etc.

  • Easy Renewal – The short validity encourages users to automate renewal. Certificates are issued almost instantly.

  • Simple Integration – Let’s Encrypt provides plugins and clients to easily integrate with various web servers like Apache, Nginx, etc.

  • Non-profit model – Let’s Encrypt is a service provided by the non-profit ISRG and funded by sponsors like Mozilla, Akamai, Cisco, Facebook, Google, and others.

How Does Let’s Encrypt Issue Free SSL Certificates?

When you request a certificate from Let’s Encrypt for your domain, here is what happens:

  1. The Let’s Encrypt client proves it has control over the domain. This is done by placing a specific token file on your web server, which Let’s Encrypt can access.

  2. Let’s Encrypt verifies the token and the domain ownership.

  3. The certificate is issued after validation and the token is deleted.

This allows domain owners to automate obtaining SSL certificates without any paperwork or complex verification steps. The short 90 day validity encourages updating encryption keys frequently.
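
To make the token check concrete, the following added example (not code from Let’s Encrypt or Certbot) simulates both sides of the ACME HTTP-01 challenge defined in RFC 8555: the client publishes a key authorization under /.well-known/acme-challenge/, and the CA compares what it fetches with the value it expects for the requesting account. The account keys, the token and the dictionary standing in for the web root are constructed sample values.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # fixed path from RFC 8555

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required key members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The token file's content: the token bound to the requesting account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def client_publish(webroot: dict, token: str, account_jwk: dict) -> None:
    """Client side: place the token file where the CA will fetch it."""
    webroot[CHALLENGE_PREFIX + token] = key_authorization(token, account_jwk)

def ca_validate(webroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the file over HTTP and compare with the expected value."""
    served = webroot.get(CHALLENGE_PREFIX + token)
    return served is not None and served.strip() == key_authorization(token, account_jwk)

# Constructed sample values (not real keys or tokens).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "someone-else-x", "y": "someone-else-y"}
TOKEN = "constructed-token-0001"

def demo() -> dict:
    webroot = {}  # assumption: a dict stands in for the site's document root
    client_publish(webroot, TOKEN, ACCOUNT_JWK)
    return {
        "path": CHALLENGE_PREFIX + TOKEN,
        "owner_valid": ca_validate(webroot, TOKEN, ACCOUNT_JWK),
        "other_account_valid": ca_validate(webroot, TOKEN, OTHER_JWK),
        "missing_file_valid": ca_validate({}, TOKEN, ACCOUNT_JWK),
    }

if __name__ == "__main__":
    print(demo())
```

Because the file content includes a thumbprint of the account key, a token file only validates for the account that requested the certificate, which is why the same file fails for the second key.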

Now let’s see how you can leverage Let’s Encrypt to add free SSL to your WordPress site.

Getting a Free SSL Certificate for Your WordPress Site

There are two ways you can use Let’s Encrypt to enable HTTPS and SSL on your WordPress site:

1. Using a Web Host With Let’s Encrypt Integration

The easiest method is to use a managed WordPress hosting provider that offers built-in integration with Let’s Encrypt.

Many hosts now provide simple options in the dashboard to activate free SSL certificates with just a few clicks:

[Image: SiteGround free SSL install]

Some popular WordPress hosts with Let’s Encrypt integration:

  • Bluehost – Recommended by WordPress themselves, Bluehost offers one-click free SSL installation.

  • SiteGround – SiteGround users can enable free SSL certificates directly from their account dashboard.

  • Cloudways – Managed cloud hosting platform Cloudways provides free SSL installation with one click.

  • DreamHost – DreamHost offers both shared and dedicated IP SSL options using Let’s Encrypt integration.

  • WP Engine – WP Engine makes it easy to add free SSL certificates to your sites with their automated Platform SSL tool.

The major benefit of using a web host to issue your SSL certificate is simplicity. The host takes care of obtaining, installing, and renewing the certificates automatically.

2. Manually Using the Let’s Encrypt Client

If your current web host doesn’t have integrated Let’s Encrypt support, you can still generate SSL certificates for free manually using the Certbot ACME client.

The steps are:

  1. Install the Certbot client on your server. Make sure to pick the right installation method for your environment.

  2. Run the certbot command with your domain name to generate the SSL certificate. Follow the prompts and agree to the terms of service.

  3. Certbot will modify your web server configuration to enable HTTPS automatically. However, you still need to update WordPress URLs.

  4. Change the WordPress Address and Site Address in Settings > General to use HTTPS. It is better to install the Really Simple SSL plugin to handle this.

  5. Scan your database and replace all HTTP references with HTTPS across your content. Look for plugins like Search Regex to do this globally.

Manually setting up SSL certificates requires some technical knowledge. But the benefit is it works on any host. I would still recommend going with a managed WordPress host whenever possible for the added convenience.

Next, let’s go over the steps to transition an existing HTTP website to work over HTTPS by adding an SSL certificate.

Moving an Existing WordPress Site to HTTPS

Once you have obtained the free SSL certificate for your domain, here is what you need to do to switch your WordPress site from HTTP to HTTPS:

1. Change WordPress Site URLs to HTTPS

Log in to your WordPress dashboard, and go to Settings > General. Update both the WordPress Address and Site Address to use https:// instead of http://.

This ensures WordPress generates secure URLs across your site. Don’t forget to click "Save Changes" to store the new settings.

2. Update Hardcoded HTTP References

If your WordPress site has been running for a while, there are likely many hardcoded HTTP links in your database. A few places to check and replace:

  • Site source code (themes/plugins)
  • WordPress post, page and image content
  • WordPress custom fields and meta values
  • Any custom application code/database queries

You can manually search and replace those HTTP references. But it’s easier to use a plugin like Better Search and Replace or Search & Replace to handle this site-wide.

3. Force HTTPS for External Links

Some plugins and themes generate external links without a protocol. While these adapt to HTTP vs HTTPS, it’s best to force them to use HTTPS for optimal security.

To do this globally, you can use a plugin like HTTP to HTTPS Redirect.

For site credit links, you may need to manually update them to specify https:// for hosts that don’t have universal support.

4. Fix Mixed Content Issues

After moving your WordPress site to HTTPS, browsers will show warnings if you have any resources loaded over insecure HTTP. This is known as mixed content.

The easiest way to fix mixed content is to use the SSL Insecure Content Fixer plugin. It will automatically replace HTTP links with HTTPS across your database and source code.

Alternatively, you can manually replace any HTTP references with HTTPS in your database content, CSS files, JS files, images, and other external assets.
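
An added example, not part of the original guide or of any plugin it names: a small scanner that finds the hardcoded http:// subresources described in steps 2 and 4 in a page's HTML, and separates active mixed content (scripts, stylesheets, iframes), which browsers block, from passive content such as images. The sample page and its URLs are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource, and how browsers treat them
# when the URL is plain HTTP on an HTTPS page.
KINDS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # simplification: canonical/alternate links are not fetched
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            kind = KINDS.get((tag, name))
            if kind:  # <a href> is navigation, not a subresource, so it is skipped
                self.findings.append((self.getpos()[0], kind, tag, url))

def find_mixed_content(html: str) -> list:
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://cdn.example.net/slider.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="HTTP://example.com/wp-content/uploads/logo.png">
<img src="//example.com/wp-content/uploads/ok.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Running it against the rendered HTML of a few representative pages after the database replace shows which references the replace missed, with the active findings being the ones that break page functionality.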

With these steps done, your existing WordPress site is fully migrated to support your SSL certificate and work exclusively over secure HTTPS connections.

SSL Certificate Renewals and Upgrades

Let’s Encrypt basic SSL certificates need to be renewed every 90 days. This encourages users to automate the process for enhanced security.

If you used a managed WordPress host, they will renew your certificates automatically. So you don’t need to worry about it.

For manual installations, you need to renew the certificates periodically:

sudo certbot renew

The certbot client will check for certificates about to expire and automatically renew them.

You can automate this by adding the command to a cron job. Some hosts may provide options to schedule automated SSL renewal.
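
A scheduled renewal can fail silently, so it is worth checking the certificate the server actually presents. The following monitoring check is an added example, not part of Certbot; the 30-day alert threshold is an assumption chosen so that a working renewal job never trips it, and hostnames are supplied by the operator.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: a working renewal job never lets it drop below this

def days_remaining(not_after: str, now: datetime) -> int:
    """not_after is the string ssl.getpeercert() returns, e.g. 'Jul 30 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(not_after: str, now: datetime) -> str:
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < RENEW_WINDOW_DAYS:
        return "renewal-overdue"
    return "ok"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from the certificate the server actually presents."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host: str, now=None) -> str:
    now = now or datetime.now(timezone.utc)
    try:
        return classify(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError:
        # An expired or mismatched certificate fails the handshake itself.
        return "expired-or-untrusted"
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # hostnames supplied by the operator
        print(name, check_host(name))
```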

For business sites that need extended validation (EV) or wildcard SSL support, you would need to purchase premium certificates. Some hosts make this easy by allowing you to upgrade with a few clicks.

Troubleshooting Common SSL Issues

When migrating a WordPress site to HTTPS, there are a few common issues that can come up:

  • Mixed content errors – Browsers block HTTP resources loading on HTTPS pages. Use a plugin to fix mixed content site-wide.

  • Site breakage – Outdated plugins/themes may not support HTTPS. Test rigorously and update any incompatible extensions.

  • HTTPS redirection errors – Use a plugin like Remove HTTP to force all requests over HTTPS.

  • SSL certificate issues – An outdated, expired, or invalid SSL certificate can cause browser warnings. Renew Let’s Encrypt certs promptly.

  • Performance hits – SSL has some overhead that can slow down sites. Optimize images, enable caching, and upgrade hosting if needed.

Following web best practices for HTTPS minimizes the chances of issues. Test your site thoroughly and fix any errors reported by browsers.

Wrapping Up

I hope this comprehensive guide was useful in showing you how to add free SSL certificates from Let’s Encrypt to your WordPress site.

Migrating to HTTPS protects your user data, satisfies PCI compliance requirements, and enables browser trust indicators like the padlock and green bar.

Leading WordPress hosts make it easy to install SSL certificates with just a few clicks. Even on regular shared hosting, you can manually use Let’s Encrypt to enable HTTPS for free.

Take the time to move your WP site to HTTPS. Your visitors will appreciate the security, trust, and SEO ranking improvements it provides. Feel free to post any questions below!

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast love to share some useful tech hacks.