October 10

7 Reasons Your Site Needs an SSL Certificate

SSL certificates are important, especially if you’re running your own website. It doesn’t matter whether you’ve got a small blog or a full e-commerce site: you need an SSL certificate. Here are some practical reasons why.

1. Protection Against Hackers

HTTP is the plain-text protocol that carries information between your device and the website you’re visiting. HTTPS is the secure version of this. It encrypts information between the two, so anything sent between the pair is scrambled, rendering it virtually unreadable to anyone who intercepts it.


This is essential if you’re inputting sensitive details like your password or credit card info. But equally, it protects you from man-in-the-middle (MITM) attacks: this is when a third party (i.e. a hacker) intercepts transmissions between two parties, such as your browser and the website.

You might not consider this a major issue. However, without encryption, a cybercriminal who intercepts the connection can display a fake webpage in place of the real one. Links on this false site could download something malicious, like malware, onto your computer.

Your readers will receive the messages you intend them to read if you install an SSL certificate.

2. You’re More Trustworthy to Users

It should go without saying that readers trust a secure site more than one which can be harmful to their device. Hopefully, you always check whether a site is safe by checking the URL, particularly ecommerce pages. Some users will even employ a virtual private network (VPN) to make sure a good level of security is maintained.


Some years ago, relatively few people knew about SSL certificates. Now, many more recognize the need for such security. We can probably thank Google for the increase in awareness.

With a certificate, you’re sending out a message to your readers and customers, proving to them that you take them seriously. You take their privacy seriously. And by doing so, you’re instilling confidence.

Without an SSL certificate, you’re waving a red flag to your readers, which may put them off future visits.

3. Chrome Displays Your Site Properly

While it’s not a fabric flag, it is a warning displayed by Google Chrome. Any readers trying to visit a site which doesn’t have an SSL certificate will instead see a page alerting them that the connection isn’t private.

Bear in mind that Google Chrome is the most popular mainstream browser. People like its interface and love that it’s largely very secure. For much of its life, Chrome has loaded encrypted pages with a padlock and green “Secure” message displayed.


In 2018, Google switches its stance on the issue. Instead of viewing HTTP as the standard model for sites, Chrome will expect HTTPS as default and only show non-secure sites reluctantly, i.e. after warning users it’s not safe.

We expect other browsers to follow suit.

4. Improved Search Engine Rankings

We’ve established that Chrome won’t like your site without SSL; Google, as the search engine, won’t either.


Many rely on search engine optimization (SEO) to achieve a higher ranking on Google. But search for anything, and the chances are the vast majority of results on the first page will have HTTPS addresses. Ask any SEO experts, and they’ll tell you that it’s vital for sites to be on the first two pages of results. Comparatively few look beyond that.

Anything (legal) you can do to stay ahead of the competition—particularly by prioritizing security—is crucial.

With an SSL Certificate, not only will readers trust you more, but search engines will too. This results in more readers, and the more popular your blog becomes, the higher it’ll rank on Google! It’s a win-win.

5. Improved Site Speed

Your site ranking is also partially determined by site speed. The faster your website, the more people will visit, and the higher you’ll appear in search results.

So it’s a good thing that shifting to HTTPS also improves the loading speed of pages—despite what you’ve heard. It’s a myth that adding an SSL certificate slows everything down. In fact, there’s a whole site dedicated to demonstrating how much faster HTTPS is, compared to HTTP.

Except that’s not the whole truth. The margin between HTTP and HTTPS is slight, but the latter is often, in reality, served over a relatively new protocol called HTTP/2. And HTTP/2 really is faster than HTTP and standard HTTPS.

You’ll benefit from increased performance, and so will your audience. Users are more likely to return if they know everything loads in quick time.

6. It Doesn’t Cost Much

Adding an SSL certificate is an intimidating task, which is why smaller websites frequently don’t do it. And why others are happy to charge huge fees for a typical technical request. You must tread carefully because there’s always someone looking to exploit others, particularly when it comes to technology.

Indeed, some web hosts make it sound overly complicated and penalize anyone who doesn’t employ the platform’s own SSL service.

But it doesn’t have to cost the earth. Prospective fees are greater the more certificates you need, yet it’s not imperative you hand over cash. Just look around for services that do this cheaply or free of charge. Compare what they offer and consider which is best for your position.

Take a look at Let’s Encrypt, for instance. Launched to the public in late 2015, the automated software is supported by big names, including Facebook, Shopify, and Mozilla. It’s probably the best-known free service of its kind, but it’s certainly not the only one.

7. Future Proofing

The security of the web is forever evolving. SSL certificates aren’t the ultimate defence against hackers, but they’re a good start. Because SSL has developed too.


Specifically, it’s being upgraded to Transport Layer Security (TLS). You’ve probably seen SSL and TLS used interchangeably, but there are differences. TLS is stronger due to more thorough verifications, newer algorithms, and better key generation. These authentications occur before any data is relayed, and they happen incredibly fast.

Here’s what you should take away from this: TLS is SSL’s successor, so it’s more secure. When many companies talk about having SSL certificates, they often mean that TLS is what is actually employed.


As long as it’s HTTPS, pages are encrypted between endpoints. Look for TLS, but also know that many services, like Let’s Encrypt and Symantec’s Encryption Everywhere, already implement it.

Keep Your Site Secure With an SSL Certificate

Big or small, e-commerce or blog, it doesn’t matter: every site needs solid security measures.

You really shouldn’t underestimate the reach of your site, nor your responsibilities as its owner. Similarly, you shouldn’t underestimate the power of HTTPS addresses, nor encryption as a whole. It’s a vital part of the internet. If you don’t have one already, it really is time you obtained an SSL certificate.

August 31

How to Properly Move WordPress from HTTP to HTTPS (Beginner’s Guide)

Setting up WordPress to Use SSL and HTTPS

After you have enabled an SSL certificate on your domain name, you will need to set up WordPress to use the SSL and HTTPS protocols on your website.

We will show you two methods to do that, and you can choose one that best fits your need.

Method 1: Setup SSL/HTTPS in WordPress Using a Plugin

This method is easier and is recommended for beginners.

First, you need to install and activate the Really Simple SSL plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Settings » SSL page. The plugin will automatically detect your SSL certificate, and it will set up your WordPress site to use HTTPS.

SSL enabled on a WordPress website

The plugin will take care of everything including the mixed content errors. Here’s what the plugin does behind the scenes:

  • Check SSL certificate
  • Set WordPress to use https in URLs
  • Set up redirects from HTTP to HTTPS
  • Look for URLs in your content still loading from insecure HTTP sources and attempt to fix them.

Note: The plugin attempts to fix mixed content errors by using an output buffering technique. It can have a negative performance impact because it’s replacing content on the site as the page is being loaded. This impact is only seen on first-page load, and it should be minimal if you are using a caching plugin.

While the plugin says you can keep SSL and safely deactivate the plugin, it’s not 100% true. You will have to leave the plugin active at all times because deactivating the plugin will bring back mixed content errors.

Method 2: Setup SSL/HTTPS in WordPress Manually

This method requires you to troubleshoot issues manually and edit WordPress files. However, this is a permanent and more performance-optimized solution. This is what we’re using on WPBeginner.

If you find this method difficult, then you can hire a WordPress developer or use the first method instead.

As part of this method, you may need to edit WordPress theme and code files. If you haven’t done this before, then see our guide on how to copy and paste code snippets in WordPress.

First, you need to visit Settings » General page. From here you need to update your WordPress and site URL address fields by replacing http with https.

Update WordPress URLs

Don’t forget to click on the ‘Save changes’ button to store your settings.

Once the settings are saved, WordPress will log you out, and you will be asked to re-login.

Next, you need to set up WordPress redirects from HTTP to HTTPS by adding the following code to your .htaccess file.

<IfModule mod_rewrite.c>
# Send every request that arrives over plain HTTP to the same host and path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If you are on nginx servers (most users are not), then you would need to add the following code to redirect from HTTP to HTTPS in your configuration file:

server {
    # Plain-HTTP listener: permanently redirect every request to HTTPS, keeping the path and query
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

Don’t forget to replace example.com with your own domain name.

By following these steps, you will avoid the WordPress HTTPS not working error because WordPress will now load your entire website using https.
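
One way to confirm that the redirect rules above behave as intended, written as an added example that is not part of the original guide: the check below verifies that an http:// request is answered with a 301 to an https:// URL on an expected host with the path and query string intact. The function names, the allowed host list and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit


def fetch_redirect(url, timeout=5):
    """Send one HEAD request over plain HTTP and do not follow redirects."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_redirect(requested_url, status, location, allowed_hosts):
    """Return a list of problems with the server's answer to an http:// request."""
    req = urlsplit(requested_url)
    problems = []
    if status != 301:
        problems.append(f"status {status} instead of 301")
    if not location:
        problems.append("no Location header")
        return problems
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append("redirect target is not https")
    if loc.hostname not in allowed_hosts:
        problems.append(f"unexpected host {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems


if __name__ == "__main__":
    # Constructed responses; on a live site pass fetch_redirect(url) results instead.
    hosts = {"example.com", "www.example.com"}
    samples = [
        ("http://www.example.com/blog/?p=1", 301, "https://example.com/blog/?p=1"),
        ("http://example.com/blog/?p=1", 302, "https://example.com/"),
        ("http://example.com/wp-login.php", 200, None),
    ]
    for url, status, location in samples:
        print(url, "->", audit_redirect(url, status, location, hosts) or "OK")
```

A 302 or a redirect that drops the path would still appear to work in a browser, which is why the status code and the preserved path are checked separately.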

If you want to force SSL and HTTPS on your WordPress admin area or login pages, then you need to configure SSL in the wp-config.php file.

Simply add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This line allows WordPress to force SSL / HTTPS in the WordPress admin area. It also works on WordPress multisite networks.

Once you do this, your website is fully set up to use SSL / HTTPS, but you will still encounter mixed content errors.

These errors are caused by sources (images, scripts, or stylesheets) that are still loading using the insecure HTTP protocol in the URLs. If that is the case, then you will not be able to see a secure padlock icon in your website’s address bar.

Not secure

Many modern browsers will automatically block unsafe scripts and resources. You may see a padlock icon but with a notification about it in your browser’s address bar.

Insecure content blocked

You can find out which content is served through insecure protocol by using the Inspect tool. The mixed content error will be displayed as a warning in the console with details for each mixed content item.

Mixed content errors displayed in browser console

You will notice that most URLs are images, iframes, and image galleries while some are scripts and stylesheets loaded by your WordPress plugins and themes.

Fixing Mixed Content in WordPress Database

The majority of the incorrect URLs will be images, files, embeds, and other data stored in your WordPress database. Let’s fix them first.

All you need to do is find all mentions of your old website URL in the database that start with http and replace them with your new website URL that starts with https.

You can easily do this by installing and activating the Better Search Replace plugin.

Upon activation, you need to visit Tools » Better Search Replace page. Under the ‘Search’ field, you need to add your website URL with http. After that, add your website URL with https under the ‘Replace’ field.

Search and replace

Below that, you will see all your WordPress database tables. You need to select all of them to run a thorough check.

Lastly, you need to uncheck the box next to ‘Run as dry run?’ option, and then click on ‘Run Search/Replace’ button.

The plugin will now search your WordPress database for URLs starting with http and will replace them with secure https URLs. It may take a while depending on your WordPress database size.

Fixing Mixed Content Errors in WordPress Theme

Another common culprit causing mixed content error is your WordPress theme. Any decent WordPress theme following WordPress coding standards will not cause this issue.

First, you will need to use your browser’s Inspect tool to find the resources and where they are loading from.

Using inspect tool to find mixed content error

After that, you will need to find them in your WordPress theme and replace them with https. This will be a little difficult for most beginners, as you will not be able to see which theme files contain these URLs.

Fixing Mixed Content Errors Caused by Plugins

Some mixed content resources will be loaded by WordPress plugins. Any WordPress plugin following WordPress coding standards will not cause mixed content errors.

We don’t recommend editing WordPress plugin files. Instead, you need to reach out to the plugin author and let them know. If they do not respond or are unable to fix it, then you need to find a suitable alternative.

Note: If for some reason, you’re still encountering mixed content error, then we recommend using the Really Simple SSL plugin temporarily, so your users are not impacted while you fix the issue on a staging website or hire a developer.

Submit Your HTTPS Site to Google Search Console

Search engines like Google consider https and http as two different websites. This means you will need to let Google know that your website has moved to avoid any SEO issues.

To do that, you just need to go to your Google Search Console account and click on ‘Add a Property’ button.

Add https site as a new property in Google Search Console

This will bring up a popup where you need to add your website’s new https address.

Add your https URL

After that, Google will ask you to verify ownership of your website. There are several ways to do that; select any method and you will get instructions to verify your site.

Verify your website

Once your site is verified, Google will start showing your search console reports here.

You also need to make sure that both the https and http versions are added in your Search Console.

Once you have both versions, you need to go to the http version in your Google Search Console and click on the Settings Menu. From there, you need to select “Change of Site Address” option.

Google Search Console Change of Site Address

Google will automatically select your new site in the field below, but if it doesn’t, then you need to select the https version of your website and then submit the change of address request.

This tells Google that you want the https version of your website to be treated as the primary version. Combined with the 301 redirects that you set up earlier, Google will transfer your search rankings to the https version of your website, and you will most likely see improvements in your search rankings.

We know that we did when we switched our websites from http to https.

We hope this article helped you add HTTPS and SSL in WordPress.