Nowadays every website should have an SSL certificate. Ideally, every website should be 100% HTTPS, with every page and every piece of content served over an encrypted connection and with a trusted SSL certificate. At Maxer Host, we help all our hosting clients to achieve this by offering SSL certificates for every website through AutoSSL.
In the past, only e-commerce websites enforced HTTPS to secure confidential data on checkout pages and logged-in areas. However, a lot has changed in the past few years. There has been an industry-wide change to encourage websites to run through the HTTPS protocol by default. This change has been supported by big firms like Google, Microsoft, Mozilla, etc.
With this in mind, Maxer Host launched our free AutoSSL service in February 2017. It's available on all our shared hosting, enterprise hosting and reseller hosting plans and usually on any server running the cPanel control panel. The AutoSSL feature is enabled by default so our hosting clients can use HTTPS on their websites.
Whether you use the 90-day AutoSSL provided with your web hosting or you use one of the commercial certificates we sell from Sectigo, GeoTrust or GlobalSign, you can easily update your WordPress website to run through HTTPS.
Step 1 - Update the Site URL values under General > Settings in your WordPress admin dashboard.
Make sure these two URL values begin with https and not http!
Step 2 - Use an .htaccess file to force redirect all HTTP requests to HTTPS.
Simply add the following lines to the top of the domain's .htaccess
file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
This code is pretty simple. If the mod_rewrite module is installed on the server (it is on all our servers), it checks if the request has been made through the HTTPS protocol and redirects all non-HTTPS requests to HTTPS.
The .htaccess
file should be located in the main directory. The main directory is normally called public_html
, unless you are working with a sub-domain or addon domain, which may have its own directory.
If you do not have an existing .htaccess
file, you can simply create one, although all WordPress sites should normally have an .htaccess
file with some WordPress-generic rules. If you use the cPanel File Manager, make sure to enable "Show Hidden Files (dotfiles)" under "Settings" in the top-right corner.
Step 4 - Force WordPress admin pages to use SSL.
Open the wp-config.php
file and add the following line of code:
define('FORCE_SSL_ADMIN', true);
The wp-config.php
file is found in your main website directory (e.g. public_html
), where the .htaccess
file is also located.
Step 5 - Check your website for any non-HTTPS content
Your website should now be running 100% through HTTPS, but if any parts of your website (the theme or plugins) link to non-HTTPS elements (images, stylesheets or other content), it will cause a warning on most web browsers. We recommend typing your website address into the site scanner at Why No Padlock?
If the site scanner finds any "mixed content" on your website, you have two options. You can manually go through the images/content and update the relevant code to use HTTPS instead of HTTP, or you can use a WordPress plugin to force the content to be delivered over HTTPS. For example, a plugin such as Really Simple SSL.
If the site scanner continues to give warnings, we recommend discussing the issue with your website developer.
Extra Step 6 - Problems with SSL coverage?
To check the SSL coverage for your domains, login to your cPanel control panel and navigate to the "SSL/TLS Status" page. This will list all your domain names, including addon domains and sub-domains, and they should all have protection. You can click "Run AutoSSL" and the system will re-check SSL coverage (this takes about 10 minutes to run).
You can also do a thorough check of an SSL certificate using this online tool: SSL Server Test (Powered by Qualys SSL Labs)
Our commercial SSL certificates are issued by Sectigo, GeoTrust or GlobalSign, and the free AutoSSL certificates are issued by cPanel Inc. in collaboration with Sectigo.
If the SSL certificate has been issued by "Cloudflare Inc.", you'll need to activate SSL via your CloudFlare dashboard. We have a guide for this here: Enabling HTTPS on your website via CloudFlare
DISCLAIMER: The scripts provided in our knowledgebase are for informational purposes only. We do not provide any warranty or support. It is essential to review and modify the scripts to fit your site's specific needs. There may be unforeseen outcomes when adding new script code to an existing website. You should discuss it with your website manager and seek advice from an experienced website developer if you are unsure.
Updated by SP on 22/12/2022