You are reading this page because you have seen on your website that some of your pages within WordPress are showing as not secure.
There is a multitude of reasons for this and we will initially walk you through a checklist with the basics and lead onto more advanced techniques. However, it's found that in 99% of cases it's some misconfiguration in the WordPress software which needs addressing and not a server issue.
This KB covers the following actions to resolve SSL issues.
1. Check WordPress Settings
2. Check if SSL is installed correctly on cPanel
3. Check for Insecure Items
4. Implement Forced SSL in .htaccess file
5. Perform WordPress Search and Replace
This KB assumes you have the knowledge and expertise to edit your WordPress settings and .htaccess files, and to carry out other technical actions.
1. Check WordPress Settings
Check your settings in WordPress under Settings > General and make sure that your WordPress Address (URL) and Site Address (URL) are both set to HTTPS.
2. Check if SSL is installed correctly on cPanel
It could be that you don't have an SSL cert installed on your cPanel hosting account.
1. Log in to cPanel.
2. In the search bar type SSL.
3. Select the SSL/TLS Status icon from the options.
4. Type www into the search field to reveal the status of the SSL.
3. Check for Insecure Items
Your content or your theme might be trying to load a file from an address that is not HTTPS, which makes the browser mark the page as not secure. This issue is more common than you think and easy to catch.
1. Go to www.whynopadlock.com
2. Enter the URL of the page which is having the SSL issue.
3. Then it will show you the issues with the page.
For example, in the test below it says SSL is not being forced. This means you need to look at the forced SSL code which you need to put in your .htaccess file.
In other tests, it might show an image or a file linking to a non-SSL link.
4. Implement Forced SSL in .htaccess file
This is an intermediate-level fix, as you need to edit your .htaccess file in order to force SSL. If people, links or bots request a non-SSL page, this script performs an SEO-friendly redirect to the secure page, hence "Forcing SSL".
1. Log in to cPanel.
2. In the search bar type File Manager.
3. Click the icon to enter the File Manager.
4. In most cases you will be dropped into the "root" of your account so check if there is a public_html folder.
5. Once inside the public_html folder look for a file that is called .htaccess and right-click to edit it.
NOTE: If you do NOT see the .htaccess file, the File Manager is possibly configured to hide dotfiles (.htaccess is a dotfile). To resolve this, click the Settings button in the top right and check the box marked Show Hidden Files (dotfiles).
6. With the .htaccess file open you can now copy the code below into the top of the .htaccess file.
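######################################
# force ssl and www
# https://www.jucra.com/whmcs/knowledgebase/49/
######################################
RewriteEngine On
# Redirect any request that arrived on port 80 (plain HTTP) to HTTPS
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect hosts that do not start with www. to the www host.
# The WordPress Address (URL) in Settings > General must use the same
# www host, otherwise WordPress redirects back and the two rules loop.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NC]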
5. Perform WordPress Search and Replace
In some cases, there might still be URLs within your WordPress content that are pulling in insecure URLs. The way to resolve this permanently is to perform a search and replace on your WordPress database.
1. Log in to WordPress.
2. Go to Plugins > Add New.
3. In the search bar, enter Better Search Replace.
4. Once found, install the plugin.
5. Once installed, go to Tools > Better Search Replace.
6. In the Search for field type http://
7. In the Replace with field type https://
8. Select ALL the tables in the Select tables section.
9. Then click the Run Search/Replace button.
NOTE: It's recommended that you run it as a "dry run" the first time to make sure you did not make any mistakes. Then when you are happy to commit the changes to the database, run it again with Run as Dry Run? unticked.