How to enable HTTPS across your WordPress site

Be sure to begin by enabling HTTPS on your domain. If, after completing those steps, you are not seeing the green lock / green bar when visiting your WordPress site, then there may be additional resources on the page that are still explicitly linked with an http:// URL.

With a purely HTML-based website, you’d need to check every single file and adjust each resource to ensure it’s being loaded via HTTPS (e.g. https://websavers.ca/image.png), a relative URL (e.g. /image.png), or a protocol-agnostic URL (e.g. //websavers.ca/image.png). With WordPress there are many files that your theme loads for you, such as jQuery dependencies or stylesheets. When you changed the Site Address in step 2 above, it should have changed the URL to https throughout your site. However, some themes and plugins ignore that setting and instead have hard-coded URLs (when they definitely should not).

Below are two methods of enabling secure resource URLs. If there are too many resources across too many pages, the automatic method is best. If it’s just a header and footer image (or something similar) then we recommend the manual option.

Secure Resources (automatic)

The simplest way to load them securely, without having to make changes to the core theme files, is to use a plugin that detects http:// URLs and changes them to https:// dynamically while the page is generated. Here are a couple of plugins that do this:

  1. SSL Insecure Content Fixer
  2. Really Simple SSL

Install and activate the plugin. Head to its settings and progressively increase the ‘level’ setting until you’ve got one that works. Each level uses more intensive methods of ensuring SSL is enabled. Note that using the lowest level that gets you a green lock in the address bar is best for performance: don’t simply max out the setting on all sites, as that means slower page generation times when a lower setting might have given the same result.

You’ll know it’s working fully when you see the lock icon in your address bar. Don’t forget to disable caching while testing this, or at least clear your cache after each change, then refresh your website in the browser.

Secure Resources (manual)

Look through your theme settings for any images being loaded (like your logo, or background images) and manually adjust their URLs by swapping http for https. Doing it manually like this will mean better performance for your website compared to the automatic method, though the difference may be somewhat negligible. However, it’s understandable that in many cases this process can take too long, and in other cases the theme files themselves are hard-coded to not use https and cannot be easily fixed. In these cases, use the automatic fix instead.

Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.
