Follow the steps to install SSL on your website:
- Purchase and install the SSL certificate for your domain on your server. Installing SSL depends on your server and domain setup and you should check the documentaions of both or contact your server's administrator to find out how to do it.
- Check if SSL is enabled. If SSL is enabled for your domain you will be able to access static assets on your server (but not WordPress URLs) using HTTPS protocol. You can access any image that you have uploaded or any JS or CSS file to find out. Example: http://example.com/wp-includes/js/jquery/jquery.js and https://example.com/wp-includes/js/jquery/jquery.js will be both accessible when SSL is enabled.
- (Optional) As described in Administration Over SSL you can enable SSL just for the admin panel. In order to do that you'll have to log in to your server and open wp-config.php and add the following line inside:
define('FORCE_SSL_ADMIN', true);
. After you do that entire admin area should be served over HTTPS only. (If there is some problem and it isn't remove the line you added to wp-config.php for now and contact the server administrator.) - Go to Settings → General and update both "WordPress Address (URL)" and "Site Address (URL)" to
https://
prefix. Once you do that all back-end and front-end links will start pointing to the HTTPS version and all assets will be served with HTTPS prefix. - When you enter the front-end you may notice that your browser may tell you that "some assets on this website are served over HTTPS and some over HTTP" (and therefore your browser will not indicate that HTTPS is fully functional). To resolve this you will have to check which assets are still served over HTTP. You can do that in the source code of your website or some browsers may also indicate this in Web Developer Tools (hit F12 in Chrome). For example some settings and custom fields that were saved with HTTP prefix may have to be updated. (In development beta versions of this theme only logo fields in Appearance → Customize had to be updated but it may be alrady resolved by the time you read this.) When all assets are served over HTTPS your browser should indicate this with green HTTPS and a padlock symbol in the address bar. (You can still serve some assets like externally hosted images via HTTP.)
- Lastly, you will have to log in to your server again and open .htaccess that you will find in the same folder as wp-config.php. In .htaccess you will have to redirect the HTTP version of the website to HTTPS version. Then your HTTP version will no longer be accessible and everyone will be redirected to the HTTPS version.
Please note that the above instructions are not related to the theme but to your server and domain configuration and if something doesn't work as described you should seek help elsewhere.
FAQ
Q: Is it worth getting a SSL certificate?
Yes. For an online store it's almost obligatory.
- Some payment gateways (like Stripe or Apple Pay) require that you have SSL to use them.
- Google gives HTTPS websites a ranking boost.
- Google flags not encrypted sites in their search results as unsafe.
- Browsers like Google Chrome flag or will flag not encrypted sites as unsafe.
- WordPress starting from 2017 has features that require SSL.
There are other benefits too but since this is an extensive subject we recommend that you read more about them elsewhere.
Q: Which SSL certificate do I need?
If you'll be using only one domain without subdomains then it's sufficient to get the basic one without support for subdomains.
Q: Are there any free SSL certificates?
Yes, there's Let's Encrypt project and CloudFlare. Other than that they are generally paid.
Q: How long does it take for changes to take place?
Approving your purchased SSL certificate may take a couple of hours, all other changes should be instant. If something doesn't work it's more likely that there is some configuration issue than that the server didn't yet apply the changes. All changes described above should work instantly. (Note: When you're updating DNS records then this may in fact take even up to 24 hours but it's usually instant too.)
Q: I have updated the two URLs in Settings → General and now my website is no longer accessible at all.
This may happen to you in various circumstances:
- When you have updated the two URLs in Administration → Settings → General before enabling SSL for the domain.
- Or when your SSL certificate has expired.
- Or when you're trying to configure your CDN or additional servers whose certificate does not match yet.
- etc.
Whatever the reason your only option of regaining access may be to log in to your database (your server most likely comes with phpMyAdmin which should be accessible using some URL like mysql.example.com), go to wp_options
table and update these two options manually there back to HTTP prefix. There may be no other way to restore access to your WordPress installation.