Installing SSL certificates for WordPress sites

Welcome to the GoldHat guide for installing SSL certificates. Here at GoldHat.ca we started serving the entire site in HTTPS recently. Up until a few years ago serving a site in SSL meant some loss in performance, but not anymore. There are two main benefits to having HTTPS throughout the entire site. The first is it’s more secure for our users. We’re less likely to have various types of attacks on user information. We all know the importance of this when it comes to credit card data, checkout forms, but we should care about personal information and even the possibility of malware installation as well. The second benefit is that we may see a small boost in search engine rankings. It’s considered a positive factor for SEO to serve a page in HTTPS. And rumor has it, this benefit may increase in future search algorithm updates.

Overview for Installing SSL certificates

Now whether your goal is to secure part of your site, or all of it, you need to start by purchasing and installing an SSL certificate. In this guide we look at the generic steps involved in the process. Like other process guides we’ve created, the goal here isn’t to outline every detail of a specific certificate install on a specific server. There are many different certificate vendors, many different certificate types, and of course a lot of different servers and hosts. And then there is your actual website, in this case we’re focused on WP sites. But each site can have a different configuration of plugins and different theme. The challenge of solving insecure content warnings and other problems can be as much or more significant in terms of time and cost than the actual install. For the purpose of this guide, we will be focused on getting the certificate installed and working, and debugging the most common errors (mixed content) that you might find in your WordPress site after switching to SSL.

Step 1: Purchase from SSL Vendor

installing ssl certificates from thesslstore.com

You’ll need to open an account at an SSL vendor. This can be the issuer of SSL certificates, most sell directly, or it can be a reseller. There is no real advantage to buying directly from issuers, often the resellers have better prices than the issuers. We recommend GoGetSSL, and are authorized resellers for them. Another notable option is TheSSLStore.com. If you’re an agency or developer, you might also want to check out the GoGetSSL.com reseller program for yourself. Buying from either of these reputable vendors is a simple and reliable process, all have full integration with the CA (Certificate Authorities) that issue the SSL certificates. Once you have an account, you select the type of certificate you want and place your order. The initial order information (address/phone etc.) is not used to determine the SSL certificate, that’s handled later. So it’s fine to use your business or personal information, even if the certificate is for another party such as your client or a different business.

Step 2 – Generate a CSR (Certificate Signing Request)

The purpose of the CSR (Certificate Signing Request) is to identify the server you plan to install the certificate on. The steps to generate a CSR vary based on the type of server. A common server is Apache, and a manual generation of a CSR involves logging into the server with SSH, running server commands via command line and entering the information for your domain. A CSR will be generated, along with a Private Key File. The private key file is the mechanism that the server will use to decrypt the certificate, and it has to be stored in the correct place on the server. Clearly the manual generation of a CSR is not suitable for most site owners, and even many website developers find these steps difficult. It’s really a process best suited to experienced server managers. Nonetheless there are numerous guides for various server types, which you can find by searching for something like “generate csr apache”, and replace Apache with your server type if your running something else. Many hosts also have guides to SSL install, and searching “digital ocean generate csr” for instance will bring those up.

If you have cPanel, you may be able to use the SSL management features inside the control panel to generate a CSR. At GoldHat we buy our hosting from Digital Ocean, and we manage the servers using ServerPilot. We especially like this combination because the ServerPilot system makes SSL certificate installation very easy. Every app (domain) that we add to ServerPilot has an SSL tab, and getting the CSR is a one-click process. Note that this feature is only available with ServerPilot’s Coach (paid) license that is $10/month. Their free service does not have this feature. Also to manage a server with ServerPilot, you have to set it up when you create your droplet or server, before you setup your domains. So this option will only help you with an existing site if you are willing to setup a new droplet, install ServerPilot on it and then configure the site as an app. Having done all this for our sites, we can say it’s worth it not only for SSL install but just the many other time saving features of ServerPilot.

Step 3 – Request the SSL Certificate

We request the SSL certificate at the vendor where we made the purchase. The vendor will provide a form to complete with domain information and of course, the CSR that you created in the previous step. After you pass any validation in their forms, you should see confirmation on screen and by email that your request has been received. This will initiate a domain ownership verification email that will go to the email you specified when requesting the certificate. You usually have a limited range of emails to choose from and they have to be at the domain, so for instance “admin@your-domain.com”. Make sure you have your email setup and working for the domain before doing this step, and make sure you have access to the email address you select to perform the verification.

Step 4 – Verification for SSL Certificate

You’ll receive a domain verification email from the CA (Certificate Authority) such as RapidSSL, Comodo. It will contain a link to verify the domain ownership, and a code that you need to enter. For basic SSL certificates, once you verify the domain ownership the CA will usually issue the certificate immediately and the files will be sent to you via email, and/or available for download from the vendor where you purchased the SSL certificate.

EV (Extended Validation) certificates, and other types of certificates that have various extra validation will require further verification. These steps will be provided by the CA, and some will send you an email linked to a guide on their website. With EV certificates, the CA will attempt to automatically validate the existence of your business if your located in a region such as US/Canada, Europe, where they can find your business in a public registry. If this process fails either because you didn’t provide an accurate business name, or because your company isn’t registered, or other problem, they will email you asking you to prove your business information by sending in copies of registration documents.

Step 5 – Install the SSL Certificate

When your certificate is issued by the certificate authority, they’ll send you the package via email. This is often the first time we start celebrating in the process of installing SSL certificates. If you’ve purchased from a vendor, they’ll often have a download area for your certificates which helps when you need to get the files again. Manual install of a certificate using SSH is not a step suitable to most site owners. Even developers often are challenged by the process, but there are guides for nearly every available server that outline the process. An important step if you’re managing the server yourself is after the certificate files are in the right place, setting up the virtual host to serve traffic over the secured port (usually port 80).

As with the earlier step of issuing CSR’s, we utilize ServerPilot to take care of this otherwise time consuming process. With ServerPilot we can paste in the certificate to the correct app, and ServerPilot takes care of putting the files in the right place. We can also force SSL, rather than relying on the app (WordPress) to switch to SSL. Whether using the force SSL option or not, ServerPilot finalizes the install and from this point forward the focus is on serving SSL pages or the entire site, and fixing any issues that are causing a problem on secured pages.

Step 6 Configuring & Debugging WordPress SSL

If you haven’t setup your server to force SSL throughout the site, you’ll need to configure WordPress to serve secured pages. If your site runs WooCommerce, you’ll want to active the Force SSL option under the checkout settings in WooCommerce. See the WooCommerce docs page SSL and HTTPS for further details.

Other plugins that provide a checkout process usually contain support for SSL. You’ll want to find the documentation for that support by searching the plugin documentation. Once you activate SSL, be sure to test your checkout process to make sure it’s functioning correctly.

If you want to secure other parts of your site that don’t involve checkout, there are various WP plugins that can help. Search the WP directory for one that fits your implementation, or consult a qualified WP developer.

One of the most common and frustrating challenging issues we face in securing WordPress sites is the frequency of mixed content errors. These errors can be seen in the browser address bar as a warning, and aside from the actual security risk, it largely defeats the purpose of building trust with your users. These errors must be fixed in order for the browser to indicate the page is secured and confirm the connection is private. Mixed content errors show up when a non-secured asset, usually an image or script is included in the page served over HTTP. When your WP site serves an SSL secured page in HTTPS, all content on the page must also be secured. If you’ve integrated scripts or images by defining “http://” in the URL, then this will cause the page to be flagged as serving mixed content. Developers can identify which assets are being served unsecured by HTTP by opening the developer console, and these errors will be listed.

Fixing unsecured content that has been added to a page is relatively easy if it’s available via the WP admin, or in a widget. Where it becomes much more problematic is when the issue comes from a 3rd party theme or plugin. Developers may have to create filters, or take other steps to debug the error. In some cases it will not be possible to fix the problem without resorting to hacking the 3rd party plugin. And because that’s usually not a good idea, it may be better to contact the plugin/theme author, and ask them about releasing a fix to better support SSL. Unfortunately many WordPress themes and plugins define assets in a way that causes these mixed content errors, and sometimes there is no practical way to work around it. As a site developer you may have to consider removing plugins or switching themes, or resort to editing the original plugin/theme and then managing it without the original authors updates. These are difficult decisions to make, but are sometimes needed to fully resolve all mixed content errors.

Installing SSL certificates wrap-up

This concludes our guide on the processes of installing SSL certificates. Hope you found it helpful and have been successful in following the steps. If you discovered by reading this guide that the process is too technical or time consuming to do yourself, consider our SSL certificate install service which is just $35 for basic SSL installs. We can also perform more complex SSL certificate installations, such as EV certificates, multiple site domain certificates and wildcard certs. If you’re just setting up your site and don’t yet have a server or hosting, contact us about setting up a Digital Ocean droplet with ServerPilot account which is the combination of server/management that we use for this site and dozens of others.


Affiliate Disclaimer

GoldHat Group is an affiliate for ServerPilot and TheSSLStore.com. We’re also an Authorized Reseller for GoGetSSL.com. Some links contained in this article are from these affiliate programs, and some products listed on goldhat.ca are delivered via these affiliate programs or resellers.