This article describes basic steps to make your WordPress website work via a secure web protocol, as well as the main methods which can be used to get rid of insecure content in order to display a padlock or tune icon without warnings in browsers.
One of the key steps in ensuring that your WordPress site is secure is activating and installing a valid SSL certificate. This will enable users to exchange information with your site via secure, encrypted transfer protocols.
In order to make the changes work in WordPress, you will need to adjust your WordPress Address (URL) and Site Address (URL) accordingly (https://example.com). Follow the steps below:
1) Access your WordPress in your control panel.
2) Locate the link to access your WordPress admin panel.
3) Open or Login to your WordPress admin dashboard.
4) In the Settings menu, click General.
5) Add https:// before WordPress Address and Site Address URLs.
6) Once done, don’t forget to save your changes.
From now on, all your WordPress website pages should be accessible via https:// connection.
Now the links will automatically redirect to https://.
This process can be done either by manually editing WordPress inner redirect structure (however, this is not recommended) or by installing one of the HTTPS plugins used for such purposes.
Note: If you choose to edit WordPress structure manually, the following script can be used: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
We strongly recommend creating a backup of the database before making any changes.
The HTTPS plugin can be installed in WordPress administrative panel: Plugins > Add New.
(In the example shown, we use Easy HTTPS Redirection (SSL), a plugin used to make all pages and content accessible via https://.)
Once the plugin is downloaded and activated, use the following steps:
1) Select Installed Plugins in the left-side menu.
2) Locate the Settings of the plugin you wish to install.
3) In the Settings section, check the following boxes:
- Automatic Redirection to “HTTPS”;
- Force Resources to use HTTPS Redirect.
4) Click Save Changes.
Once done, your WordPress website will be accessible via https://.
If you still get the “This page contains both secure and non-secure data” error, refer to this article.
By default, WordPress installation does not contain insecure links and content, the issue may be caused within the theme. To correct this issue, locate the insecure links in theme scripts and replace them with secured ones (https://) .
If you don’t know where these links are located, you can use search cron command below or run the same command in Command Line Interface via SSH:
grep -r "http://" /home/cPuser/public_html/ > /home/cPuser/report.txt
(make sure to replace cPuser with your actual cPanel username)
NOTE: Keep in mind that setting up a cron job to run with the interval of less than 15 minutes may cause account resource overuse.
When the research is complete, you can check the report.txt file where all scripts/files containing insecure http:// links are specified. Below you can find an example of the output:
… /home/nctest/public_html/wp-content/themes/thbusiness/options.php:
‘std’ => ‘http://www.google.com/+Themezhutthemes’,
/home/nctest/public_html/wp-content/themes/thbusiness/languages/readme.txt:http://codex.wordpress.org/Function_Reference/load_theme_textdomain
/home/nctest/public_html/https/wp-content/themes/thbusiness/functions.php: wp_register_style(‘googleWebFonts’, ‘http://fonts.googleapis.com/css?family=PT+Sans:400,700,400italic’);…
As you can see, all results remain non-filtered, which means that non-related lines will be presented as well. You will need to either enhance the search command with regular expressions for a more precise search or look through the results as they are shown.
In raw results, the insecure link to fonts can be located:
http://fonts.googleapis.com/css?family=PT+Sans:400,700,400italic
You should change it to:
https://fonts.googleapis.com/css?family=PT+Sans:400,700,400italic
In /wp-content/themes/thbusiness/functions.php file.
Important:
- We suggest backing up the original file so you may restore it later if needed, as not every link will work after the changes to https:// take place.
- You can also use plugins (e.g. SSL Insecure Content Fixer) for updating CSS and JavaScript http:// links. Frequently used plugins can be found at:
https://wordpress.org/plugins/wordpress-https/
https://wordpress.org/plugins/ssl-insecure-content-fixer/
https://wordpress.org/plugins/really-simple-ssl/
If the issue persists, we recommend rechecking if any active plugin/extension/theme/template is causing the issue and if so, contact its developer for assistance with https:// implementation.
You might be interested – “How to Fix Common SSL Issues in WordPress (Beginner’s Guide)”