How to Prepare Your WordPress Site for SSL/TLS Certificate Usage

If you're going to integrate eCommerce modules on your website including on-site credit card processing, SSL certificate is one of the prerequisites. It may also be used if you're sharing sensitive information with registered users who may require a secure and encrypted connection to access the restricted content. If you're using WordPress for hosting your website, configuring SSL usage is quite simple provided you have the right tools for the same. We'll first take a look at the simple process of installing the certificate on the web server. Thereafter, we'll see how our WordPress site can start using secure and encrypted connection once the certificate is installed. We'll take a look at the most common Apache server SSL configuration. So let's get started and see how we can use SSL certificate on our professional WordPress website.

Buying an SSL certificate

The first obvious step is to obtain an SSL certificate from a certificate issuing authority. There are several popular certificate issuing authorities like DigiCert, VeriSign, Thawte and GeoTrust from where you can purchase one.

Apart from the regular single domain SSL certificate, several other types of certificates like multi-domain or wild card SSL certificates are also available to fulfill your business needs. Buying an SSL certificate is quite easy, so we're going to skip that part. Let's move forward and see how to first integrate (install) it on your web server so that you can use secure SSL connection for your WordPress website.

Installing SSL Certificate on Apache Web Server

Though nowadays web hosts allow SSL on shared IPs that sometimes negatively affect other websites on the server, getting a dedicated IP address for your SSL certificate is always advisable. Also, make sure that mod_ssl security module is installed and active on your Apache web server.

Start with generating a CSR to obtain your certificate and the associated keys. Once this step is completed, copy the primary certificate file and the keys within the directory where all SSL certificates and keys are stored on your web server.

Caution: Your certificate and key files should be only readable by root.

The next important step involves editing the httpd.conf file to add or modify existing records associated with the SSL certificate. Make sure you keep a backup of the original file before making any changes to it. Use a normal text editor to edit the file instead of using a rich text editor.

Start with adding the following records in the file.

<VirtualHost 127.0.0.1:443>
ServerName www.domain.com
DocumentRoot /path/to/your/document/root/htdocs

SSLEngine ON
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key
</VirtualHost>

This sample code includes localhost IP address 127.0.0.1 which should be replaced with your web server IP address. If a firewall is active on your web server, it may be possible that 443 port is not open within it to allow inbound or outbound SSL connections. You can confirm it by running the following command.

# sudo /sbin/iptables -L

If the port is not opened in the listing, you can ask your web host support staff to add the relevant rules to the firewall. And last but not the least; you need to restart your Apache web server to ensure changes are applied on the server instance. You can do that through the following command.

# /etc/init.d/httpd restart
or use the following command...
# /etc/init.d/apache2 restart

After doing all the dirty work, your SSL configuration must be tested to ensure it is installed and working correctly. For that, use this useful SSL Server Test service. Simply punch in the IP address or the domain name associated with your web server to see the report about the SSL configuration.

Using SSL with WordPress

And now comes the easy part of using SSL security for your WordPress site. To make things easy, I've handpicked 3 popular plugins to ensure you can start using SSL facility with your WordPress in a few simple steps. Simply install one of them that you find the best for your needs.

HTTPS domain alias - This plugin works both with a single and multisite WordPress installation seamlessly. It can be used for different domains on the same server in case your certificate is generated for your primary domain. Users can define additional domains quite easily for providing secure connections to the respective addresses. The plugin requires minimal setup and works in all the popular web server environments. Since the plugin never touches your database, the functioning is lightning fast without any latency. Once do try this one on your WordPress blog.

CCS-HTTPS - This is yet another handy plugin ideal for using SSL encryption on your WordPress site. It can be used in cases where you want selective pages to use HTTPS mode and the rest of the pages in HTTP mode. Simply mark or select those specific pages and it works flawlessly. If you've already defined HTTPS usage options for login and admin pages, this plugin won't generate any conflict with those rules. The setup process is dead simple and only requires the selection of pages on which you need to enforce HTTPS connection. It's a must-have plugin for HTTPS usage.

WordPress HTTPS (SSL) - And last but not the least, this is one of the most popular plugins for using HTTPS connections with your WordPress blog. It's a versatile and flexible plugin letting you easily customize the HTTPS settings on your WordPress website. It includes a powerful regular expression powered filtering feature that lets you specify different types of pages for HTTPS usage or exclusion. You can also set or unset SSL settings on per post basis while editing or writing a blog post. I'd highly recommend once using this excellent SSL plugin for WordPress.