We use cookies to ensure you can get the best experience on our site. If you keep using this site we assume that you agree to our use of cookies. Privacy Policy OK

How Do I Enable HTTPS on a Site Running WordPress 5.7 or Later?

by | May 20, 2021

What you need to know:

A new feature in WordPress 5.7 and later allows you to quickly enable HTTPS on your website. The option is found in your Site Health settings. You just need to make sure that you have a valid SSL installed beforehand.

WordPress has long supported the ability to use HTTPS for enhanced security, however setting up HTTPS and SSL on a WordPress site has always been a hassle that involves multiple steps and various tools. Fortunately, with the release of WordPress 5.7, the CMS developers have made the process much simpler and more straightforward. In this article, we will show you how you can enable HTTPS on a site running WordPress 5.7 or later.

Table of Contents:

Prerequisites

WordPress will surface the option to enable HTTPS only when it detects that you have a valid SSL certificate installed. As such, you need to get an SSL certificate for your website before you can proceed further with this tutorial.

Important:

You must ensure that your SSL certificate is properly configured and fully operational before proceeding. If in doubt, you can reach out to the Technical Support Team for assistance.

At this point, we should mention that SSL certificates are considered an advanced hosting feature. Therefore, only our premium shared hosting plans and Semi-Dedicated servers support SSL. If you are still using our free hosting service, then you would need to upgrade before you are able to take advantage of HTTPS.

Affordable Hosting with Full SSL Support.

How Do I Enable HTTPS on a Site Running WordPress 5.7 or Later?

With the release of WordPress 5.7, the basic setup of HTTPS has become a one-click task. Here, we will guide you through each step:

  1. For starters, you should log into your WordPress Dashboard:
The WordPress Dashboard is the default page you land on once you log into the WordPress back-end.
The WordPress Dashboard is the default page you land on once you log into the WordPress back-end.
  1. While you are on the Dashboard, look for the Site Health Status widget:
The Site Health Status widget gives you an overview of your website’s health.
The Site Health Status widget gives you an overview of your website’s health.
  1. In the widget, there should be a link that invites you to visit the Site Health screen. Click on this link.

Tip:

If you cannot find the Site Health Status widget or the link contained therein, you can simply select the Tools menu item and choose the Site Health option from there.

  1. Once you arrive on the Site Health screen, look for a recommended improvement that mentions HTTPS:
The Site Health screen contains various recommendations for improving your site performance, stability, and security.
The Site Health screen contains various recommendations for improving your site performance, stability, and security.
  1. Click on the HTTPS recommendation in order to expand it and view its details.
  2. You will see a button that says Update your site to use HTTPS. Click on it.
The HTTPS recommendation in WordPress is a one-click solution to enabling HTTPS on your website.
The HTTPS recommendation in WordPress is a one-click solution to enabling HTTPS on your website.
  1. That’s it! Just like that, your site was updated to use HTTPS:
The one-click HTTPS solution found in WordPress is both fast and simple to use.
The one-click HTTPS solution found in WordPress is both fast and simple to use.

The HTTPS migration tool provided by WordPress is truly a one-click solution which makes it straightforward and easy to use. Unfortunately, at its current stage, it leaves one notable security hole open that needs to be dealt with manually. We will describe this security hole in the next section and show you how to fix it.

Additional Tweaks

While the WordPress one-click HTTPS setup is very handy and convenient, its current version (5.7.2) leaves out one essential security setting – the ability to force a secure connection from the moment a visitor tries to access the website. In other words, if a visitor uses http:// to access your website, they would not be using HTTPS for that initial connection. Fortunately, there’s an easy fix for that.

In fact, we have already covered this fix in a whole separate guide about redirecting HTTP traffic to HTTPS. We recommend using one of the three .htaccess options to force a secure connection for your WordPress site.

Below, we will show you the before and after versions of our WordPress .htaccess file. We will be applying the third .htaccess option in the after version.

The default WordPress .htaccess contains:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

The above directives do not force a secure connection in any way, which is why when you navigate to your website without specifying https://, you may see a Not Secure warning, like the one shown below:

The WordPress 1-click HTTPS enabler still leaves your home page unprotected unless your visitors request HTTPS explicitly.
The WordPress 1-click HTTPS enabler still leaves your home page unprotected unless your visitors request HTTPS explicitly.

And here is the .htaccess file once we have included the additional directives:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

With this upgraded .htaccess file, all visitors will be redirected to a secure version of your homepage:

You can ensure that all of your visitors use encryption just by adding a few lines of code in your .htaccess file.
You can ensure that all of your visitors use encryption just by adding a few lines of code in your .htaccess file.

And that’s it! Simply saving your changes will be enough for the changes to take effect immediately.

Tip:

If your WordPress site still does not force a secure connection even after saving your changes, you should try clearing your web browser’s cache and cookies, or alternatively, you may try using a different web browser.

Conclusion

Undoubtedly, the addition of a 1-click HTTPS enabler is one of the best features to come with WordPress 5.7. It transforms the error-prone process of manually editing your site configuration and database into a straightforward solution that is safe and fully automated. We truly believe that this will result in fewer broken WordPress sites and a safer web for all of us.

Related Posts

How to Install SSL and HTTPS on a WordPress Site

In this tutorial, we will provide information about SSL, including instructions on how to enable HTTPS in a WordPress application. What Is an SSL Certificate?...

How to Stop Spam in WordPress Comments

When we are creating something, whatever it is, we expect for people to engage with it. The best type of engagement that exists on the web are the comments....

How to Secure Your WP Admin Panel

We all know how important it is to keep our electronic data safeguarded and private. As cyber attacks continue to grow rapidly each day, so is the need...

awardspace logo
Where Ideas Turn Into Websites