Introduction
Securing your WordPress website with HTTPS is no longer optional. It protects data integrity and privacy, boosts SEO rankings, and builds user trust.
Let’s Encrypt provides free, automated TLS/SSL certificates, making HTTPS adoption easier than ever.
Why HTTPS Matters
- Data Encryption: Prevents eavesdropping and man-in-the-middle attacks.
- SEO Benefits: Search engines favor HTTPS sites.
- Browser Warnings: Modern browsers flag non-HTTPS sites as “Not Secure.”
- User Trust: The padlock icon reassures visitors.
Overview of Let’s Encrypt
Let’s Encrypt is a nonprofit Certificate Authority that issues free certificates via the Certbot client. It automates certificate issuance and renewal using the ACME protocol.
Prerequisites
- Root or sudo access to your server.
- Domain name pointing to your server’s IP.
- Basic knowledge of Linux command line.
- Web server (Apache or Nginx) hosting WordPress.
Step 1: Install Certbot
Certbot is the most popular ACME client. Install it via your package manager:
OS | Installation Command |
---|---|
Ubuntu/Debian | sudo apt update && sudo apt install certbot |
CentOS/RHEL 7 | sudo yum install epel-release && sudo yum install certbot |
Step 2: Obtain a Certificate
Choose your web server and run Certbot accordingly:
Apache
sudo certbot --apache -d example.com -d www.example.com
Nginx
sudo certbot --nginx -d example.com -d www.example.com
Certbot will:
- Validate domain ownership via HTTP challenge.
- Install certificates to /etc/letsencrypt/live/example.com/.
- Optionally configure your web server to use HTTPS automatically.
Step 3: Configure Auto-Renewal
Let’s Encrypt certificates expire every 90 days. Certbot installs a cron or systemd timer by default. To test renewal:
sudo certbot renew --dry-run
If no errors appear, auto-renewal is properly configured.
Step 4: Force HTTPS in WordPress
Update Site URLs
- Log into WordPress Admin > Settings > General.
- Change WordPress Address (URL) and Site Address (URL) to https://your-domain.com.
Redirect HTTP to HTTPS
Add rules to your server configuration or .htaccess:
Apache (.htaccess)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Nginx (server block)
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Step 5: Fix Mixed Content
Mixed content occurs when non-HTTPS resources load on an HTTPS page. Use one or more of these methods:
- Install a plugin: SSL Insecure Content Fixer.
- Search & replace URLs in database: wp search-replace http://your-domain.com https://your-domain.com --dry-run
- Hard-code protocol-relative URLs: //cdn.example.com/style.css
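To locate the offending resources before applying any of these fixes, the following added example (not part of the original article) scans a page's HTML for subresources that would still load over plain HTTP. The sample markup, the tag list and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as part of the page.
# <a href> is deliberately absent: a link is navigation, not mixed content.
FETCHED = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
           "video": "src", "source": "src", "embed": "src", "object": "data"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample markup (not taken from any real site).
SAMPLE_PAGE = """<link rel="stylesheet" href="//cdn.example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
<a href="http://example.com/old-post/">old post</a>
<img src="/wp-content/uploads/logo.png">
<img src="http://example.com/wp-content/uploads/banner.jpg">"""

class MixedContentScanner(HTMLParser):
    """Collect (line, tag, url) for resources an HTTPS page loads over HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHED.get(tag)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            attr = "href" if rels & FETCHED_LINK_RELS else None
        raw = (attrs.get(attr) or "").strip() if attr else ""
        # Relative and protocol-relative (//host/path) URLs inherit the
        # page's https scheme when resolved, so they are not flagged.
        resolved = urljoin(self.page_url, raw)
        if raw and urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE, "https://example.com/"):
        print(f"line {line}: <{tag}> loads {url}")
```

On the sample, only the script and the banner image are reported; the canonical link and the anchor use http:// but are not fetched as part of the page, so they do not trigger mixed-content warnings.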
Step 6: Test Your Configuration
- Visit SSL Labs to scan and grade your site.
- Check browser padlock and console for mixed-content warnings.
Advanced Tips
Enable HSTS
# Add to your HTTPS server block (Nginx)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
OCSP Stapling (Nginx)
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Troubleshooting
- Certbot renewal fails: Check logs at /var/log/letsencrypt/letsencrypt.log.
- Mixed content persists: Clear caches (plugin, CDN, browser) and re-scan.
- Redirect loops: Verify server and WordPress URL settings match (both HTTPS).
Conclusion
Implementing HTTPS with Let’s Encrypt on WordPress enhances security, trust, and performance. By following these detailed steps—installing Certbot, obtaining and renewing certificates, configuring your server and WordPress settings, and testing thoroughly—you ensure a robust, encrypted website experience.