This document gives an overview of SSL (Secure Sockets Layer) and HTTPS, explaining their importance for securing your WooCommerce store. You’ll learn why SSL is essential for protecting customer data and boosting consumer trust, as well as where to look to set up SSL on your site, including both free and paid options.
Additionally, we cover the WooCommerce “Force SSL” setting, and share troubleshoot tips for common SSL issues. In many cases it’s best to work with your host or a developer to get SSL working properly. Our aim with this guide is to assist you in ensuring a secure and reliable shopping experience for your users.
What are SSL and HTTPS?
↑ Back to topSSL (Secure Sockets Layer) is a protocol used on the Web for:
- Encrypting website data sent from the browser to the server, and vice versa, so it’s protected
- Authenticating your website so visitors know your identity has been verified
SSL creates a secure connection between two machines or devices over the Web or an internal network, safeguarding and allowing sensitive data to be privately transmitted.
An SSL certificate is issued after verifying the authenticity of a website and identity of its owner, and is indicated by the ‘S’ in https.
Most payment gateways require SSL. We strongly recommend it. Customers visiting your WooCommerce store see it as a sign of trustworthiness. They rightly expect to see the padlock in the address bar when browsing, buying, and entering their account and payment details.
Why you need SSL
↑ Back to topAny time you information needs to be transmitted securely. SSL is a must. You need to use it if:
- You are accepting/transmitting sensitive information, such as addresses and credit card numbers, and need to keep them safe.
- You want to secure logins and signups on your site.
- You need to comply with privacy and security requirements.
- You want users to trust your website.
- You want customers to buy from your eCommerce store.
Websites with SSL are also said to rank higher with search engines and load faster.
How to set up SSL with WooCommerce
↑ Back to topTo use SSL on your website, you need to obtain an SSL certificate. You have free and paid options.
Free option – Let’s Encrypt
↑ Back to topLet’s Encrypt is a certificate authority (CA) providing free SSL certificates for the public to support a more secure and privacy respecting Web. WordPress and WooCommerce love this initiative. Learn more at: About Let’s Encrypt and How It Works.
There are two ways to get a free SSL from Let’s Encrypt.
Select a Hosting Company with Free SSL
Our WooCommerce hosting partners offer free SSL certificates for WordPress users that can be installed with only a few clicks, or often no installation if you purchase a web domain with the hosting package.
Other hosting companies: Ask your existing or preferred hosting company if they offer a free SSL from Let’s Encrypt, and then follow instructions given. If they do not offer this option, go to the next section, “Install Yourself”.
Install Yourself
Should you prefer or already have a hosting company that lacks a click-and-install tool but offers the option to install a free SSL certificate, you can still use Let’s Encrypt.
Note: Support for installation and setup of a SSL certificate isn’t available from WooCommerce.com. Work with your web host for help.
Paid SSL options
↑ Back to topThere are providers that sell a range of SSL certificates that you install on your website/store. And your hosting company may also sell SSL certificates, which they can help install on a new or existing website/store.
For low-cost options, see: Where can I get an affordable SSL certificate?
After SSL setup
↑ Back to topThe certificate is set up on your server, after which you can access your store via https://yoursite.com. Your browser may show a ‘lock’ icon in the address bar to show it is secured. Or the information may be shown in a “Security” section of the address bar information modal.
For new websites/stores
WordPress/WooCommerce URLs need to be updated after installation of an SSL certificate.
- Go to Settings > General.
- Update the WordPress Address and Site Address to include https://
- Save changes.
For existing websites/stores
Because your website/store has already been indexed by search engines as having an http:// address , it now needs to be redirected to https:// so visitors and customers can continue to find you. Really Simple SSL is a plugin that can help with this.
Other tips:
- Amend internal links in your content, which can be achieved with Search and Replace.
- Update your Google Analytics settings, if you use it.
- Use SSL Server Test to confirm SSL has been implemented and fix any issues
- Perform an SSL Check to uncover any non-secure links and content
WooCommerce Force SSL setting
↑ Back to topBefore using this setting, note that we highly recommend running your entire website/store with https, not just the checkout page.
If you choose not to take our advice, you can enable SSL only on your checkout page– note the “Force SSL” setting will not be offered if your site’s URL is already https. The “Force SSL” setting at: WooCommerce > Settings > Advanced ensures that certain pages are only shown over https when enabled. These pages are:
- Checkout
- Checkout > Pay (endpoint)
- My Account
Troubleshooting SSL issues
↑ Back to topError pages over HTTPS
↑ Back to topThis may indicate a setup issue with your certificate. We advise contacting your hosting provider to look into it.
Non-secure content warnings
↑ Back to topNon-secure content warnings when viewing a secure page indicate that you are linking directly to scripts, images, or stylesheets over http instead of https.
Most times, this is fixed by changing links to https or by using relative URLs (i.e., /wp-content/file instead of http://yoursite/wp-content/file).
To identify non-secure links, use your browser’s built-in developer tools, and look at the error console. Non-secure resources for the page you’re viewing, will be listed.
Redirect Loops
↑ Back to topWooCommerce uses the WordPress is_ssl() function to redirect non-secure pages. This can cause a redirect loop when:
- You have another SSL plugin installed, such as Easy HTTPS Redirection, trying to un-force the secure URL. Try removing the other plugin or turn off the Force SSL setting.
- Your host does SSL by proxy, making https undetectable. See SSL by Proxy Problems.
Websites behind load balancers or reverse proxies
↑ Back to topWooCommerce uses the is_ssl() WordPress function to verify if your website using SSL or not.
is_ssl() checks if the connection is via HTTPS or on Port 443. However, this won’t work for websites behind load balancers, especially websites hosted at Network Solutions. For details, read WordPress is_ssl() function reference notes.
Websites behind load balancers or reverse proxies that support HTTP_X_FORWARDED_PROTO can be fixed by adding the following code to the wp-config.php file, above the require_once call:
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
$_SERVER['HTTPS'] = 'on';
}