SSL and HTTPS

screen-shot-2016-11-16-at-17-15-11
SSL creates a secure connection between two machines or devices over the Web or an internal network, safeguarding and allowing sensitive data to be privately transmitted.

An SSL certificate is issued after verifying the authenticity of a website and identity of its owner, as indicated by the ‘S’ in https.

Many payment gateways require it. We strongly recommend it. And customers visiting your WooCommerce store see it as a sign of trustworthiness and expect to see the padlock in the address bar when browsing, buying, and entering their account and payment details.

What is SSL and HTTPS? ↑ Back to top

SSL (Secure Socket Layer) is a protocol used on the Web for:

  • Encrypting website data sent from the browser to the server, and vice versa, so it’s protected
  • Authenticating your website so visitors know your identity has been verified
HTTPS is/means HTTP with SSL.
Just as “http://” means “this is a website,” seeing “https://” means “this is a website, and it’s using SSL to encrypt data and authenticate the website.”

Why you need SSL ↑ Back to top

  • You are accepting/transmitting sensitive information, such as addresses and credit card numbers, and need to keep them safe.
  • You want to secure logins and signups on your site.
  • You need to comply with privacy and security requirements.
  • You want users to trust your website.
  • You want customers to buy from your eCommerce store.

Websites with SSL are also said to rank higher with search engines and load faster.

How to set up SSL with WooCommerce ↑ Back to top

To use SSL on your website, you need to obtain an SSL certificate. You have free and paid options.

Free options – Let’s Encrypt ↑ Back to top

Let’s Encrypt is a certificate authority (CA) providing free SSL certificates for the public to support a more secure and privacy respecting Web. WordPress and WooCommerce love this initiative. Learn more at: About Let’s Encrypt and How It Works.

There are two ways to get a free SSL from Let’s Encrypt.

Select a Hosting Company with Free SSL

Our WooCommerce hosting partnersBluehost, Pressable, and SiteGround — offer free SSL certificates for WordPress users that can be installed with only a few clicks.

Other hosting companies: Ask your existing or preferred hosting company if they offer a free SSL from Let’s Encrypt, and then follow instructions given. If they do not offer this option, go to Install Yourself in the next section.

Install Yourself

Should you prefer or already have a hosting company that lacks a click-and-install tool but offers the option to install a free SSL certificate, you can still use Let’s Encrypt.

  1. Register a domain name at a domain registrar, if you do not already have one. Free SSL certificates from Let’s Encrypt are domain based, and this is a requirement.
  2. Select a hosting company and a hosting plan, if you do not already have one.
  3. Go to ZeroSSL.com.
  4. Select Certificates and Tools, then Start.
  5. Enter the domain name of your website/store, accept the Terms of Service (TOS), then select Next. This generates a Certificate Signing Request (CSR).
  6. Download your CSR.
  7. Select Next to generate your RSA Private Key.
  8. Download your RSA Private Key. Once you’ve downloaded both your CSR and RSA Private Key, it’s safe to close the browser tab. If you close it before saving these two pieces of info, you’ll need to restart the process.
  9. Contact your hosting company for next steps. Every hosting company has a different procedure for uploading the free SSL certificate (CSR and RSA Private Key) you generated. Here’s an example from InMotion: Let’s Install a Let’s Encrypt SSL.

Paid SSL options ↑ Back to top

There are providers that sell a range of SSL certificates that you install on your website/store. And your hosting company may also sell SSL certificates, which they can help install on a new or existing website/store.

Each certificate is recommended for different situations and priced accordingly. For example:

For low-cost options, see: Where can I get an affordable SSL certificate?

After SSL setup ↑ Back to top

The certificate is set up on your server, after which you can access your store via https://yoursite.com. Your browser may show a ‘lock’ icon in the address bar to show it is secured.

screen-shot-2016-11-16-at-17-15-11

For new websites/stores

WordPress/WooCommerce URLs need to be updated after installation of an SSL certificate.

  1. Go to Settings > General.
  2. Update the WordPress Address and Site Address to include https://
  3. Save changes.

For existing websites/stores

Because your website/store has already been indexed under http:// , it now needs to be redirected to https:// so visitors and customers can continue to find you. Really Simple SSL is a plugin that can help with this.

Other tips:

  • Amend internal links in your content, which can be achieved with Search and Replace
  • Update Google Analytics settings, if you use it
  • Use SSL Server Test to confirm SSL has been implemented and fix any issues
  • Perform an SSL Check to uncover any non-secure links and content

WooCommerce Force SSL setting ↑ Back to top

Before using this setting, note that we highly recommend running your entire website/store with https, not just the checkout page.

If you choose not to take our advice, you can enable SSL only on your checkout page. The Force SSL setting in WooCommerce (at WooCommerce > Settings > Checkout > Checkout Options in WooCommerce 3.3 and below, or WooCommerce > Settings > Advanced in WooCommerce 3.4+) ensures that certain pages are only shown over https when enabled. These pages are:

  • Checkout
  • Checkout > Pay (endpoint)
  • My Account

Troubleshooting SSL issues ↑ Back to top

Error pages over HTTPS ↑ Back to top

This may indicate a setup issue with your certificate. We advise contacting your hosting provider to look into it.

Non-secure content warnings ↑ Back to top

Non-secure content warnings when viewing a secure page indicate that you are linking directly to scripts, images, or stylesheets over http instead of https.

Most times, this is fixed by changing links to https or by using relative URLs (i.e., /wp-content/file instead of http://yoursite/wp-content/file).

You can also use a plugin such as WordPress HTTPS to force URLs to be secure. WooCommerce secures scripts that are enqueued correctly.

To identify non-secure links, use a tool such as Firebug for Firefox or Chrome’s built-in developer tools, and look at the error console. Non-secure resources will be listed.

Redirect Loops ↑ Back to top

WooCommerce uses the WordPress is_ssl() function to redirect non-secure pages. This can cause a redirect loop when:

  • You have another SSL plugin installed, such as Easy HTTPS Redirection, trying to un-force the secure URL. Try removing the other plugin or turn off the Force SSL setting.
  • Your host does SSL by proxy, making https undetectable. See SSL by Proxy Problems.

Websites behind load balancers or reverse proxies

WooCommerce uses the is_ssl() WordPress function to verify if your website using SSL or not.

is_ssl() checks if HTTPS or on Port 443. However, this won’t work for websites behind load balancers, especially websites hosted at Network Solutions. For details, read WordPress is_ssl() function reference notes.

Websites behind load balancers or reverse proxies that support HTTP_X_FORWARDED_PROTO can be fixed by adding the following code to the wp-config.php file, above the require_once call:

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
If you use CloudFlare, you need to configure it.

WooCommerce - the most customizable eCommerce platform for building your online business.

Back to the top