HTTPS For WordPress

For local development, you can create a self-signed certificate using OpenSSL. This has limited use, however: a self-signed certificate will not be trusted by others, so it should only be used for private servers.

No extra or special settings are needed specifically for WordPress at the web server level for HTTPS. By default, WordPress is ready to use HTTPS URLs if the web server is properly configured.

The default port for HTTP URLs is port 80, and the default port for HTTPS is port 443. These ports need to be opened through any network firewall. Apache includes a mod_ssl module that needs to be enabled and properly configured. If you use certbot, it can automatically create and configure the VirtualHost settings needed.

Implementing HTTPS for WordPress

To implement HTTPS support on WordPress, you only need to set the WordPress Address and Site Address URLs to use https://. You can install WordPress using either HTTP or HTTPS to start; both will work, and you can switch over later.

Go to Settings > General and make sure that the WordPress Address (URL) and Site Address (URL) both use https. If not, add an 's' after http to make https, and save the change.


The Site Health tool (Tools > Site Health) will inform you if your website doesn't use HTTPS.


Since version 5.7, WordPress can also automatically switch to HTTPS if an SSL certificate is already set up on your server.


Best Practices for HTTPS for WordPress

It is recommended for all production WordPress sites to use HTTPS.

  • Use a reputable web host; most provide HTTPS service as standard.
  • Use an SSL certificate from Let's Encrypt; they are free and easy to use.
  • Serve static content from an SSL-enabled CDN.

You may need to redirect your HTTP traffic to your HTTPS site. For Apache, you can do so by creating two VirtualHost entries, for example:

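# Port 80: redirect all plain-HTTP requests to the HTTPS site
<VirtualHost *:80>
    Redirect /
</VirtualHost>

# Port 443: serve the site over TLS
<VirtualHost *:443>
    DocumentRoot /home/mkaz/sites/
    <Directory /home/mkaz/sites/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    # Certificate, private key and chain issued by Let's Encrypt
    SSLCertificateFile    /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
    IncludeOptional /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>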

Bad Practices for HTTPS for WordPress

  • Serving the site from both HTTPS and HTTP URLs. Use HTTPS and redirect.
  • Using mixed content, i.e. CSS, JS, or images served from HTTP on an HTTPS page.
