Find out how to solve this common and frustrating WordPress security problem.

Whether you manually install WordPress or use a WP hosting provider, maintaining a valid SSL certificate is vital to cybersecurity. If your website URL doesn’t have “HTTPS” in front of it, you might be vulnerable to cyberattack.

And cyberattacks do happen. Without a valid SSL certificate, your web assets are open to a wide range of harmful exploits. 

The astounding story of CoinHive’s worldwide cryptojacking conspiracy is a perfect reminder of why SSL certificates are so important. Even years after CoinHive disappeared, there are 1.4 million hardware routers still injecting malicious CoinHive scripts into every single traffic request that passes through them.

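This is just one way SSL certificates mitigate cybersecurity risks. HTTPS encrypts and authenticates the traffic between the visitor and your server, so a device in the path, such as a compromised router, cannot silently alter the page in transit. Web agencies have a responsibility to protect the integrity of the content they serve to their clients.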

But sometimes WordPress fails to see SSL certificates. This is especially common for agencies that install the framework manually from WordPress.org (instead of WordPress.com). This can happen even if your third-party host employs SSL certificates natively.

What To Do When WordPress Can’t See Your SSL Certificate

First, it’s important to verify whether your certificates are valid. If you are using a third-party host, you should be able to validate those certificates quickly. If your SSL certificates are valid, but WordPress still displays a warning saying it is not secure, the problem is with WordPress.

Fortunately, you can force WordPress to use SSL. There are a few plugins that do this. The one we’ll focus on right now is Really Simple SSL.

All you have to do is log into your WordPress admin section and go to Plugins. Click Add New, search for Really Simple SSL, and click Install Now. Then click Activate and start configuring the plugin.

Configuring Really Simple SSL is as easy as its name implies. The plugin will immediately tell you which steps you need to take to enable HTTPS for your WordPress site. It can even force a 301 redirect for all HTTP requests to go to your HTTPS URL. As long as you already have a valid SSL certificate, it’s virtually guaranteed to work.

What If You Don’t Have a Valid SSL Certificate?

While Really Simple SSL is great, it can’t do everything by itself. You need to already have a valid SSL certificate to use it. Fortunately, getting an SSL certificate today is much simpler than it was back in the 1990s. In fact, you can get one instantly, for free.

Many hosting platforms and WordPress plugins allow users to create and use free SSL certificates. WP Encryption and SSL Zen are just two examples. 

These plugins use Let’s Encrypt to automatically generate valid SSL certificates for free. Let’s Encrypt is a non-profit certificate authority that supports hundreds of millions of websites. Their list of sponsors includes Google, Facebook, Amazon, and dozens of other major tech companies.

How to Use Let’s Encrypt

Using Let’s Encrypt is also simple. In order to get a certificate, you must demonstrate control over the domain you wish to secure. Let’s Encrypt does this with software that runs on your web host. 

To pick the method best suited to your website, Let’s Encrypt first asks whether you have shell access. If you do, it recommends Certbot, a client that automates issuing and installing certificates with no downtime. You can let Certbot configure your web server automatically or switch to expert mode and configure it yourself.

Let’s Encrypt even provides a staging environment for you to test your free SSL certificate before issuing it. This helps make sure you don’t run into rate limits or other problems down the line.

Don’t Forget to Manually Renew Your Certificate After 90 Days

Let’s Encrypt is a reliable, free SSL certification solution backed by some of the biggest names in tech – but there’s always a catch. In this case, you must manually renew your free SSL certificate every 90 days.

The good news is that some WordPress hosting environments allow you to run an automatic renewal script. Doing this allows you to guarantee secure connections for website visitors on your clients’ behalf without paying extra for the privilege.
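One way to keep an eye on the 90-day expiry described above, as an added example that is not part of the original article: this Python script reads a certificate's notAfter date and reports whether it is fine, due for renewal, or already expired. The 30-day threshold and all function names are assumptions chosen for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed threshold; adjust to your renewal schedule


def days_remaining(not_after, now):
    """Whole days until expiry. not_after uses the 'notAfter' format that
    ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    return (expires - now).days  # negative once the certificate has expired


def renewal_status(not_after, now):
    """Classify a certificate as 'ok', 'renew-now' or 'expired'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < RENEW_BEFORE_DAYS:
        return "renew-now"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Connect to a live site and return its certificate's notAfter string.
    The default context also verifies the chain and hostname, so an invalid
    certificate raises ssl.SSLCertVerificationError here."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1]  # hostname of the site to check
    not_after = fetch_not_after(host)
    print(host, not_after, renewal_status(not_after, datetime.now(timezone.utc)))
```

Run it from a scheduled job with the site's hostname as the only argument and alert on anything other than `ok`.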

Not sure if your SSL certificate is valid? You can verify your certificate using SSL Shopper’s SSL Checker. You should also see a closed padlock symbol in your web browser right next to your website’s URL.

If you don’t see that padlock symbol in your web browser, your website may be loading some resources, such as images, scripts or stylesheets, over plain HTTP instead of HTTPS (mixed content). You can check that on Why No Padlock. The free service will verify all of those elements and tell you exactly what’s wrong.

Make Sure Your Websites are Secure

There are many hosts that provide web agencies with free SSL certificates along with their hosting services. But it still falls on agencies to verify that WordPress accepts the certificates and guides visitors correctly. Using the tools and plugins described above will help ensure your clients have a seamless, secure web experience with all of your WordPress sites.

UnlimitedWP offers white label web development services to WordPress agencies with demanding technical needs. Find out how we can help you build and deploy secure WordPress sites efficiently.