Google notified me repeatedly that my self-hosted WordPress websites weren’t secure, that they didn’t have the coveted “https:,” and that I should take care of it pronto.
I’m no WordPress expert, just a freelance writer and product creator who runs blogs. So I dread these sorts of things and put them off as long as reasonably possible, especially since I have several of my own sites, and I manage a few others for family members and nonprofits, so it can be quite a hassle. Well, last week I finally decided to tackle the project.
Caveat… as I just said, I’m no WordPress expert. I’m just a DIY guy who tries to do things himself first, and then hires an expert when necessary. So here’s what I did, and it worked for me, and I hope it will work for you. But if it doesn’t, I’m not a good source for help.
Why Does Having a Secure WordPress Site Matter?
There are at least three good reasons:
1. Google says that it is one of the many SEO signals it uses for ranking sites in web searches, meaning that having a secure site may improve your search results and thus the traffic you get from search.
2. Visitors will feel safer viewing your site and clicking your links, and especially entering any information into forms, meaning they are more likely to hire you, or buy your products, or just read your posts.
3. Browsers show whether or not your site is secure, leading back to #2 above.
How I Did It
First, of course, I did a full backup of all the sites, just in case something were to go dreadfully wrong.
Use Let’s Encrypt to Secure the WordPress Site
Next, I called my hosting company, A2 Hosting, to ask what I needed to do. I assumed I’d have to pay money, and perhaps a lot of money, but it turns out they (and many other hosts) have a free option: Let’s Encrypt.
How do you set up Let’s Encrypt? Turns out it’s something the hosting company can do easily, which A2 Hosting did while I was on the phone.
Install the Really Simple SSL Plugin
And it was really simple. I installed it and followed the easy instructions to get it working.
Unfortunately, it didn’t do the trick for several of my sites: no “secure,” no “https.” (Note: This is not the fault of the plugin, which is highly rated and has been updated regularly.)
So I called A2 Hosting again. They recommended I…
Use WhyNoPadlock.com, If Necessary
The website WhyNoPadlock.com goes through your site and shows you which files are still just “http” instead of “https.”
It turns out that the problem sites had one or two image files that hadn’t been converted by the Really Simple SSL plugin.
Once I knew the exact files, I logged into cPanel (server software that allows you to add, delete, and edit files, along with the ability to do a ton of other things) and I manually changed the offending file names by adding the “s” after the “http.”
There are plugins that will supposedly change the file names for you, but I didn’t want to trust them.
Absolutely nothing = nada, zilch, free! A2 Hosting didn’t charge me to set up Let’s Encrypt, and Really Simple SSL is a free plugin.
The Only Problem: Feedburner
On a few the sites I still use Feedburner to automatically notify subscribers of new posts. Well, after the change to secure https:, Feedburner sent subscribers a notification of the most recent post, or in one case a list of the last ten posts.
Have you made your WordPress site secure yet? Any problems making it https:?