For some time now, the online security of websites has improved, thanks in part to SSL certificates. Most major browsers acknowledge this with that little green padlock ‘trusted’ icon in the URL bar, and Google is starting to roll out a change in its ranking algorithms to favor sites with SSL. At this time that boost is minor, but they plan to significantly increase that. Soon, browsers will start to warn users away from sites that do not have SSL.
The only drag factor in this progress has been cPanel. cPanel software is installed on the majority of the servers used to provide low cost hosting solutions, and their customers have been clamoring for a free and easy to use SSL solution. cPanel 58 has been out now for many weeks and has proved very stable, and it introduced a new tool for web administrators called AutoSSL. The single most requested addition to it, and one of the most popularly supported feature requests in years, was to add Let’s Encrypt to the AutoSSL tool. Even though cPanel are not usually known for acting with speed, they have now released a plugin to do just that. This blog post tells how to install it. As I type this, right now, I am going to do just that on my server. Let’s see how well that goes (BTW, my server has cPanel 58 on the ‘Current’ updates channel, using EasyApache 4).
Well, after logging in to SSH, typing in /scripts/install_lets_encrypt_autossl_provider and hitting enter, it took about a minute to tell me:
Installed the cpanel-letsencrypt RPM! AutoSSL can now use Let’s Encrypt.
Now I will log in to WHM and navigate to Home >> SSL/TLS >> Manage AutoSSL. I select the Let’s Encrypt option and tick both checkboxes (Agree to the T’s & C’s and Create a New registration, as I haven’t used them before). At this point you can enable AutoSSL for your server’s cPanel users by selecting the ones you want to do this for. There does not appear to be a cPanel user Feature List icon or function in this new plugin, so the cPanel user can’t do this themselves, but my guess is that most hosts will place an icon in the Security section of the cPanel features to let you enable Let’s Encrypt for your site(s).
Once you have your SSL certificate ready to go you can use it with your WordPress site. Before you go any further, don’t forget to back up your site before you make any changes. That way you can revert your site if something goes wrong. Let’s move on. In the WordPress admin, under Settings -> General, change the WordPress Address (URL) and Site Address (URL) to be https.
Next, for both single and Multisite installs, edit your wp-config.php file and add the following line of code. It forces both logins and access to the WordPress admin area to use SSL:
NB: Make sure it’s placed above the “stop editing” line, which looks like this:
We now need to set a ‘301 redirect’ so that visitors to your site will automatically be redirected to your secure site using https instead of http. Edit your .htaccess file, or create a new one if it doesn’t already exist. If you already have one, see this code:
You will see that this code is inside a condition that checks to make sure the server has the correct module for this to work. Don’t just paste this code into an existing file blindly. If your file already has such a section, then you can paste into that section some of the lines I show instead. My .htaccess had such a section, and already had the RewriteEngine On line as well, so I pasted only 2 of the sample code lines directly after that line. Don’t forget to replace “mysite.com” with your domain (or subdomain+domain) and make sure that you use the correct server port if yours isn’t 80.
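As an added example (not part of the original post, and not cPanel or WordPress tooling), here is a small shell audit for the wp-config.php and .htaccess steps above: it checks that the admin SSL setting sits above the “stop editing” line and that an uncommented 301 rule to https is present. The sample file contents, including the rewrite rule text and file names, are constructed assumptions; FORCE_SSL_ADMIN is the WordPress constant that forces SSL for logins and the admin area.

```shell
#!/bin/sh
# Added example: audit the two HTTPS tweaks from the post. Sample files are constructed.

# 0 if an uncommented define('FORCE_SSL_ADMIN', true) sits ABOVE the "stop editing" marker.
check_wp_config() {
  sed '/stop editing/,$d' "$1" |
    grep -Ev '^[[:space:]]*(//|#|/\*|\*)' |
    grep -Eiq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# 0 if .htaccess has live (uncommented) RewriteEngine On and a 301 rule targeting https://.
check_htaccess() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+On' &&
  grep -Ev '^[[:space:]]*#' "$1" |
    grep -Eiq '^[[:space:]]*RewriteRule[[:space:]].*https://.*\[[^]]*R=301'
}

# Write constructed sample files into directory $1 (assumed rule text, not the author's).
make_samples() {
  cat > "$1/wp-config.good" <<'EOF'
<?php
define('FORCE_SSL_ADMIN', true);
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
  cat > "$1/wp-config.bad" <<'EOF'
<?php
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
define('FORCE_SSL_ADMIN', true);
EOF
  cat > "$1/htaccess.good" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mysite.com/$1 [R=301,L]
</IfModule>
EOF
  sed 's/^RewriteRule/# RewriteRule/' "$1/htaccess.good" > "$1/htaccess.bad"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in wp-config.good wp-config.bad; do
  check_wp_config "$tmp/$f" && echo "$f: OK" || echo "$f: FORCE_SSL_ADMIN missing or too late"
done
for f in htaccess.good htaccess.bad; do
  check_htaccess "$tmp/$f" && echo "$f: OK" || echo "$f: no active 301 to https"
done
rm -rf "$tmp"
```

To audit a real site, call check_wp_config and check_htaccess with the paths to your own wp-config.php and .htaccess instead of the sample files.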
Now visit your site to test it out. If https appears in your URL with a green padlock beside it you’re all set to go. Click the green padlock to make sure there are no issues. If you are having issues, such as mixed content, then in the WordPress admin add the Really Simple SSL plugin and set that up. It should help you fix things and manage the issues that WordPress often has with SSL.
Hopefully it all works for you, so that now the HTTPS protocol assures users that any sensitive information is sent encrypted.
Nice job Trevor,
it is important to note though, that if you add the tweaks to .htaccess and wp-config.php AND THEN DECIDE to use the Really Simple SSL plugin, you should REMOVE THE TWEAKS that you added to .htaccess and wp-config.php BEFORE installing the plugin since the plugin handles all of these redirects for you as well as cleaning up any mixed content issues. It truly is a wonderful and compact little plugin.
NOTE> when installing the plugin, you should log into your wp back office using https://yoursite.com/wp-admin – otherwise the installation will appear to have failed (it won’t show the green start SSL button) until you add the https in your URL bar and hit refresh.