Installing an SSL Certificate on WP Engine
Whether or not you have an SSL and your site is presented over HTTPS, this blog can be for you. We’ve set up literally hundreds of SSL certificates through WP Engine and other hosting platforms, and we finally decided to make a post that not only sheds light on some tips & tricks to make this process easy, but to educate everyone why they should make the jump to HTTPS.
HTTP vs. HTTPS: Quick Overview
Before we get too deep into this process, let’s talk about it for a super quick second.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol, basically this allows you to view websites. It allows for the communication of data between a web server (this holds all the website information) to your browser, which allows you to view web pages.
What’s the difference between HTTP & HTTPS?
The main difference is surprisingly not the addition of the letter S. It is actually that the information on an HTTPS website is encrypted. Encrypted information allows for the information that is being transferred between the server and the website to be protected against third parties trying to gather information. HTTPS is mainly used because it protects potential client information. For example, an e-commerce website that takes customer card information to process payments. HTTPS is accomplished with the help of an SSL Certificate. SSL is an acronym for “secure socket layers,” these secure socket layers are what adds the extra encryption to the information that is passed between the web server and the web browser.
The main benefit of HTTPS actually happens to be the S, “secured”. The data that is passed between the website and your computer is secured from other parties trying to gather your information. This basically means that if you buy something or create an account on any website that does not have “https” at the beginning of the URL, you are susceptible to having your information stolen.
This also helps the owner of the website secure their information as well. This helps the website pass information to and from the user without the risk of that data being modified or changed.
All of these benefits lead to one ultimate goal, building user trust. By authenticating and ensuring that the intended user can visit a website without there being a third party with malicious intentions, you can rest assured that your customers will likely return to your site. All because “https” gave them a warm fuzzy safe feeling.
A Few Other Benefits To HTTPS
Confidence & Trust
I know we just talked about trust, but let’s do it again!
The main goal of any website is to engage an audience, right? Well to do this you’ll want your website to be secured. Having the HTTPS at the beginning of your website URL means a world of difference to your customers.
This allows your customers to shop freely, to engage with your content, and to create accounts on your site without having to worry about their information being at risk.
SEO (Google Likes HTTPS)
1. Google gives preference to sites that have HTTPS.
2. Google will rank your website higher in its niche, if it is an HTTPS website vs your competition if they do not have an HTTPS website.
3. Chrome and Firefox gives warnings to sites that are not HTTPS.
Woah! Hold up…. Those are 3 pretty big reasons to get a free SSL set up with Let’s Encrypt if your hosting environment supports it.
P.S. Even if your host don’t support the free Let’s Encrypt SSL Certificates, it doesn’t cost that much nowadays to purchase one!
Chrome Update October 1st, 2017 Mandate
Sites that are not secure will now be notified to the user. When you are on a secure site, your URL bar at the top of your browser will look like this:
Websites that are not secure with Google’s new Chrome update will now look like this:
If you hit the little information icon, this is what will pop up:
Users will now be notified by google if they are on an unsecure website. If your site is not on HTTPS yet, now is the time to switch over. By notifying users that they are on an unsecure website, you will have a hard time keeping an engaging audience, people will not likely return to your site and you will suffer when it comes to ranking your site with SEO (Search Engine Optimization).
Alright It’s Time. How?
Okay so keep in mind that we are a WordPress focused agency, so our process is going to focused on setting up an SSL with WordPress. We also exclusively recommend WP Engine to our clients, so we will be going over setting up an SSL using our recommended set up. This might not be for everyone. If you don’t have a WordPress site or you’re not on WP Engine, but you’re still wanting to get an SSL and you’re not sure quite how. Shoot us an email and we’ll be happy to help!
Alright let’s get to it! As we mentioned before, we’ve done this countless times so we’ve pretty much seen it all. Be sure to follow along closely for some tips & tricks to avoid having to reach out to support (even though they’re very nice and they don’t bite) and see why you’re getting weird errors.
Part 1: Cloudflare ( Only if you’re using CNAME flattening )
NOTE: This is the recommended way of pointing your domain to your WP site on WP Engine, so you don’t have to worry about changing A records later on if something comes up, if you are using the A record method (just skip to Part 2).
Step 1 – Disable Proxy
We’ve tried several different ways, and it’s gone perfectly each time we start in Cloudflare and disable the default settings for Cloudflare Crypto and turn off Proxying ( ALL GREY CLOUDS ).
NOTE: The highlighted clouds will usually be orange. Turn them all grey, to help prevent redirect errors.
Step 2. Turn off Cloudflare SSL
After doing that, turn off the Crypto settings (SSL settings) in Cloudflare, to further prevent any conflicts.
Now you’re set to head to your WP Engine install that you’re wanting to set up the SSL on!
Part 2. WP Engine ( Requesting your Free SSL )
Step 1. Request SSL Certificates from Let’s Encrypt.
So, after logging in to WP Engine… Go to your WP install, click the SSL link on the left and you’ll click “Add Certificates”.
We’ll be using the free “Let’s Encrypt” certificates, so click “Get FREE certificates”.
NOTE: If you’re running a mission critical eCommerce site, or a site that has user-sensitive data then please consult a your developer (or you can always reach out to us) before just picking the free Let’s Encrypt SSL.
Pick the domains you want to secure (hopefully all of them), accept terms and conditions and request your SSL!
NOTE: If you just added your domains to the install, you might have to give it some time.
If you don’t see any domains then you’ll want to add them through the domains part of the dashboard.
After requesting your SSL Certificates, you’ll get email notifications that your order was received and you’ll get notifications when your order was completed.
NOTE: You may get an email that your request failed to process. This is often due to misconfiguration of your domain and you may want to consult a developer or WP Engine Support for more information on the topic. If you’re using the A record method, maybe consider trying out CNAME flattening through Cloudflare.
Step 2. Configure SSL
Once you get that “order complete” email from WP Engine, you can go back to the User Portal and in the SSL tab you’ll see more options regarding your SSL Certificates!
Match the configs below to secure everything from your WP-Admin area, to the non-www & www versions of your WordPress site.
NOTE: Don’t forget the above step! The last areas included in the last two screenshots are drop downs below the first section.
Step 3. Configure WordPress Site
You’re not done just yet! Now we have to make sure WordPress knows your site should be ‘https’ or it’s going to automatically redirect to ‘http’. This is easiest using WP Engine’s handy phpMyAdmin tool available in the User Portal or logging into your WordPress dashboard. I’ll show you both!!
Step 3.1 – phpMyAdmin
Step by step (I don’t want to expose our database schema so I’ll just show the last step):
1. Click “phpMyAdmin” from your WP Engine install. This will open a new tab.
2. Click the “+” next to your database table ( wp_yourinstallname ) on the left side.
3. Click “wp_options”, your general settings table could be different if you changed it for security purposes
4. Edit the “siteurl” and “home” to be ‘https’ instead of ‘http’
Step 3.2 – Through the WordPress Dashboard
First, get all logged in and go to Settings > General from the Dashboard
Second, adjust the “WordPress Address” and “Site Address” to be ‘https’ instead of ‘http’.
NOTE: It is very important that your WordPress Address and your Site Address match, this is notorious for causing infinite redirection loops.
Step 4. HTML Post Processing
This is the fun part! Often times, you’ll have some mixed content errors from explicitly putting ‘http’ in your links when building out your site. So even though you’re almost done, you might not have that green lock on your site yet, because you’re pulling insecure data.
You can fix this with a plugin, but I recommend since you’re on WP Engine’s platform that you take advantage of their lightweight tool that is super powerful and easy to configure. It leverages the power of regular expressions in PHP if you’re wondering.
Here’s a snippet of code to use:
#http://yoursite\.com# => https://yoursite.com
NOTE: Just remember replace “yoursite” with your ACTUAL site and “com” with any other extension, otherwise we might break your site. Also, this is a very powerful tool. Be careful.
Get there by going to WP Engine > General Settings in WordPress and scrolling all the way down!
You’ll enter the snippet of code I gave above into the white box in the screenshot.
Last but not least, clear your cache and you’re good to go!
If you run into any issues, send us an email or don’t be afraid to reach out to WP Engine Support, they’re a great team!
Signed – TXCAPstudio