How to implement SSL without using a plugin

Spread the love

If you’re using WordPress, chances are you’ll stumble upon some tutorials or web designers telling you to use the Really Simple SSL plugin to implement SSL encryption into your website easily. This is easy to do, and is easy to undo, and causes least problems, so I’d say it’s a great plugin for non-technical people. However in WordPress we generally try to reduce our dependency on plugins where possible, so use the steps below to implement SSL the “proper” way without slowing down your website.

1. Make sure you actually have an SSL certificate

Don’t assume you have SSL enabled. Go to https://yourwebsite.com to see if the SSL certificate loads fine or not. If you don’t have SSL, talk to your web hosting provider.

2. Edit your .htaccess file

You can do it two ways:

  1. By going directly into your hosting file manager, it’s usually in your root folder.
  2. By using a custom .htaccess code manager that’s part of another plugin (don’t install another plugin to edit .htaccess…. that’ll defeat the entire purpose of this exercise lol). For instance, Swift Performance has a custom .htaccess section where you can put your .htaccess code in there. Convenient if you already use Swift by default.

Use this code:

Option 1 (preferred):

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

Option 2 (if option 1 doesn’t work):

 # Redirect non-SSL to SSL
RewriteCond %{HTTPS} !on
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# Redirect www to non-www (SSL)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.yourwebsite\.com [NC]
RewriteRule ^(.*)$ https://yourwebsite.com/$1 [L,R=301]

Credit: Swift Performance

3. Replace hardcoded non-SSL links with Better Search Replace

Your webpage may be SSL encrypted but depending on how your website was built, it may still be pulling content from the non-SSL link. This results in Google Chrome not showing the Secure padlock – see here for more information: whynopadlock.com .

To fix this:

Before you start: Better Search Replace does NOT have an “undo” feature so be VERY careful, watch for typos!

  1. Download and activate Better Search Replace
  2. Use these settings:
    • Search for http://yourwebsite.com
    • Replace with https://yourwebsite.com
    • Select all tables
    • Case insensitive (check), Replace GUIDs (check), Run as dry run (uncheck)
  3. Run Search/Replace
  4. Repeat steps 2 & 3 with:
    • Search for http%3A%2F%2Fyourwebsite.com
    • Replace with https%3A%2F%2Fyourwebsite.com

3. Test

Open a new tab and type yourwebsite.com (without the https:// prefix) and it should load the SSL version automatically, with the Google “Secure” padlock if you’re on Chrome.


Spread the love