If you are using any of our Premium Payment Gateways then we highly recommend that you get an SSL certificate and enforce HTTPS on your site so your donation data is securely encrypted. The importance of this cannot be overstated. But it is not an easy task and involves many elements that most users are not familiar or comfortable with. This article is intended to be a guide to understanding the easiest way to make this happen for your site so you can get up and running with Give as quickly as possible.

There are 5 basic steps to configuring your WordPress website to use an SSL certificate and enforcing HTTPS for your whole site:

  1. Purchase and install an SSL certificate
  2. Update your site URL
  3. Force HTTPS throughout the site
  4. Resolve any insecure elements on your pages
  5. Update Google Webmaster Tools and Google Analytics

Each of these steps can be complicated and unique in each different hosting environment, so again, this is only a guide.

Purchase and Install an SSL certificate

The very first thing that must happen for all WordPress websites is to purchase and install an SSL certificate. While there are some new services that provide “free” SSL certificates, we do not recommend them for the purpose of online donations. The type of encryption free certificates provide is not secure enough for passing credit card information.

Instead, we highly suggest that you purchase your SSL certificate from your host directly and have them install it for you. While it is certainly possible to purchase and install an SSL certificate yourself, it is a very complex process and differs greatly with every hosting platform. If your host does not provide SSL certificates or the ability to install them for you, we would suggest looking for a new host.

If you want to look into installing an SSL certificate yourself, here are a few resources from popular hosts:

 

We highly recommend purchasing your SSL certificate from your web host and having them configure it for your website. If they don't offer those services, it might be time to move on.

Update your Site URL

Now that your SSL certificate is installed and configured for your site, you’ll notice that nothing has changed at all! That’s because your WordPress site hasn’t yet been configured to load using HTTPS instead of HTTP.

HTTPS is the “protocol” used to send encrypted data over the internet and what is required to make sure your donation transactions are secure.

For this step, all that is necessary is to go to “Settings > General” and change both the “WordPress Address” and “Site Address” URLs to use “https://” instead of “http://”.

WordPress Site URL Settings

After you’ve done that, you’ll be automatically logged out of your site. This is because the site now uses “https” and you are logged in with “http”. These are technically two different domains.

Force HTTPS Throughout your Site

Now that your site is configured to load with https, you want to make sure that ALL of your traffic is loaded via https. The issue is that Google has indexed your website everywhere using http. So you want to make sure that when a user finds your site with an http link, they are automatically redirected to https instead.

The easiest way to do this is with this plugin: WordPress Force HTTPS

There are quite a few out there that claim to do this. The reason we suggest this plugin currently is that all you do is activate it and you’re done. Keep in mind that every hosting environment is different. This plugin may not work exactly as you need.

If you find that doesn’t work for you, you might want to add the following to your .htaccess file via FTP.

Force HTTPS via HTACCESS

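<IfModule mod_rewrite.c>
RewriteEngine On
# Apply the rule only to requests that did not arrive on the HTTPS port (443).
# If HTTPS is terminated at a proxy or load balancer in front of the server,
# the port seen here is usually not 443 and the rule can loop.
RewriteCond %{SERVER_PORT} !^443$
# Send the visitor to the same host and path over HTTPS. R=301 makes the
# redirect permanent; a bare R sends a temporary 302.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>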

Resolve Insecure Elements on your Pages

OK. Now that your site has an SSL certificate, you’ve updated your site URL, and you are forcing all traffic to go to https, you might go to a page on your site and see a YELLOW lock or an alert that says you have insecure elements — or mixed-content errors — on your page.

Insecure Content Yellow Lock

This happens because all the time that you were building your site with http, all of your images were loaded into your pages and posts using “http”. The easiest way to resolve this is with a plugin called “Better Search Replace”. Here are the steps:

  1. Install and Activate Better Search Replace
  2. Go to “Tools > Better Search Replace”
  3. In the “Search/Replace” tab, do the following:
    • Search for = http://yourdomain.com
    • Replace with = https://yourdomain.com
    • In the “Select tables” area, select both wp_postmeta and wp_posts. Press “CTRL” or “CMD” to select multiples.
    • Unselect “Run as Dry Run”
    • Hit “Run Search/Replace”

Better Search Replace Settings

 

What this does is search through all of your posts and pages, update all the internal links that are loaded there, and set their protocol to “https”. Please note that if your site uses “www” you’ll need to include that as well. Further, if your site once used “www” or vice versa, you might want to run multiple searches for your domain with and without “www”. That’s why the “Dry run” setting comes in handy: you can check whether the search is relevant before actually replacing the results.

Once that is done, you’re all done! Congratulations!

Reasons Why You Still Might Not Be Done

So, now you’re bummed because you still have the Yellow lock on some pages. Unfortunately, there’s a really clear reason why this might happen, and it’s not fun.

Basically, you have a theme or a plugin which is loading “assets” like JavaScript or CSS files onto your site using an outdated or incorrect method. WordPress has many functions to use to make sure all of these assets are loaded with the appropriate protocol. If this is the case, there are only a few things you can do:

  1. Put your site URL into this tool. That will list all the insecure elements on your page. Look at those URLs and you should see whether it’s a plugin or your theme. Contact the theme or plugin author to get them to fix it.
  2. If you are using a Child Theme, you can most likely override that script. Our own Devin Walker has a great article on that on our WordImpress Blog.
  3. This might sound harsh, but switch themes or plugins. If your theme or plugin is not loading scripts correctly then there may be other aspects of the theme or plugin that put your site at risk. It may be better for you to move on.
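
The check described in step 1, sketched as an added example (not part of the original article or of Give): it lists the insecure subresources in a page's HTML and groups them by the plugin or theme directory they are served from. The sample page, example.org and the plugin and theme slugs are constructed for illustration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> only
# navigates and does not cause a mixed-content warning, so it is not listed.
FETCHING = {"img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
            "source": ("src", "srcset"), "video": ("src", "poster"),
            "audio": ("src",), "embed": ("src",), "object": ("data",)}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch
OWNER = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # insecure subresource URLs, in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        names = FETCHING.get(tag, ())
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = attrs.get(name, "")
            # srcset holds several "URL descriptor" candidates separated by commas
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            self.found += [u for u in urls if u.lower().startswith("http://")]

def insecure_by_owner(html):
    """Group insecure URLs by the plugin or theme directory that serves them."""
    finder = MixedContentFinder()
    finder.feed(html)
    grouped = defaultdict(list)
    for url in finder.found:
        m = OWNER.search(url)
        grouped[f"{m.group(1)}/{m.group(2)}" if m else "other"].append(url)
    return dict(grouped)

# Constructed sample page (example.org and the slugs are made up).
SAMPLE = """<head>
<link rel="stylesheet" href="http://example.org/wp-content/themes/old-theme/style.css">
<link rel="canonical" href="http://example.org/donate/">
<script src="http://example.org/wp-content/plugins/legacy-slider/js/slider.js"></script>
<script src="https://example.org/wp-includes/js/jquery/jquery.js"></script>
</head><body><a href="http://example.org/about/">About</a>
<img src="http://example.org/wp-content/uploads/hero.jpg"
     srcset="https://example.org/wp-content/uploads/hero-300.jpg 300w, http://example.org/wp-content/uploads/hero-600.jpg 600w">
</body>"""

if __name__ == "__main__":
    for owner, urls in insecure_by_owner(SAMPLE).items():
        print(owner, *urls, sep="\n  ")
```

URLs in the "other" group are typically images in post content, which the search and replace step above corrects. The scan covers only the static HTML, so assets pulled in from inside CSS files or injected by scripts will not appear.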

Update Google Search Console

Lastly, now that your site is fully configured with your SSL certificate and all traffic is being forced to “https”, you’ll want to let Google know about the change. As mentioned previously, Google has been busy indexing all your pages and posts with “http” for a long time. You want it to know that is no longer the best way to reach your site. There are a lot of online resources available for doing that, so this is just an overview:

  1. Create a new site in Google Search Console (formerly Webmaster Tools) with your updated https protocol
  2. Add your Sitemaps to that new account
  3. Tell Google to Index your new account