Although you can purchase an SSL certificate from the Certifying Authority (CA) and add it to your WordPress website, you will have to spend some money to buy and renew the certificate yearly.
This guide looks at two methods to set up a free SSL certificate on WordPress.
Why You Should Get a Free SSL Certificate for WordPress
What is SSL exactly, and why do you need it? A Secure Socket Layer or SSL certificate helps secure the connection to your WordPress site. It prevents attackers and hackers from accessing or modifying the information transferred from your web server to the user’s web browser and vice-versa.
When visitors visit your site, they see a padlock icon next to the URL in the address bar, indicating an SSL-secured website.
You can use the Cloudflare free account to add SSL to your WordPress site and make it secure without spending a single buck. It’s easier and can be done in a few minutes after setting up a Cloudflare account. You may also install the certificate and set up SSL on your WordPress site using Let’s Encrypt.
Below, we have explained both methods to help you set up free SSL on a WordPress site.
How to Set Up a Free SSL Certificate on WordPress With Cloudflare
Setting up an SSL or other website security certificates and securing your unsecured HTTP site to HTTPS using Cloudflare is much easier, convenient, and more secure.
Also, you don’t need to renew the certificate as it’s done automatically. And in case you are still unsure whether to enable SSL or not, there are plenty of other reasons your site needs an SSL certificate.
To set up your WordPress site’s SSL certificate on Cloudhe steps are as follows:
1. Add Site To Cloudflare
- Visit Cloudflare and sign up using your email account.
- After creating the account, click on Websites and then click Add Site.
- Enter the website URL and click Add Site.
- Choose the Free plan and click Continue. It will scan for the DNS records. Click Continue > Confirm.
- Copy the new nameservers displayed by Cloudflare and then log in to your domain registrar website to update the nameservers.
- Once updated, click Done, check nameservers.
Your site may become inaccessible for a while as you update the nameservers and point the site to Cloudflare. However, this is temporary, and your site will be online after a few seconds or minutes.
- In Cloudflare, go to DNS and click Add Record.
- Choose A record, type @ in the Name field, and then enter the IP address of your web server. Make sure to keep the Proxy Status enabled and click Save.
- Similarly, add a CNAME record with “www” in the Target field.
2. Enable SSL in Cloudflare
Once the A and CNAME records are added, go to the SSL/TLS section and choose Full or Flexible. Do not choose Full (Strict).
This will force the site to HTTPS mode. However, to ensure your WordPress site loads with HTTPS, you need to make a few changes to the WordPress site.
3. Enable SSL on the WordPress Site
To ensure your WordPress site is secured and loads with an HTTPS connection, log in to your WordPress site as an administrator and follow these steps:
- Go to Plugins > Add New and install the ReallySimpleSSL plugin. After installation, activate the plugin.
- Then go to Settings > General and update the WordPress Address (URL) and Site Address (URL).
- Under Settings, click SSL.
- Turn on Mixed Content Fixer, Enable WordPress 301 redirect and Enable 301 .htaacess redirect options.
- Click Save.
At this stage, you have successfully enabled SSL encryption and enabled an HTTPS connection to your site. Next, visit your site URL with an HTTPS prefix—for instance, https://abc.com. Your WordPress site will load with an HTTPS connection.
How to Set Up a Free SSL Certificate on WordPress With Let’s Encrypt
If you don’t want to use Cloudflare for HTTPS and want to enable SSL on your original web server for complete encryption, you can follow the instructions below to set up Let’s Encrypt SSL.
If you use managed WordPress hosting, check with your web hosting service provider for Let’s Encrypt. Many provide built-in options to enable, disable, and manage Let’s Encrypt SSL.
However, if you use an unmanaged Linux server hosting for your WordPress site or the Let’s Encrypt option isn’t provided by the hosting provider, you can manually install and configure the Let’s Encrypt SSL certificate on the WordPress site with an Apache server by following these steps:
- Use Putty or Terminal to log in to your web server as an administrator.
- Install certbot by executing the following command.
sudo apt install certbot python3-certbot-apache
- Open the site configuration file using the Nano editor, and find your existing domain name.
sudo nano /etc/apache2/sites-available/My_domain.conf
- Check and ensure ServerName and ServerAlias are already there. If not, add them.
- To save and exit the editor, press CTRL+X, type Y and press the Enter key.
- Verify the changes and reload the Apache server by using the following commands.
sudo apache2ctl configtest
sudo systemctl reload apache2
- Check the firewall status and enable the Apache full profile.
sudo ufw status
sudo ufw allow 'Apache Full'
sudo ufw status
- Now obtain the SSL certificate using the Certbot we installed earlier.
- You need to validate the email address where you will receive an email for certificate renewal.
- After adding the email, type “A” and press Enter to agree to the Let’s Encrypt terms.
- Confirm if you want to share the email with EFF to receive information and news.
- Now, type the number of the domain displayed on the output to enable the certificate for the domain and subdomains.
- After you obtain the certificate, you need to select whether you want to redirect the traffic to HTTPS or not. Type the number two and press Enter to enable and redirect traffic to the HTTPS site.
- This will update the required configuration files. The certificate is valid for 90 days, so you need to renew it manually before then. You can also enable auto-renewal using the following commands.
sudo systemctl status certbot.timer
sudo certbot renew
- If you receive no errors, you can install and set up the free ReallySimpleSSL plugin on your WordPress site, as discussed above, to enable HTTPS connection to your site.
Which Should You Use: Cloudflare or Let’s Encrypt?
When you use Cloudflare for HTTPS, the connection from your web server to Cloudflare is not secure. However, users accessing your site will not see any HTTPS warning. This is because the data served or received by your web server isn’t secured completely, as there’s no end-to-end encryption.
On the other hand, Let’s Encrypt allows you to enable end-to-end encryption for your WordPress website. But, this is a highly advanced and complex process involving editing your web server files and services. If you are not experienced with web servers, avoid this method and use Cloudflare for WordPress SSL.
Installing an SSL certificate is one way to improve your WordPress site’s security. In addition, it might be worth installing some plugins to secure your website from hackers.