SSL creates a secure connection between two machines or devices over the Web or an internal network, safeguarding and allowing sensitive data to be privately transmitted.
An SSL certificate is issued after verifying the authenticity of a website and identity of its owner, as indicated by the ‘S’ in https.
Many payment gateways require it. We strongly recommend it. And customers visiting your WooCommerce store see it as a sign of trustworthiness and expect to see the padlock in the address bar when browsing, buying, and entering their account and payment details.
What is SSL and HTTPS?
↑ Back to topSSL (Secure Socket Layer) is a protocol used on the Web for:
- Encrypting website data sent from the browser to the server, and vice versa, so it’s protected
- Authenticating your website so visitors know your identity has been verified
Just as “http://” means “this is a website,” seeing “https://” means “this is a website, and it’s using SSL to encrypt data and authenticate the website.”
Why you need SSL
↑ Back to top- You are accepting/transmitting sensitive information, such as addresses and credit card numbers, and need to keep them safe.
- You want to secure logins and signups on your site.
- You need to comply with privacy and security requirements.
- You want users to trust your website.
- You want customers to buy from your eCommerce store.
Websites with SSL are also said to rank higher with search engines and load faster.
How to set up SSL with WooCommerce
↑ Back to topTo use SSL on your website, you need to obtain an SSL certificate. You have free and paid options.
Free option – Let’s Encrypt
↑ Back to topLet’s Encrypt is a certificate authority (CA) providing free SSL certificates for the public to support a more secure and privacy respecting Web. WordPress and WooCommerce love this initiative. Learn more at: About Let’s Encrypt and How It Works.
There are two ways to get a free SSL from Let’s Encrypt.
Select a Hosting Company with Free SSL
Our WooCommerce hosting partners offer free SSL certificates for WordPress users that can be installed with only a few clicks, or often no installation if you purchase a web domain with the hosting package.
Other hosting companies: Ask your existing or preferred hosting company if they offer a free SSL from Let’s Encrypt, and then follow instructions given. If they do not offer this option, go to Install Yourself in the next section.
Install Yourself
Should you prefer or already have a hosting company that lacks a click-and-install tool but offers the option to install a free SSL certificate, you can still use Let’s Encrypt.
Support for installation and setup of a SSL certificate isn’t available from WooCommerce.com.
Paid SSL options
↑ Back to topThere are providers that sell a range of SSL certificates that you install on your website/store. And your hosting company may also sell SSL certificates, which they can help install on a new or existing website/store.
For low-cost options, see: Where can I get an affordable SSL certificate?
After SSL setup
↑ Back to topThe certificate is set up on your server, after which you can access your store via https://yoursite.com. Your browser may show a ‘lock’ icon in the address bar to show it is secured.
For new websites/stores
WordPress/WooCommerce URLs need to be updated after installation of an SSL certificate.
- Go to Settings > General.
- Update the WordPress Address and Site Address to include https://
- Save changes.
For existing websites/stores
Because your website/store has already been indexed under http:// , it now needs to be redirected to https:// so visitors and customers can continue to find you. Really Simple SSL is a plugin that can help with this.
Other tips:
- Amend internal links in your content, which can be achieved with Search and Replace
- Update Google Analytics settings, if you use it
- Use SSL Server Test to confirm SSL has been implemented and fix any issues
- Perform an SSL Check to uncover any non-secure links and content
WooCommerce Force SSL setting
↑ Back to topBefore using this setting, note that we highly recommend running your entire website/store with https, not just the checkout page.
If you choose not to take our advice, you can enable SSL only on your checkout page– note the “Force SSL” setting will not be offered if your site’s URL is already https. The Force SSL setting in WooCommerce (at WooCommerce > Settings > Checkout > Checkout Options in WooCommerce 3.3 and below, or WooCommerce > Settings > Advanced in WooCommerce 3.4+) ensures that certain pages are only shown over https when enabled. These pages are:
- Checkout
- Checkout > Pay (endpoint)
- My Account
Troubleshooting SSL issues
↑ Back to topError pages over HTTPS
↑ Back to topThis may indicate a setup issue with your certificate. We advise contacting your hosting provider to look into it.
Non-secure content warnings
↑ Back to topNon-secure content warnings when viewing a secure page indicate that you are linking directly to scripts, images, or stylesheets over http instead of https.
Most times, this is fixed by changing links to https or by using relative URLs (i.e., /wp-content/file instead of http://yoursite/wp-content/file).
To identify non-secure links, use your browser built-in developer tools, and look at the error console. Non-secure resources for the page you’re viewing, will be listed.
Redirect Loops
↑ Back to topWooCommerce uses the WordPress is_ssl() function to redirect non-secure pages. This can cause a redirect loop when:
- You have another SSL plugin installed, such as Easy HTTPS Redirection, trying to un-force the secure URL. Try removing the other plugin or turn off the Force SSL setting.
- Your host does SSL by proxy, making https undetectable. See SSL by Proxy Problems.
Websites behind load balancers or reverse proxies
↑ Back to topWooCommerce uses the is_ssl() WordPress function to verify if your website using SSL or not.
is_ssl() checks if HTTPS or on Port 443. However, this won’t work for websites behind load balancers, especially websites hosted at Network Solutions. For details, read WordPress is_ssl() function reference notes.
Websites behind load balancers or reverse proxies that support HTTP_X_FORWARDED_PROTO can be fixed by adding the following code to the wp-config.php file, above the require_once call:
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
$_SERVER['HTTPS'] = 'on';
}