If you’re running a WooCommerce store, it’s essential that you keep it secure. This is where WooCommerce SSL comes in.
Even if you’re sending customers to a third party site to take payments, you will be collecting data on your customers, and it’s essential that that data doesn’t get into the hands of people it shouldn’t do.
Adding SSL to your WooCommerce store will help protect your site and your customer data. This is an essential step for any store owner.
Why You Need SSL for WooCommerce Stores
SSL isn’t just important for WooCommerce: it helps keep all websites secure. It also has SEO benefits, as Google ranks sites with SSL higher than those without.
For sites running any kind of ecommerce, including WooCommerce, SSL is particularly important. This is because you are collecting data from users in order to process purchases.
Even if you send users outside your site to make payment via a payment gateway like Paypal, you’ll still need to collect data such as address for deliveries or email address for downloads.
Installing SSL on your WooCommerce store will make it more secure and reduce the risk of this data being accessed by anyone other than you and your users.
That’s WooCommerce SSL, in short. Now, let’s look at what SSL is more generally.
What is SSL?
SSL stands for Secure Sockets Layer. It’s a technology that makes it harder for anyone who shouldn’t access data that’s being collected or processed by your website.
SSL uses key pairs to authenticate website access. The two keys are a public key, which anyone can access, and a private key, which is private. The relationship between the two means that only someone — the website owner — with the private key can encrypt information that’s transmitted using the public key. It also means anyone can use the public key to verify that the site is secure.
This doesn’t mean you have to store keys for your website. Instead, these are used by an SSL certificate that you install on your site.
A site with SSL installed will look different in the browser. Its URL will include https:// instead of http:// and you’ll see a padlock or other security symbol in the browser bar next to the URL.
Choosing the SSL Certificate for Your WooCommerce Store
It used to be that if you wanted to add SSL to your site, you’d have to pay for a certificate, buying it either through your hosting provider or via a third-party certificate authority.
At Kinsta, we provide free Cloudflare SSLs with wildcard support for all sites via our built-in Cloudflare integration. If you’re not hosted on Kinsta, most hosting providers offer free Let’s Encrypt SSLs. If your hosting provider doesn’t support Let’s Encrypt, you can install the SSL Zen plugin.
If you need a custom SSL certificate with additional features like Extended Validation, you can buy one from vendors such as Comodo, DigiCert, GeoTrust, Thawte, or Trustwave and then associate it with your site.
Installing an SSL Certificate for WooCommerce
If your site is hosted on Kinsta, you’ll be able to take advantage of our free Cloudflare SSL certificates without any manual setup! Once your domain is verified and pointed to Kinsta, it’ll automatically be protected by Cloudflare.
We also support custom SSLs for sites hosted on Kinsta. In some cases, certain business requirements may require you to install a custom SSL. If you’ve already purchased a custom SSL certificate from a third-party provider for your Kinsta site, check out how to get it installed.
Installing an SSL Certificate with a Plugin
If your hosting provider doesn’t include free SSL certificates as part of their plan, you can use the free SSL Zen plugin to add a free certificate with LetsEncrypt.
Install and activate the plugin on your site and then go to SSL Zen in the admin menu. Click the link to use the free version of the plugin and you will be taken to a setup screen.
Work through the wizard following the instructions and the plugin will access LetsEncrypt and install a certificate for you.
Forcing SSL
Once you’ve installed your SSL certificate, you’ll need to force it on your site, otherwise people would still be able to access the site via HTTP.
To do this in MyKinsta, go to the Tools tab for your site and select the Force HTTPS option. Select the domain you want to force HTTPS for and this will be enabled.
If you’re not withKinsta, you can also use a plugin to force HTTPS or add a few lines of code to either your Nginx or Apache server.
Alternatively, you can update your WordPress settings, add some code to your wp-config.php file, and make some edits to your .htaccess file.
To do this, start by going to Settings > General in your site. Edit the site URL and WordPress URL so that they include https:// instead of http://.
Next, you’ll need to force SSL for the admin screens too. Add this line to your wp-config.php file, right above the line that says ‘That’s all, stop editing!’:
define('FORCE_SSL_ADMIN', true);
The final step is to edit your .htaccess file. Open it in a code editor and find any lines with the site URL in. Replace any instances of http:// with https:// then save the file.
You’ve now forced SSL on your site.
Frequently Asked Questions about WooCommerce SSL
Here are the answers to some frequently asked questions about WooCommerce SSL.
How Do I Add SSL to my WooCommerce Cart Page?
Sometimes you might want to add SSL to WooCommerce but not to the rest of your site. This is something that’s becoming less frequent now as more sites switch over to SSL for security and SEO reasons.
If for some reason you choose not to install SSL on your site as a whole, you must add it to your Cart pages in WooCommerce. This is because those pages are transmitting sensitive information. If your customers’ data is stolen, you could be liable.
To do this, you don’t force SSL on your entire site. However, you do have to install a certificate on your site.
Once you’ve done that, go to WooCommerce > Settings > Advanced. If your site isn’t running on HTTPS there will be a Force SSL setting. Toggle this to “On” and save your changes.
Note: if your site is already running on SSL, this option won’t be available.
What’s the Difference Between WooCommerce SSL and HTTPS?
SSL and HTTPS aren’t strictly speaking the same thing, but in terms of application, they mean much the same.
SSL is the technology that protects your site: you use an SSL certificate to add it to your site. HTTPS is the protocol used when a browser visits your site. The https:// tells visitors that you have an SSL certificate installed.
Suggested reading: TLS vs SSL.
Do I Need a Dedicated IP Address for WooCommerce SSL?
A dedicated IP address means that the Internet Protocol or IP address for your site isn’t shared with any other sites. This is a series of numbers that uniquely identifies each server on the web. URLs are the locators that translate IP addresses into a form that human beings can understand. If you’re using shared web hosting you won’t have a dedicated IP address unless you buy one or have one included in your package.
You don’t need to have a dedicated IP address to run SSL on your WooCommerce store.
Is SSL PCI Compliant?
PCI compliance stands for Payment Card Industry compliance and relates to the way data from payment cards is stored and transmitted online.
SSL isn’t all you need for PCI compliance but it is an important part of it. PCI compliance also includes security assessments and server scans.
Most WooCommerce sites link to a payment gateway for taking credit card payments and we’d recommend that you do the same. That way, you and your customers have the protection of the payment gateway provider.
How Do I Add SSL Certificate to a WooCommerce Site Running on WordPress Multisite?
If your site is running on WordPress Multisite, the way you approach SSL will depend on whether the site is using subdomains or subdirectories, and whether you’re using domain mapping.
Most WordPress sites running WooCommerce will be using a mapped domain to make the site appear as professional and branded as possible. This means that if your site is hosted at mynetwork.com/mysite, that won’t be the domain customers use. Instead, they’ll use the domain mysite.com (or whatever domain you map to the site). If you’re doing this, you will need to install an SSL certificate for mysite.com.
If the network is run on subdirectories (i.e. mynetwork.com/mysite), then one SSL certificate will apply to the entire network as it is running on one domain name.
If the network is using subdomains (mysite.mynetwork.com), you will need to install a wildcard SSL certificate, or manually install an SSL certificate for each subdomain. This is because each subdomain is treated as a separate domain.
Troubleshooting WooCommerce SSL
Once you’ve installed your SSL certificate it should work smoothly, but if not, follow these tips to troubleshoot any problems.
Troubleshooting ‘Non-secure Content’ Error Warnings
If you’re getting this warning on a site with SSL installed, it’s probably because some of your content isn’t being delivered securely (mixed content issue), most often images and other media. Occasionally it’s due to some of your scripts being loaded over HTTP.
Here are some steps that can help you resolve the problem.
- Open the source code for a page where this error is being generated. Search for ‘src=http//‘. This will help you identify the source of the problem.
- Make sure SSL is forced on your entire site, and not just via the Settings. See the section above on forcing SSL for details of how to do this.
- If scripts are being loaded insecurely, check if it’s the fault of a plugin. If so, try deactivating that plugin.
- If links and media inserted into the content are a problem, this may be because you inserted those links and media before adding SSL to your site. Try doing a search and replace in your database for http://yoursite.com and replacing it with the https:// equivalent.
- If external links to media are the issue, make sure you are hosting all content from a secure source. If you’re pulling in media from another site, that should also be running SSL.
Troubleshooting the ‘Your Store Is Not Using HTTPS’ Error Warning
If you get this error, it’s because you either haven’t forced SSL for WooCommerce or you haven’t forced it for the site as a whole. See the sections above on forcing SSL for details of how to do this.
If you’ve forced SSL in WooCommerce but not the whole site and you’re still getting this error, try running SSL on the site as a whole. This is what the WooCommerce documentation recommends.
Troubleshooting SSL Not Working in the WooCommerce Cart Page
If SSL isn’t running on the cart page, check that you have forced it in the WooCommerce settings (or for the site as a whole) and that you have a valid and up to date SSL certificate for your site. An invalid SSL certificate could trigger the “your connection is not private” error, which may drive your users away.
Forcing SSL in WooCommerce will only work if you have registered an SSL certificate for your domain.
Troubleshooting SSL Handshake Failed error
This error occurs when the browser is unable to establish a secure connection with the server. Unfortunately, this can happen because of various reasons. You can read our in-depth guide on how to fix this SSL connection-related issue.
Troubleshooting Expired SSL Certificates
Sometimes you’ll get an error message for SSL which is simply due to your certificate expiring.
Try to use a service which automatically renews your certificate, or failing that, make sure you diarize to renew it before it is due.
On Kinsta, you don’t need to worry about managing SSL renewals because our system automatically takes care of it for you. If you’re using a custom SSL on your site, be sure to keep track of certificate renewals to prevent downtime.
Summary
Installing an SSL certificate is an essential task for any WooCommerce site owner. It will protect your customer’s data, give your customers more trust in your brand, and benefit your SEO.
With LetsEncrypt, SSL is free and easy to set up. And if you’re hosting your WooCommerce store (or any other site) with Kinsta, you can easily add and manage SSL certificates through the MyKinsta dashboard.