If you have a WordPress site hosted on Amazon Web Services (AWS), it’s relatively easy to configure it to use HTTPS, so that you can facilitate secure communication between your website and end users.
Recently, Google Chrome started listing all HTTP sites as ‘Not Secure’, which may turn visitors away, even from a simple blog site. So an additional benefit of securing your site using HTTPS is that browsers will mark it as being ‘Secure’:
The steps below are for a WordPress site hosted on an AWS EC2 Linux instance and using AWS Certificate Manager, Route 53 and Elastic Load Balancer services.
The first thing you need to do is obtain a Public SSL Certificate, which will be used to secure network communications with your site. This is a simple process using the AWS Certificate Manager, which can be found in the Console under ‘Security, Identity & Compliance’:
Once obtained, the CNAME records will need to be added to your DNS service, which is part of the validation process – if you use AWS Route 53, this is a simple case of clicking the ‘Create record in Route 53’ button. The full process is clearly detailed in the relevant AWS user guide:
Once you’ve obtained the certificate and its status has changed from ‘Pending Validation’ to ‘Issued’, you can then create an Application Elastic Load Balancer (ALB) and configure an HTTPS listener using the certificate that you just obtained. Again, this process is well documented by AWS:
One additional step that I performed was to make sure that any HTTP traffic was re-routed to HTTPS. You can achieve this under the ‘Listeners’ section of your ELB, by selecting ‘view/edit rules’ against the 80 listener ID:
Create/Edit the rule to redirect to HTTPS on port 443:
The next thing you need to do is update the configuration of your WordPress server to use HTTPS instead of HTTP. This is a simple case of modifying your wp-config.php file. I did this using the Nano text editor – I recommend creating a backup copy of your existing file first!
Once opened in Nano, you need to add the following lines (changing your.website.com for the address of your site):
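if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    $_SERVER['HTTPS'] = 'on'; // the load balancer terminated TLS, so tell WordPress the request was HTTPS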
The first line ensures that the admin pages and login are secure.
The second and third lines set the default WordPress Home and Site addresses.
The final command configures the WordPress HTTPS redirection.
These lines must all be added BEFORE the /* That's all, stop editing! Happy blogging. */ line – do not add them to the very end of the file:
Then restart the HTTPD service using the command ‘service httpd restart’ and test out the configuration.
I initially found that whilst my site was now partially secure and the certificate was showing as valid, there was some ‘mixed content’ that was preventing my site from being classed as ‘Secure’ by Chrome:
On further investigation, this turned out to be due to the image links in existing posts remaining set to http, rather than https.
For my new and very basic site, this was easily resolved by manually editing the image URLs in the few posts that I had:
If you have a large number of existing posts and images, you would need to look into bulk modifying the relevant database entries, using a search and replace tool.
Any new images added will automatically be set to https.
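For a site with more than a handful of posts, it helps to list the insecure references before changing anything. The following is an added example, not code from the original post: it scans a post body for subresources still loaded over http and rewrites only those on the site's own host. The function names, the sample post and the your.website.com host are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
SITE_HOST = "your.website.com"  # placeholder host, as in the post
# Attributes that fetch a subresource; a plain <a href> is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "video": ("src", "poster"), "audio": ("src",),
}

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, url) for each http:// fetch

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated "url descriptor" candidates
            parts = value.split(",") if name == "srcset" else [value]
            for tokens in (p.split() for p in parts):
                if tokens and tokens[0].lower().startswith("http://"):
                    self.found.append((tag, name, tokens[0]))

def find_mixed_content(post_html):
    """Return (tag, attribute, url) for each insecure subresource."""
    finder = _Finder()
    finder.feed(post_html)
    return finder.found

def split_by_host(found, site_host=SITE_HOST):
    # Own-host URLs are covered by the new certificate; others are not ours to vouch for.
    own = [u for _, _, u in found if urlsplit(u).hostname == site_host]
    other = [u for _, _, u in found if urlsplit(u).hostname != site_host]
    return own, other

def upgrade_own_urls(post_html, own_urls):
    """Rewrite only own-host URLs; third parties need a manual check."""
    for url in sorted(set(own_urls), key=len, reverse=True):
        post_html = post_html.replace(url, "https://" + url[len("http://"):])
    return post_html

# Constructed sample post body (not taken from the original site)
SAMPLE_POST = (
    '<p><a href="http://example.org/page">a link</a></p>'
    '<img src="http://your.website.com/uploads/a.jpg" '
    'srcset="http://your.website.com/uploads/a-300.jpg 300w">'
    '<img src="https://your.website.com/uploads/b.jpg">'
    '<script src="http://cdn.example.net/lib.js"></script>'
)
```

This works on post HTML held in a string and does not touch the database, where some WordPress values are stored as serialized PHP with length prefixes that a search and replace tool has to preserve.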