SSL and HTTPS

What is SSL and HTTPS?

SSL (Secure Sockets Layer) is a protocol used on the web for:

  • Encrypting website data so data sent from the browser to the server and vice versa is protected
  • Authenticating your website so visitors know your identity has been verified

HTTPS just means HTTP with SSL. Just as “http://” means “this is a website,” seeing “https://” means “this is a website, and it’s using SSL to encrypt data and authenticate the website.”

Why would you want SSL?

  • You are accepting or transmitting sensitive data, such as user details and billing information, and need to keep them safe
  • You want to secure logins and signups on your site
  • You need to comply with privacy and security requirements
  • You want users to trust your site

Setting up SSL with WooCommerce

To use SSL on your website, you need to buy an SSL certificate. Many providers sell certificates at a range of prices; your hosting provider may also sell certificates.

The certificate is set up on your server, usually by your host. Once set up, you can access your store via https://yoursite.com — your browser may show a ‘lock’ icon in the address bar to show it is secured.

WooCommerce currently supports dedicated SSL certificates – not shared.

The Force SSL setting

When enabled, the Force SSL setting in WooCommerce ensures that certain pages are only shown over HTTPS. These pages are:

  • Checkout
  • Checkout -> Pay
  • My Account

Troubleshooting SSL issues

Error pages over HTTPS

This may indicate a setup issue with your certificate. We advise contacting your hosting provider to look into it.

Redirect Loops

WooCommerce uses the WordPress is_ssl() function to redirect non-secure pages. This can cause a redirect loop when:

  1. You have another SSL plugin installed, such as WordPress HTTPS, trying to un-force the secure URL. Try removing the other plugin or turning off the Force SSL setting.
  2. Your host does SSL by proxy, making https undetectable. See SSL by Proxy Problems.

Non-secure content warnings

If you have non-secure content warnings when viewing a secure page, it means you are linking directly to scripts, images, or stylesheets over http instead of https.

Most of the time, this is fixed by changing these links to https or by using relative URLs (e.g., /wp-content/file instead of http://yoursite/wp-content/file).

You can also use a plugin like WordPress HTTPS to force URLs to be secure. WooCommerce secures scripts that are enqueued correctly.

To identify non-secure links, use a tool such as Firebug for Firefox or Chrome’s built-in developer tools, and look at the error console. Non-secure resources will be listed.

Websites behind load balancers or reverse proxies

WooCommerce uses the WordPress is_ssl() function to check whether your website is using SSL.

is_ssl() checks whether HTTPS is on or the request is on port 443. However, this won’t work for websites behind load balancers, especially websites hosted at Network Solutions. For details, read the WordPress is_ssl() function reference notes.

Websites behind load balancers or reverse proxies that support HTTP_X_FORWARDED_PROTO can be fixed by adding the following code to the wp-config.php file, above the require_once call:

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
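
The snippet above accepts X-Forwarded-Proto from any client, so if the web server can also be reached without going through the proxy, a plain HTTP request can be treated as HTTPS. A stricter variant, as an added example that is not WooCommerce or WordPress code, honours the header only when the connection comes from a known proxy. The example_* names and the proxy addresses are assumptions (constructed placeholders).

```php
<?php
// Added example for wp-config.php (omit the opening tag when pasting).
// Assumption: constructed placeholder addresses (RFC 5737 ranges).
// Replace them with the addresses your load balancer connects from.
$example_trusted_proxies = array( '192.0.2.10', '198.51.100.0/24' );

// Hypothetical helper: true if IPv4 address $ip is inside $cidr.
// A bare address is treated as a /32. Malformed input never matches.
// IPv4 only; assumes 64-bit PHP.
function example_ip_in_cidr( $ip, $cidr ) {
	$parts = explode( '/', $cidr, 2 );
	$bits  = isset( $parts[1] ) ? $parts[1] : '32';
	$ip_n  = ip2long( $ip );
	$net_n = ip2long( $parts[0] );
	if ( false === $ip_n || false === $net_n || ! preg_match( '/^\d{1,2}$/', $bits ) || (int) $bits > 32 ) {
		return false;
	}
	$mask = ( 0 === (int) $bits ) ? 0 : ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
	return ( $ip_n & $mask ) === ( $net_n & $mask );
}

// Hypothetical helper: decide whether the client's request used HTTPS.
// X-Forwarded-Proto is honoured only when the direct peer (REMOTE_ADDR)
// is a trusted proxy, because any client that can reach the web server
// directly can send that header itself.
function example_request_is_https( array $server, array $trusted ) {
	if ( ! empty( $server['HTTPS'] ) && 'off' !== strtolower( $server['HTTPS'] ) ) {
		return true; // TLS terminated on this server.
	}
	if ( ! isset( $server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_PROTO'] ) ) {
		return false;
	}
	foreach ( $trusted as $cidr ) {
		if ( example_ip_in_cidr( $server['REMOTE_ADDR'], $cidr ) ) {
			return 'https' === strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) );
		}
	}
	return false; // Header arrived from an untrusted peer: ignore it.
}

if ( example_request_is_https( $_SERVER, $example_trusted_proxies ) ) {
	$_SERVER['HTTPS'] = 'on';
}
```

As with the original snippet, this goes above the require_once call. The proxy should also be configured to overwrite any X-Forwarded-Proto value sent by the client rather than pass it through.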

If you use CloudFlare, you need to configure it.