What is SSL and HTTPS? ↑ Back to Top

SSL (Secure Socket Layer) is a protocol used on the web for:

  • Encrypting website data so that data sent from the browser to the server and vice versa is protected.
  • Authenticating your website so visitors know you are who you say you are
HTTPS just means HTTP with SSL.
Just as “http://” means “this is a website,” seeing “https://” means “this is a website, and it’s using SSL to encrypt data and authenticate the website.

Why would you want SSL? ↑ Back to Top

  • You are accepting or transmitting sensitive data such as user details and billing information and need to keep it safe
  • You want to secure logins and signups on your site
  • You need to comply with privacy and security requirements
  • You want users to trust your site

Setting up SSL with WooCommerce ↑ Back to Top

To use SSL on your website you will need to purchase an SSL certificate – there are many providers of certificates all ranging in price (your hosting provider may also sell certificates). The purchased certificate is set up on your server, usually by your host.

WooCommerce currently supports dedicated SSL certificates – not shared.

Once set up, you should be able to access your store via – your browser may show a ‘lock’ icon in the address bar to show it is secured.

The Force SSL setting ↑ Back to Top

The Force SSL setting in WooCommerce will ensure certain pages are only shown over HTTPS when enabled. These pages are:

  • Checkout
  • Checkout -> Pay
  • My Account

Troubleshooting SSL issues ↑ Back to Top

Error pages over HTTPS

This could indicate a setup issue with your certificate. It is advisable to contact your hosting provider to look into the problem.

Redirect Loops

WooCommerce uses WordPress’ is_ssl() function to redirect insecure pages. This can cause a redirect loop in the following instances:

  1. You have another SSL plugin installed, such as WordPress HTTPS, trying to un-force the secure URL. Remove the other plugin, or turn off the Force SSL setting.
  2. Your host does SSL by proxy making https undetectable. Seehere

Insecure content warnings

If you have insecure content warnings when viewing a secure page it means you will be linking directly to scripts, images, or stylesheets over http instead of https. Most of the time this is simply fixed by changing said links to https or by using relative URL’s (e.g. /wp-content/file instead of http://yoursite/wp-content/file).

You can also use a plugin like WordPress HTTPS to force the URLS to be secure. WooCommerce does secure scripts which are enqueued correctly.

To identify the insecure links you can use a tool such as Firebug for firefox, or Chromes built in developer tools, and look at the error console – insecure resources will be listed.

Websites behind load balancers or reverse proxies

WooCommerce uses is_ssl() WordPress function to verify if your website is over SSL or not.

is_ssl() checks if HTTPS or on Port 443. And this won’t work for website behind some load balancers, especially Network Solutions hosted websites. For details, read WordPress is_ssl() function reference notes.

Websites behind load balancers or reverse proxies that support HTTP_X_FORWARDED_PROTO can be fixed by adding the following code to the wp-config.php file, above the require_once call:

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
If you use CloudFlare, you’ll probably need to configure it.
Back to the top