Tutorial: How to fix some final WordPress SSL settings

After installing an SSL certificate and having the plugin Really Simple SSL on WordPress, there are still some errors (some things stay "disabled"). To fix them all, do this:

1. Enable HTTP Strict Transport Security (HSTS)

Open your .htaccess file in your root directory and add this:

2. Set Secure Cookies

Add in the wp-config.php file in your root directory and add this:

garryneville said:

After installing an SSL certificate and having the plugin Really Simple SSL on WordPress, there are still some errors (some things stay "disabled"). To fix them all, do this:

1. Enable HTTP Strict Transport Security (HSTS)

Open your .htaccess file in your root directory and add this:

Code:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

2. Set Secure Cookies

Add in the wp-config.php file in your root directory and add this:

Code:

//Begin Really Simple SSL session cookie settings
@ini_set(‘session.cookie_httponly’, true);
@ini_set(‘session.cookie_secure’, true);
@ini_set(‘session.use_only_cookies’, true);
//END Really Simple SSL cookie settings

Click to expand...

Hello,
HSTS header should not be enabled without understanding what is it, because when you enable HSTS, your site must continue to support HTTPS until the expiry time (max-age) has been reached.
Additional informations are available on https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security

If you have already installed an SSL certificate on your WordPress website and want to ensure that all final SSL settings are configured properly, here are a few steps you can follow:

Update the WordPress Address and Site Address: Go to your WordPress dashboard, navigate to Settings > General and update the WordPress Address and Site Address to use "https" instead of "http". This will ensure that your site is accessible over a secure connection.

Install and configure a security plugin: There are several security plugins available for WordPress, such as Wordfence, iThemes Security, and Sucuri. Install one of these plugins and configure it to enforce SSL on your site, as well as scan your site for any potential security vulnerabilities.

Redirect all HTTP traffic to HTTPS: To ensure that all visitors to your site are using a secure connection, you should redirect all HTTP traffic to HTTPS. This can be done by adding the following code to your website's .htaccess file:


Update your website's sitemap and Google Analytics: If you have a sitemap or Google Analytics set up for your website, make sure that you update them to use the new "https" URL. This will ensure that all traffic to your site is tracked properly and that search engines can index your site correctly.
By following these steps, you can ensure that your WordPress website is fully configured to use SSL and that all traffic to your site is secure.