1. Get an SSL certificate
Mass Illusion provide you with a Free Comodo SSL Certificate for your sites
2. Start with the Admin
In WordPress-land, you might as well get HTTPS going in the admin area first. It's set up to handle it and there probably won't be any errors. (I keep saying "errors", I mostly mean "mixed content warnings" which I promise we'll get to.)
To force HTTPS in the admin area, put this line in your wp-config.php file at the root of your WordPress install:
define('FORCE_SSL_ADMIN', true);
Make sure you test that HTTPS is working properly first! Go to https://yoursite.com/wp-admin/ to check. Otherwise you'll be forcing URLs that don't work and that's bad. If you have trouble, remove that line right away.
All goes well, you'll get a secure connection. If it fails, then it means you have mixed content.
3. Try to get one page working on the front end
The next step is to get your front end on HTTPS. Forcing it all right away is probably going to be tough, so just start with one target page. For me, it was the signup page for The Lodge. That page can take credit cards, so really, it had to be HTTPS. This was the motivator for me early on to get this set up.
There is a plugin that can help with this: WordPress HTTPS (SSL). With that plugin, you get a checkbox on Posts/Pages to force it to be SSL.Get the plugin here: https://wordpress.org/plugins/wordpress-https/
4. Mop up Mixed Content Warnings
That's like: "Hey nice trying being HTTPS but you aren't fully so NO GREEN LOCK FOR YOU!"
In this case, it was some images being used in a CodePen embed with an HTTP src.
But it could be anything. HTTP <script>s, HTTP CSS <link>s, HTTP <iframe>s. Anything that ends up making an HTTP request that isn't HTTPS will trigger the error.
You just need to fix them. All. This plugin will do that for you https://shop.webaware.com.au/downloads/ssl-insecure-content-fixer/
5. Auto HTTPS
When you go to your site http://www.yoursite.com you need to get it to auto switch to https. You can do this here:
Add this line at the very beginning of your .htaccess file:
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]If this fails and you get a server error, try this:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]and replace yoursite.com with your full domain with https.
And lastly, in wordpress, click Settings > General and in both of these fields WordPress Address (URL) and Site Address (URL) Enter the full https address to your site like this: https://www.yoursite.com and click save. (yoursite.com will be your own domain.)