Whether or not you have concerns about security for content on your domain, there are very good reasons for understanding to make sure your content is served over SSL (Secure Sockets Layer), and how the http:// in front of web site addresses is different from ones that start with https:// (known as URL protocols).

Sites with web addresses that are reached via https:// send content that is certified to be secure. It’s based on a set of certificates issued to a site from an authority that can communicate their authenticity to your web browser. For a visitor this means the site is authentic, the information sent between them and the site has not been altered in anyway, and is secure (learn more about SSL and secure web browsing). Learn more about SSL:


You are likely not transmitting super secure information from your domain nor dealing with information that needs high protection, but when we do log into sites with passwords (like many of the applications such as WordPress), it’s worth setting up your sites to use SSL.

But more than that, modern web browsers will soon start inserting the word INSECURE before web content not using SSL, and Google will eventually be changing their search results to favor sites using SSL.

Another reason for creating content that can be served under SSL may come into play later is that there are ways you can bring your domain content into an Learning Management System / Virtual Learning Environment, using  iframe tags – for this to work, the content must be served over SSL.

While this may seem “cryptic” and highly technical, the tools in your cpanel make it easy to set up your content to work under both protocols, and also, to default to https. It’s well worth it to have an understanding and appreciation for what that one extra “s” in a web address means for  sites your domain.

About SSL Certificates in cPanel

For domains hosted by Reclaim Hosting including ones on StateU.org the good news is that getting an SSL certificate is not only free, it is set up for your domains (and subdomains) automatically. Using them comes into play typically when you install a new app, so when you find the place where the Installatron installer (like you might see first in the Domain Kit for installing WordPress) asks for a location to where to install the application. If you see options for both http:// and https:// addresses, use the latter:

Interface for choosing the location where to install Grav; under a dropdown menu for the domain gadgets.stateu.org, arrows point to http://sandbox.gadgets.stateu. org, and the one selected https://sandbox.gadgets.stateu.org

Always choose the https:// option for installing a new app.

SSL For Directory Based Web Sites

For some things in your web site you may be creating content directly, e.g. by uploading via the File Manager as we did with the Adding a Self Contained Site with File Manager kit. In this case. as well as where we might be testing different sites in subdirectory of a sandbox subdomain, by default we can use either say http://sandbox.gadgets.stateu.org/eduhack-demo/ or https://sandbox.gadgets.stateu.org/eduhack-demo/ to access the site. The certificate for the subdomain applies to any site within it

But if we may want to make sure we only use https for sites in our sandbox, we can make that happen. Go to your cPanel, and inside the Domains group, click the Domains icon.

This provides an overview of all domains and subdomains in your account, including the document root (where in your account to find the content in file manager), if the domain/subdomain has been set up to be a redirect (as we do in the Creating Subdomains for Different Sites kit), and for what we want now, a switch to Force HTTPS Redirect:

If we want all requests to sites in our sandbox.gadgets.stateu.org subdomain to be handled by https. we turn this on. Thus any request in that subdomain for an address like http://sandbox.gadgets.stateu.org/eduhack-demo/ will be automatically sent to https://sandbox.gadgets.stateu.org/eduhack-demo/ thus ensuring our content is served as SSL.

What If a Domain or Subdomain Does Not Have An Option for HTTPS?

This is likely not something you will see unless you have had a domain for a while, but it may mean that an SSL certificate was never installed.  You can have one created by going to cPanel, and under Security, use the icon for Lets Encrypt SSL to add a certificate to your domain.

What if a WordPress Site was Installed under HTTP, Do I Have to Start Over?

This might again be a specialized case that applies to older domains where WordPress is installed before all of these options for certificates were available. In this case you can install the Really Simple SSL WordPress plugin to make a site created originally for http work fully under https. See below for a link to a tutorial on how to do this.

This Kit is Confusing!

This is an attempt to explain a lot in a little box. This is where knowing that you have access to a Newbies Community to ask questions in a place where others are interested in helping you out.


Complete This Kit

After you complete this kit please share a link to it and a description so it can be added to the responses below. You can add it directly to this site.

Add A Response

Guides for this Kit

Have you created a helpful guide or do you know one that might help others complete this kit? You can share a guide if it is available at a public URL. .

Add a Guide

0 Responses for this Kit

3 Guides for this Kit

  • Force HTTPS for your site (Reclaim Hosting Community)
    shared by Alan Levine

    An explanation and video showing how to set up the force https option described in this kit

  • How to Install the Really Simple SSL WordPress Plugin (Reclaim Hosting Community)
    shared by Alan Levine

    A guided tutorial for adding a plugin to help existing WordPress sites be modified to work under https

  • What is SSL? (SSL.com)
    shared by Alan Levine

    An overview of Secure Sockets Layer, perhaps overly technical, but it does provide an understandable overview

Creative Commons License
This work by Alan Levine as part of the EduHack project is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.