Tag: HSTS

  • Stop Using SSL Plugins: Why “Really Simple SSL” is Making Your Site Slow

    In 2026, HTTPS is not a “feature”; it is the baseline. Yet, millions of WordPress sites still rely on plugins like Really Simple SSL (now rebranded as Simple and Performant Security) to handle their encryption.

    This is a mistake. While these plugins are marketed as “one-click solutions,” they are actually performance taxes disguised as convenience. They solve a database problem by using PHP to rewrite your site’s code on every single page load.

    At AgilePress, we believe in fixing the root cause, not patching the symptoms. Here is why you should delete your SSL plugin today and how to configure HTTPS the right way.

    1. The Myth of the “One Click SSL”

    Why do people install these plugins? Because they see the dreaded “Broken Padlock” (Mixed Content Warning) in their browser. Instead of fixing the broken links, they install a plugin that promises to “fix it automatically.”

    But there is a catch. The plugin doesn’t actually fix your content in the database. It acts as a middleman.

    2. The Villain: Output Buffering

    The core problem with SSL plugins is how they achieve their “magic.” They use a technique called Output Buffering.

    • How it works: When a user visits your site, WordPress generates the page. Before sending it to the user’s browser, the plugin interrupts the process. It scans the entire HTML code held in memory, searches for every http:// instance, and replaces it with https:// dynamically.
    • The Cost: This happens on every single page view (unless aggressively cached). You are forcing your server to perform a “Search & Replace” text operation millions of times a day, increasing your Time to First Byte (TTFB).

    Furthermore, these plugins often handle redirects via PHP (wp_redirect). This means a visitor requesting http://example.com has to wait for WordPress to boot up just to be told to go to https://. A server-level redirect (Nginx/Apache) would handle this in milliseconds, before WordPress even wakes up.

    Finally, the “Feature Creep.” Really Simple SSL is no longer just an SSL plugin; it has morphed into a full security suite with firewalls and login protection. If you already have a security plugin, you are now running redundant code.

    3. The AgilePress Solution (The “Hard” Way is the Fast Way)

    We don’t use plugins for SSL. We configure the server. Here is the protocol to migrate away from SSL plugins without breaking your site.

    Step 1: The Certificate (Hosting Level)

    Ensure your hosting provider (SiteGround, Cloudways, Kinsta) has issued a Let’s Encrypt certificate. This is standard in 2026. Do not try to generate certificates via PHP plugins; let the server handle the renewal via certbot or cPanel.

    Step 2: The Database Cleanup (The Real Fix)

    Instead of filtering http:// on the fly, we will permanently change the links in the database.

    1. Backup your database.
    2. Install Better Search Replace (or use WP-CLI if you are a pro).
    3. Search for: http://yourdomain.com
    4. Replace with: https://yourdomain.com
    5. Run the replacement. This fixes 99% of mixed content errors permanently. The plugin is no longer needed to “filter” output because the output stored in the database is already correct.
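To show why the step above says to use Better Search Replace or WP-CLI rather than a plain SQL REPLACE(), here is an added Python illustration (written for this page; it is not the article's code and not the code of either tool). WordPress stores theme settings, widgets and much post meta as PHP-serialized data, where every string carries a byte-length prefix such as s:21:"http://yourdomain.com";. Swapping http:// for https:// adds one byte, so a naive replace leaves stale lengths that PHP's unserialize() rejects, which is how a careless migration silently blanks theme options. The function names and the sample database cells below are constructed for the example.

```python
import re

# PHP serialized string token header: s:<byte length>:"   (the body follows, then ";)
_SER_STR = re.compile(rb's:(\d+):"')


def _replace_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old -> new, rewriting the byte-length prefix of every serialized string."""
    out = bytearray()
    i = 0
    while True:
        m = _SER_STR.search(data, i)
        if m is None:
            out += data[i:].replace(old, new)   # plain text tail (HTML, bare URLs, ...)
            return bytes(out)
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if data[end:end + 2] != b'";':
            # Header-looking text whose length does not line up: not a real token, copy it through
            out += data[i:m.end()].replace(old, new)
            i = m.end()
            continue
        out += data[i:m.start()].replace(old, new)
        # Recurse so a double-serialized payload stored inside a string gets its lengths fixed too
        body = _replace_bytes(data[start:end], old, new)
        out += b's:%d:"%s";' % (len(body), body)
        i = end + 2


def replace_url(value: str, old: str, new: str) -> str:
    """Serialization-aware replacement of a URL prefix in one database cell (hypothetical helper)."""
    return _replace_bytes(value.encode("utf-8"), old.encode("utf-8"),
                          new.encode("utf-8")).decode("utf-8")


def lengths_consistent(value: str) -> bool:
    """True if every s:N:"..."; token in value is closed by '";' exactly N bytes after its opening quote."""
    data = value.encode("utf-8")
    return all(data[m.end() + int(m.group(1)):][:2] == b'";' for m in _SER_STR.finditer(data))


OLD, NEW = "http://yourdomain.com", "https://yourdomain.com"

# Constructed wp_options value in the shape WordPress uses for theme_mods (a PHP serialized array)
THEME_MODS = ('a:2:{s:4:"logo";s:30:"http://yourdomain.com/logo.png";'
              's:4:"home";s:21:"http://yourdomain.com";}')
# Constructed post_content cell: ordinary HTML, no serialization involved
POST_HTML = '<img src="http://yourdomain.com/wp-content/uploads/hero.jpg">'

if __name__ == "__main__":
    naive = THEME_MODS.replace(OLD, NEW)        # what a plain SQL REPLACE() would produce
    safe = replace_url(THEME_MODS, OLD, NEW)
    print("naive lengths valid:", lengths_consistent(naive))   # False: unserialize() would fail
    print("safe  lengths valid:", lengths_consistent(safe))    # True
    print(safe)
    print(replace_url(POST_HTML, OLD, NEW))
```

Run the dry-run first on a database copy: the same length check is a cheap way to confirm, before cutting over, that no serialized option was corrupted by an earlier hand-edited migration.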

    Step 3: Server-Level Redirects (301)

    We want to force HTTPS before WordPress loads.

    If you use Apache/OpenLiteSpeed (.htaccess): Add this to the very top of your .htaccess file:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>
    

    If you use Nginx: Add this to your server block configuration:

    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://example.com$request_uri;
    }
    

    Step 4: HSTS (The “Pro” Header)

    Many plugins charge for “Premium” to enable HSTS (HTTP Strict Transport Security). This is literally one line of code that tells browsers: “Never try to load this site over HTTP again, not even to check.”

    Apache (.htaccess):

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>
    

    Nginx:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
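To verify Steps 3 and 4 from the outside rather than trusting a plugin dashboard, here is an added Python checker (written for this page, not AgilePress code). It parses raw HTTP responses in the form a `curl -si` capture produces, confirms the plain-HTTP reply is a 301 to https:// on the same host, and measures the Strict-Transport-Security value against the conditions the HSTS preload list requires: a max-age of at least one year (31536000 seconds), includeSubDomains and preload. The function names are mine and the three responses below are constructed samples, not captured traffic.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response (as captured with curl -si) into (status, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict:
    """Parse an STS value (RFC 6797: directive names are case-insensitive, max-age may be quoted)."""
    parsed = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError(f"bad max-age: {arg!r}")
            parsed["max-age"] = int(arg)
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def audit_http_redirect(raw: bytes, host: str) -> list:
    """Findings for the plain-HTTP response: it must be a 301 to https:// on the same host."""
    status, headers = parse_response(raw)
    findings = []
    if status != 301:
        findings.append(f"HTTP response is {status}, expected 301")
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https" or target.hostname != host:
        findings.append(f"Location {headers.get('location')!r} is not https://{host}")
    return findings


def audit_hsts(raw: bytes) -> list:
    """Findings for the HTTPS response's HSTS header, checked against preload requirements."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    hsts = parse_hsts(value)
    findings = []
    if hsts["max-age"] is None or hsts["max-age"] < ONE_YEAR:
        findings.append(f"max-age {hsts['max-age']} is below {ONE_YEAR}")
    if not hsts["includeSubDomains"]:
        findings.append("includeSubDomains missing")
    if not hsts["preload"]:
        findings.append("preload missing")
    return findings


# Constructed sample captures (not real traffic); substitute `curl -si http://yourdomain.com/` output
HTTP_REPLY = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Server: nginx\r\n"
              b"Location: https://example.com/\r\n"
              b"Content-Length: 0\r\n\r\n")
HTTPS_REPLY = (b"HTTP/1.1 200 OK\r\n"
               b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
               b"Content-Type: text/html\r\n\r\n<!doctype html>")
WEAK_HTTPS_REPLY = (b"HTTP/1.1 200 OK\r\n"
                    b"Strict-Transport-Security: max-age=300\r\n\r\n")

if __name__ == "__main__":
    print("http redirect:", audit_http_redirect(HTTP_REPLY, "example.com") or "ok")
    print("hsts:", audit_hsts(HTTPS_REPLY) or "ok")
    print("weak hsts:", audit_hsts(WEAK_HTTPS_REPLY))
```

Two points the checker makes concrete. Browsers ignore an STS header received over plain HTTP, so the header belongs in the HTTPS server block or vhost, and only the HTTPS response is audited for it. And includeSubDomains plus preload is close to permanent (preload removal takes browser release cycles), so run this against every subdomain that must stay reachable before shipping the one-year value.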
    

    Conclusion: Less is More

    By following this protocol, you have achieved three things:

    1. Removed a plugin (and its future update risks).
    2. Eliminated Output Buffering, lowering your CPU usage.
    3. Secured the site at the server level, which is faster and more robust.

    If your hosting provider does not offer a simple “Force HTTPS” button in 2026, the solution is not to install a plugin—it is to change your hosting provider.