Prepare Your Site (or Fix it) to Get the 🔒 Lock Icon with an SSL Certificate

Before you add an SSL certificate to your site, you’ll want to make sure you can get the 🔒 lock icon in the address bar. This will ensure your images and site styles do not vanish after making the switch.

The person performing this should be familiar with how the site is built and may need to make changes to HTML code to ensure it works. This person is frequently your web developer, or the company that helped you set up your site. If you’re no longer in contact with them, our expert MODX Support team can certainly do the work for a nominal fee. 

If you have switched on SSL and your site appears broken, never fear, this document will help you fix that quickly.  

For a site to be considered secure, all assets, images and anything sent from your page to your visitor must all be served over a secured, HTTPS connection. Here’s a list of things to look for: 

  • The <base> tag in your MODX site with the URL including the http://
  • images with the full URL that contains http:// should be https: or just //
  • web fonts such as Google Fonts must use the https protocol or none
  • scripts such as Facebook Plugins or Google Maps need to use https or none
  • other web widgets, analytics and ad networks must use https or none

The easiest way to find them on the page is to use the View Source view on your website. On Windows the shortcut is CTRL+U and for Mac users, Command+U. Then use CTRL/command+F to find all instances of "http://". Once you've identified these links, you can audit the site to make sure all references are either relative to your domain name or contain https:// or //.

In MODX Revolution installs, it's very likely that there is a Chunk or a Template that contains a reference to your <base href="" /> If your site only has a single domain pointed at it, yours should be set to the following: <base href="[[!++site_url]]" />. For those of you in the know, this is not cached but due to how browsers and MODX works this will not cause a performance hit.

More importantly, it will ensure no matter how your visitors hit your site the URL will always be correct. 

For other CMSs, including WordPress or Evolution CMS, you’ll want to hard code the base href to omit the protocol as <base href="//" /> or to always use the https domain as <base href="" />.




Have more questions? Submit a request


Please sign in to leave a comment.