How to Add an SSL Certificate to WordPress and Enable HTTPS

Every website needs HTTPS — browsers mark HTTP-only sites as “Not Secure”, and Google uses HTTPS as a lightweight ranking signal. If visitors see a security warning before they’ve read a single word, most will leave immediately.

The process involves two distinct parts that often catch people out: installing the SSL certificate on your hosting account, then configuring WordPress to use it. Most modern hosts make the first part easy with free Let’s Encrypt certificates, but the second part — updating URLs, forcing redirects, and clearing mixed content errors — is where things tend to go wrong. Part of following the step-by-step guide to building a WordPress website is knowing that SSL setup should happen before you launch, not after.

This guide walks through the full process from installing the certificate to verifying everything is working correctly.

What an SSL Certificate Does for Your WordPress Site

An SSL certificate encrypts the connection between your visitor’s browser and your web server. Once active, your site loads over HTTPS, and browsers display a padlock in the address bar. Without it, Chrome, Firefox, and Safari all display a “Not Secure” warning on any page that collects information — your contact form, checkout page, and login screen included.

HTTPS is also a prerequisite for several browser features, including service workers, geolocation, and push notifications. WordPress uses it for secure cookies and safe cross-site authentication. The WordPress HTTPS documentation confirms the platform is fully compatible with HTTPS once a certificate is installed and active at the server level.

Step-by-Step: How to Add SSL to WordPress

Step 1 — Get Your SSL Certificate

Most web hosts include a free Let’s Encrypt certificate with every hosting plan. Log into your hosting control panel and look for an SSL or TLS section.

In cPanel, go to Security > SSL/TLS Status. If your domain shows a green padlock, a certificate is already active. If not, click Run AutoSSL to install one automatically.

In Plesk, go to Domains > [your domain] > SSL/TLS Certificates and click Get it free under the Let’s Encrypt section.

If your host does not offer free SSL, you can purchase a certificate from a certificate authority and install it manually through your host’s SSL manager. For most WordPress sites, a free Let’s Encrypt certificate is sufficient.

Step 2 — Update Your WordPress URLs to HTTPS

Once the certificate is active on your server, tell WordPress to use it. In most sites I build, I update the WordPress URLs before adding the redirect rule.

Go to Settings > General in your WordPress dashboard. Update both the WordPress Address (URL) and Site Address (URL) fields from http:// to https://. Save changes.

If you are locked out after this change, add these lines directly to your wp-config.php file, above the “That's all, stop editing!” comment:

define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

Step 3 — Force HTTPS With a Redirect

Updating the WordPress URLs changes where WordPress generates links, but it does not redirect HTTP traffic to HTTPS. You need a server-level redirect for that.

On Apache servers, add these lines to your .htaccess file above the existing WordPress block:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

On Nginx servers, add this redirect block to your server configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

Managed hosts like WP Engine, Kinsta, or Pressable often have a one-click HTTPS redirect option in their dashboard — check there before editing server configuration files directly.

Step 4 — Fix Mixed Content Errors

After switching to HTTPS, you may still see a broken padlock or “Not Secure” warning. This usually means mixed content — HTTP resources such as images, scripts, or stylesheets loading on an HTTPS page.

Open your browser’s developer tools, go to the Console tab, and look for warnings flagged as “Mixed Content”. These identify exactly which resources are still loading over HTTP.

The fastest fix is the free Really Simple SSL plugin. It handles URL updates, mixed content issues, and the HTTPS redirect in one step. For a manual fix, use the Better Search Replace plugin to run a database search-and-replace — changing all instances of http://yourdomain.com to https://yourdomain.com.

How to Verify Your SSL Certificate Is Working

  • Visit your site and confirm the padlock icon appears in the address bar
  • Test that http://yourdomain.com redirects automatically to https://yourdomain.com
  • Open the browser Console and confirm no mixed content warnings remain
  • Use the SSL Labs test tool at ssllabs.com/ssltest to check your certificate grade, expiry date, and server configuration

Let’s Encrypt certificates expire every 90 days, but most hosts auto-renew them. Check your hosting panel to confirm auto-renewal is enabled, and verify the certificate is current after the first renewal cycle.
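The redirect and expiry checks from the list above can be scripted; this is an added example, not code from the original guide. The function names are hypothetical, the www-insensitive host comparison is an assumption, and the two fetch_ functions need network access to your own site.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit


def fetch_redirect(host, path="/"):
    """Ask port 80 for http://host/path and return (status, Location) unfollowed."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def redirect_problems(host, path, status, location):
    """List what is wrong with the response to http://host/path (empty = OK)."""
    if not location:
        return [f"status {status} with no Location header"]
    target = urlsplit(location)
    def strip_www(h):  # assumption: www and bare hostname are the same site
        return h[4:] if h.startswith("www.") else h
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected a permanent 301")
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme or 'missing'}, not https")
    if strip_www(target.hostname or "") != strip_www(host):
        problems.append(f"target host {target.hostname} is not this site")
    if target.path != path:
        problems.append(f"path changed from {path} to {target.path}")
    return problems


def fetch_not_after(host):
    """Return the served certificate's notAfter string (verifies chain and name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days until expiry, given a notAfter string as getpeercert() returns it."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
```

Run redirect_problems(host, path, *fetch_redirect(host, path)) against a deep URL as well as the home page, and schedule days_left(fetch_not_after(host)) so a failed renewal is noticed before the certificate expires.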

Common SSL Mistakes to Avoid

Forgetting hard-coded HTTP URLs. Page builders and some plugins store absolute URLs in the database. Run a database search-and-replace after switching to catch these.

Relying only on the WordPress URL change. Updating Settings > General is not enough on its own — the server-level redirect must also be in place, otherwise HTTP traffic bypasses HTTPS entirely.

Not verifying certificate auto-renewal. If Let’s Encrypt renewal fails, your site will show a certificate error. Set a calendar reminder to check the expiry date in your hosting panel after the first 90-day cycle.

Missing proxy or firewall configuration. If you have a WordPress firewall or security proxy sitting in front of your site, update the origin URL to HTTPS there too — otherwise it will still pull content over HTTP.

Free vs Paid SSL: Which Do You Need?

For most WordPress websites — blogs, business sites, portfolios, and smaller WooCommerce stores — a free Let’s Encrypt certificate is entirely sufficient. It provides the same 256-bit encryption as a paid certificate and is trusted by every major browser.

Paid certificates offer extended validation (EV), which displays your organisation name in the browser bar in enterprise contexts, or organisation validation (OV), which adds verified business details to the certificate. In my experience, these are relevant only for financial institutions, legal firms, or enterprise environments where that visible trust signal matters to the audience.

For the vast majority of WordPress sites, Let’s Encrypt is the right choice. Combine it with proper WordPress file permissions and a regular WordPress security audit to cover the other key layers of site security.

Conclusion

Install the certificate through your hosting panel, update the WordPress URLs to HTTPS, add the server-level redirect, and run Really Simple SSL to clear any mixed content. The whole process takes under 20 minutes and removes the “Not Secure” browser warning that would otherwise drive visitors away before they’ve read a word.