If you run a WordPress site, securing it with HTTPS is no longer optional; it’s essential. An SSL certificate protects your visitors’ data, builds trust, and even helps in search rankings.
In this guide, we’ll walk you through how to install SSL on WordPress website step by step. Whether you choose a free or premium WordPress SSL certificate, the setup process is simpler than you might think.
We’ll also cover common issues and how to fix them so that your site shows the secure padlock symbol and gives your users complete confidence while browsing.
How to Install SSL on WordPress? (Using Hosting Provider’s Free SSL)
Below is how to add SSL certificate to WordPress using the free certificate provided by your web hosting provider:
Step 1: Log in to your hosting dashboard
- Sign in to your host (e.g., Bluehost, Hostinger, SiteGround, cPanel-based host).
- Open the site you want to secure. Look for a control panel area named Security, SSL/TLS, Certificates, Manage Site, or Site Tools—hosts label it differently, but it’s always inside your website’s settings.
Step 2: Open the SSL/HTTPS settings for your domain
- Inside the security area, pick the exact domain (and www/non-www variant) you want to protect.
- If you have multiple addon domains, be sure you’re inside the correct one. If you’re using a subdomain, ensure it’s listed and selectable here.
Step 3: Activate the free SSL (Let’s Encrypt or similar)
- Click Activate, Issue, or Enable on the free SSL option (commonly Let’s Encrypt).
- If your host offers “Auto-SSL,” turn it on. Leave default settings unless you have a special need.
- The request will trigger domain validation automatically.
Step 4: Ensure DNS points to your host and wait for issuance
- SSL validation requires your domain to resolve to your hosting server. If you manage DNS elsewhere (e.g., Cloudflare, GoDaddy DNS), confirm your A/AAAA records point to your host’s IP.
- After that, wait a few minutes (sometimes up to 15) for the certificate to issue. Most panels will show a success status when it’s done.
Step 5: Update WordPress URLs to HTTPS
- Go to WordPress Admin → Settings → General and change both WordPress Address (URL) and Site Address (URL) from http:// to https://.
- Click Save Changes.
- If your host locks these fields, they may have already forced HTTPS for you—proceed to the redirect step anyway.
How to Install SSL on WordPress? (Manual SSL Installation on WordPress)
If your hosting provider does not offer one-click free SSL, you can manually install an SSL certificate on WordPress site. This process involves creating a request, validating your domain, and uploading the certificate to your server.
Step 1: Generate a CSR (Certificate Signing Request)
Log in to your hosting control panel (like cPanel or Plesk). Find the SSL/TLS section and click Generate CSR. Fill in details such as:
- Domain name (your main domain, e.g., example.com)
- Organization name (your business or website name)
- City, state, and country
Once you submit, the system will generate a CSR code. Copy this code—it will be needed when buying or activating your SSL certificate.
Step 2: Purchase or Request an SSL Certificate
Go to a trusted Certificate Authority (CA) like DigiCert, Comodo, or your hosting company’s SSL section. Provide the CSR you generated.
Based on the certificate type (DV, OV, or EV), you may need to provide extra documents for verification. The CA will issue your SSL files after validation.
Step 3: Install the SSL Certificate on Your Server
Return to your hosting panel’s SSL/TLS section. Find Install SSL Certificate or Upload Certificate. Paste the certificate code or upload the .crt file you received from the CA. Also add the CA bundle or intermediate certificate if provided. Save the changes to apply SSL to your domain.
Step 4: Update WordPress to Use HTTPS
Log in to your WordPress dashboard → Settings → General. Update both WordPress Address (URL) and Site Address (URL) from http:// to https://. Save the changes.
Step 5: Force Redirect from HTTP to HTTPS
Edit your .htaccess file (in the root folder of WordPress) and add this redirect rule:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
For Nginx servers, add a redirect rule inside your server block. If you’re unsure, contact your hosting provider for exact instructions.
Step 6: Verify Installation
Open your website in a browser and check for the padlock symbol. Use tools like SSL Labs Server Test to confirm your certificate is valid, trusted, and properly installed.
Note: Manual installation is more technical and takes longer than using free SSL from your host, but it gives you full control and works when one-click SSL is not available.
How to Install SSL on WordPress Using Plugin?
If you want the easiest way to set up SSL on your WordPress site, a plugin like Really Simple SSL can handle everything for you. This method works best if your hosting provider has already installed an SSL certificate on your server, but your WordPress site still shows as “Not Secure.”
Step 1: Install the Really Simple SSL Plugin
Log in to your WordPress dashboard. Go to Plugins → Add New, search for “Really Simple Security,” and click Install Now. Once installed, activate the plugin.
Step 2: Detect SSL on Your Site
After activation, the plugin automatically checks if an SSL certificate is present on your server. If it finds one, you’ll see a message confirming that your site can be switched to HTTPS.
Step 3: Enable SSL with One Click
Click the Activate SSL button shown in the plugin notice. The plugin will automatically update your WordPress configuration to use HTTPS.
Step 4: Automatic Redirects
The plugin automatically sets up redirects from HTTP to HTTPS, ensuring all visitors are sent to the secure version of your site. This means you don’t have to edit .htaccess manually.
Suggested Post: Best Car Dealer Website Templates
Fixing Common WordPress SSL Certificate Issues
Even after installing an SSL certificate, you may face issues like “Not Secure” warnings or broken pages. Below is how to solve the most common SSL problems on WordPress:
Mixed Content Errors
This happens when some elements (like images, CSS, or scripts) still load over http:// instead of https://. To fix this, update all hardcoded links in your theme, widgets, or database. You can also use plugins like Really Simple SSL or Better Search Replace to rewrite old URLs automatically.
Redirect Loops
If your site keeps redirecting between HTTP and HTTPS, you may have conflicting rules in your .htaccess file or hosting panel. Check if both WordPress and your hosting provider are forcing HTTPS. Keep only one redirect method (preferably at the server level) to avoid loops.
“Not Secure” Warning
If you still see a “Not Secure” label, it usually means your SSL certificate is not installed properly or has expired. Check your hosting dashboard to confirm the certificate is active. Run your site through an online SSL checker (like SSL Labs) to find the exact issue. Renew or reinstall the certificate if necessary.
Expired Certificates
Free SSL certificates (like Let’s Encrypt) typically last 90 days. If your host doesn’t auto-renew, you’ll need to renew it manually from the hosting dashboard. Always enable auto-renew if your provider supports it to prevent downtime.
Plugin Conflicts
Sometimes caching, CDN, or security plugins may interfere with SSL redirects. Temporarily deactivate plugins one by one to identify the culprit. Once found, adjust its settings or replace it with a more SSL-friendly plugin.
How to Check if WordPress SSL is Installed Correctly?
- Look for the Padlock in Browser: Open your website in Chrome, Firefox, or any browser. A padlock icon next to your URL indicates SSL is active. If you see a warning or “Not Secure” label, something is still wrong.
- Confirm HTTPS in the Address Bar: Your site should load with https:// instead of http://. Try typing your domain with both versions—HTTP should automatically redirect to HTTPS.
- Use Online SSL Checker Tools: Free tools like SSL Labs Server Test, Why No Padlock, or SSL Shopper Checker let you test your domain. They show whether the certificate is valid, trusted, and properly configured.
- Test in Google Chrome DevTools: Press F12 (or right-click → Inspect) in Chrome, go to the Security tab, and check if the connection is secure. Chrome will also highlight if any resources are still loading over HTTP.
- Verify in Google Search Console: If you’ve connected your site to Search Console, add the HTTPS version as a property. Google will confirm crawling and indexing on the secure version of your site.
What is SSL Certificate?
An SSL certificate is a digital security file that encrypts data exchanged between your website and visitors. It ensures that sensitive information, like passwords or payment details, remains private and secure. It also activates HTTPS in your WordPress site, showing the padlock icon for trust.
Also Check: Free WHMCS Templates
Common Types of SSL Certificate for WordPress
- Domain Validation (DV) SSL: Basic security, quick approval.
- Organization Validation (OV) SSL: Verifies business identity.
- Extended Validation (EV) SSL: Highest trust level with green bar.
- Wildcard SSL: Secures main domain and all subdomains.
- Multi-Domain SSL (SAN): Protects multiple websites under one certificate.
HTTP vs HTTPS in WordPress
| Feature | HTTP (Without SSL) | HTTPS (With SSL) |
| Security | Data sent in plain text, vulnerable to hacks | Data encrypted and secure |
| Trust Symbol | No padlock, shows “Not Secure” warning | Padlock symbol in browser |
| SEO Impact | No ranking boost from Google | SEO ranking advantage with SSL |
| Data Protection | Risk of theft or interception | Protects passwords, payments, user details |
| Use in eCommerce | Not acceptable for online payments | Required for all payment gateways |
Why You Need WordPress SSL Certificate?
Protects User Data
SSL encrypts information like login credentials, payment details, and personal data, keeping it safe from hackers.
Builds User Trust
The padlock icon reassures visitors that your site is secure and reliable, encouraging them to stay longer.
Boosts SEO Rankings
Google gives preference to HTTPS websites, meaning a WordPress SSL certificate can improve your visibility in search results.
Essential for Online Payments
If you run an eCommerce store, payment gateways require SSL for processing secure transactions.
Prevents “Not Secure” Warnings
Without SSL, browsers show a “Not Secure” label, which can drive visitors away.
Strengthens Brand Reputation
A secure site shows professionalism and commitment to protecting your audience’s privacy.
How to Get SSL Certificate for WordPress?
Free SSL Certificates
Many WordPress hosting providers, such as Bluehost, Hostinger, and SiteGround, include a free SSL option, powered by Let’s Encrypt. This is perfect for personal websites, blogs, or small business sites that do not handle highly sensitive financial transactions but still want to ensure basic security and trust.
Paid SSL Certificates
For businesses that need stronger protection and validation, paid SSL certificates are a better choice. These can be purchased from hosting companies or certificate authorities like DigiCert, GoDaddy, or Comodo.
They provide advanced features such as extended validation, warranty, and premium support, making them suitable for eCommerce stores, financial institutions, or large organizations.
Choosing the Right Type
The type of SSL certificate you need depends on your website’s scale and purpose. A Domain Validation (DV) SSL works well for small sites or blogs, while Organization Validation (OV) or Extended Validation (EV) SSLs are better for businesses that want to display a higher level of trust.
Wildcard SSL is useful if you want to secure multiple subdomains, while Multi-Domain SSL is the right fit when managing several websites under one certificate.
Best Practices After Installing SSL Certificate on WordPress
- Redirect All Traffic to HTTPS: Set up a 301 redirect so every visitor is automatically sent from http:// to https://. This avoids duplicate content and ensures SEO benefits pass to the secure version.
- Update Internal Links: Go through your menus, widgets, and theme settings to replace old http:// links with https://. This helps prevent mixed content errors and keeps the padlock icon active.
- Update CDN and Third-Party Services: If you use a CDN like Cloudflare or services like Google Analytics, Search Console, and AdSense, make sure their settings point to your HTTPS domain.
- Renew SSL Before Expiry: Free SSL certificates (like Let’s Encrypt) expire every 90 days. Enable auto-renewal in your hosting panel or set reminders to manually renew so your site never shows “Not Secure.”
- Clear Cache and Monitor Regularly: Clear WordPress, server, and CDN caches after switching to HTTPS. Use SSL monitoring tools or uptime services to ensure your SSL remains valid and active at all times.
FAQs About WordPress SSL Installation
Yes. SSL protects user data, improves trust, and is a ranking factor in Google search results. Without it, browsers may show “Not Secure” warnings to your visitors.
Yes. Most hosting providers now offer free SSL certificates through Let’s Encrypt or similar services. These are usually enough for blogs and small business websites.
Free SSL offers basic encryption and trust. Paid SSL adds features like extended validation, warranty, and advanced support—ideal for eCommerce or corporate websites.
Using your host’s one-click SSL, it usually takes less than 5 minutes. Manual installation or premium SSL may take a few hours, depending on verification.
This usually happens due to mixed content errors or expired certificates. Make sure all links and resources load over HTTPS and check if your SSL is still valid.
Yes. You can update WordPress URLs to HTTPS in settings and set up redirects in .htaccess or Nginx configuration without needing a plugin.
Yes. If you have subdomains (e.g., shop.example.com), you’ll need either a separate SSL certificate or a Wildcard SSL that covers all subdomains.
Explore Our Themes: