10.10.2024

How to Install an SSL Certificate on Your WordPress Site

An SSL certificate (SSL stands for Secure Sockets Layer, the predecessor of TLS) enables encryption of data in transit between a web server and a browser. On a WordPress site, installing SSL means every HTTP request is redirected to HTTPS, the browser displays a padlock, and sensitive data (login credentials, form submissions, payment details) travels over an encrypted channel rather than in plaintext.

For WordPress specifically, SSL installation involves three distinct layers: provisioning the certificate at the server or hosting level, configuring WordPress itself to serve all assets over HTTPS, and eliminating mixed-content warnings that silently break the secure context. Miss any one of these and your site will either show a broken padlock, trigger browser security warnings, or fail HTTPS validation entirely.

Step 1: Choose the Right SSL Certificate Type

Not all SSL certificates offer the same level of validation or trust signal. Selecting the wrong type is a common mistake that wastes money or, in the opposite direction, under-protects a site that handles sensitive transactions.

Validation Tiers Compared

| Certificate Type | Validation Level | Issuance Time | Best For | Browser Trust Signal |
| --- | --- | --- | --- | --- |
| **Domain Validated (DV)** | Domain ownership only | Minutes to hours | Blogs, personal sites, dev environments | Padlock icon |
| **Organization Validated (OV)** | Domain + legal entity | 1–3 business days | Business sites, SaaS portals | Padlock + org details in cert |
| **Extended Validation (EV)** | Full legal + operational vetting | 1–5 business days | E-commerce, banking, high-trust portals | Padlock + org name (some browsers) |
| **Wildcard DV/OV** | Domain + all subdomains | Minutes to days | Multi-subdomain deployments | Padlock |
| **Multi-Domain (SAN)** | Multiple distinct domains | Minutes to days | Agencies managing multiple properties | Padlock |

Free vs. Paid SSL

Let's Encrypt issues free, automated DV certificates valid for 90 days with auto-renewal support via ACME protocol. It is trusted by all major browsers and is the correct choice for the vast majority of WordPress sites. The short validity window is intentional — it forces automation and reduces the risk window of a compromised certificate.

Cloudflare's free SSL operates differently: it encrypts the connection between the visitor and Cloudflare's edge, but the connection between Cloudflare and your origin server may still be unencrypted unless you configure Full (Strict) mode with a valid origin certificate. This is a frequently misunderstood edge case that creates a false sense of security.

Paid certificates from commercial CAs (DigiCert, Sectigo, GlobalSign) are necessary when you need OV or EV validation, a warranty, or a specific SAN/Wildcard configuration not supported by Let's Encrypt.

If you need to purchase a trusted certificate for your domain, AlexHost provides SSL Certificates with straightforward issuance and management directly from your account panel.

Step 2: Install the SSL Certificate at the Hosting Level

The certificate must be installed on the web server before WordPress can serve HTTPS responses. The method depends on your hosting environment.

Installing SSL via cPanel (Shared and VPS Hosting)

cPanel is the most common control panel for shared and managed environments. If your host uses AutoSSL (Sectigo-backed) or supports Let's Encrypt natively, a single click provisions and renews the certificate automatically.

Manual installation steps when you have certificate files from a CA:

  1. Log in to cPanel and navigate to Security > SSL/TLS.
  2. Click Manage SSL Sites.
  3. Select the target domain from the dropdown.
  4. Paste the contents of three files into the corresponding fields:
     • Certificate (CRT): The signed certificate from your CA.
     • Private Key (KEY): Generated during CSR creation — never share this.
     • Certificate Authority Bundle (CABUNDLE): The intermediate chain certificates.
  5. Click Install Certificate.

If you are running WordPress on a VPS with cPanel, AutoSSL typically handles this automatically for all domains in WHM. Verify under WHM > SSL/TLS > Manage AutoSSL that the domain is covered and the certificate is not in a pending or failed state.

Installing SSL on a VPS with Apache (Manual Method)

On a self-managed Linux VPS running Apache, the process requires editing the virtual host configuration directly.

Install Certbot (Let's Encrypt client) on Debian/Ubuntu:

sudo apt update
sudo apt install certbot python3-certbot-apache -y

Obtain and install the certificate automatically:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Certbot modifies your Apache virtual host configuration, installs the certificate, and sets up a cron job or systemd timer for automatic renewal. Verify the renewal timer is active:

sudo systemctl status certbot.timer

For Nginx on a VPS:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Manual certificate installation on Apache (when using a paid CA certificate):

Place your certificate files in a secure directory, then edit your virtual host:

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/yourdomain.crt
    SSLCertificateKeyFile   /etc/ssl/private/yourdomain.key
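    # Obsolete since Apache 2.4.8: on newer versions the intermediates can be
    # appended to the SSLCertificateFile instead of using a separate chain file.
    SSLCertificateChainFile /etc/ssl/certs/yourdomain_ca_bundle.crt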
</VirtualHost>

Restart Apache to apply:

sudo systemctl restart apache2

If you are managing a high-traffic WordPress installation on a Dedicated Server, you have full control over cipher suites, HSTS headers, and OCSP stapling — configurations that are not possible on shared hosting.

Installing SSL on a VPS with Nginx (Manual Method)

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

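    # Nginx has no separate chain directive: this file must contain the server
    # certificate followed by the intermediate (CA bundle) certificates.
    ssl_certificate     /etc/ssl/certs/yourdomain.crt;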
    ssl_certificate_key /etc/ssl/private/yourdomain.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 1.1.1.1 valid=300s;

    root /var/www/html;
    index index.php;
}

Reload Nginx after editing:

sudo nginx -t && sudo systemctl reload nginx

Step 3: Force HTTPS at the Server Level with a 301 Redirect

Before touching WordPress settings, enforce the HTTP-to-HTTPS redirect at the server level. This is more reliable than relying solely on WordPress or a plugin, and it prevents the browser from ever loading the HTTP version.

Apache: .htaccess Redirect

Open your .htaccess file (located in your WordPress root, typically /var/www/html/.htaccess or accessible via cPanel File Manager) and add the following block above the existing WordPress rewrite rules:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Critical pitfall: If you place this block *after* the # BEGIN WordPress marker, it may be overwritten by WordPress core updates. Always place server-level redirect rules above the WordPress-managed block.

Nginx: Server Block Redirect

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

Once you are confident your HTTPS setup is stable, add an HTTP Strict Transport Security (HSTS) header to instruct browsers to never attempt an HTTP connection. The directive below is Apache syntax and requires mod_headers:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Warning: Do not enable HSTS with preload until you are certain every subdomain also has a valid SSL certificate. Preloading is irreversible in the short term and will break subdomains that do not have HTTPS configured.

Step 4: Update WordPress to Serve All Content Over HTTPS

With the certificate installed and the server-level redirect in place, WordPress itself must be told to generate HTTPS URLs for all internal links, assets, and API endpoints.

Option A: Update WordPress Site URLs Manually

  1. Go to Settings > General in your WordPress admin dashboard.
  2. Change both WordPress Address (URL) and Site Address (URL) from http:// to https://.
  3. Click Save Changes.

WordPress will log you out immediately after saving. Log back in using the HTTPS URL.

Option B: Update URLs via wp-config.php

If you are locked out of the admin panel or prefer a code-based approach, add these lines to wp-config.php before the /* That's all, stop editing! */ line:

define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

Option C: Update Hardcoded HTTP URLs in the Database

WordPress stores URLs in the database, including serialized data in post meta and options tables. A simple find-and-replace on the raw SQL can corrupt serialized arrays. Use WP-CLI for a safe, serialization-aware replacement:

wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid --all-tables

The --skip-columns=guid flag preserves post GUIDs, which should not be changed per WordPress best practices. Run this from your WordPress root directory with appropriate database credentials configured in wp-config.php.

Alternatively, the Better Search Replace plugin performs the same operation through the admin UI with serialization support.
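
The corruption described above comes from the byte-length prefix that PHP serialization puts in front of every string. The following is an added example, not code from WP-CLI or from the original article: a small Python re-implementation of a length-aware replace, run against a constructed option value, next to the raw replace that breaks it.

```python
# Added example; the option value below is constructed sample data.
OLD, NEW = b"http://yourdomain.com", b"https://yourdomain.com"
SAMPLE = b'a:2:{s:3:"url";s:30:"http://yourdomain.com/logo.png";s:5:"width";i:120;}'

def _value(b, i, old, new):
    """Re-emit the serialized value starting at offset i; return (bytes, next offset)."""
    tag = b[i:i + 1]
    if tag == b"N":                                  # N;
        return b"N;", i + 2
    if tag in (b"b", b"i", b"d"):                    # b:1;  i:42;  d:0.5;
        end = b.index(b";", i)
        return b[i:end + 1], end + 1
    if tag == b"s":                                  # s:<byte length>:"<payload>";
        colon = b.index(b":", i + 2)
        n, start = int(b[i + 2:colon]), colon + 2
        if b[start + n:start + n + 2] != b'";':
            raise ValueError("string length prefix does not match payload")
        payload = b[start:start + n].replace(old, new)
        return b's:%d:"%s";' % (len(payload), payload), start + n + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = b.index(b":", i + 2)
        count, pos, parts = int(b[i + 2:colon]), colon + 2, []
        for _ in range(count * 2):                   # keys and values alternate
            part, pos = _value(b, pos, old, new)
            parts.append(part)
        if b[pos:pos + 1] != b"}":
            raise ValueError("array is not closed")
        return b"a:%d:{%s}" % (count, b"".join(parts)), pos + 1
    raise ValueError("unsupported type tag %r" % tag)  # objects are not handled here

def rewrite(blob, old=OLD, new=NEW):
    """Serialization-aware replace: recomputes every s:<len> prefix it touches."""
    out, pos = _value(blob, 0, old, new)
    if pos != len(blob):
        raise ValueError("trailing bytes after value")
    return out

def is_valid(blob):
    """True if every length prefix in the blob still matches its payload."""
    try:
        rewrite(blob, b"\0", b"\0")
        return True
    except ValueError:
        return False

naive = SAMPLE.replace(OLD, NEW)   # what a raw SQL REPLACE() does to the column
safe = rewrite(SAMPLE)             # length prefix updated from 30 to 31

if __name__ == "__main__":
    print(is_valid(SAMPLE), is_valid(naive), is_valid(safe))
    print(safe.decode())
```

The raw replace leaves `s:30` in front of a 31-byte string, which is why PHP fails to unserialize the value and the option is lost.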

Step 5: Fix Mixed Content Warnings

A mixed content warning occurs when an HTTPS page loads one or more resources (images, scripts, stylesheets, iframes) over HTTP. This breaks the secure context, suppresses the padlock, and in some cases causes browsers to block the resource entirely.

Diagnosing Mixed Content

Open your browser's developer tools (F12), go to the Console tab, and look for warnings prefixed with Mixed Content:. The message will identify the exact resource URL causing the issue.

Alternatively, use the Why No Padlock? tool or run an SSL Labs scan to get a full report.
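
To find the same problems in saved page source without a browser, the check can be scripted. This is an added example, not part of the original article; the tag lists and the sample HTML are constructed, and it separates the loads browsers block outright from the passive ones.

```python
from html.parser import HTMLParser

# http:// loads from these tags are "active" mixed content: browsers block them.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
# http:// loads from these tags are passive (display) content, which browsers
# treat more leniently, but they still cost the page its clean padlock.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Only stylesheet links fetch a subresource; rel=canonical does not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = (a.get(table.get(tag, "")) or "").strip()
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def scan(html):
    """Return every http:// subresource reference found in the HTML text."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample of a page that is served over https://yourdomain.com/
SAMPLE = """
<link rel="canonical" href="http://yourdomain.com/post/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/your-theme/style.css">
<script src="https://yourdomain.com/wp-includes/js/jquery.js"></script>
<script src="http://yourdomain.com/wp-content/plugins/slider/slider.js"></script>
<img src="http://yourdomain.com/wp-content/uploads/2019/05/logo.png" />
<a href="http://example.org/">plain links are navigation, not mixed content</a>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```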

Fixing Mixed Content: Plugin Method

Really Simple SSL is the most widely used plugin for this purpose. After activation, it:

  • Sets the HTTPS server variable to force WordPress to recognize the secure connection.
  • Adds a JavaScript-based content filter to rewrite HTTP URLs on the fly.
  • Optionally flushes rewrite rules and updates the site URL.

SSL Insecure Content Fixer offers more granular control, letting you choose between a simple output buffer replacement and a deeper WordPress filter hook approach — useful when Really Simple SSL's JavaScript method causes rendering issues with certain page builders.

Fixing Mixed Content: Manual Method

For hardcoded HTTP URLs in theme files or custom plugins, search your theme directory:

grep -r "http://yourdomain.com" /var/www/html/wp-content/themes/your-theme/

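Replace all occurrences with https:// or, better, use protocol-relative URLs (//yourdomain.com/...) for third-party resources where you cannot guarantee HTTPS availability. Note that on an HTTPS page a protocol-relative URL is itself requested over HTTPS, so the third-party host must still serve the resource over HTTPS for it to load.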

For embedded media uploaded before the SSL migration, run the WP-CLI search-replace command from Step 4 if you have not done so already, as image attachment URLs are stored in the wp_posts and wp_postmeta tables.

Step 6: Validate the SSL Installation

Never assume the installation succeeded — verify it systematically.

SSL Labs Test

Navigate to https://www.ssllabs.com/ssltest/ and enter your domain. A properly configured WordPress site should score A or A+. An A+ rating requires:

  • TLS 1.2 and 1.3 support with TLS 1.0 and 1.1 disabled.
  • A strong cipher suite (no RC4, no 3DES).
  • HSTS header present.
  • OCSP stapling enabled.
  • No chain issues (intermediate certificates correctly installed).

Browser Verification

Click the padlock icon in the address bar. In Chrome, navigate to Connection is secure > Certificate is valid to confirm the issuer, validity dates, and Subject Alternative Names (SANs) match your domain.

Command-Line Verification

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

This outputs the full certificate chain, the cipher negotiated, and the TLS version. Look for Verify return code: 0 (ok) to confirm the chain is trusted.

Check Certificate Expiry

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

For Let's Encrypt certificates, also verify the auto-renewal dry run works:

sudo certbot renew --dry-run
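
The SAN and expiry checks above can be combined into one monitoring script. This is an added example, not part of the original article: `audit` and `name_matches` are hypothetical helper names, the sample certificate is constructed in the shape Python's `ssl.getpeercert()` returns, and the 30-day threshold is the Certbot renewal window mentioned in the FAQ.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443):
    """Live fetch (needs network): the validated peer certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """A '*' in a SAN entry stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def audit(cert, hosts, now=None, warn_days=30):
    """Return a list of problems: names missing from the SAN, expiry too close."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    problems = [f"{h}: not covered by SAN" for h in hosts
                if not any(name_matches(s, h) for s in sans)]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < warn_days:
        # Inside the renewal window and still the old certificate:
        # automatic renewal has not succeeded yet.
        problems.append(f"expires in {days_left} days")
    return problems

# Constructed sample: a wildcard-only certificate close to expiry.
SAMPLE = {"subjectAltName": (("DNS", "*.yourdomain.com"),),
          "notAfter": "Jan 10 00:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 25 00:00:00 2024 GMT")

if __name__ == "__main__":
    for line in audit(SAMPLE, ["yourdomain.com", "www.yourdomain.com"], now=SAMPLE_NOW):
        print(line)
```

The sample shows a case the padlock check on `www` alone would miss: a certificate issued only for `*.yourdomain.com` does not cover the apex domain.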

Step 7: Post-Installation Hardening and SEO Cleanup

Update Google Search Console

Add the HTTPS version of your site as a new property in Google Search Console. Google treats http:// and https:// as separate properties. Submit your HTTPS sitemap (https://yourdomain.com/sitemap.xml) to accelerate re-crawling of the updated URLs.

Update Your Sitemap and Canonical Tags

Ensure your XML sitemap (generated by Yoast SEO, Rank Math, or similar) outputs HTTPS URLs exclusively. Check that canonical tags in your theme's <head> reference HTTPS. A canonical tag pointing to the HTTP version of a page will confuse crawlers even if the 301 redirect is in place.

Notify Google of the Change

In Google Search Console, use the Change of Address tool only if you have migrated to a completely new domain. For HTTP-to-HTTPS migration on the same domain, the 301 redirects handle the signal transfer — no address change tool is needed.

WordPress Multisite Considerations

On a WordPress Multisite network, you must update the siteurl and home values in the wp_siteurl and wp_blogs tables for each subsite, not just the main site. WP-CLI handles this per-site:

wp search-replace 'http://subdomain.yourdomain.com' 'https://subdomain.yourdomain.com' --url=subdomain.yourdomain.com --all-tables

Practical Decision Matrix: Which SSL Method to Use

| Your Hosting Environment | Recommended SSL Method | Renewal | Effort |
| --- | --- | --- | --- |
| Shared hosting with cPanel | AutoSSL or Let's Encrypt via cPanel | Automatic | Minimal |
| [VPS Hosting](https://alexhost.com/vps/) with Apache/Nginx | Certbot (Let's Encrypt) | Automatic via systemd timer | Low |
| VPS with cPanel/WHM | AutoSSL in WHM | Automatic | Minimal |
| [Dedicated Server](https://alexhost.com/dedicated-servers/) | Certbot or paid CA cert | Manual or automated | Medium |
| Cloudflare proxied domain | Cloudflare SSL + Origin cert | Automatic (Cloudflare) | Low (but verify Full Strict mode) |
| E-commerce / high-trust site | Paid OV or EV certificate | Annual manual renewal | High |

Key Technical Takeaways

  • Certificate installation and WordPress configuration are separate steps. A certificate installed at the server level does not automatically make WordPress generate HTTPS URLs. Both must be configured.
  • Mixed content is the most common post-migration failure. Run a database search-replace with WP-CLI before activating any SSL plugin to catch hardcoded HTTP URLs at the source.
  • Let's Encrypt auto-renewal must be verified, not assumed. Run certbot renew --dry-run after initial setup and monitor expiry dates. A failed renewal silently breaks your site 90 days later.
  • HSTS is a one-way door. Do not set a long max-age or enable preload until every subdomain has a valid certificate and you are committed to HTTPS permanently.
  • Cloudflare's free SSL is not end-to-end encrypted by default. Set the SSL/TLS mode to Full (Strict) and install an origin certificate on your server to close the gap.
  • On shared hosting, verify that your hosting provider's SSL covers both the apex domain (yourdomain.com) and the www subdomain. A certificate issued only for one will produce a name mismatch error on the other.
  • Serialized data in WordPress databases cannot be safely updated with raw SQL REPLACE(). Always use WP-CLI or a serialization-aware plugin.

For sites hosted on Shared Web Hosting, the fastest path to SSL is enabling AutoSSL or Let's Encrypt through cPanel — the entire process takes under five minutes and requires no command-line access. For more complex deployments requiring custom cipher configuration, OCSP stapling, or multi-domain certificates, a VPS with a configurable control panel gives you the necessary server-level access.

FAQ

Does installing an SSL certificate directly improve my Google rankings?

Google confirmed HTTPS as a ranking signal in 2014. The direct ranking boost is modest, but the indirect benefits — reduced bounce rate from browser security warnings, eligibility for HTTP/2 and HTTP/3, and user trust — have a measurable cumulative effect on organic performance.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the deprecated predecessor to TLS (Transport Layer Security). All modern certificates use TLS 1.2 or 1.3. The term "SSL certificate" persists as industry shorthand, but no browser or server has used actual SSL since 2015. If your server still accepts SSLv3 or TLS 1.0, disable them immediately — they are vulnerable to POODLE and BEAST attacks respectively.

Why does my site still show "Not Secure" after installing the certificate?

The most common cause is a mixed content error: at least one resource on the page is loading over HTTP. Open browser developer tools, check the Console for mixed content warnings, and use WP-CLI search-replace or the Really Simple SSL plugin to rewrite the offending URLs. A secondary cause is that the WordPress Site URL in Settings > General still points to http://.

How do I renew a Let's Encrypt certificate before it expires?

Certbot installs a systemd timer or cron job that attempts renewal automatically when the certificate is within 30 days of expiry. To force an immediate renewal, run sudo certbot renew --force-renewal. To test without making changes, run sudo certbot renew --dry-run. Check the renewal log at /var/log/letsencrypt/letsencrypt.log if renewal fails.

Can I install SSL on WordPress without access to the server or cPanel?

Yes, through Cloudflare. Add your domain to Cloudflare, point your nameservers to Cloudflare's, and enable the SSL/TLS setting. The visitor-to-Cloudflare leg is encrypted immediately. However, set the mode to Full (Strict) and install a Cloudflare Origin Certificate on your server to also encrypt the Cloudflare-to-origin leg. Without this, the connection between Cloudflare and your server remains unencrypted, which is a significant security gap on any site handling user data.
