Switching your WordPress site from HTTP to HTTPS is no longer optional if you want to run a professional website — especially for businesses and e‑commerce. HTTPS encrypts the connection between your visitors and your server, improves trust, and is a Google ranking signal.

In this guide, you will learn how to install and configure a free SSL certificate (usually Let’s Encrypt) on WordPress, including how to force HTTPS, avoid mixed‑content warnings, and verify your site is fully secure.

Table of Contents

  1. What Is SSL/HTTPS?
  2. Step 1 – Check if Your Hosting Already Provides Free SSL
  3. Step 2 – Enable SSL in Your Hosting Panel (cPanel/Cloud Panel)
  4. Step 3 – Change WordPress Site URL and Home URL to HTTPS
  5. Step 4 – Force HTTPS Across Your Entire Site
  6. Step 5 – Fix Mixed‑Content Errors
  7. Step 6 – Verify Your SSL Installation
  8. Step 7 – Hardening with HSTS and Redirects
  9. Final Checklist Before You Launch

What Is SSL/HTTPS?

SSL (Secure Sockets Layer) and its modern version TLS are cryptographic protocols that encrypt data transmitted between a web browser and a server. When SSL is active, your site URL changes from http://example.com to https://example.com and a padlock icon appears in the browser.

Major benefits of SSL/HTTPS include:

  • Encrypted data (login details, form submissions, payments).
  • Improved visitor trust (no “Not Secure” warning).
  • Positive SEO impact; Google treats HTTPS as a ranking signal.[WordPress.com]

For most WordPress sites, Let’s Encrypt provides a free SSL certificate that automatically renews every 90 days.[TutorialsDojo]

Step 1 – Check if Your Hosting Already Provides Free SSL

Many modern hosting providers (including shared hosting and managed WordPress plans) now include a free SSL certificate via Let’s Encrypt. Before doing anything manually, check your hosting panel or documentation.

Common locations where you can enable SSL:

  • cPanel → “SSL/TLS” or “SSL/TLS Status”.
  • Cloud hosting dashboards (Hostinger, SiteGround, Cloudflare, etc.) with “Free SSL” or “Let’s Encrypt” sections.

If you see options like “Install SSL”, “Activate Let’s Encrypt”, or “Enable HTTPS”, click to generate and install a certificate for your domain.[MyDevIt]

Step 2 – Enable SSL in Your Hosting Panel (cPanel/Cloud Panel)

These steps are generic and may vary slightly depending on your host, but the idea is the same.

Option A – cPanel / shared hosting

  1. Log in to your hosting control panel (cPanel or similar).
  2. Look for options like “SSL/TLS”, “Let’s Encrypt”, or “Free SSL”.
  3. Select your domain (or “All domains”) and click Install or Enable.
  4. Wait for the certificate to be issued (usually a few minutes).

After this, your domain should be able to serve HTTPS, but WordPress may still redirect to HTTP until you update the site URL and force HTTPS.[Rumahweb]

Option B – Plugin‑based SSL (Auto‑Install Free SSL)

Some WordPress plugins automate the creation of Let’s Encrypt certificates:

  1. Go to Plugins → Add New and search for “Auto‑Install Free SSL” or “Let’s Encrypt”.
  2. Install and activate the plugin (make sure it is from a trusted source).
  3. Follow the plugin’s wizard to generate a certificate for your domain.

Plugins like “Auto‑Install Free SSL” integrate with Let’s Encrypt to generate and renew certificates automatically within WordPress.[WordPress.org]

Step 3 – Change WordPress Site URL and Home URL to HTTPS

Even if your server has a valid SSL certificate, WordPress may still treat your site as HTTP unless you update the site URLs.

Go to Settings → General and change both fields to use https://:

  • WordPress Address (URL): https://yourdomain.com
  • Site Address (URL): https://yourdomain.com

Click “Save Changes” and reload your site. If you see a blank page or redirect loop, you may need to fix mixed content or force HTTPS via other methods (explained in the next step).[WordPress.com]

Step 4 – Force HTTPS Across Your Entire Site

Manually editing .htaccess or using a plugin are the two most common ways to force HTTPS.

Option A – Using a plugin (recommended for beginners)

  1. Go to Plugins → Add New, search for “Really Simple SSL” or “SSL Insecure Content Fixer”.
  2. Install and activate the plugin.
  3. Follow the on‑screen setup that detects your SSL certificate and automatically applies HTTPS redirects.

These plugins handle most of the heavy lifting, including editing .htaccess and fixing mixed content issues.[Smackcoders]

Option B – Manual .htaccess redirect (for experienced users)

If you prefer to edit .htaccess directly, add this snippet at the top of your .htaccess file (usually in your site’s root folder):

    # Redirect HTTP to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This ensures all requests to http:// automatically redirect to https://. Make sure to back up your .htaccess before making changes.[Smackcoders]

Step 5 – Fix Mixed‑Content Errors

Mixed content occurs when your site loads over HTTPS but some assets (images, scripts, or CSS) still reference HTTP URLs. This can cause the padlock icon to disappear or show a warning.

To fix mixed content:

  1. Inspect your site with browser developer tools (F12 → Console).
  2. Look for messages like “Mixed Content” or blocked insecure requests.
  3. Update those URLs to use https:// instead of http:// (or protocol‑relative URLs like //example.com/image.jpg).

Using an SSL plugin such as “Really Simple SSL” often automatically converts insecure URLs to HTTPS, reducing mixed‑content issues.[Smackcoders]
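
An added example, not part of the original guide: a small Python scanner that lists the subresources in a page's HTML that would still load over http://, split into active loads (scripts, stylesheets, iframes), passive loads (images, media) and CSS url() references. The sample page and the yourdomain.com URLs in it are constructed.

```python
from html.parser import HTMLParser
import re

# "active" loads are blocked by browsers on an HTTPS page; "passive" ones cost you
# the padlock. <a href> is absent on purpose: a hyperlink is not a subresource load.
KIND = {("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
        ("img", "src"): "passive", ("video", "src"): "passive", ("audio", "src"): "passive"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, tag, url) in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        self._in_style = tag == "style"
        # <link> fetches a subresource only for stylesheets, not rel=canonical
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        for attr, url in a.items():
            if attr == "style":   # inline CSS such as background-image
                self._css(tag, url)
            elif url.lower().startswith("http://") and (tag, attr) in KIND:
                self.findings.append((KIND[(tag, attr)], tag, url))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:        # body of a <style> element
            self._css("style", data)

    def _css(self, tag, text):
        self.findings += [("css", tag, u) for u in CSS_URL.findall(text)]

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real site
SAMPLE = """<link rel="canonical" href="http://yourdomain.com/post/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
<style>.hero { background: url('http://yourdomain.com/wp-content/uploads/hero.jpg') }</style>
<a href="http://example.com/">link</a> <img src="http://yourdomain.com/wp-content/uploads/logo.png">
<script src="//cdn.example.com/lib.js"></script> <div style="background:url(http://yourdomain.com/bg.png)"></div>"""
```

Calling scan(SAMPLE) reports the stylesheet, the two CSS backgrounds and the image, and skips the canonical link, the plain hyperlink and the protocol‑relative script.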

Step 6 – Verify Your SSL Installation

After enabling SSL and forcing HTTPS, double‑check your configuration.

  1. Visit your site in a browser and confirm the URL is https:// and a padlock icon appears.
  2. Use an online SSL checker (for example, SSL Labs’ SSL Test) to verify certificate validity and security settings.[SSL Labs]
  3. Verify that non‑www versions (if you use them) redirect properly to HTTPS.

A clean SSL test with no mixed‑content errors indicates that your site is correctly configured for secure browsing.[Smackcoders]

Step 7 – Hardening with HSTS and Redirects

For advanced security, you can enable HSTS (HTTP Strict Transport Security). HSTS tells browsers to always connect over HTTPS and never accept HTTP connections for your domain.

You can often enable HSTS in your hosting panel or via server configuration. Many security plugins also offer HSTS headers that can be turned on with a click.[Smackcoders]

Remember to only enable HSTS when you are confident all traffic is fully migrated to HTTPS, as it can be difficult to roll back once enabled.
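
An added example, not part of the original guide, covering the redirect check from Step 6 and the HSTS header from this step: it reads the output of curl -sIL http://yourdomain.com/ and reports hops that do not go straight to HTTPS, non‑permanent redirects, and a missing or too‑short HSTS max-age. The sample output is constructed, and the min_age floor of 300 seconds is an assumption, not a value from this guide.

```python
import re
from urllib.parse import urljoin, urlsplit

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None

def parse_curl(start_url, dump):
    """Turn `curl -sIL start_url` output into (url, status, headers) hops."""
    hops, url = [], start_url
    for block in re.split(r"\r?\n\r?\n", dump.strip()):
        lines = block.splitlines()
        pairs = (line.partition(":") for line in lines[1:])
        headers = {k.strip().lower(): v.strip() for k, _, v in pairs}
        hops.append((url, int(lines[0].split()[1]), headers))
        url = urljoin(url, headers.get("location", ""))
    return hops

def audit(hops, min_age=300):
    """List problems in a redirect chain; min_age (seconds) is an assumed floor."""
    problems = []
    for url, status, headers in hops[:-1]:
        target = urljoin(url, headers.get("location", ""))
        if urlsplit(target).scheme != "https":
            problems.append(f"{url} redirects to non-HTTPS {target}")
        if status not in (301, 308):
            problems.append(f"{url} answers {status}, not a permanent redirect")
    final_url, _, headers = hops[-1]
    if urlsplit(final_url).scheme != "https":
        return problems + [f"{final_url} is served without HTTPS"]
    # Browsers honour HSTS only on HTTPS responses, so only the final hop counts
    max_age = hsts_max_age(headers.get("strict-transport-security", ""))
    if max_age is None:
        problems.append(f"{final_url} sends no valid HSTS header")
    elif max_age < min_age:
        problems.append(f"HSTS max-age={max_age} is below {min_age} seconds")
    return problems

# Constructed `curl -sIL http://yourdomain.com/` output, not from a real site
SAMPLE = (
    "HTTP/1.1 302 Found\r\nLocation: http://www.yourdomain.com/\r\n\r\n"
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.yourdomain.com/\r\n\r\n"
    "HTTP/2 200\r\nstrict-transport-security: max-age=0; includeSubDomains\r\n\r\n"
)
```

Run audit(parse_curl(...)) on the output for both the www and non‑www hostnames; an empty list means every hop passed.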

Final Checklist Before You Launch

Before you consider your SSL setup “done”, use this checklist:

  • A valid SSL certificate (Let’s Encrypt or similar) is installed for your domain.
  • Both WordPress Address (URL) and Site Address (URL) use https://.
  • All HTTP traffic redirects to HTTPS (via plugin or .htaccess).
  • There are no mixed‑content errors in the browser console.
  • An SSL test (e.g., SSL Labs) shows your certificate as valid and secure.
  • Optional: HSTS is enabled if you are confident in your HTTPS configuration.

Once this is in place, your WordPress site is running over HTTPS and is much more secure and more trustworthy to visitors. This is not only good for security and SEO, but also for Google AdSense, which expects your site to be secure and reliable for visitors.[WordPress.com]