How to Install an SSL Certificate on Your WordPress Site (Step by Step)

An SSL certificate is what turns your site address from http:// to https://, adding the padlock that appears in your visitor’s browser. Without one, every modern browser marks your site as Not Secure. That is bad for trust, bad for SEO, and in some cases a blocker for accepting payments.

You’ll often hear this described as “installing an SSL certificate on WordPress”. Technically, the certificate itself goes on your server, not inside WordPress (here’s how, for cPanel or Plesk). What this guide covers is everything you need to configure in WordPress once it’s active: pointing your site to HTTPS, fixing redirects, and cleaning up mixed content.

The good news: SSL certificates are free (thanks to Let’s Encrypt), and most decent WordPress hosts include one with every account. If you’d rather skip the manual steps below, Really Simple Security handles most of it automatically (see the link at the bottom).

 

Step 1: Get your SSL certificate 

Check your hosting control panel first. Most hosting providers include a free Let’s Encrypt SSL certificate with every account. Look for an SSL or Security section in your hosting dashboard.

On many managed WordPress hosts, such as Kinsta or WP Engine, an SSL certificate is often enabled automatically once your domain points to their servers. If you are not sure whether yours is already active, check your host’s documentation or contact their support.

If your host does not include an SSL certificate automatically, your options are:

  • Request a free Let’s Encrypt certificate through your host’s support
  • Install one via Certbot if you have direct server access
  • Manually generate a Let’s Encrypt SSL certificate via Really Simple Security
  • Purchase a certificate from a certificate authority (only necessary for very specific use cases)
 

For most WordPress sites, the first option is the right one. If you cannot find the SSL section in your hosting dashboard, contact your host’s support team and ask them to activate it.

 

 Skip the manual steps 

Really Simple Security detects your certificate, activates HTTPS and handles the WordPress configuration automatically. Install the free plugin from WordPress.org and it will walk you through the setup. 

  Get the free plugin 

  

Step 2: Update your WordPress settings 

Once your certificate is active, you need to tell WordPress to use https:// instead of http://. Go to Settings > General in your WordPress dashboard and update both the WordPress Address and the Site Address fields to use https. 

Save your changes. Your site will most likely redirect you back to the login page after saving — that is normal. Log in again and check the site. 

  

Step 3: Fix mixed content 

Mixed content is what happens when your site loads over HTTPS but some images, scripts or stylesheets are still being requested over HTTP. It is the most common issue after switching to SSL and the most common reason browsers still show a Not Secure warning even after you have installed a certificate.

To check: open Chrome DevTools (F12 or right-click > Inspect), go to the Console tab, and look for warnings mentioning Mixed Content.

To fix it, those hard-coded HTTP references need updating to HTTPS. Two ways to do this:

  • Manually: search your database for http:// and replace with https://. A plugin like Better Search Replace makes this straightforward. Back up your database before doing this.
  • AutomaticallyReally Simple Security identifies and fixes most mixed content errors without you needing to touch the database. This works at the output level dynamically, rather than rewriting stored content, so nothing in your database is permanently changed. If you deactivate the plugin, the site reverts to how it was before. This is different from a database search-and-replace approach, which makes permanent changes.

  

Step 4: Set up redirect from HTTP to HTTPS 

You want anyone visiting http://yourdomain.com to land automatically on https://yourdomain.comThere are three ways to handle this, and which one applies depends on your hosting environment:

  • No redirect: If your host or CDN (for example, Cloudflare or a load balancer) already redirects HTTP to HTTPS at that level, you don’t need to add another one in WordPress. Adding one anyway can cause a redirect loop (more on this below).
 
  • 301 PHP redirect: This uses WordPress itself to redirect every request, and works on virtually any hosting environment, including Nginx-based hosts. If you’re setting this up manually and aren’t sure of your server type, this is the safer default.
 
  • 301 .htaccess redirect: This works at the server level, but only on Apache or LiteSpeed servers that use an .htaccess file. It will not work on Nginx-based hosts (including managed hosts like Kinsta or WP Engine). If your host supports it, this can be a good upgrade over the PHP redirect, but it isn’t the default or universally compatible option.
 
If you want to add the .htaccess version and your host supports it, add these lines to the top of your .htaccess file (the file is in your site’s root directory; you will need FTP access or the file manager in your hosting control panel):
 
RewriteEngine On 

RewriteCond %{HTTPS} off 

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

If you are using Really Simple Security, it automatically applies the correct redirect mode for your server, no manual setup required.

  

Step 5: Test your setup 

Once everything is in place, run a quick check:

  • Visit your site in Chrome and confirm the padlock appears in the address bar
  • Open Chrome DevTools > Console and check there are no remaining mixed content warnings
  • Run your domain through ssllabs.com/ssltest, this gives you a grade and flags any configuration issues worth fixing
 

An A or A+ on SSL Labs means your certificate is correctly configured. If you get a lower grade, the result page will tell you specifically what needs attention.

 

  

Common errors after switching to HTTPS 

Certificate not detected 

Clear your browser cache and try a hard refresh (Ctrl+Shift+R or Cmd+Shift+R). If the issue persists, confirm with your host that the certificate was actually activated on your domain, not just installed. 

  

Too many redirects error 

This is almost always caused by a conflicting redirect somewhere outside of Really Simple Security: your host’s control panel, a CDN like Cloudflare, a caching plugin, or a server-level rule. Really Simple Security redirects to HTTPS, but if something else is redirecting back to HTTP, you get a loop (http → https → http, and so on).

To fix it, look for and remove that conflicting redirect at the source, rather than adjusting the plugin’s own redirect. If you need to temporarily disable the plugin’s HTTPS redirect while you track down the cause, and the built-in deactivation doesn’t work, here’s how to manually revert the changes.

  

Site still showing as Not Secure 

Almost always mixed content. Open Chrome DevTools and check the Console tab. The error message will tell you exactly which URL is still loading over HTTP.

 

Want the automated version?

Really Simple Security handles Steps 2, 3 and 4 automatically. The free plugin is available on WordPress.org. Pro adds vulnerability scanning, two-factor authentication, a firewall and advanced hardening.

Simple and Performant Security.


Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.