SSL Certificate Setup for WordPress: Complete HTTPS Migration

Migrating your WordPress site from HTTP to HTTPS is no longer optional – it’s essential for security, SEO performance, and user trust. Search engines prioritize HTTPS sites in rankings, browsers display security warnings for non-HTTPS sites, and users increasingly expect the padlock icon indicating secure connections. This comprehensive guide walks you through every step of SSL certificate installation and complete HTTPS migration.

Why HTTPS Is Essential for WordPress

Google confirmed HTTPS as a ranking signal in 2014, giving secure sites a competitive advantage in search results. While the direct ranking boost is modest, HTTPS indirectly improves SEO through reduced bounce rates and increased user engagement resulting from the trust signals browsers display.

Modern browsers like Chrome, Firefox, and Safari prominently mark HTTP sites as “Not Secure,” particularly on pages with form inputs. This warning discourages visitors from interacting with your site, directly impacting conversions and user experience.

For e-commerce sites, HTTPS is mandatory – payment processors and PCI compliance requirements demand encrypted connections protecting customer financial data. Beyond compliance, HTTPS encrypts all data transmission between browsers and servers, preventing attackers from intercepting sensitive information like passwords, personal details, and session cookies.

Understanding SSL/TLS Certificates

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) certificates enable encrypted HTTPS connections. While technically distinct, the terms are often used interchangeably, with modern implementations exclusively using TLS.

Domain Validation (DV) certificates provide basic encryption and verification that you control the domain. These certificates issue quickly, often within minutes, and suit most WordPress sites. The validation process simply confirms domain ownership through email verification or DNS records.

Organization Validation (OV) certificates include business identity verification beyond domain ownership. Certificate authorities validate company information before issuance, providing additional credibility markers in certificate details.

Extended Validation (EV) certificates require the most rigorous verification process, validating legal entity existence, operational status, and physical location. EV certificates historically displayed company names in the browser address bar, though modern browsers have deprecated this prominent display.

Wildcard SSL certificates secure a domain and all its subdomains with a single certificate. For example, a wildcard certificate for *.example.com covers www.example.com, blog.example.com, shop.example.com, and any other subdomain.

Free vs Paid SSL Certificates

Let’s Encrypt revolutionized SSL accessibility by providing free, automated DV certificates trusted by all major browsers. The nonprofit certificate authority issues 90-day certificates that can be automatically renewed, eliminating cost barriers to HTTPS adoption.

Most modern hosting providers offer integrated Let’s Encrypt support through cPanel, Plesk, or custom control panels. These integrations handle certificate generation, installation, and renewal automatically.

Commercial SSL certificates from providers like DigiCert, Sectigo, and GlobalSign offer extended warranties, dedicated support, and OV/EV validation options. For most WordPress sites, free Let’s Encrypt certificates provide equivalent security to paid DV certificates.

Installing SSL Through cPanel

Most shared hosting providers offer cPanel with integrated SSL management. Access your cPanel, navigate to the Security section, and click “SSL/TLS Status” or “Let’s Encrypt SSL.”

For Let’s Encrypt certificates, select the domains to secure (typically your primary domain and www subdomain), then click “Install.” The system automatically generates the certificate, private key, and configures your web server.

Alternative manual installation through cPanel involves generating a Certificate Signing Request (CSR) in the SSL/TLS section, submitting this CSR to your certificate provider, then installing the received certificate files through “Manage SSL Sites.”

Manual SSL Installation

For VPS or dedicated servers without automation, manual installation provides full control. First, generate a private key and CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

This command creates a 2048-bit RSA private key (yourdomain.key) and CSR (yourdomain.csr). Submit the CSR to your certificate authority, keeping the private key secure and never sharing it.

When you receive certificate files from your provider, you’ll typically get the primary certificate (yourdomain.crt) and intermediate certificate bundle (intermediate.crt). Install these in your web server configuration.

For Apache, edit your virtual host configuration:

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /path/to/yourdomain.crt
    SSLCertificateKeyFile /path/to/yourdomain.key
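    # Apache 2.4.8+ deprecates SSLCertificateChainFile; there, append the
    # intermediates to the SSLCertificateFile file instead
    SSLCertificateChainFile /path/to/intermediate.crt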

    # Modern SSL configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>

For Nginx, configure the server block:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/html;

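    # Nginx has no separate chain directive: this file must hold yourdomain.crt
    # followed by intermediate.crt (cat yourdomain.crt intermediate.crt > fullchain.crt)
    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/yourdomain.key;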

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

After configuration, restart your web server:

# Apache
sudo systemctl restart apache2

# Nginx
sudo systemctl restart nginx

Configuring WordPress for HTTPS

Once SSL is active, update WordPress to use HTTPS URLs. In the WordPress admin panel, navigate to Settings > General and update both “WordPress Address (URL)” and “Site Address (URL)” from http:// to https://.

For security, force HTTPS in wp-config.php by adding these lines before “That’s all, stop editing!”:

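define('FORCE_SSL_ADMIN', true);
// Only rely on this header when a proxy you control sets or overwrites it
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

The first line forces HTTPS for admin access. The conditional handles reverse proxy setups, common with load balancers and CDNs, where TLS terminates at the proxy and the request reaches WordPress over HTTP. The isset() check avoids a PHP warning when a request arrives without the header.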

Redirecting HTTP to HTTPS

Implement 301 permanent redirects sending all HTTP traffic to HTTPS. For Apache, add this to your .htaccess file at the top, before WordPress rules:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

For Nginx, add this to your server configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

Test the redirect by visiting http://yourdomain.com and confirming automatic redirection to https://yourdomain.com.

Updating Database URLs

WordPress stores URLs in the database that need updating from HTTP to HTTPS. The Better Search Replace plugin provides a safe interface for this critical operation.

Install Better Search Replace from the WordPress repository, navigate to Tools > Better Search Replace, and configure:

  • Search for: http://yourdomain.com
  • Replace with: https://yourdomain.com
  • Select all tables
  • Deselect “Run as dry run” only after testing
  • Click “Run Search/Replace”

Run initially as a dry run to preview changes before executing the actual replacement.

For command-line enthusiasts, WP-CLI offers efficient search-replace:

wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables --dry-run

Remove --dry-run to execute after confirming the results look correct.

Fixing Mixed Content Issues

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) via HTTP, causing browser warnings and security issues. Browsers block mixed content, breaking functionality and displaying security warnings.

Identify mixed content using browser developer tools. Open DevTools (F12), navigate to the Console tab, and look for mixed content warnings like “Mixed Content: The page was loaded over HTTPS, but requested an insecure resource.”

The Really Simple SSL plugin automatically detects and fixes most mixed content issues by rewriting HTTP URLs to HTTPS. Install from the WordPress repository, activate, and the plugin handles the migration automatically.

For manual fixes, search your theme and plugin files for hardcoded HTTP URLs:

<!-- Bad - hardcoded HTTP -->
<img src="http://yourdomain.com/image.jpg">

<!-- Good - protocol-relative -->
<img src="//yourdomain.com/image.jpg">

<!-- Better - HTTPS -->
<img src="https://yourdomain.com/image.jpg">

<!-- Best - dynamic -->
<img src="<?php echo esc_url( home_url( '/image.jpg' ) ); ?>">

Update external resources to HTTPS versions. Google Fonts, Analytics, and most CDNs support HTTPS. Replace HTTP CDN URLs with HTTPS equivalents.
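
As an added example (not part of the original guide or of any plugin named in it), this Python scanner finds the mixed content described above in a saved page and separates loads that browsers block from those they only warn about. The class and function names, the tag groupings, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. Browsers block "active"
# loads and upgrade or warn on "passive" ones; <link> counts only as a stylesheet.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, url in attrs.items():
            kind = self.classify(tag, name, attrs)
            # https://, //host/path and relative URLs are not mixed content.
            if kind and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))

    @staticmethod
    def classify(tag, name, attrs):
        if (tag, name) in ACTIVE:
            return "active"
        if (tag, name) in PASSIVE:
            return "passive"
        if (tag, name) == ("form", "action"):
            return "form"  # submitted fields would travel unencrypted
        if (tag, name) == ("link", "href") and "stylesheet" in attrs.get("rel", "").lower():
            return "active"
        return None  # e.g. <a href="http://..."> is navigation, not a subresource

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://yourdomain.com/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
</head><body>
<img src="http://yourdomain.com/image.jpg">
<a href="http://yourdomain.com/about/">About</a>
<script src="http://cdn.example.net/tracker.js"></script></body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Fix the "active" findings first, since those are the ones that break page functionality; the canonical link and the ordinary hyperlink are deliberately not reported.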

Testing HTTPS Implementation

SSL Labs Server Test (ssllabs.com/ssltest) provides comprehensive SSL configuration analysis. Enter your domain and wait for the scan to complete. Aim for an A+ rating by following the recommendations.

Common issues flagged include outdated TLS protocols (disable TLSv1.0 and TLSv1.1), weak cipher suites, and missing security headers like HSTS (HTTP Strict Transport Security).

Verify the padlock icon appears in all major browsers by testing in Chrome, Firefox, Safari, and Edge. Click the padlock to view certificate details and confirm validity.

Use online tools like WhyNoPadlock.com to identify mixed content preventing the secure padlock display.

Updating External Services

Update Google Search Console by adding the HTTPS version of your site as a new property. Set up the HTTPS property, verify ownership, and submit an HTTPS sitemap. Keep the HTTP property active temporarily to monitor the migration.

In Google Analytics, update the property URL from HTTP to HTTPS in Admin > Property Settings > Default URL. This ensures accurate tracking during and after migration.

Update social media profiles on Facebook, Twitter, LinkedIn, and other platforms to reflect your HTTPS URLs. This maintains proper link sharing and Open Graph previews.

High-authority backlinks pointing to HTTP versions still pass value through 301 redirects, but consider reaching out to major referral sources to update links directly to HTTPS URLs.

SSL Certificate Renewal

Let’s Encrypt certificates expire after 90 days, requiring regular renewal. Most hosting providers with Let’s Encrypt integration handle automatic renewal through cron jobs.

Verify auto-renewal is configured by checking for certbot renewal cron entries:

sudo crontab -l | grep certbot

You should see entries like:

0 0,12 * * * /usr/bin/certbot renew --quiet

Test renewal manually without affecting current certificates:

sudo certbot renew --dry-run

Set up certificate expiration monitoring using services like SSL Checker or Uptime Robot that alert you before certificates expire.
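
A self-hosted alternative to the monitoring services above, as an added example that is not from the original guide: it classifies a certificate by its validity dates so a cron job can alert when renewal has silently stopped. The 21-day threshold, the function names, and the sample dates are assumptions; the date format is the one Python's ssl module returns from getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy: Let's Encrypt certificates last 90 days and certbot renews
# roughly 30 days before expiry, so under 21 days left means renewal is failing.
WARN_DAYS = 21


def _utc(cert_time):
    """Convert a getpeercert() date such as 'Apr  1 00:00:00 2025 GMT' to datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left) for a dict as returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    days_left = (_utc(cert["notAfter"]) - now).total_seconds() / 86400
    if now < _utc(cert["notBefore"]):
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "renewal-overdue", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=10):
    """Handshake with a live server (needs network) and classify its certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname or missing intermediates: the handshake fails.
        return "invalid: " + exc.verify_message, None


# Constructed 90-day certificate dates, in the format getpeercert() returns.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Apr  1 00:00:00 2025 GMT"}

if __name__ == "__main__":
    print(classify(SAMPLE_CERT, now=datetime(2025, 3, 20, tzinfo=timezone.utc)))
```

Run check_host("yourdomain.com") from a machine other than the web server, so the check also catches an incomplete chain that the server itself would not notice.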

Performance Benefits of HTTPS

HTTP/2 protocol requires HTTPS and provides significant performance improvements including multiplexing (multiple requests over a single connection), header compression, and server push. These features typically improve load times by 10-30%.

Enable HTTP/2 in your web server configuration. Most modern servers support HTTP/2 when SSL is enabled. Verify HTTP/2 is active using browser developer tools Network tab or online checkers.

TLS session resumption reduces the overhead of establishing encrypted connections by caching session parameters. Modern web servers enable this by default, but on Nginx confirm that your configuration includes:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Troubleshooting Common SSL Issues

“ERR_SSL_PROTOCOL_ERROR” typically indicates server configuration issues. Verify your SSL certificate files are correctly installed and web server configuration is valid. Check server error logs for specific issues.

“NET::ERR_CERT_DATE_INVALID” means your certificate has expired or is not yet valid. Check certificate dates and renew if necessary. Ensure server time is accurate, as incorrect system time can cause validation failures.

Redirect loops often occur with CDN services like Cloudflare using Flexible SSL. This happens when Cloudflare connects to your origin server via HTTP while presenting HTTPS to visitors. Fix by either using Full SSL mode in Cloudflare or detecting HTTPS through X-Forwarded-Proto headers.

Mixed content warnings persist after migration when cached pages contain old HTTP URLs. Clear all caching layers including WordPress cache plugins, CDN cache, and browser cache. Force cache busting by incrementing version numbers on enqueued scripts and styles.

By following this comprehensive HTTPS migration process, your WordPress site gains the security, SEO benefits, and user trust that come with proper SSL implementation while avoiding common pitfalls that can disrupt functionality during the transition.
