Every WordPress site without an SSL certificate shows “Not Secure” in the browser address bar. Visitors see this warning and leave immediately – especially before entering passwords or payment details on your site. Forms on HTTP pages get blocked by modern browsers entirely. Your hosting account almost certainly includes a free SSL certificate through Let’s Encrypt, but WordPress needs manual configuration to use it properly. This tutorial installs the certificate and forces all WordPress traffic through HTTPS. The process takes about 15 minutes with no coding required.
What You’ll Need
- WordPress version: 5.0 or higher
- Permissions needed: Administrator + Hosting panel access (cPanel, Plesk, or similar)
- Time to complete: 15 minutes
- Difficulty level: Beginner
- Prerequisites: None – most hosts include free SSL via Let’s Encrypt
Step 1: Check Your Hosting Panel for Free SSL
Log in to your hosting account and open the control panel. Navigate to the Security section or search for SSL/TLS. Most hosts display SSL options under a padlock icon.
SiteGround places it under Security ? SSL Manager. Bluehost and Hostinger use Security ? SSL/TLS Status. cPanel hosts show it under Security ? Let’s Encrypt or SSL/TLS. Look for your domain in the list. If it shows “No certificate” or has an Issue button, you need to activate it.
[SCREENSHOT: hosting-panel-ssl-section]
Step 2: Issue the SSL Certificate
Click Issue or Enable next to your domain name. Select Let’s Encrypt as the certificate type if your host offers multiple options. The free Let’s Encrypt certificate provides the same encryption as paid certificates – the only difference is renewal frequency.
Issuance takes 1-5 minutes. Refresh the page until the status changes to Active or displays a green checkmark. Some hosts enable auto-renewal by default. Confirm auto-renewal is turned on so your certificate doesn’t expire in 90 days.
[SCREENSHOT: ssl-certificate-issued-active]
Step 3: Update WordPress URLs to HTTPS
Open your WordPress dashboard. Navigate to Settings ? General. Find the WordPress Address (URL) field and change http:// to https://. Do the same for the Site Address (URL) field directly below it.
Both fields must match and both must use https://. Click Save Changes at the bottom of the page. WordPress logs you out immediately after saving. This is normal. Log back in using https://yourdomain.com/wp-admin.
[SCREENSHOT: wordpress-general-settings-https-urls]
Step 4: Add an HTTPS Redirect to .htaccess
Navigate to your site root via FTP or your hosting file manager. Open the .htaccess file. Your .htaccess file must be writable – confirm this in your file permissions setup.
Add this redirect rule immediately after the RewriteEngine On line and before the WordPress rewrite block:
What this does: Forces all HTTP visitors to the HTTPS version with a permanent 301 redirect.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Save the file. Test by visiting http://yourdomain.com in a new browser tab. The address bar should switch to https:// automatically. If your host already handles redirects, skip this step to avoid redirect loops.
[SCREENSHOT: htaccess-https-redirect-code]
Step 5: Fix Mixed Content Warnings
Navigate to Plugins ? Add New in your WordPress dashboard. Search for Better Search Replace and install it. Navigate to Tools ? Better Search Replace after activation.
Enter http://yourdomain.com in the Search for field. Enter https://yourdomain.com in the Replace with field. Select all tables in the database list. Check the Run as dry run box first to preview changes. If your database has excess overhead, clean up the WordPress database before running the replacement. Review the count, uncheck dry run, and click Run Search/Replace to apply. This updates every internal URL stored in posts, pages, menus, and widgets.
[SCREENSHOT: better-search-replace-http-to-https]
Step 6: Verify Your SSL Certificate
Open your site in Chrome or Firefox. Look for the padlock icon in the address bar. Click it and confirm the message reads “Connection is secure.”
Press F12 to open Developer Tools and switch to the Console tab. Look for any yellow “Mixed Content” warnings. These indicate specific images, scripts, or stylesheets still loading over HTTP. Note the URLs shown in the warnings and update them manually in your theme settings or post content. Once the console shows no mixed content errors, your SSL installation is done.
[SCREENSHOT: chrome-padlock-connection-secure]
Troubleshooting
Error: “Too many redirects” after adding the .htaccess rule
Fix: Remove the redirect rule you added – your host likely handles HTTPS redirects automatically.
Error: “Mixed Content” warnings persist in browser console
Fix: Run Better Search Replace again targeting the wp_options and wp_postmeta tables specifically.
Error: WordPress login page redirects in a loop after enabling HTTPS
Fix: Add define('FORCE_SSL_ADMIN', true); to wp-config.php above the “stop editing” comment line.
Error: SSL certificate shows as “Not Trusted” in the browser
Fix: Wait 5 minutes for DNS propagation, then clear your browser cache and reload the page.
Quick Recap
- Issued a free SSL certificate from your hosting control panel
- Updated both WordPress URLs from HTTP to HTTPS
- Added a 301 redirect in
.htaccessto force secure connections - Replaced all old HTTP URLs in the database with Better Search Replace
- Verified the padlock icon and checked for mixed content errors
For more on securing your WordPress installation, see How to Set Up a WordPress Staging Site Step by Step. The official WordPress HTTPS documentation is available at WordPress.org.