WordPress runs more than 42% of all websites on the internet. Getting SSL right matters — not just for the padlock icon, but for payment security, browser warnings, and search visibility. Yet SSL on WordPress has more steps than most guides admit: the certificate lives on the server, but WordPress also stores its own URL, generates links in post content, and loads resources that can trip mixed content warnings the moment you switch to HTTPS.
This guide walks through every layer in the correct order: choosing a certificate, installing it in your hosting panel, updating WordPress URL settings, forcing the HTTPS redirect, and eliminating mixed content. It also covers WooCommerce, Cloudflare, and the most common errors with their fixes.
Do the steps in order
A common mistake is enabling HTTPS redirects in WordPress before the certificate is installed. The result is a redirect loop that locks you out of the admin. Always install the certificate first, then update WordPress settings, then force the redirect.
Why WordPress needs SSL
HTTPS is not optional for modern WordPress sites. Here is what you lose without it:
Browser security warnings
Chrome, Firefox, and Edge mark every HTTP page as "Not secure" in the address bar. On pages with login forms or payment fields, browsers display a prominent warning that actively deters users from continuing.
WooCommerce checkout requirements
WooCommerce requires HTTPS on checkout pages and warns you in the admin dashboard if SSL is not detected. Payment processors including Stripe and PayPal require HTTPS to operate on your checkout.
Blocked browser APIs
Service workers, push notifications, WebAuthn, and the Geolocation API all require a secure context (HTTPS). Contact forms that use reCAPTCHA may behave unexpectedly on HTTP.
Google uses HTTPS as a ranking signal
Google has used HTTPS as a ranking signal since 2014. The signal is deliberately weak — it affects fewer than 1% of queries and acts as a tiebreaker. The practical benefit is more about avoiding penalties and maintaining user trust than achieving major ranking gains.
Before you start
Before touching WordPress settings, confirm you have the following:
Pre-installation checklist
- An SSL certificate — either from your hosting provider or purchased separately. You'll need the certificate file, the private key, and any CA bundle (intermediate certificate) your CA provides.
- Access to your hosting control panel — cPanel, Plesk, DirectAdmin, or SSH access. You need this to install the certificate on the server before WordPress can use it.
- WordPress admin access — you'll update the Site URL settings in Settings > General.
- A recent site backup — URL changes in WordPress affect the database. Create a full backup before starting.
Step 1: Get an SSL certificate
The right certificate type depends on what your WordPress site does:
DV SSL — Blogs, portfolios, brochure sites
Domain Validation certificates are issued in minutes and cost as little as a few dollars per year. They encrypt all traffic and display the padlock icon. No organization identity information is included in the certificate — the CA only verifies you control the domain.
DV SSL is the right choice for most WordPress sites that don't process payments or collect sensitive personal data.
OV SSL — Business sites, WooCommerce stores
Organization Validation certificates include your company name in the certificate details, verified by the CA. Recommended for WooCommerce stores and business sites where customer trust is a priority.
Wildcard SSL — WordPress Multisite (subdomain mode)
A wildcard certificate (e.g., *.example.com) covers all first-level subdomains with one certificate. Essential for WordPress Multisite installations running in subdomain mode where each site has its own subdomain.
Not sure which certificate you need?
Use our step-by-step certificate chooser to find the right option for your WordPress site in under two minutes.
Step 2: Install SSL in your hosting panel
The SSL certificate is installed at the server level, not inside WordPress. Your hosting control panel handles this. WordPress is not involved until Step 3.
cPanel (most shared hosting)
In cPanel, go to SSL/TLS > Manage SSL Sites. Select your domain, then paste your certificate, private key, and CA bundle into the respective fields.
Full cPanel SSL installation guide
Plesk
In Plesk, navigate to your domain > SSL/TLS Certificates. Click Add SSL/TLS Certificate, enter the certificate name, then upload or paste the certificate, key, and CA bundle.
Full Plesk SSL installation guide
DirectAdmin
In DirectAdmin, go to SSL Certificates under the Advanced Features menu. Paste the certificate and key, enable SSL for the domain, and save.
Full DirectAdmin SSL installation guide
Nginx or Apache (VPS/dedicated)
Copy your certificate files to the server, then reference them in your virtual host config. See the dedicated installation guides for your web server.
Verify the certificate before touching WordPress
After installing the certificate, visit https://yourdomain.com directly in a browser and confirm the padlock appears without errors. Use the My-SSL SSL Checker to verify the chain is complete. Only proceed to Step 3 when the certificate is confirmed working.
Step 3: Update WordPress URLs
WordPress stores the site URL in two database settings: siteurl (the WordPress installation URL) and home (the URL visitors use to reach the site). Both must be updated from http:// to https://.
Method A: Settings > General (recommended)
1. Log into the WordPress admin (https://yourdomain.com/wp-admin)
2. Go to Settings > General
3. Change WordPress Address (URL) from http://yourdomain.com to https://yourdomain.com
4. Change Site Address (URL) the same way
5. Click Save Changes. WordPress will log you out — log back in via https://yourdomain.com/wp-admin
Method B: wp-config.php (if you're locked out)
If the admin is inaccessible, add these two lines to wp-config.php before the /* That's all, stop editing! */ line:
<?php
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
/* That's all, stop editing! */
Note: when WP_HOME and WP_SITEURL are defined in wp-config.php, the fields in Settings > General become read-only. Remove the constants once you've confirmed the site is working correctly, then save the settings through the UI.
Step 4: Force HTTPS
Updating the WordPress URL setting tells WordPress to generate HTTPS links, but it doesn't automatically redirect visitors who type http:// in their browser. You need a server-level redirect for that — the rules below cover the common WordPress setups, and our dedicated HTTP-to-HTTPS redirect guide goes deeper, including redirect loops behind Cloudflare and proxies.
Apache — .htaccess redirect
The .htaccess file is in the root of your WordPress installation. Add these rules above the existing # BEGIN WordPress block:
# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx — server block redirect
Add a separate server block that listens on port 80 and redirects all traffic to HTTPS:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri;
}
Secure the WordPress admin over HTTPS
Add the following constant to wp-config.php to force HTTPS for all admin and login page access:
define('FORCE_SSL_ADMIN', true);
Only add this constant after the certificate is installed and the redirect is working. Adding it beforehand when the server is still on HTTP will lock you out of the admin.
Add HSTS after confirming HTTPS works
Once HTTPS is working correctly, HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain — even if someone types http://. It also protects against SSL stripping attacks. Enable HSTS only after you're confident HTTPS is fully working.
Step 5: Fix mixed content
After switching to HTTPS, your site may show a broken padlock or security warning. This is almost always mixed content — WordPress pages loading images, scripts, or stylesheets over HTTP. It's caused by hardcoded http:// URLs in post content, theme settings, or plugin assets that were written before HTTPS was enabled.
Option A: Really Simple Security plugin
Really Simple Security (formerly Really Simple SSL) is the most widely used WordPress SSL plugin, with over 7 million active installs. It automatically detects your certificate, updates WordPress settings, and applies a filter that rewrites HTTP URLs to HTTPS in WordPress-generated output.
1. In WordPress admin, go to Plugins > Add New
2. Search for "Really Simple Security" and install it
3. Activate the plugin — it will detect your SSL certificate and offer to enable SSL with a single click
4. Go to Settings > SSL to review what the plugin changed and confirm the mixed content fix is active
Option B: Database search and replace
For a permanent fix, update URLs stored in the WordPress database. Install the Better Search Replace plugin and replace http://yourdomain.com with https://yourdomain.com across all database tables. Run a dry run first to preview the changes.
Replace only your own domain. Do not run a blanket replace on all http:// URLs — third-party resources that only support HTTP should remain as-is (they'll need to be replaced with HTTPS alternatives separately).
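One reason Option B recommends a search-and-replace plugin rather than a raw SQL UPDATE: WordPress stores widget settings, theme mods and many plugin options as PHP-serialized arrays, and every string inside them carries a byte-length prefix (s:N:"..."). Replacing http:// with https:// adds one byte per match, so a plain replace leaves the prefix wrong and PHP's unserialize() rejects the whole option. The Python below is an added example, not code from this guide or from the Better Search Replace plugin; it performs the replacement while recomputing the prefixes, and shows that the naive replace breaks the value. The widget value and domain are constructed samples.

```python
import re

# PHP-serialized strings look like s:<byte length>:"<bytes>";  WordPress keeps
# widget settings, theme mods and many plugin options in this format.  This is an
# added example, not Better Search Replace's own code.
TOKEN = re.compile(rb's:(\d+):"')

# Constructed sample: a text widget whose content links to the old HTTP URL.
# The payload "<a href=\"http://yourdomain.com\">Home</a>" is exactly 40 bytes.
SAMPLE_OPTION = b'a:1:{i:0;a:1:{s:4:"text";s:40:"<a href="http://yourdomain.com">Home</a>";}}'
OLD, NEW = b'http://yourdomain.com', b'https://yourdomain.com'


def _tokens(blob: bytes):
    """Walk the blob and yield (token_start, payload_start, payload_end, ok) for
    every s:N:" occurrence.  ok is False when N does not match the data that
    follows, which is what unserialize() rejects."""
    pos = 0
    while (m := TOKEN.search(blob, pos)) is not None:
        start = m.end()
        end = start + int(m.group(1))
        ok = blob[end:end + 2] == b'";'
        yield m.start(), start, end, ok
        # Skip over the payload only when the token is real; otherwise the
        # pattern occurred inside free text and we keep scanning after it.
        pos = end + 2 if ok else m.end()


def serialized_lengths_ok(blob: bytes) -> bool:
    """True when every length prefix matches its payload."""
    return all(ok for _, _, _, ok in _tokens(blob))


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new everywhere in blob, recomputing s:N: prefixes so the
    value still unserializes.  Plain (unserialized) values such as siteurl pass
    through the ordinary replace at the end."""
    out = bytearray()
    pos = 0
    for tok_start, start, end, ok in _tokens(blob):
        if not ok:
            continue  # not a real token; the surrounding text is copied below
        out += blob[pos:tok_start].replace(old, new)      # structure between tokens
        payload = blob[start:end].replace(old, new)
        out += b's:%d:"%s";' % (len(payload), payload)   # prefix recomputed here
        pos = end + 2
    out += blob[pos:].replace(old, new)
    return bytes(out)


if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(OLD, NEW)
    print("naive replace unserializes:", serialized_lengths_ok(naive))          # False
    print("length-aware replace unserializes:",
          serialized_lengths_ok(replace_in_serialized(SAMPLE_OPTION, OLD, NEW)))  # True
```

The match is a plain byte-string replace, so the same caveat as in the text applies: pass your own domain only, and check the dry-run output for hosts that merely start with your domain name before committing.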
For a deep explanation of active vs passive mixed content types, how Chrome and Firefox handle them, and server-level CSP fixes, see our complete mixed content errors guide.
WooCommerce SSL
WooCommerce has built-in SSL detection and actively warns you in the admin if HTTPS is not enabled. Once your certificate is installed and WordPress is set to HTTPS, WooCommerce will automatically use HTTPS for all pages.
WooCommerce HTTPS checklist
- Force secure checkout: In WooCommerce > Settings > Advanced, enable "Force secure checkout" — this ensures the cart and checkout pages always use HTTPS even if accessed via HTTP links.
- Check the WooCommerce status page: In WooCommerce > Status > System Status, the "Secure connection (HTTPS)" row should show a green checkmark.
- Test the checkout flow end to end: Add a product to the cart, proceed to checkout, and confirm the entire flow stays on HTTPS. Check for mixed content warnings in the browser console on the checkout and order confirmation pages.
- Payment gateway settings: If you're using a payment gateway that embeds its own payment form (like Stripe), confirm the gateway's webhook URL in its dashboard uses HTTPS.
For WooCommerce stores with payment processing, OV or EV SSL certificates provide CA-verified organization identity that appears in the certificate details — a trust signal for customers entering payment information.
Cloudflare with WordPress
Cloudflare is a popular CDN and DNS proxy used with WordPress. It adds a layer between visitors and your server, which creates a common SSL misconfiguration that causes redirect loops and mixed content errors.
Flexible SSL — Do not use with WordPress
Cloudflare's "Flexible" SSL mode encrypts traffic between the visitor and Cloudflare, but sends HTTP — unencrypted — between Cloudflare and your server. WordPress sees an HTTP connection and redirects to HTTPS. Cloudflare then re-sends the request over HTTP, which WordPress redirects again, creating an infinite redirect loop (ERR_TOO_MANY_REDIRECTS). Never use Flexible SSL with WordPress.
Full (Strict) — The correct setting
"Full (Strict)" encrypts traffic from Cloudflare to your server and requires a valid CA-signed certificate on your origin server. This is the correct setting for WordPress with a commercial SSL certificate installed. It eliminates redirect loops and ensures end-to-end encryption.
Full (non-strict)
"Full" (not Strict) also encrypts the Cloudflare-to-origin connection but accepts self-signed certificates on the origin. This avoids redirect loops but allows man-in-the-middle attacks between Cloudflare and your server. Use Full (Strict) whenever possible.
Cloudflare + WordPress HTTPS redirect tip
With Cloudflare active, use Cloudflare's own "Always Use HTTPS" setting (under SSL/TLS > Edge Certificates) instead of a server-level .htaccess redirect. This handles the HTTP-to-HTTPS redirect at the CDN edge and avoids any redirect timing issues on the origin.
You should still add the HTTPS redirect rule in .htaccess or Nginx as a fallback for direct-to-origin requests that bypass Cloudflare.
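A way to check the redirect behaviour that Step 4 asks for, and to see the Flexible SSL loop described above from the browser's side, is to walk the redirect chain with a client that refuses to revisit a URL. The Python below is an added example, not code from this guide or from WordPress, Apache, Nginx or Cloudflare. Its two responder functions are constructed stand-ins for a real server so it runs offline: correct_origin behaves like the .htaccess and Nginx rules above plus an HSTS header; flexible_ssl_origin answers every request with a redirect to the same HTTPS URL, which is what the origin does when it only ever sees HTTP from Cloudflare.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_HOPS = 10  # browsers stop around 20 hops and show ERR_TOO_MANY_REDIRECTS
REDIRECTS = (301, 302, 307, 308)


class RedirectLoop(Exception):
    """Raised when a URL is revisited or the hop budget runs out."""


def follow(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects from url.  fetch(url) must return (status, headers) and
    must NOT follow redirects itself.  Returns (hops, final_headers) where hops
    is the list of (url, status) pairs in the order the client saw them."""
    hops, visited = [], set()
    while len(hops) < max_hops:
        if url in visited:
            raise RedirectLoop(" -> ".join(u for u, _ in hops) + " -> " + url)
        visited.add(url)
        status, headers = fetch(url)
        hops.append((url, status))
        location = headers.get("Location")
        if status in REDIRECTS and location:
            url = location
            continue
        return hops, headers
    raise RedirectLoop("gave up after %d hops" % max_hops)


def parse_hsts(value):
    """Return max-age (seconds) from a Strict-Transport-Security header value,
    or None when the header is absent or carries no usable max-age."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def check_https_setup(http_url, fetch):
    """Audit one HTTP URL against what Step 4 expects: a single permanent
    redirect to the same host and path over HTTPS, no loop, HSTS present."""
    try:
        hops, headers = follow(http_url, fetch)
    except RedirectLoop as exc:
        return {"redirect_loop": True, "detail": str(exc)}
    (first_url, first_status), (final_url, final_status) = hops[0], hops[-1]
    src, dst = urlsplit(first_url), urlsplit(final_url)
    return {
        "redirect_loop": False,
        "final_https": dst.scheme == "https" and final_status == 200,
        "permanent": first_status in (301, 308),   # the rules above use 301
        "single_hop": len(hops) == 2,              # http -> https and nothing else
        "path_preserved": (src.netloc, src.path, src.query)
                          == (dst.netloc, dst.path, dst.query),
        "hsts_max_age": parse_hsts(headers.get("Strict-Transport-Security", "")),
    }


# --- constructed responders standing in for a real server (no network needed) ---

def correct_origin(url):
    """Like the .htaccess / Nginx rules above, plus HSTS on the HTTPS response."""
    s = urlsplit(url)
    if s.scheme == "http":
        return 301, {"Location": urlunsplit(("https", s.netloc, s.path, s.query, ""))}
    return 200, {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def flexible_ssl_origin(url):
    """What the browser sees with Cloudflare Flexible SSL: the origin only ever
    receives HTTP, so WordPress answers every request, including the ones the
    visitor already made over HTTPS, with a redirect to the same HTTPS URL."""
    return 301, {"Location": url.replace("http://", "https://", 1)}


if __name__ == "__main__":
    print(check_https_setup("http://yourdomain.com/shop/?add-to-cart=1", correct_origin))
    print(check_https_setup("http://yourdomain.com/", flexible_ssl_origin))
```

To run this against a live site, supply a fetch built on http.client that returns the status and the response headers without following the Location itself (urllib.request follows redirects for you and would hide the loop). Running it from outside the CDN checks the edge; running it against the origin's IP with a Host header checks the fallback rule mentioned above.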
Troubleshooting common errors
ERR_TOO_MANY_REDIRECTS (redirect loop)
Causes and fixes:
- Cloudflare Flexible SSL: Change Cloudflare SSL mode to Full (Strict)
- FORCE_SSL_ADMIN with HTTP server: Remove the constant from wp-config.php, confirm the certificate is installed, then re-add it
- Conflicting redirects: Deactivate your SSL plugin via FTP (rename the plugin folder), then test
Broken padlock / "Not fully secure" warning
Open Chrome DevTools > Console. Look for "Mixed Content:" messages. These identify the exact HTTP URLs loading on the page. Fix them using the database search-and-replace or the plugin approach in Step 5 above. See the mixed content errors guide for a full walkthrough.
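The same inventory the DevTools console gives you can be produced offline from a saved copy of the page, which is useful when you have many pages to check or want the list in a script. The Python below is an added example, not code from this guide or from any WordPress plugin: it walks the markup, reports every http:// resource, splits findings into active (script, iframe, object, embed, stylesheet) and passive (img, audio, video, source, including srcset candidates), flags which ones point at your own domain, and upgrades only those, following the "replace only your own domain" rule from Step 5. The sample HTML is constructed; inline style url() references, CSS @import and non-stylesheet link elements are out of scope for this scanner.

```python
import re
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not part of the guide.  Active mixed content can run code or
# restyle the page and is blocked outright by browsers; passive content (media)
# cannot execute but still breaks the padlock, so both kinds are reported.
URL_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src",
             "link": "href", "img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}

Finding = namedtuple("Finding", "kind tag url own_domain")

# Constructed sample page: mixes own-domain and third-party HTTP references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/shop/style.css">
<script src="https://yourdomain.com/wp-includes/js/jquery.js"></script>
<script src="http://widgets.example.net/embed.js"></script>
</head><body>
<img src="http://yourdomain.com/wp-content/uploads/hero.jpg"
     srcset="http://yourdomain.com/wp-content/uploads/hero-2x.jpg 2x">
<img src="//cdn.example.net/logo.png">
<iframe src="http://maps.example.org/embed"></iframe>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).netloc
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # icons, preloads etc. are not classified here
        attr = URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self._record(tag, a[attr])
        if tag in ("img", "source") and a.get("srcset"):   # "url 1x, url 2x"
            for candidate in a["srcset"].split(","):
                parts = candidate.split()
                if parts:
                    self._record(tag, parts[0])

    def _record(self, tag, url):
        parts = urlsplit(url)
        if parts.scheme != "http":  # https, protocol-relative (//) and relative URLs are fine
            return
        kind = "active" if tag in ACTIVE_TAGS else "passive"
        self.findings.append(Finding(kind, tag, url, parts.netloc == self.page_host))


def scan_mixed_content(html, page_url):
    """Return the list of Finding tuples for one page, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_own_domain(html, domain):
    """Upgrade http://<domain> references only; third-party http:// URLs are left
    for manual replacement with HTTPS alternatives.  The lookahead keeps the
    pattern from matching a longer host that merely starts with <domain>."""
    pattern = r"http://" + re.escape(domain) + r"""(?=[/"'\s?#]|$)"""
    return re.sub(pattern, "https://" + domain, html)


if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_HTML, "https://yourdomain.com/"):
        print(f"{f.kind:7} <{f.tag}> {'own' if f.own_domain else 'third-party'}: {f.url}")
    for f in scan_mixed_content(rewrite_own_domain(SAMPLE_HTML, "yourdomain.com"),
                                "https://yourdomain.com/"):
        print("still to fix by hand:", f.url)
```

Feed it the HTML as the browser received it (view-source, or fetched over HTTPS), not the post content from the database: theme templates and plugin output are where many hardcoded URLs live, and they never appear in a database search.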
White screen of death after enabling SSL
A white screen usually means a PHP error, not an SSL issue. Enable WordPress debug mode by adding define('WP_DEBUG', true); to wp-config.php, then reload the page. The error message will appear in the browser or in the server PHP error log. Common causes are a plugin conflict triggered by the URL change or a redirect that breaks the PHP session.
Certificate not trusted on mobile or email clients
This is almost always a missing intermediate certificate (chain problem). Desktop Chrome has an AIA chasing mechanism that can fetch missing intermediates automatically, which masks the problem in the desktop browser while mobile clients still fail. Use the My-SSL SSL Checker to verify your chain is complete. See our certificate chain guide for how to fix a broken chain.