WordPress powers 43% of the web. Adding SSL/HTTPS involves three steps: get a certificate, install it on your server, and update WordPress to use HTTPS URLs. This guide covers all three.
Step 1: Get a certificate
Most WordPress hosts include free SSL — check first:
| Host type | How to check |
|---|---|
| Managed WordPress (SiteGround, Bluehost, WP Engine) | Control panel → Security/SSL section — often auto-enabled |
| cPanel shared hosting | cPanel → SSL/TLS Status — look for AutoSSL |
| VPS/dedicated | No built-in SSL — you need to install one yourself |
If your host doesn’t provide SSL, get a free certificate from GetHTTPS and install it via cPanel, Nginx, or Apache.
Step 2: Update WordPress URLs
After the certificate is installed on the server, tell WordPress to use HTTPS:
Method A: WordPress settings (easiest)
- Go to Settings → General
- Change both URLs from http:// to https://:
  - WordPress Address (URL): https://yourdomain.com
  - Site Address (URL): https://yourdomain.com
- Click Save Changes
You’ll be logged out — log back in at the new https:// URL.
Method B: wp-config.php (if you can’t access the dashboard)
Add before /* That's all, stop editing! */:
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
define('FORCE_SSL_ADMIN', true);
Step 3: Fix mixed content
WordPress stores absolute URLs in the database (post content, images, widget text). After switching to HTTPS, old http:// references cause mixed content warnings.
Quick fix: Really Simple SSL plugin
- Install Really Simple SSL plugin
- Activate it — it detects your certificate and fixes most mixed content automatically
- It adds the upgrade-insecure-requests header and rewrites URLs dynamically
Permanent fix: Search-Replace in database
For a clean solution without a plugin dependency:
# Using WP-CLI (recommended)
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables
Or use the Better Search Replace plugin:
- Search for: http://yourdomain.com
- Replace with: https://yourdomain.com
- Select all tables
- Run (do a dry run first)
Manual SQL (advanced)
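-- Back up the database first. REPLACE() does not update the length prefixes inside
-- PHP-serialized values, so serialized rows in wp_postmeta can be corrupted; wp search-replace handles them.
UPDATE wp_options SET option_value = REPLACE(option_value, 'http://yourdomain.com', 'https://yourdomain.com') WHERE option_name IN ('home', 'siteurl');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');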
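Why a serialization-aware tool is the safer route for meta values, shown as an added example that is not part of the original guide: a byte-for-byte replace, as SQL REPLACE() performs, leaves a PHP-serialized string with a stale length prefix, while a replace that walks the structure recomputes it. The sample meta value is constructed, and the walker covers only strings, integers, booleans, floats, null and arrays.

```python
# Added illustration; SAMPLE is a constructed wp_postmeta.meta_value.
OLD, NEW = b"http://yourdomain.com", b"https://yourdomain.com"
URL = OLD + b"/banner.png"
SAMPLE = b'a:2:{s:3:"url";s:%d:"%s";s:5:"width";i:300;}' % (len(URL), URL)

def naive_replace(blob: bytes) -> bytes:
    """What SQL REPLACE() does: swap bytes, leave s:<len> prefixes as they were."""
    return blob.replace(OLD, NEW)

def _walk(buf: bytes, pos: int, out: list) -> int:
    """Copy one serialized value starting at pos into out; return the end offset."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                  # N;
        out.append(b"N;")
        return pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:300;  b:1;  d:0.5;
        end = buf.index(b";", pos) + 1
        out.append(buf[pos:end])
        return end
    colon = buf.index(b":", pos + 2)                 # end of the length/count field
    size = int(buf[pos + 2:colon])
    if tag == b"s":                                  # s:<bytes>:"<payload>";
        start = colon + 2
        if buf[start + size:start + size + 2] != b'";':
            raise ValueError("length prefix does not match payload")
        new = buf[start:start + size].replace(OLD, NEW)
        out.append(b's:%d:"%s";' % (len(new), new))  # recompute the prefix
        return start + size + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        out.append(buf[pos:colon + 2])
        pos = colon + 2
        for _ in range(2 * size):                    # keys and values alternate
            pos = _walk(buf, pos, out)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        out.append(b"}")
        return pos + 1
    raise ValueError("unsupported type tag %r" % tag)

def is_valid(blob: bytes) -> bool:
    """True if blob parses end to end with consistent length prefixes."""
    try:
        return _walk(blob, 0, []) == len(blob)
    except ValueError:
        return False

def safe_replace(blob: bytes) -> bytes:
    """Replace OLD with NEW inside every string and fix its length prefix."""
    out = []
    _walk(blob, 0, out)
    return b"".join(out)
```
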
Step 4: Set up HTTP → HTTPS redirect
Ensure all visitors are served HTTPS, even if they type http://:
.htaccess (Apache — most common for WordPress)
Add at the top of your .htaccess file (before WordPress rules):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
See our full redirect guide.
Step 5: Update external services
After migrating to HTTPS, update your URLs in:
- Google Search Console — add the https:// property
- Google Analytics — Settings → Default URL → change to https://
- Sitemap — regenerate with https:// URLs (Yoast/Rank Math does this automatically)
- Social profiles — Facebook, Twitter links to your site
- CDN — if using a CDN, ensure it serves over HTTPS
Verify
- Visit https://yourdomain.com — padlock icon should appear
- Open DevTools (F12) → Console — check for mixed content warnings
- Test a few internal pages and blog posts
- Check Google Search Console for any crawl errors
Troubleshooting
Redirect loop after enabling HTTPS
Common when behind a proxy (Cloudflare, load balancer). The proxy sends HTTP to WordPress, which redirects to HTTPS, which the proxy sends as HTTP again. Fix:
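// Add to wp-config.php if behind a proxy.
// X-Forwarded-Proto is a request header: rely on it only when the proxy sets it
// and the server cannot be reached directly, bypassing the proxy.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}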
“Your connection is not private” after installing SSL
The certificate may not be properly installed at the server level. Check the server configuration (Nginx or Apache) before troubleshooting WordPress.
Some images/resources still load over HTTP
Run the database search-replace (Step 3). Check theme files and custom CSS for hardcoded http:// URLs. Use the upgrade-insecure-requests CSP header as a safety net.
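One way to find the leftovers before the browser console does, as an added example that is not from the original guide: a scanner that separates http:// subresources (which cause mixed content) from plain links (which do not). The sample markup and file paths are constructed, and the tag lists are a deliberately small assumption, not a complete inventory.

```python
from html.parser import HTMLParser

# Constructed sample of post content / theme output after the switch to HTTPS.
SAMPLE = """
<p><a href="http://yourdomain.com/about/">About</a></p>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<img src="https://yourdomain.com/wp-content/uploads/ok.png">
<script src="http://yourdomain.com/wp-content/themes/demo/old.js"></script>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://yourdomain.com/post/">
"""

# Active content can change the page; passive content is media only.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collects http:// subresources that an https:// page would try to load."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        # For <link>, this example counts stylesheets only; rel=canonical is metadata.
        if tag == "link" and "stylesheet" not in attr.get("rel", "").lower():
            return
        for name, value in attr.items():
            if not value.strip().lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))
            # <a href="http://..."> is navigation, not a subresource: skipped.

def scan(html: str) -> list:
    """Return (kind, tag, url) for every insecure subresource in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```
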
Frequently asked questions
Do I need a plugin for SSL on WordPress?
No. A plugin like Really Simple SSL makes the transition easier (especially mixed content), but it’s not required. You can update URLs manually and add redirects in .htaccess. The plugin adds a small amount of overhead on every page load.
Will switching to HTTPS affect my SEO?
Temporarily, there may be minor ranking fluctuations as Google recrawls your site. Long-term, HTTPS improves SEO — it’s a Google ranking signal. Use 301 redirects from HTTP to HTTPS so link equity transfers.
Can I use a free Let’s Encrypt certificate with WordPress?
Yes. Let’s Encrypt certificates work with any website, including WordPress. Get one from GetHTTPS and install it on your server or via cPanel. The certificate doesn’t know or care that WordPress is running behind it.
How do I renew the certificate for WordPress?
The certificate is installed at the server level, not in WordPress. Renew it by getting a new certificate and replacing the files on your server. WordPress itself doesn’t manage certificates.
What about WooCommerce / e-commerce on WordPress?
A free Let’s Encrypt DV certificate is sufficient for WooCommerce. PCI DSS does not require OV or EV certificates — it requires encryption, which DV provides. Your payment gateway (Stripe, PayPal, Square) handles the most sensitive payment card data anyway.
Can I use WordPress Multisite with SSL?
Yes. For WordPress Multisite with subdomains (e.g., site1.example.com, site2.example.com), use a wildcard certificate (*.example.com). For Multisite with subdirectories (e.g., example.com/site1/), a single domain certificate works.
My host says they provide free SSL — do I still need GetHTTPS?
If your host provides free SSL (via AutoSSL or a similar system), use it — it’s the simplest path. GetHTTPS is for cases where your host doesn’t offer free SSL, you need a specific certificate type (wildcard, multi-domain), or you want to control the private key yourself.