Get SSL Certificate WordPress: 7 Steps to Follow
by
7-layers of Security for Your WordPress Site
Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

If you searched for how to get SSL certificate WordPress, you are probably trying to fix a browser warning, launch a new site, or make checkout and login pages safe. Start with your host, not with a random paid certificate or a WordPress plugin.
For most WordPress sites, SSL is free and already available in the hosting dashboard. The certificate is handled by your host, server, domain provider, or CDN. WordPress comes after that, when you switch the site to HTTPS and clean up old HTTP URLs.
TL;DR: Most WordPress sites can use a free SSL certificate from the host or Let’s Encrypt. Get the certificate active before changing WordPress settings. Then switch WordPress to HTTPS, add one clean redirect, fix mixed content, test important pages, confirm automatic renewal, and use MalCare for the WordPress security work SSL does not cover.
Choose the right SSL path
The first question is not “Which SSL certificate should I buy?” It is “Who controls SSL for this site?” Most site owners should check the hosting dashboard first. Managed WordPress hosts, shared hosts, cPanel, and Plesk often include free SSL through Let’s Encrypt or a similar provider.
| Your setup | Where to get SSL | Start here |
|---|---|---|
| WordPress.com | WordPress.com domain security | Check that the domain and DNS are connected correctly |
| Managed WordPress host | Hosting dashboard | Look for SSL, HTTPS, Security, or Domains |
| cPanel or Plesk | SSL/TLS, AutoSSL, or Let’s Encrypt | Enable SSL for the main domain and any needed subdomains |
| VPS or self-managed server | Certbot or another ACME tool | Confirm DNS points to the server first |
| Cloudflare or another CDN | CDN and origin server settings | Configure both the visitor side and the server side |
| WordPress admin only | Host, site owner, or server admin | Ask the person with hosting access to enable SSL |
The table shows the real issue: WordPress can use HTTPS, but it usually cannot install the certificate by itself. An SSL plugin may help with redirects or mixed content after SSL exists. It is not a magic installer if you do not control the host, DNS, server, or CDN.
This decision map shows why the SSL setup usually starts outside WordPress.

🔐 Note: If you only have WordPress admin access, do not buy a certificate yet. Ask the host or site owner how SSL is managed on that account. Buying the wrong certificate can leave you with files you cannot install.
Decide between free and paid SSL
Free SSL is enough for most WordPress sites.
A free domain-validated certificate, often called DV SSL, proves that you control the domain. It encrypts the connection between the visitor and your site. That is what most blogs, portfolios, brochure sites, local business sites, and many WooCommerce stores need.
Paid SSL is not automatically more encrypted. You usually pay for business validation, support, managed installation, warranty terms, trust processes, or easier handling for many domains.
| Certificate type | What it proves | Use it when |
|---|---|---|
| DV | You control the domain | You need HTTPS working on a normal WordPress site |
| OV | The domain and organization are checked | Your business needs verified company details |
| EV | The organization goes through deeper checks | Your industry or policy requires higher validation |
| Single-domain | One domain | Your site uses one main address |
| Wildcard | A domain and its subdomains | You use many subdomains |
| Multi-domain | Several domain names | You manage multiple brands or domains |
If you run a small business site, the certificate type is rarely the weak point. Expired certificates, bad redirects, mixed content, and forgotten renewal checks cause more real problems. Use this rule: choose free SSL unless you know why you need paid validation, managed support, or complex domain coverage.
Get the certificate active
Do this before changing WordPress URLs. If HTTPS is broken at the certificate level, WordPress settings cannot fix it.
Open your host SSL settings
Log in to your hosting dashboard and open the site, domain, security, SSL, or HTTPS area. Look for free SSL, Let’s Encrypt, AutoSSL, or a similar option.
Enable SSL for the exact domain visitors use. If your site uses both www and non-www, make sure the certificate covers both. Wait until the host marks the certificate as active, then open the HTTPS version in a browser.
⚠️ Note: Do not force HTTPS before the certificate is active. That can turn a small setup task into browser errors, redirect loops, or a WordPress admin page you cannot reach easily.
Check WordPress.com domain security
WordPress.com provides SSL for hosted and connected domains when the domain is set up correctly. If SSL is pending, check the domain’s nameservers, DNS records, CAA records, and DNSSEC status. In plain English, DNS tells the internet where your domain should go. If DNS points to the wrong place, the certificate authority cannot confirm that the domain belongs to the site.
Use cPanel or Plesk SSL tools
In cPanel, look for SSL/TLS, AutoSSL, or Let’s Encrypt. In Plesk, look for SSL/TLS Certificates or Let’s Encrypt.
Select the domain, include needed subdomains, issue the certificate, and wait for validation. If you bought a third-party certificate, the panel may ask for the certificate file, private key, and CA bundle. These must match.
🔑 Note: Protect the private key. Do not paste it into random tools, public docs, tickets, or chat threads. The private key is the secret part of the certificate setup.
Use Certbot on a VPS
If you manage your own server, you will usually use Certbot or another ACME tool. ACME is the automated process many certificate tools use to prove domain control and request certificates. Before you start, confirm that the domain points to the server, ports 80 and 443 are open, and you know whether the server runs Apache or Nginx. Back up the server configuration before editing it.
If that sounds uncomfortable, ask your host or developer to handle it. Server SSL mistakes can break the site for every visitor.
Match CDN and server SSL
A CDN such as Cloudflare can show HTTPS to visitors, but the connection from the CDN to your server still matters. Configure the CDN mode to match your origin certificate setup. Avoid adding HTTPS redirects in every layer. Pick one main place to own the redirect: host, server, CDN, or WordPress plugin.
Buy SSL only when needed
Buy from a certificate authority when you need OV, EV, wildcard, multi-domain coverage, or managed certificate support.
The usual flow is simple: choose the certificate, generate a CSR if required, complete domain or business validation, download the certificate files, install the SSL certificate in the host or server panel, then test HTTPS.
Certificate lifetimes are getting shorter across the industry. Public TLS certificates are moving from the older 398-day model toward shorter maximum periods, with staged reductions beginning in March 2026 and moving toward 47 days by March 2029. Treat automatic renewal as required, not optional.
Switch WordPress to HTTPS
Once the HTTPS version opens without a certificate warning, update WordPress.
Back up the site first
Back up before changing URLs, redirects, or database content. New sites are usually easy. Existing sites may have years of images, forms, widgets, page builder content, menus, and old links.
A backup turns a mistake into a restore task instead of a crisis.
Update the WordPress URLs
In WordPress admin, go to Settings > General. Change both WordPress Address (URL) and Site Address (URL) from HTTP to HTTPS. Save the settings and log back in if WordPress asks.
If those fields are locked, they may be controlled by the host or by constants in the WordPress configuration file. Ask your host or developer to change the values where they are defined.
Add one HTTPS redirect
Visitors and search engines should land on HTTPS even if they open an old HTTP link. Add a permanent redirect from HTTP to HTTPS through one main layer:
Do not turn on every redirect toggle you can find. Duplicate redirects are a common cause of “too many redirects” errors.
Replace old HTTP URLs
On a new site, updating the two WordPress URL fields may be enough. On an existing site, old HTTP links can remain inside posts, pages, media, menus, widgets, page builders, theme files, custom CSS, scripts, canonical tags, and sitemap output.
Use a WordPress-safe search-and-replace tool and keep the backup. Some WordPress data is stored in a special serialized format, which means a plain text database replacement can break saved settings if it changes lengths without updating the stored data. Plain version: use a WordPress-aware tool, not a careless find-and-replace.
Clear every cache
Clear the WordPress cache, CDN cache, server cache, object cache, optimization plugin cache, and browser cache. Caching stores old page versions to make the site faster. After an HTTPS move, it can also keep serving old HTTP assets until you clear it.
Fix common SSL problems
Most SSL problems fall into a few patterns. Start with the symptom you see.
| Problem | Likely cause | What to do |
|---|---|---|
| SSL stays pending | DNS, nameserver, CAA, DNSSEC, or validation delay | Confirm the domain points to the right service |
| Site says “Not secure” | Mixed content, cache, expired SSL, or wrong domain | Check certificate details and scan for HTTP assets |
| Certificate name mismatch | Certificate does not cover the exact domain | Include www, non-www, or needed subdomains |
| Too many redirects | Host, CDN, plugin, and WordPress all redirecting | Keep one redirect owner and disable duplicates |
| Admin login breaks | Wrong WordPress URLs or forced HTTPS too early | Check URL settings, redirects, and restore from backup if needed |
| Images or scripts disappear | Old HTTP media, theme, plugin, or builder URLs | Replace hardcoded HTTP URLs and clear caches |
Mixed content is the most common surprise. It means the page is HTTPS, but one image, script, font, iframe, or stylesheet still loads over HTTP. That is fixable. It does not mean the certificate failed.
Redirect loops are the other common issue. Each layer thinks it is helping, but the browser gets passed around instead of landing on the page. Fix one layer at a time. Here is the troubleshooting pattern as a quick visual checklist.
🧭 Note: If checkout, forms, or login pages behave oddly after the switch, test those pages before you keep editing settings. Payment scripts, form embeds, and cached pages often expose HTTPS problems that the homepage hides.
Test SSL before you move on
Do not stop when the homepage loads. Older posts, checkout pages, admin screens, forms, and templates can use different assets.
Use this checklist:
If your host or certificate tool supports a renewal test, use it. Manual renewal works until the one week everyone forgets.
Know what SSL does not do
SSL encrypts the connection between the visitor and your site. It helps protect logins, form submissions, and checkout data while they travel across the web. That does not mean WordPress itself is secure. SSL does not scan for malware, clean hacked files, block brute-force login attempts, patch vulnerable plugins, monitor suspicious admin activity, or replace backups.
After HTTPS is working, add the WordPress security layers that protect the site itself: updates, backups, malware scanning, firewall protection, login protection, vulnerability monitoring, and activity logs. That is the next step in securing your WordPress site, because HTTPS only protects data in transit.
This is where MalCare’s firewall and malware protection fits naturally. SSL handles the encrypted connection. MalCare helps with WordPress-side threats like malware, brute-force attacks, suspicious activity, vulnerable plugins, and firewall protection. The point is not to collect security badges. The point is to avoid mistaking a clean HTTPS URL for a healthy WordPress site.
FAQs
Can I get a free SSL certificate for WordPress?
Yes. Most WordPress sites can use free SSL from the host or Let’s Encrypt. Check your hosting dashboard first because many hosts include free automatic SSL.
Can I install SSL from the WordPress dashboard?
Usually, no. The certificate is normally installed through the host, server, CDN, or domain setup. WordPress settings and plugins help after the certificate is active.
How much does a WordPress SSL certificate cost?
It can cost nothing if your host provides free SSL or you use Let’s Encrypt. Paid SSL costs vary because validation, wildcard coverage, multiple domains, managed installation, support, and warranty terms vary.
Is free SSL enough for WordPress?
Yes, for most blogs, portfolios, brochure sites, and small business sites. Choose paid SSL when you need business validation, managed support, or complex domain coverage.
Why does my WordPress site still say Not secure after SSL?
The usual causes are mixed content, cache, an expired certificate, a certificate for the wrong domain, or a CDN and server mismatch. Check the certificate first, then scan the page for HTTP assets.
Conclusion
The safest way to get SSL on WordPress is to keep the order simple: get the certificate active through the host, server, CDN, or certificate authority first. Then switch WordPress to HTTPS, add one redirect, replace old HTTP URLs, clear caches, and test the pages that matter.
Free SSL is enough for most WordPress sites, but SSL is only one part of site hardening.
Once HTTPS is working, make renewal automatic, keep WordPress security updates on a routine maintenance schedule, and add WordPress security for malware, vulnerable plugins, login attacks, backups, and monitoring. That is how you turn the browser warning off without ignoring the risks behind the site.
Category:
Share it:
You may also like
-
Uh-Oh! Your Connection Is Not Private? Here’s How To Fix This Issue
You do not usually see a browser warning at a convenient time. It appears when you are trying to log in, check out, open a client site, or get into…
-
WordPress Login Redirect Loop 101: How to Fix It Safely
You know that the strong password you created is right. WordPress accepts the form, pauses for a second, and sends you straight back to the login screen. A WordPress login…
-
Cookie Stealing: What It Is and How to Protect Your WordPress Site
Sometimes, a WordPress break-in does not start with a guessed password. It starts with a browser that was already logged in. That is why cookie stealing is so unsettling. You…
How can we help you?
If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.
My site is hacked – Help me clean it
Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.
Secure my WordPress Site from hackers
MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.

