Get SSL Certificate WordPress: 7 Steps to Follow

by

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

get ssl certificate wordpress feature image

If you searched for how to get SSL certificate WordPress, you are probably trying to fix a browser warning, launch a new site, or make checkout and login pages safe. Start with your host, not with a random paid certificate or a WordPress plugin.

For most WordPress sites, SSL is free and already available in the hosting dashboard. The certificate is handled by your host, server, domain provider, or CDN. WordPress comes after that, when you switch the site to HTTPS and clean up old HTTP URLs.

TL;DR: Most WordPress sites can use a free SSL certificate from the host or Let’s Encrypt. Get the certificate active before changing WordPress settings. Then switch WordPress to HTTPS, add one clean redirect, fix mixed content, test important pages, confirm automatic renewal, and use MalCare for the WordPress security work SSL does not cover.

Choose the right SSL path

The first question is not “Which SSL certificate should I buy?” It is “Who controls SSL for this site?” Most site owners should check the hosting dashboard first. Managed WordPress hosts, shared hosts, cPanel, and Plesk often include free SSL through Let’s Encrypt or a similar provider.

Your setupWhere to get SSLStart here
WordPress.comWordPress.com domain securityCheck that the domain and DNS are connected correctly
Managed WordPress hostHosting dashboardLook for SSL, HTTPS, Security, or Domains
cPanel or PleskSSL/TLS, AutoSSL, or Let’s EncryptEnable SSL for the main domain and any needed subdomains
VPS or self-managed serverCertbot or another ACME toolConfirm DNS points to the server first
Cloudflare or another CDNCDN and origin server settingsConfigure both the visitor side and the server side
WordPress admin onlyHost, site owner, or server adminAsk the person with hosting access to enable SSL

The table shows the real issue: WordPress can use HTTPS, but it usually cannot install the certificate by itself. An SSL plugin may help with redirects or mixed content after SSL exists. It is not a magic installer if you do not control the host, DNS, server, or CDN.

This decision map shows why the SSL setup usually starts outside WordPress.

SSL provider path explainer showing where WordPress site owners should start

🔐 Note: If you only have WordPress admin access, do not buy a certificate yet. Ask the host or site owner how SSL is managed on that account. Buying the wrong certificate can leave you with files you cannot install.

Decide between free and paid SSL

Free SSL is enough for most WordPress sites.

A free domain-validated certificate, often called DV SSL, proves that you control the domain. It encrypts the connection between the visitor and your site. That is what most blogs, portfolios, brochure sites, local business sites, and many WooCommerce stores need.

Paid SSL is not automatically more encrypted. You usually pay for business validation, support, managed installation, warranty terms, trust processes, or easier handling for many domains.

Certificate typeWhat it provesUse it when
DVYou control the domainYou need HTTPS working on a normal WordPress site
OVThe domain and organization are checkedYour business needs verified company details
EVThe organization goes through deeper checksYour industry or policy requires higher validation
Single-domainOne domainYour site uses one main address
WildcardA domain and its subdomainsYou use many subdomains
Multi-domainSeveral domain namesYou manage multiple brands or domains

If you run a small business site, the certificate type is rarely the weak point. Expired certificates, bad redirects, mixed content, and forgotten renewal checks cause more real problems. Use this rule: choose free SSL unless you know why you need paid validation, managed support, or complex domain coverage.

Get the certificate active

Do this before changing WordPress URLs. If HTTPS is broken at the certificate level, WordPress settings cannot fix it.

Open your host SSL settings

Log in to your hosting dashboard and open the site, domain, security, SSL, or HTTPS area. Look for free SSL, Let’s Encrypt, AutoSSL, or a similar option.

Enable SSL for the exact domain visitors use. If your site uses both www and non-www, make sure the certificate covers both. Wait until the host marks the certificate as active, then open the HTTPS version in a browser.

WordPress demo page loading over HTTPS

⚠️ Note: Do not force HTTPS before the certificate is active. That can turn a small setup task into browser errors, redirect loops, or a WordPress admin page you cannot reach easily.

Check WordPress.com domain security

WordPress.com provides SSL for hosted and connected domains when the domain is set up correctly. If SSL is pending, check the domain’s nameservers, DNS records, CAA records, and DNSSEC status. In plain English, DNS tells the internet where your domain should go. If DNS points to the wrong place, the certificate authority cannot confirm that the domain belongs to the site.

Use cPanel or Plesk SSL tools

In cPanel, look for SSL/TLS, AutoSSL, or Let’s Encrypt. In Plesk, look for SSL/TLS Certificates or Let’s Encrypt.

Select the domain, include needed subdomains, issue the certificate, and wait for validation. If you bought a third-party certificate, the panel may ask for the certificate file, private key, and CA bundle. These must match.

🔑 Note: Protect the private key. Do not paste it into random tools, public docs, tickets, or chat threads. The private key is the secret part of the certificate setup.

Use Certbot on a VPS

If you manage your own server, you will usually use Certbot or another ACME tool. ACME is the automated process many certificate tools use to prove domain control and request certificates. Before you start, confirm that the domain points to the server, ports 80 and 443 are open, and you know whether the server runs Apache or Nginx. Back up the server configuration before editing it.

If that sounds uncomfortable, ask your host or developer to handle it. Server SSL mistakes can break the site for every visitor.

Match CDN and server SSL

A CDN such as Cloudflare can show HTTPS to visitors, but the connection from the CDN to your server still matters. Configure the CDN mode to match your origin certificate setup. Avoid adding HTTPS redirects in every layer. Pick one main place to own the redirect: host, server, CDN, or WordPress plugin.

Buy SSL only when needed

Buy from a certificate authority when you need OV, EV, wildcard, multi-domain coverage, or managed certificate support.

The usual flow is simple: choose the certificate, generate a CSR if required, complete domain or business validation, download the certificate files, install the SSL certificate in the host or server panel, then test HTTPS.

Certificate lifetimes are getting shorter across the industry. Public TLS certificates are moving from the older 398-day model toward shorter maximum periods, with staged reductions beginning in March 2026 and moving toward 47 days by March 2029. Treat automatic renewal as required, not optional.

Switch WordPress to HTTPS

Once the HTTPS version opens without a certificate warning, update WordPress.

Back up the site first

Back up before changing URLs, redirects, or database content. New sites are usually easy. Existing sites may have years of images, forms, widgets, page builder content, menus, and old links.

A backup turns a mistake into a restore task instead of a crisis.

Update the WordPress URLs

In WordPress admin, go to Settings > General. Change both WordPress Address (URL) and Site Address (URL) from HTTP to HTTPS. Save the settings and log back in if WordPress asks.

WordPress Settings General screen with HTTPS site URLs

If those fields are locked, they may be controlled by the host or by constants in the WordPress configuration file. Ask your host or developer to change the values where they are defined.

Add one HTTPS redirect

Visitors and search engines should land on HTTPS even if they open an old HTTP link. Add a permanent redirect from HTTP to HTTPS through one main layer:

  • hosting dashboard
  • server configuration
  • CDN rule
  • WordPress HTTPS plugin

Do not turn on every redirect toggle you can find. Duplicate redirects are a common cause of “too many redirects” errors.

HTTP request ending on the HTTPS WordPress page

Replace old HTTP URLs

On a new site, updating the two WordPress URL fields may be enough. On an existing site, old HTTP links can remain inside posts, pages, media, menus, widgets, page builders, theme files, custom CSS, scripts, canonical tags, and sitemap output.

Use a WordPress-safe search-and-replace tool and keep the backup. Some WordPress data is stored in a special serialized format, which means a plain text database replacement can break saved settings if it changes lengths without updating the stored data. Plain version: use a WordPress-aware tool, not a careless find-and-replace.

Clear every cache

Clear the WordPress cache, CDN cache, server cache, object cache, optimization plugin cache, and browser cache. Caching stores old page versions to make the site faster. After an HTTPS move, it can also keep serving old HTTP assets until you clear it.

Fix common SSL problems

Most SSL problems fall into a few patterns. Start with the symptom you see.

ProblemLikely causeWhat to do
SSL stays pendingDNS, nameserver, CAA, DNSSEC, or validation delayConfirm the domain points to the right service
Site says “Not secureMixed content, cache, expired SSL, or wrong domainCheck certificate details and scan for HTTP assets
Certificate name mismatchCertificate does not cover the exact domainInclude www, non-www, or needed subdomains
Too many redirectsHost, CDN, plugin, and WordPress all redirectingKeep one redirect owner and disable duplicates
Admin login breaksWrong WordPress URLs or forced HTTPS too earlyCheck URL settings, redirects, and restore from backup if needed
Images or scripts disappearOld HTTP media, theme, plugin, or builder URLsReplace hardcoded HTTP URLs and clear caches

Mixed content is the most common surprise. It means the page is HTTPS, but one image, script, font, iframe, or stylesheet still loads over HTTP. That is fixable. It does not mean the certificate failed.

Redirect loops are the other common issue. Each layer thinks it is helping, but the browser gets passed around instead of landing on the page. Fix one layer at a time. Here is the troubleshooting pattern as a quick visual checklist.

SSL troubleshooting checklist for common WordPress HTTPS problems

🧭 Note: If checkout, forms, or login pages behave oddly after the switch, test those pages before you keep editing settings. Payment scripts, form embeds, and cached pages often expose HTTPS problems that the homepage hides.

Test SSL before you move on

Do not stop when the homepage loads. Older posts, checkout pages, admin screens, forms, and templates can use different assets.

WordPress Site Health screen used to verify HTTPS status

Use this checklist:

  • Open a private browser window and visit the site fresh.
  • Test the HTTP version and confirm it redirects to HTTPS.
  • Check both domain versions if you use www and non-www.
  • Open certificate details in the browser and confirm the domain and expiry date.
  • Run an SSL checker such as SSL Labs for certificate chain and protocol issues.
  • Scan for mixed content with browser developer tools or a mixed-content checker.
  • Log in to WordPress admin and confirm the dashboard loads normally.
WordPress dashboard loading normally after HTTPS is active
  • Test key actions such as forms, search, checkout, account pages, menus, and embedded media.
WordPress Pages list used to choose representative HTTPS test pages
  • Check SEO signals such as canonical URLs, sitemap URLs, analytics, and Search Console for existing sites.
  • Confirm renewal and set a reminder before the next renewal date.

If your host or certificate tool supports a renewal test, use it. Manual renewal works until the one week everyone forgets.

Know what SSL does not do

SSL encrypts the connection between the visitor and your site. It helps protect logins, form submissions, and checkout data while they travel across the web. That does not mean WordPress itself is secure. SSL does not scan for malware, clean hacked files, block brute-force login attempts, patch vulnerable plugins, monitor suspicious admin activity, or replace backups.

After HTTPS is working, add the WordPress security layers that protect the site itself: updates, backups, malware scanning, firewall protection, login protection, vulnerability monitoring, and activity logs. That is the next step in securing your WordPress site, because HTTPS only protects data in transit.

This is where MalCare’s firewall and malware protection fits naturally. SSL handles the encrypted connection. MalCare helps with WordPress-side threats like malware, brute-force attacks, suspicious activity, vulnerable plugins, and firewall protection. The point is not to collect security badges. The point is to avoid mistaking a clean HTTPS URL for a healthy WordPress site.

FAQs

Can I get a free SSL certificate for WordPress?

Yes. Most WordPress sites can use free SSL from the host or Let’s Encrypt. Check your hosting dashboard first because many hosts include free automatic SSL.

Can I install SSL from the WordPress dashboard?

Usually, no. The certificate is normally installed through the host, server, CDN, or domain setup. WordPress settings and plugins help after the certificate is active.

How much does a WordPress SSL certificate cost?

It can cost nothing if your host provides free SSL or you use Let’s Encrypt. Paid SSL costs vary because validation, wildcard coverage, multiple domains, managed installation, support, and warranty terms vary.

Is free SSL enough for WordPress?

Yes, for most blogs, portfolios, brochure sites, and small business sites. Choose paid SSL when you need business validation, managed support, or complex domain coverage.

Why does my WordPress site still say Not secure after SSL?

The usual causes are mixed content, cache, an expired certificate, a certificate for the wrong domain, or a CDN and server mismatch. Check the certificate first, then scan the page for HTTP assets.

Conclusion

The safest way to get SSL on WordPress is to keep the order simple: get the certificate active through the host, server, CDN, or certificate authority first. Then switch WordPress to HTTPS, add one redirect, replace old HTTP URLs, clear caches, and test the pages that matter.

Free SSL is enough for most WordPress sites, but SSL is only one part of site hardening.

Once HTTPS is working, make renewal automatic, keep WordPress security updates on a routine maintenance schedule, and add WordPress security for malware, vulnerable plugins, login attacks, backups, and monitoring. That is how you turn the browser warning off without ignoring the risks behind the site.

Category:

You may also like


How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.