How to get an SSL certificate for WordPress


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Most web hosts will provide WordPress sites with free SSL certificates, however, there are still those that don’t. In those cases, what do you do? 

Alternatively, you’ve recently learned that there are levels of SSL certificates, and perhaps your business needs to convey to customers that it is ultra secure about handling communication. Since your web host probably issued a garden-variety SSL certificate, you need to look at getting one directly from a certificate authority. 

Regardless of what kind of WordPress site you have, an SSL certificate is essential. 

TL;DR: Get an SSL certificate for WordPerss from a trusted certificate authority (CA). Install it on the web host that hosts your WordPress site to secure all the data exchanged between your site and its users. But to strengthen your site’s security, use MalCare for its robust firewall and malware defenses.

Why get an SSL certificate for WordPress

Getting an SSL certificate is like putting a strong lock on the front door of your website. It’s super important because it helps protect the information that flows between your website and your visitors. Without it, it’s like sending postcards instead of sealed envelopes—anyone could read what’s inside!

Plus, search engines like Google prefer websites with SSL certificates. They actively reduce the rankings of sites without SSL certificates, so getting this extra bit of security can lead to a big boost in your search appearances. This also means more people are likely to find and trust your site. So, getting an SSL certificate isn’t just about safety, it’s also about making your website more trustworthy and visible on the internet. It’s like giving your website a super suit!

Generally, your web host will provide your site with an SSL certificate. But in case it doesn’t, or in case you wish to obtain a different type of certificate from another vendor, then this article is for you.

How to get an SSL certificate for WordPress

Getting an SSL certificate for your WordPress website involves multiple steps. For your ease, we have streamlined the process making it easier for you to quickly get and set up an SSL certificate on your website.

  • Step 1: Check if your web host provides an SSL certificate
  • Step 2: If it doesn’t, get the correct website information
  • Step 3: Choose your required SSL certificate
  • Step 4: Select a Certificate Authority (CA)
  • Step 5: Process the Certificate Signing Request (CSR)
  • Step 6: Install your SSL certificate

Step 1: Check if your web host provides an SSL certificate

Most web hosting providers bundle SSL certificates with their hosting plans. But if you are unsure whether your web host has added a certificate for your WordPress site, it would be good to check for it before proceeding.

If your web host uses cPanel for site administration, you can find certificate details by navigating to Security and clicking on SSL/TLS Status.

cPanel Security SSL/TLS Status

All installed SSL certificates and their details will be shown here.

cPanel SSL/TLS Status

In case your web host uses a proprietary dashboard for site administration, you should consult their documentation or your hosting plan details to know if you already have an SSL certificate.

Step 2: Get the correct website information

Since SSL certificates are individually issued for websites, information such as your site’s IP address and proof that you do own the website are critically important. Hence, providing correct information about your site is essential to obtain the certificate.

Identify your site’s IP address

Your site’s IP address is usually displayed on your web host’s site administration page. For example, if your web host uses cPanel, you can find it on the General Information section upon logging in.

cPanel IP Address Information

In case your web host does not use cPanel, you should still find it upon logging in to your hosting account. For example, Cloudways shows the site IP address in the Application Credentials section on the Access Details page.

Cloudways IP Address

Another way to identify your WordPress site’s IP address is by simply going to and clicking on DNS Lookup. This can come in handy if you are unable to access your web host’s dashboard.

Enter the complete URL of your site in the text box, including the https:// tag at the beginning, and click on Lookup to obtain your site’s IP address.

Provide proof of your site ownership

To prove that it is you who owns the site for which you are trying to obtain an SSL certificate, you should provide the WHOIS record of your site to the CA. WHOIS is a public database maintained by the ICANN that contains all the information collected when someone registers a website domain name.

To do so, go to, click on Whois at the top, and enter your site’s name in the text box, without the https:// tag.

Click on Search and use the Raw Data section of the results to provide proof of your site ownership.

Raw Whois Data Manually Redacted

Some web hosts allow you to keep your personal data private, to ensure your privacy. This results in the WHOIS record of your site showing a ‘Redacted for Privacy’ message in place of personally identifiable information, as shown below.

Raw Whois Data Redacted for Privacy

In such cases, you will need to check with your preferred CA about any other documentation that they would accept to show ownership of your site.

If you are requesting an SSL certificate for a business website, you might need to provide some government registration information for your business as well.

Step 3: Choose your required SSL certificate

Figuring out which certificate you need may seem hard but trust us, it’s not as difficult as you think. 

To make things easier, we will break down the different types of certificates and their use cases in the following sections.

SSL certificates can be classified based on the number of sites and the validations they offer. 

More often than not, a domain validation certificate will suffice, but it is worthwhile to be aware of all the options available, and then choose the most appropriate SSL certificate for your website.

Classification based on validation

We’ve established that an SSL certificate is used to validate that your site is legitimate and that you are the proper owner of the site.

There are 3 different types of validations that SSL certificates can offer, and they tie in directly to the level of verification required of you:

i. Domain Validation (DV): Here, you just need to demonstrate that you control the website. An email verification is enough.

ii. Organizational Validation (OV): To get this certificate, you need to validate that you are the owner of the website. The certificate authority will contact you via the information provided when requesting an SSL certificate.

iii. Extended Validation (EV): Issuing authorities will go to great lengths before issuing this certificate. They first ensure that the organization your website represents is legitimate. Then, they verify ownership and finally contact the business owner to confirm that an SSL certificate has been requested in their name.

Classification based on the number of websites

i. Single: Speaks for itself; this type of certificate is used for a single domain. 

ii. Wildcard: Less obviously, this certificate is used for websites with multiple sub-domains. 

iii. Multidomain: Also known as Unified Certificate or Subject Alternative Name (SAN), this type of certificate is purchased for up to 100 domains. The point is to save money and time by buying multiple certificates in one go. That said, the domains have to be located on a single server. 

What type of SSL certificate is best for your site

For banks, financial institutions, and large international retail or e-commerce brands, Extended Verification certificates are the best option. These certificates focus on visibly encouraging trust among visitors.

For mid-size retail brands that collect personal information for marketing, Organizational Validation is the best option.

For small businesses that only collect browsing habits and email information, Domain Verification works just fine.

While the organizational and extended validation requires more verification than domain, on the surface, they look the same.

Regardless of which SSL certificate you choose, website security doesn’t end there. Encryption is a good start, but it is just a start. To give your visitors the safest experience, you need a full-featured WordPress security suite, like MalCare. 

Step 4: Select a Certificate Authority (CA)

SSL certificates are provided by Certificate Authorities (CAs). There are a multitude of CAs to choose from. Hence, your choice of a CA should be based on its reputation, your specific SSL requirements, your budget, and your business objectives.

If you are a small site owner, getting a free SSL certificate from Let’s Encrypt should suffice. However, if you are a business site owner who wants to utilize the additional features that paid SSL certificates provide, you can select one of the most widely used CAs like:

  • Comodo
  • DigiCert
  • GeoTrust
  • Symantec
  • GoDaddy
  • GlobalSign

These CAs provide paid plans that include an SSL certificate as well as additional features like priority support, certificate warranties, etc.

Step 5: Process the Certificate Signing Request (CSR)

Now that you have selected your CA, you will have to raise a CSR so that the CA can issue a certificate for your site. This can be done on your web host and its procedure varies from host to host. We recommend that you follow the steps mentioned in your web host’s knowledge base to do so.

cPanel Certificate Signing Request (CSR)

Once you have obtained the CSR file, you must submit it to your selected CA. The CA will then validate it before issuing the certificate. The time required for validation varies based on the CA you chose, the certificate type you want, and the plan you have availed. Validation for a paid certificate might be quicker than for a free certificate, which can be provided as an additional feature in paid plans.

Step 6: Install your SSL certificate

The CA will generate a certificate once the validation process is complete. It will be sent to you either via email or you will have to download it by logging into your account on the CA website. Again, this process varies from CA to CA. Once you have the certificate with you, all that remains to be done is to install the SSL certificate.

How to test and maintain your SSL certificate

Congratulations on installing an SSL certificate for your WordPress site! You have successfully taken the first step to making your site secure and trustworthy.

However, the process isn’t over yet!

You need to test your website to see if the SSL certificate has been properly installed and is functioning across the site.

  • Check your website URL on the Qualys SSL Labs site for your SSL certificate’s rating. Ideally, it should rank as A or A+ and use the RSA 2048-bit encryption method.
Qualys SSL checker tool
  • Check your website URL on the IONOS SSL Checker site to ensure a proper SSL configuration.
  • Check WhyNoPadlock? to see if installing the SSL certificate has led to any mixed content errors.
WhyNoPadlock? results screen
  • Visit each page on your site and try out every widget and form meticulously to ensure they are all served over secure HTTPS and functioning properly.
  • Finally, keep track of your SSL certificate’s expiration date. With Google moving towards 90-day certificates, certificates will expire sooner, leading to issues like your site showing up as not secure or having mixed content. Renew expiring certificates at the earliest and install them on your site.

An SSL certificate is not enough

Although an SSL certificate goes a long way in protecting the communications going to and from your WordPress website, it is only the first step toward securing your site. There are more ways in which you can strengthen your site’s defenses, like:

  • Install a security plugin like MalCare, that comes with a built-in firewall, malware scanning and removal features, bot protection, etc. All these features come together to protect your site against any malicious attacks.
  • Use strong login security, like complex passwords, two-factor authentication, etc. This helps keep unauthorized users away from your site.
  • Regularly update WordPress core, plugins, and themes to ensure that vulnerabilities are addressed and fixed at the earliest.
  • Monitor your site for suspicious activity to keep a check on possible hackers and any file change actions. MalCare’s activity and firewall logs can be very helpful in this regard.
  • Regularly backup your site using a plugin like BlogVault that provides easy and quick backups as well as restores. This acts like a safety net in case something happens to your site, either through attacks or problematic plugins/themes.

Final thoughts

Setting up your WordPress website with an SSL certificate has become essential today, as it not only improves your site’s security and trustworthiness but also aids in its search rankings. And getting a properly curated SSL certificate is the first step towards achieving that.

While an SSL certificate can form a protective layer around the information traveling to and from your website, it cannot secure the website in itself. Hence, securing your site from attacks must be your next step. For this, we recommend installing MalCare as it boasts a robust firewall, strong malware identification and removal capabilities, as well as hardened bot protection. Together with a properly configured SSL certificate, MalCare can form the security regimen your site needs.


How much does an SSL certificate cost for WordPress?

SSL certificate prices range from $70/year to $1700/year. Higher-priced SSL certificates could carry additional features like the ability to use the same certificate over unlimited sub-domains, the option to display the company name on the browser address bar, and much more. However, if you do not wish to go the paid route, you will also find free SSL certificates issued by trusted CAs like Let’s Encrypt, SSL For Free, etc.

Is SSL free on WordPress? provides free SSL certification from Let’s Encrypt to all websites. It also provides the 301 redirect for delivering all HTTP requests over HTTPS as well as the ability to install your own SSL certificate. However, for sites, users will have to choose a web host that bundles SSL certificates with their hosting plans.

Does my web hosting provider offer SSL certificates?

Most web hosting providers offer SSL certificates bundled with their hosting plans. These plans may also contain additional features that you may or may not require depending on your business requirements. This is why it is essential to properly check and decide on a hosting plan before buying one. Ensure that your host provides good technical support along with an SSL certificate. If your host does not provide these features, you might want to consider switching to another host that offers them.



You may also like

Website logs
What are the Different Types of Website Logs?

Imagine driving a car without knowing your speed, engine temperature, or fuel levels. Sounds terrifying, right? Well, managing a website without understanding website logs is a bit like that. You…

What is Cross-Site Scripting (XSS) and How to Prevent It?

Websites can sometimes act strangely, showing unexpected pop-ups or exposing personal information. This isn’t just a glitch—it’s often due to a sneaky trick called Cross-Site Scripting (XSS). You might be…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.