How to Install SSL Certificate on WordPress Website
Installing an SSL certificate is not a difficult process. It used to be, but not anymore.
It is easy to get overwhelmed by the number of tutorials online, especially when each seems to be talking about a completely different process. Truth be told, many are outdated, and following those instructions will end up wasting a lot of your time.
Never fear. In this article, we’ll show you exactly how to add an SSL to a WordPress website. The best part is that you don’t need to know programming.
Website security is crucial but doesn’t have to be difficult. Since you’re here, you care about security. Install the best security plugin and keep your visitors protected.
1. What is SSL?
Secure Sockets Layer, more commonly called SSL, is a security protocol used by responsible website owners to encrypt all communication to and from your website. When SSL is installed on a web server, a visitor will see a reassuring lock next to your website’s URL.
The more important question is why should you encrypt all the communication to and from my website? Simply put, it is because you want to protect your visitors from having their information stolen by hackers. Information like credit card details, usernames and passwords, and personal identification information. In short, the sensitive stuff.
There are important privacy and security angles as well. We’ll get into those in more detail below.
2. How to install an SSL certificate in WordPress?
A few years ago, setting up SSL on your website was a seriously cumbersome affair. Fortunately, things have drastically changed ever since Let’s Encrypt came into existence.
Let’s Encrypt made it possible for every website to have an SSL certificate for free — no hidden costs. The best part is that most major web hosts support Let’s Encrypt SSLs. They do all the hard lifting of setting up the certificate and literally all you need to do is click a button.
Note: There are different types of certificates to choose from: a Domain certificate, or an Organizational or Extended Validation certificate. If you don’t know what they are, we have covered the different types of SSL certificates here.
We’re going to show you how to set up SSL on the 5 most popular web hosts:
Important: Before you make any changes, take a complete backup of your site. The tiniest thing can make your site inaccessible, and the idea is to make your website safer for visitors; not take it away from them entirely.
If you’re subscribed to GoDaddy’s managed hosting plans, an SSL certificate is automatically installed on your site. But if you are subscribed to other plans, you will need to purchase a certificate and install it.
Step 1: Request a certificate: After purchase, you need to request a certificate for your domain from here.
Step 2: Verify domain ownership: If you want to install a simple domain certificate, GoDaddy will send a link to your email address.
For other types of certificates, GoDaddy will verify your identity. You will need to send over documents, and members of the GoDaddy team will reach out to you for verification. More on that here.
Step 3: Download SSL certificate: Go to your GoDaddy product page and navigate to SSL Certificates > Manage and then click on Download Certificate.
Step 4: Install SSL certificate: To install the certificate you need to figure out what type of server is your site hosted on. Go to your product page and navigate to Web Hosting.
The steps to add an SSL to WordPress will differ from one server to another. Refer to this guide to identify and get the right instructions for your server.
Side note: If you want to install a third-party SSL certificate, download the certificate from whichever authority you choose, and then follow step 3, as it is.
Bluehost offers a free domain certificate to all it’s hosting providers. In most cases, it’s enabled automatically. If not, then it is simple to do so manually:
Step 1: Log into your hosting account and then go to My Sites.
Step 2: Select your domain and click on Manage Site.
Step 3: Go to Security and toggle the Free SSL Certificate on.
If you want an Organizational or Extended Validation certificate, that will set you back $49.99 a year. In that case, Bluehost’s SSL security team will help you install the certificate. We’ve got a section below to explain when you should choose what.
You may want to install a third-party certificate, and you can do so manually. Let’s walk you through the steps:
Step 1: Download the certificate from a third-party SSL authority.
Step 2: Open your hosting account, go to cPanel.
Step 3: Open SSL/TLS and click on Generate, view, upload, or delete SSL certificates.
Step 4: Under the Upload a New Certificate section, upload the certificate.
Step 5: Now, go back to the SSL/TLS page and open Manage SSL Sites.
Step 6: Click on Browse Certificate. All installed certificates appear here. Select the certificate you just installed. This will autofill the fields for the certificate.
Step 7: Scroll down to the bottom of the page and click Install Certificate. You’ll get a popup telling you that the certificate has been successfully installed.
It’ll take a few hours for the certificate to reflect on your site.
SiteGround offers free Domain certificates for all their hosting plans. To enable it you need to:
Step 1: Go to Website on your SiteGround dashboard.
Step 2: Navigate to Site Tool > Security > SSL Manager.
Step 3: Select domain and click on Select SSL.
Step 4: From the drop-down menu, select Let’s Encrypt. Click on Get.
Unfortunately, you don’t have the option to upgrade to Organizational or Extended Validation certificates but you can import them from third-party SSL authorities. We talk about wildcard certificates, and the other types too, in a section below.
You get a free SSL certificate with all Hostgator plans. But you have the option to upgrade to an Extended Validated certificate or a Wildcard or a multi-domain certificate.
Step 1: To enable the certificate, you need to go to your cPanel > SSL Certificates.
Step 2: Select the domain to want to secure.
Step 3: Select the type of certificate: Domain or Extended Validation or Wildcard or Multi-domain Certificate.
Regardless of which Cloudways’ hosting plan you are on, you will get a free SSL certificate. You have to manually enable it though.
Step 1: Log into your dashboard and go to Servers.
Step 2: Navigate to www > application > Application Management > SSL Certificates.
Step 3: Select Let’s Encrypt, then enter your email address and domain name. Click on Install Certificate.
But let’s say, you want to use a third-party certificate. Here’s a guide on how to install it.
Important: In case your website isn’t on any of the web hosts above, use the cPanel guide below to install an SSL certificate. If your web host doesn’t offer cPanel to help you manage your website, contact them for a guide on the installation process.
Below is a guide on how to add SSL to WordPress cPanel.
To add an SSL certificate via cPanel, you need to first have purchased it. Make sure that you have the certificate downloaded on your local computer before you begin the installation.
Step 1: Log into your web host account and navigate to cPanel > SSL/TLS > Generate, view, upload, or delete SSL certificates.
Step 2: On the next page, you’ll find a section called Upload a New Certificate. This is where you need to upload your new certificate.
You can upload the entire file or paste the content of the certificate.
Step 4: Now, go back to the previous page and open Manage SSL Sites. Then select Browse Certificate.
It’ll show you all the certificates installed on the server, including the one you just uploaded.
Step 5: Select the certificate you just installed. And then click on Use Certificate.
Step 6: Now, simply scroll down and click on Install Certificate.
Within a few seconds, you’ll receive a popup notification telling you that your certificate has been successfully installed.
3. Different types of SSL certificates
SSL certificates can be classified based on the number of sites and the validations they offer.
More often than not, a domain validation certificate will suffice, but it is worthwhile to be aware of all the options available, and then choose the most appropriate SSL certificate for your website.
→ Classification based on validation
We’ve established that an SSL certificate is used to validate that your site is legitimate and that you are the proper owner of the site.
There are 3 different types of validations that SSL certificates can offer, and it ties in directly to the level of verification required of you:
i. Domain Validation (DV): Here, you just need to demonstrate that you control the website. An email verification is enough.
ii. Organizational Validation (OV): To get this certificate, you need to validate that you are the owner of the website. The certificate authority will contact you via the information provided when requesting an SSL certificate.
iii. Extended Validation (EV): Issuing authorities will go to great lengths before issuing this certificate. They first ensure that the organization your website represents is legitimate. Then, they verify ownership and finally contact the business owner to confirm that an SSL certificate has been requested in their name.
→ Classification based on number of websites
i. Single: Speaks for itself; this type of certificate is used for a single domain.
ii. Wildcard: Less obviously, this certificate is used for websites with multiple sub-domains.
iii. Multidomain: Also known as Unified Certificate or Subject Alternative Name (SAN), this type of certificate is purchased for up to 100 domains. The point is to save money and time by buying multiple certificates in one go. That said, the domains have to be located on a single server.
If you have multiple websites to manage, tracking every update and renewal can be incredibly tedious, not to mention stressful. Give WPRemote a whirl, and localize all website management tasks into one convenient dashboard.
4. What type of certificate is best for your website?
Figure out which certificate you need may seem hard but trust us, it’s not as difficult as you think.
To make things easier, we’ll tell you which is best for what type of business.
- For banks, financial institutions, and large international retail or eCommerce brands, Enterprise Verification certificates are the best option. These certificates focus on visibility encouraging trust among visitors.
- For mid-size retail brands that collect personal information for marketing, Organizational Validation is the best option.
- For small businesses that only collect browsing habits and email information, Domain Verification works just fine.
While the organizational and enterprise validation requires more verification than domain, on the surface, they look the same.
Regardless of which SSL certificate you choose, website security doesn’t end there. Encryption is a good start, but it is just a start. To give your visitors the safest experience, you need a full-featured security suite.
Getting a third-party certificate
You can get a free domain validation SSL certificate independently from your web host. There are two main ways to do this.
1. Create an account on Cloudflare.
2. Then, add the website you want to install the certificate on.
3. In the next step, ensure that you select the Free plan.
4. At this point you will be asked to update your NameServers. Cloudflare will give you a set of new nameservers. You need to log into your hosting account and replace your old nameservers with the new one.
5. Switch back to your Cloudflare account, and click on Continue.
That’s it! The free SSL certificate will have been added to your website. However, it’ll take up to 24 hours for the certificate to start reflecting on your site.
> Let’s Encrypt
If you are technically-inclined, then you opt for Let’s Encrypt. To follow the guide, you will need to be comfortable with using the command line.
Note: Bear in mind that you will only get a domain validation level SSL certificate for free. In most cases, that is sufficient for your purposes.
If you do need something other than a basic SSL certificate, you can purchase one from a trusted authority. This is much like any other digital product, in that the authority will provide regular renewals and support. Here are some trusted authorities:
There are many reasons to choose a solution apart from the stock options provided by your web host. Think about it, if you want an SSL certificate that’s independent of your web host, then you should explore alternative security options too, like MalCare.
5. What to do after installing an SSL certificate?
Installing an SSL certificate is only half the work. You will need to ensure that the certificate is properly installed on all your posts and pages.
Hopefully, you heeded our advice and took the backup we suggested right at the top of this guide. Similarly, before proceeding with any of the steps in this section (or indeed in the articles we’ve linked to), please do take another backup. Yes, it is necessary pain, but wouldn’t you rather have that safety net?
Alternatively, install our plugin BlogVault. Automated backups every day, and 1-click additional ones that save only the changes from your previous backup.
> Force HTTPS on Your Entire Site
To force SSL on your entire site, you need to take the following steps:
- Change your site’s address on your WordPress dashboard.
- Insert a snippet of code on your hosting server.
There are plugins that’ll help you do both. Here’s a complete guide on how to force HTTPS on WordPress.
> Update Google Analytics, Google Search Console, & other web services
After installing an SSL certificate, your site’s URL changes to https://
Google Analytics and Search Console consider this to be a different URL. Google will not begin tracking your website unless you add the new URL into Analytics and Console.
SEO plugins like Yoast should automatically generate a new sitemap. But if they don’t then you’ll have to generate it manually.
In our HTTPS to HTTP WordPress article, we’ve covered all the gamut of web services where you need to update your website URL.
Important: SSL certificates are issued for anywhere between 12 to 36 months. When the one you have expires, you’ll need to renew it. Your web host or certificate authority may provide you options to automatically renew the certificate, but it is important to maintain its validity.
6. Why do you need to install an SSL certificate?
If you are running an eCommerce store, information security is more obvious; and often more expected. People are conducting transactions on your website, and you want to ensure that your customers have the safest experience possible. You do not want their personal information to be compromised by a hacker.
But let’s say you are not running an eCommerce site. You’re running a regular site without any transactional activities. Is there a need for SSL for this type of website?
Yes. Yes, there is.
The need for encryption in these cases and in turn SSL is more nuanced though. There are two aspects to think about here: security and the other with privacy.
Also, the best security possible should always be your rule of thumb for your website. After analyzing 1000s of websites, we know the surprising and unexpected ways that hackers gain control of your website. Sign up for MalCare, and along with security, sign up for peace of mind.
Let us cover security first.
Every time you log in to your WordPress site to post an article or review a comment, you are sending your username and password to the website. This information is passing through the internet openly, and anyone spying on the traffic can read this information. While it is not straightforward to snoop, it is extremely simple when you use public wifi, such as one in a coffee shop.
By using SSL or encrypting the data you are ensuring that your password is not compromised.
Alright, what about privacy then?
Encrypting communication to protect passwords is fairly easy to understand, especially in this day and age. Privacy is getting a lot of prominence of late and for good reason.
Whenever anyone accesses a page on your website, they are sharing an aspect of their life. If your website is about a health-related topic, this information is extremely sensitive. There are lots of similar use cases, which span different industries.
Perhaps our websites may not appear so critical and this information may seem trivial—at least on the surface. But this is certainly not the case. When viewed in isolation, information may be trivial, but combined with other tracking factors, every bit of information can be very revealing of an individual.
Hence by using SSL, you are ensuring the privacy of all the visitors to your site.
Google wants you to use SSL
On a less altruistic note, it is important to consider that Google has been actively promoting SSL for the past few years. Back in July 2018, they announced that they want to make the web a safer space for their users. With this end in mind, they made it mandatory to use an SSL certificate. Thus they show warnings to indicate when a site isn’t secured with SSL.
Google has also added SSL as a signal in its ranking algorithm. Hence an insecure site will be penalized by Google for not ranking in the search results.
Bottom line is that you need an SSL certificate. There is no good reason not to get one.
7. What next?
Congratulations on successfully installing a new SSL certificate. That said, an SSL certificate is a starting point for website security.
There are plenty of ways in which hackers can gain access to your WordPress website and end up destroying it, along with your brand reputation and other critical assets.
MalCare places a firewall between your website and the incoming traffic to prevent hackers and bots from accessing your site. It also scans and monitors your website on a daily basis.
To make sure your visitors are protected 24×7, you need a comprehensive security suite like MalCare. Talk to an expert to learn more!
1. What if your web host does not offer an SSL certificate?
If your web host does not offer an SSL certificate, you can purchase one from SSL authorities like Comodo, DigiCert, GeoTrust, GlobalSign, and RapidSSL; or get one for free from Let’s Encrypt.
You will have to manually install the certificate. Follow our guide on How To Install An SSL Certificate in WordPress.
2. How to install SSL without cPanel?
You can install an SSL certificate without cPanel access by using your web host’s in-house control panel. Not all web hosts offer cPanel to help customers manage their sites. Instead, they use their own custom hosting dashboard. You can use that to install your SSL certificate.
3. SSL not appearing on the login and admin pages
If your SSL does not appear on your login and admin pages, you will need to enforce it. Here’s a guide that’ll help you do just that – How to Force Redirect HTTP to HTTPS in WordPress
4. How to handle SSL when changing web host?
When you change your web host, you will have to migrate your SSL certificate too. If you were using your original web host’s free SSL certificate, it will be removed during migration to the new one. Ideally, the new web host will install their own free SSL certificate.
However, if you’ve got a paid SSL certificate, the same certificate can be configured on the new host’s servers, the same way you would install a third-party certificate.
Your new web host is a good place to get help since they will be invested in a smooth transition to their services.
5. How to remove the mixed content warning?
6. How to install SSL certificate on WordPress?
To install an SSL certificate on WordPress, you need to take the steps we have listed here. The steps are fairly easy to follow. But if you are having trouble installing the certificate, you can ask your hosting provider for help.
7. How to install SSL certificate in a WordPress GoDaddy site?
To install an SSL certificate on your WordPress GoDaddy site, you need to follow these guidelines. Don’t worry, if you need any assistance, ask a GoDaddy tech support team to help you out.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.