18.08.2025

WordPress HTTPS Setup Guide

In 2025, HTTPS has become the standard for websites. According to W3Techs, 95.8% of top-1000 sites use HTTPS by default, highlighting its importance for security, SEO, and user trust. Without HTTPS, your site risks losing visitors, dropping search rankings, and becoming vulnerable to attacks.

Why is HTTPS Important?

Reason | Description
Security | HTTPS encrypts data between the server and user, protecting against man-in-the-middle (MITM) attacks. This is especially critical for sites handling personal data, such as WooCommerce stores.
SEO | Google has used HTTPS as a ranking factor since 2014, and its impact continues to grow. HTTPS sites gain an advantage in search results.
Trust | The padlock icon in browsers boosts user trust. A GlobalSign study showed that 84% of users abandon purchases on non-HTTPS sites, and having a certificate can significantly increase conversions.

This guide will help you set up HTTPS on your WordPress site step by step, avoid common pitfalls, and optimize performance as described in our Performance Optimization Guide.

Types of SSL/TLS Certificates

SSL/TLS certificates vary by validation level and coverage. Your choice depends on site type and budget.

By Validation Level

Type | Description | Use Case
DV (Domain Validation) | Validates domain ownership only. Issued quickly; ideal for most sites. | Blogs, personal sites, small projects.
OV (Organization Validation) | Verifies organizational details. Boosts trust. | Business sites, e-commerce stores.
EV (Extended Validation) | Requires rigorous company checks; displays company name in the browser bar. | Banks, large e-commerce platforms.

By Coverage

Type | Description | Use Case
Single Domain | Covers one domain (e.g., www.example.com). | Single-domain sites.
Wildcard | Covers a domain and all subdomains (*.example.com). | Sites with multiple subdomains.
Multi-Domain (SAN) | Secures multiple domains under one certificate. | Companies with several sites.

Where to Get Certificates?

Source | Description | Examples
Free | Let’s Encrypt provides free DV certificates with auto-renewal. Cloudflare offers free certificates, including wildcards. | Let’s Encrypt, Cloudflare.
Paid | Offer warranties and support. Ideal for OV/EV certificates. | Sectigo, DigiCert, GeoTrust.

Recommendation: For most WordPress sites, a free Let’s Encrypt certificate integrated via your hosting panel suffices.

Preparing for HTTPS Migration

Ensure your site is ready to avoid errors:

  1. Backup: Create full site/database backups using UpdraftPlus (see our critical plugins guide).
  2. Compatibility Check:
    • Confirm hosting supports SNI (Server Name Indication) for shared plans.
    • Verify TLS 1.2/1.3 support. Legacy versions (SSLv3, TLS 1.0/1.1) are vulnerable.
  3. Tools:
    • Really Simple SSL: Simplifies HTTPS migration, auto-configures redirects, fixes mixed content.
    • Better Search Replace: Updates URLs in the database.
    • Access to hosting panel (cPanel/Plesk) or Cloudflare.

Certificate Installation Scenarios

Via Hosting Panel (cPanel/Plesk)

  1. Log into your hosting control panel.
  2. Navigate to SSL/TLS.
  3. Select Let’s Encrypt (if available) or upload a purchased certificate.
  4. Install the certificate for your domain.
  5. Enable HTTPS in domain settings.

Note: Hosts like SiteGround offer one-click Let’s Encrypt setup.

Via Cloudflare

  1. Sign up for Cloudflare and add your site.
  2. Under SSL/TLS → Overview, select Full (Strict) mode.
  3. Cloudflare auto-issues a free wildcard certificate.
  4. Ensure DNS records are correct.

Manual Installation

  1. Obtain certificate files (.crt, .key, CA-bundle) from your CA.
  2. Upload files via FTP (e.g., FileZilla).
  3. Configure the web server (Apache):
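    <VirtualHost *:443>
        ServerName example.com
        # Enable TLS for this virtual host
        SSLEngine on
        # Server certificate and its private key
        SSLCertificateFile /path/to/certificate.crt
        SSLCertificateKeyFile /path/to/private.key
        # Intermediate CA chain; obsolete since Apache 2.4.8, where the chain can be appended to SSLCertificateFile instead
        SSLCertificateChainFile /path/to/ca-bundle.crt
    </VirtualHost>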
  4. Restart the server.

Recommendation: Use hosting panels/Cloudflare for simplicity; reserve manual setup for edge cases.

WordPress HTTPS Configuration

After installing the certificate:

  1. Update Base URLs:
    • Go to Settings → General.
    • Replace http:// with https:// in "WordPress Address (URL)" and "Site Address (URL)".
  2. Really Simple SSL Plugin:
    • Install/activate v9.4.2 (as of July 2025).
    • The plugin auto-configures redirects and fixes mixed content.
  3. Update Internal Links:
    • Install Better Search Replace v1.4.10 (as of April 2025).
    • Search/replace http://yoursite.com → https://yoursite.com in the database.
    • Important: Exclude external links/media lacking HTTPS.
  4. Update .htaccess:
    Add this code for forced redirects:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Fixing Mixed Content

Mixed content occurs when HTTPS pages load HTTP resources (images, scripts). Browsers block or mark these as insecure.

How to Find?

  1. Open the site in a browser.
  2. Press F12 → Console tab.
  3. Look for errors like:
    Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure resource 'http://example.com/image.jpg'.
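
The console check above can also be run over saved page HTML. The following is an added example, not part of the original guide: it lists http:// subresources on an HTTPS page and separates active content (scripts, stylesheets, iframes) from passive content (images, media). The names `MixedContentFinder` and `find_mixed_content` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content: browsers block insecure loads of these outright.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
# Passive content: shown with a warning or auto-upgraded to HTTPS.
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data", "poster")

class MixedContentFinder(HTMLParser):
    """Collect http:// subresources referenced by an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return  # <a href> is navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are checked; rel=canonical is not loaded
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) URLs first.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                severity = "active" if tag in ACTIVE else "passive"
                self.findings.append((severity, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE = """<head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script></head>
<body><a href="http://example.org/">external link</a>
<img src="http://example.com/image.jpg">
<img src="/wp-content/uploads/logo.png"></body>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://example.com/", SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```

Active findings are the ones to fix first, since a blocked stylesheet or script breaks the page rather than just triggering a warning.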

How to Fix?

Advanced Security Settings

Optimize security and performance:

  1. HTTP Strict Transport Security (HSTS):
    • Force browsers to use HTTPS only. Add to .htaccess:
      Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    • Warning: Enable HSTS only after full HTTPS verification.
  2. Cipher Suites Configuration:
    • Disable legacy protocols (SSLv3, TLS 1.0/1.1). For Apache:
      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  3. OCSP Stapling:
    • Speeds up certificate revocation checks. For Apache:
      SSLUseStapling on
      SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
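
Before relying on the HSTS header from step 1, the value the server actually sends can be checked. The following is an added example, not part of the original guide: it parses a Strict-Transport-Security value following the RFC 6797 rules and flags the cases where browsers ignore it or where the `preload` directive is set without its prerequisites. The function names are hypothetical, and the preload prerequisites (one-year max-age plus includeSubDomains) are taken as the submission requirements of the browser preload list.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the max-age used in the header above


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive and must not repeat (RFC 6797).
    Returns None when the header is malformed and would be ignored.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive invalidates the header
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return directives


def audit_hsts(scheme, value):
    """Return a list of problems for an HSTS header received over `scheme`."""
    if scheme != "https":
        return ["sent over HTTP: browsers ignore HSTS on insecure responses"]
    directives = parse_hsts(value)
    if directives is None:
        return ["malformed header: browsers will ignore it"]
    problems = []
    age = int(directives["max-age"])
    if age == 0:
        problems.append("max-age=0 removes the HSTS entry")
    if "preload" in directives:
        if age < PRELOAD_MIN_AGE:
            problems.append("preload needs max-age >= 31536000")
        if "includesubdomains" not in directives:
            problems.append("preload needs includeSubDomains")
    return problems


if __name__ == "__main__":
    # Header value exactly as given in this guide.
    print(audit_hsts("https", "max-age=31536000; includeSubDomains; preload"))
```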

CDN and Cloudflare Integration

Cloudflare enhances HTTPS security/performance:

  1. Under SSL/TLS → Overview, select Full (Strict).
  2. Set up Origin Certificates for Cloudflare-server encryption.
  3. Update CDN URLs from http:// to https://.

Testing and Validation

Post-setup checks:

  1. SSL Check:
  2. Redirect Check:
  3. Search Engines:
    • Resubmit sitemap.xml in Google Search Console.
    • Ensure canonical URLs use HTTPS.

Common Errors & Solutions

Error | Cause | Solution
ERR_SSL_PROTOCOL_ERROR | Incorrect TLS version/certificate issues. | Verify server config; upgrade to TLS 1.2/1.3.
"Not Secure" in Browser | Mixed content/expired certificate. | Fix mixed content; renew certificate.
Infinite Redirects | Conflicting .htaccess/plugin settings. | Audit redirect rules; disable duplicates.
Speed Loss | HTTPS overhead. | Enable HTTP/2 and Brotli (see performance guide).

Additional Optimizations

Conclusion & Next Steps

HTTPS is mandatory for WordPress sites in 2025. It ensures security, boosts SEO, and builds trust. Follow this guide to deploy HTTPS, avoid errors, and optimize performance.

Post-Setup Checklist:

  1. Test certificates via SSL Labs (A+ rating).
  2. Confirm HTTP→HTTPS 301 redirects.
  3. Update sitemap.xml in Google Search Console.
  4. Eliminate mixed content.
  5. Configure HSTS and HTTP/2.
  6. Monitor certificate expiry with UptimeRobot.

Case Study: After switching to HTTPS, a WooCommerce store increased organic traffic by 18% via improved SEO/user trust (Google Analytics data).

For further optimization: