How To Install An SSL Certificate On Your WordPress Website

Before going through the process of installing an SSL certificate on a WordPress site it is important to consider why the change is being made.

People generally add an SSL certificate to their site because it creates a much more secure platform for the data traveling between two different parties (that would be Web server and browser).

Sites requiring credit card information or any other type of sensitive and personal information should be secured with the SSL encryption.

The Internet can be a very unsafe place for website owners and if they are experiencing security-related issues, the users of the site are almost always put at a higher risk of fraudulent activity.

In most cases, SSL is not even an option these days. Not only do search engines like Google rate pages lower when they are not secured, but most services which deal in commerce are required to pass very strict PCI-DSS testing which require sites to be completely secure.

Shared SSL Using a Plugin

Using a shared solution for SSL certificate installation can be a good option for those managing smaller sites.

The costs of using a shared solution for your SSL needs tends to be low and almost the whole set-up process is handled by plugins and other built-in tools making this option extremely popular.

We will cover this process in detail before outlining the basic steps required for installing a private certificate.

What You’ll Need

To get started, create either a premium or free Cloudflare account (either one works fine). Once the Cloudflare account is created and you are logged in, there is an option to “add a website”.

To add a website the URL can simply be pasted into the dialog box that comes up.

The Cloudflare service will advise you to change your nameservers and when you agree, steps are clearly described to accomplish this.

Changing your nameservers puts your website’s DNS through Cloudflare and sends all requests over secure CloudFlare networks. Once the confirmation email is sent, you will know that all traffic is going through Cloudflare’s secure servers.

Once the Cloudflare step is finished, it is time to visit the admin page of the WordPress site where access to the plugins and other site settings can be found.

From the plugins menu, search for and install the Cloudflare plugin. Once installed, the plugin needs to be activated as is the case with almost all WordPress plugins.

Once active, the plugin will ask for the same email that you used for your Cloudflare account and when you enter it, you will be given a choice to add an API. Choosing this takes you to Cloudflare’s site where you will need to add the API reference in the field provided. Once that is completed, all changes should be saved.

The next step is to install a plugin called “Really Simple SSL”. It should not be activated until later, however. Once the plugin is installed, you will need to go back to Cloudflare where you will create a new page rule.

After selecting the site that you registered with Cloudflare, there is an option called “Page Rules” that needs to be selected. In Page Rules you will need to enter the new rule, http://** (“” must be replaced with the name of the site you are working with). The settings for the new page rule should be set to “Always Use HTTPS” and then the rule should be saved as a draft.

Now it is time to go back to WordPress to activate the Really Simple SSL plugin. Once that is activated, you have to open the settings menu for the Cloudflare plugin again to turn on the “Automatic HTTPS Rewrites”.

Finally, you will need to go back to the CloudFlare site where you saved your page rule as a draft. The draft now needs to be deployed to finalise the process. Completing this step means that your SSL certificate installationhas been completed.

Immediately following this procedure, the site may experience a short period of down time. It takes a bit of time for the Cloudflare service to rewrite and re-sign all of the web pages, but once the site comes back up, all you will need to do to see the changes is to sign out and log back in via the new HTTPS address.

Before logging back in it is also advisable to clear all browser cookies associated with the site, as well as the browser cache as this is where a lot of stored information can be found that may cause issues with getting the desired page to load.

Independent Certificate Installation

There are some benefits to using a private SSL certificate for your site. The biggest difference between them is that when you go with the private option, the certificate is signed only to your domain name. Nobody else uses it, and as a result, it is much easier for browsers to validate.

The types of websites that would want to use a private SSL are those who both do not mind the extra cost of purchasing a dedicated certificate and need the control and versatility that the private option brings.

Online banks, online casinos, shopping websites like Amazon and EBay, large corporate websites such as Home Depot and Sears, would all opt for the private option.

Small businesses, blogs, forums, and sites requiring less personal information from visitors can choose the shared version but to get relentless performance the third-party SSL would be the best choice.

The process of setting up and deploying a private SSL certificate on a site is not complicated but the rules differ from host to host for configuration. Some hosts make it easier for you to go through the process, and even help by setting the private SSL certificate up for you, while others leave the heavy lifting to you.

The process of setting up a private SSL is as follows: You must create a CSR first, generate a private security key, then you have to purchase an SSL from a trusted source like, install the certificate onto the desired server, and then redirect all of the existing URLs from HTTP to HTTPS using your website’s .htaccess file. You should also go to the WordPress General Setting page and change the website URL from HTTP to HTTPS.

After successful migration to HTTPS the only step needed to be taken is to check the SSL certificate for any errors.

SSL checker from Symantec or SSL Labs can work the best for this inspection.

You should also check your website for mixed content warning on Why No Padlock where you will get brief idea if something is going wrong with secure padlock.

To ensure that your website has no mixed content you can use Better Search Replace to search for http:// references and replace them with https://.

You can also use a text editor such as Sublime Text to search and replace http:// instances for https:// within your websites theme. You’ll need to do this locally and upload your changes via FTP. This alongside the database search and replace should ensure that your website is fully moved over to https and therefore get the full green padlock every time.

Exclusive 7 Day Course

Defend your site from hackers, improve your website speed, get free uptime monitoring and learn tactics used by WordPress experts

Many thanks for subscribing.

Something's not right.

About Steven Watts

Steven WattsSteven is the founder of Newt Labs. He's a WordPress specialist with an interest in building the most effective websites possible. Since 2010, he's been helping businesses with their online goals.

Exclusive 7 Day Course

Defend your site from hackers, improve your website speed, get free uptime monitoring and learn tactics used by WordPress experts

Many thanks for subscribing.

Something's not right.