Set Up SSL Certificates

Fix “Not Secure” browser warnings and ensure every page loads over HTTPS.

What this covers: Fixing “Not Secure” browser warnings and ensuring every page loads over HTTPS, including quick diagnosis and enabling SSL (if somehow missing).

Who it’s for: WordPress site owners and administrators who need to secure their site against common threats.

Key outcome: All pages load over HTTPS with no mixed content warnings in the browser console, and HTTP requests 301 redirect to HTTPS (not 302) across all URLs, including www/non-www variants.

Time to read: 5 minutes

Part of: Security + Infrastructure series

In 2026, every reputable host includes SSL automatically. If you’re seeing “Not Secure” warnings, the issue is almost always mixed content—not a missing certificate.

Quick Diagnosis

Visit your site and look at the address bar:

  • Padlock + HTTPS: You have SSL. Skip to “Fix Mixed Content” if you see warnings.
  • “Not Secure” + HTTP: Check your hosting dashboard—SSL is probably available but not enabled.
  • Broken padlock or exclamation mark: You have SSL but mixed content. See below.

Enable SSL (If Somehow Missing)

This is rare in 2026, but if your host shows SSL isn’t enabled:

Managed WordPress hosts:

  • WP Engine – Auto-enabled on all sites
  • Kinsta – MyKinsta → Sites → Tools → Enable HTTPS
  • SiteGround – Site Tools → Security → SSL Manager
  • Bluehost – My Sites → Security → SSL

If your host doesn’t offer free SSL: Switch hosts. This is table stakes in 2026.

WordPress: Force HTTPS

After confirming SSL is active, make WordPress use it:

  1. Go to Settings → General
  2. Change both URLs to https://:
    • WordPress Address (URL): https://yoursite.com
    • Site Address (URL): https://yoursite.com
  3. Save

Or use Really Simple SSL – it handles redirects and URL updates automatically.

Fix Mixed Content Warnings

This is the actual common problem. You have SSL, but some resources load over HTTP, breaking the padlock.

Find the culprits:

  1. Open your site in Chrome
  2. Press F12 → Console tab
  3. Look for “Mixed Content” errors
  4. They show exactly which URLs are loading over HTTP

Common causes:

  • Old images: Uploaded before SSL, still reference http://
  • Theme/plugin hardcoded URLs: Bad code with http:// baked in
  • External scripts: Google Fonts, CDNs, embeds using http://
  • iframes: Embedded content from sites without SSL

Fix with search-replace:

  1. Install Better Search Replace
  2. Search: http://yoursite.com
  3. Replace: https://yoursite.com
  4. Run on all tables

For external resources: Update to https:// in theme files or plugin settings. Most major services (Google Fonts, jQuery CDN, etc.) support HTTPS.

See our Fix Mixed Content Warnings Guide for edge cases.

Common SSL Errors and What Causes Them

When SSL breaks, the browser error message tells you exactly what went wrong—if you know how to read it.

ERR_CERT_DATE_INVALID: Your certificate expired. Let’s Encrypt certs last 90 days and should auto-renew. If renewal failed, check that your server’s cron job or certbot timer is running. Hosting dashboards usually show the expiry date.

ERR_CERT_COMMON_NAME_INVALID: The certificate was issued for a different domain. Common when you add a subdomain (like app.yoursite.com) but your cert only covers yoursite.com and www.yoursite.com. Get a wildcard certificate or add the subdomain to your cert.

ERR_SSL_PROTOCOL_ERROR: Usually a server misconfiguration—TLS 1.0/1.1 is disabled (correctly) but your server is not offering TLS 1.2+. Check your hosting provider’s SSL/TLS settings.

Redirect loops (ERR_TOO_MANY_REDIRECTS): Happens when both your host and a plugin (like Really Simple SSL) try to force HTTPS, or when Cloudflare’s SSL mode is set to “Flexible” instead of “Full (Strict).” Disable one redirect layer or fix the Cloudflare setting.

Risk warning: Do not ignore mixed content on pages that handle payments, logins, or personal data. Active mixed content (scripts loading over HTTP) can be intercepted and modified in transit—an attacker could replace your checkout script. Passive mixed content (images) is lower risk but still erodes user trust and affects SEO.
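To triage a page's markup by the active/passive split described above, the following added example (not part of the original guide) scans HTML for subresources requested over http:// and lists active ones first. The sample page and the .example hostnames are constructed; yoursite.com is the guide's own placeholder.

```python
from html.parser import HTMLParser

# Tags whose content runs in or frames the page (active) vs. display-only (passive).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects (risk, tag, url) for subresources requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheets are fetched and applied; rel=canonical is not.
            rels = a.get("rel", "").lower().split()
            risk, url = ("active" if "stylesheet" in rels else None), a.get("href", "")
        elif tag in ACTIVE:
            risk, url = "active", a.get(ACTIVE[tag], "")
        elif tag in PASSIVE:
            risk, url = "passive", a.get(PASSIVE[tag], "")
        else:
            return  # <a href="http://..."> is navigation, not a subresource
        if risk and url.strip().lower().startswith("http://"):
            self.findings.append((risk, tag, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    # Stable sort: active findings first, document order preserved within each group.
    return sorted(finder.findings, key=lambda f: f[0] != "active")


# Constructed sample page as served from an HTTPS site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://yoursite.com/">
<link rel="stylesheet" href="http://fonts.example/css?family=Demo">
<script src="https://yoursite.com/wp-includes/js/app.js"></script>
</head><body><a href="http://old.example/post">old link</a>
<img src="http://yoursite.com/wp-content/uploads/2019/photo.jpg">
<script src="http://cdn.example/checkout.js"></script>
<iframe src="//embed.example/video"></iframe>
</body></html>"""
```

The canonical link, the plain anchor and the protocol-relative iframe are correctly left out: none of them causes an HTTP subresource fetch on an HTTPS page.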

Cloudflare (Optional But Recommended)

Cloudflare’s free tier adds SSL plus CDN, DDoS protection, and performance. Worth setting up even if your host provides SSL:

  1. Add your domain to Cloudflare
  2. Update nameservers at your registrar
  3. Set SSL mode to “Full (Strict)”
  4. Enable “Always Use HTTPS”

Verify Everything Works

The SSL Verification Checklist

  • Browser shows clean padlock (no warnings)
  • http:// redirects to https://
  • No mixed content errors in console
  • www and non-www both redirect to HTTPS

SSL Certificate Questions Answered

Is a free SSL certificate as secure as a paid one?

Yes. Free certificates from Let’s Encrypt use the same TLS encryption as paid certificates. Paid certificates add organization validation (showing your company name in the certificate) and warranty coverage, but the encryption strength is identical.

How do I know if my SSL certificate is working?

Look for the padlock icon in the browser address bar and confirm your URL starts with https://. Run your site through SSL Labs (ssllabs.com/ssltest) for a detailed grade. An A or A+ rating means your SSL is properly configured.

What happens when an SSL certificate expires?

Browsers display a full-page security warning that blocks visitors from accessing your site. Most visitors will leave immediately. Let’s Encrypt certificates expire every 90 days but auto-renew. Set calendar reminders 2 weeks before expiry as a backup.

Do I need SSL if I don’t collect payments?

Yes. Google uses HTTPS as a ranking signal, and Chrome marks all HTTP sites as “Not Secure.” Even a simple blog needs SSL. Every major browser now warns users about non-HTTPS sites, which destroys trust and increases bounce rates.

✓ Your SSL/TLS Configuration Is Secure and Complete

  • All pages load over HTTPS with no mixed content warnings in the browser console
  • HTTP requests 301 redirect to HTTPS (not 302) across all URLs including www/non-www variants
  • SSL certificate covers all subdomains in use and has at least 30 days before expiration
  • TLS 1.2 or higher is enforced — TLS 1.0 and 1.1 are disabled on the server
  • HSTS header is present to prevent protocol downgrade attacks

Test it: Run your domain through SSL Labs (ssllabs.com/ssltest) and confirm you receive an A grade or higher with no certificate chain errors.
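The redirect and HSTS items in the checklist above can also be checked by script. This added example (not from the original guide) follows a redirect chain by hand and reports any hop that is not a 301 to https://, a chain that never settles, and a missing HSTS header; the function names and the sample chains are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def fetch_chain(url, max_hops=5):
    """Follow redirects by hand; return [(url, status, headers)] for each hop."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
            parts.netloc, timeout=10)
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        chain.append((url, resp.status, headers))
        if resp.status not in REDIRECTS or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return chain


def audit_chain(chain):
    """Return a list of checklist failures for one redirect chain (empty = pass)."""
    problems = []
    last_url, last_status, last_headers = chain[-1]
    for url, status, headers in chain[:-1]:
        if url.startswith("http://"):
            if status != 301:
                problems.append(f"{url}: HTTP redirect is {status}, expected 301")
            if not headers.get("location", "").startswith("https://"):
                problems.append(f"{url}: redirect target is not https://")
    if last_status in REDIRECTS:
        problems.append(f"{last_url}: still redirecting after {len(chain)} hops (loop?)")
    elif not last_url.startswith("https://"):
        problems.append(f"{last_url}: final page served over HTTP")
    elif "strict-transport-security" not in last_headers:
        problems.append(f"{last_url}: no HSTS header")
    return problems


# Constructed chains (not captured from a real site).
GOOD = [("http://www.yoursite.com/", 301, {"location": "https://yoursite.com/"}),
        ("https://yoursite.com/", 200, {"strict-transport-security": "max-age=31536000"})]
BAD = [("http://yoursite.com/", 302, {"location": "https://yoursite.com/"}),
       ("https://yoursite.com/", 200, {})]
```

Run `audit_chain(fetch_chain(u))` for each of the four http/https and www/non-www variants of your own domain; an empty list means that variant passes.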