How to Enable SSL Certificates in WordPress: A Quick, Step-by-Step Guide
Tired of seeing “Not secure” in the browser bar? This quick, step-by-step guide walks you through enabling SSL for WordPress on a VPS, covering certificate choices, server installation, WordPress configuration, and ongoing maintenance so your site stays safe and trusted.
Securing a WordPress site with SSL/TLS is no longer optional: it’s essential for privacy, SEO, and user trust. This guide walks you through the technical details and practical steps to enable SSL certificates for WordPress on a VPS hosting environment. It covers the underlying concepts, recommended certificate types, installation on common web servers, WordPress-specific configuration, and best practices for ongoing maintenance. The audience: site owners, developers, and IT teams who run or manage WordPress on VPS instances.
Why SSL/TLS matters for WordPress
SSL/TLS encrypts data between a client (browser) and your WordPress server, preventing eavesdropping and man-in-the-middle attacks. Modern browsers and search engines treat HTTPS as a baseline expectation: sites without HTTPS can display “Not secure” warnings and receive SEO penalties. For sites handling logins, forms, or payments, SSL is essential to protect credentials and sensitive data.
Underlying concepts: certificates, private keys, and trust
Before configuring anything, understand these core components:
- Private key: A cryptographic key stored on your server; never share it. It proves ownership of the certificate.
- Public certificate: Issued by a Certificate Authority (CA), binds a domain (or domains) to the public key.
- Certificate Signing Request (CSR): Generated on the server and used to request a certificate from a CA.
- CA chain (intermediate certificates): Chain of trust from your certificate to a root CA recognized by browsers.
- Key types: RSA and ECC are common. ECC offers shorter keys for comparable security but requires CA support.
Which certificate type should you choose?
Certificate choice depends on requirements:
- Free domain-validated (DV) certificates: Provided by Let’s Encrypt and others. Fast issuance, automated renewal via ACME. Suitable for most WordPress sites.
- Wildcard certificates: Cover *.example.com. Useful if you run many subdomains. Available from Let’s Encrypt (with DNS validation) and commercial CAs.
- Organization-validated (OV) and Extended Validation (EV): Include organizational identity verification. Useful for e-commerce and enterprise-level trust signals, though EV’s visual cues are less emphasized by browsers now.
- Self-signed: Not trusted by browsers. Useful for local development or internal services only.
Typical deployment scenarios
Common patterns when hosting WordPress on a VPS:
- Single-site WordPress on one VPS: Install cert on the web server (Apache/Nginx) serving that site.
- Multiple WordPress sites on a single VPS: Use multiple virtual hosts with individual certificates or a wildcard cert for subdomains.
- Reverse proxy or load balancer in front of WordPress: Terminate SSL at the proxy and use HTTP between proxy and backend, or use end-to-end TLS for extra security.
Preparing your VPS
Before requesting a certificate, ensure:
- Your domain DNS A/AAAA record points to your VPS public IP.
- You have shell access (SSH) with sudo or root privileges.
- Your web server (Apache or Nginx) is installed and serving the domain.
- Ports 80 and 443 are open in the firewall: port 80 for HTTP-01 validation and port 443 for HTTPS traffic.
Step-by-step: Getting and installing a certificate with Let’s Encrypt (Certbot)
Let’s Encrypt is the most common approach because it is free and supports automation. The ACME client “Certbot” simplifies issuance and renewal.
1) Install Certbot
On Debian/Ubuntu:
sudo apt update && sudo apt install certbot python3-certbot-nginx
For Apache, replace the python3-certbot-nginx package with python3-certbot-apache. On other distributions, use the OS package manager or the snap package for the latest Certbot.
2) Obtain a certificate
For Nginx (automated):
sudo certbot --nginx -d example.com -d www.example.com
For Apache (automated):
sudo certbot --apache -d example.com -d www.example.com
Certbot performs HTTP-01 challenge validation by creating a temporary file that the CA fetches over HTTP. If you use DNS-01 (required for wildcard certificates), you’ll need to create TXT records; many DNS providers offer APIs that Certbot plugins can use to do this automatically.
3) Verify certificate files and server configuration
Certbot installs cert and key files typically under /etc/letsencrypt/live/example.com/. Confirm presence of:
- privkey.pem — private key
- fullchain.pem — certificate plus intermediate chain (useful for many web servers)
- cert.pem — server certificate
Check that your web server config references these files. Example directives from an Nginx server block:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Configuring WordPress to use HTTPS
After installing the certificate and enabling HTTPS on the web server, update WordPress settings and resolve mixed content issues.
Update site URLs
In WordPress Admin, go to Settings → General and set WordPress Address (URL) and Site Address (URL) to https://yourdomain.com. If you cannot access the admin, update wp-config.php with:
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');
Force HTTPS and handle redirects
Implement a 301 redirect from HTTP to HTTPS at the web server level. Examples:
Nginx:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Apache (.htaccess for classic setups):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Avoid plugin-based redirects when the web server can handle them; server-level redirects are faster and reduce complexity.
Fix mixed content
Mixed content happens when pages include resources (images, scripts, styles) loaded over HTTP. Use these approaches:
- Search and replace HTTP URLs in the database with a serialized-safe tool such as WP-CLI search-replace or the “Better Search Replace” plugin.
- Serve static assets from protocol-relative URLs or always use https://.
- Inspect pages in browser DevTools for mixed content warnings and update source links accordingly.
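Why the first item calls for a serialized-safe tool, shown as an added Python example (not from the original article and not WP-CLI's code): WordPress stores many options as PHP-serialized strings whose s:N:"..." tokens carry a byte length, so a plain replace of http:// with https:// leaves stale lengths that PHP's unserialize() rejects. The option value and function names are constructed for illustration, and the walker handles the string tokens found in array and scalar data only.

```python
import re

# Constructed example of a serialized WordPress option value.
SAMPLE = b'a:2:{s:5:"title";s:10:"Our "logo"";s:3:"src";s:27:"http://example.com/logo.png";}'

# Header of a PHP-serialized string token: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')


def naive_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    """What a plain SQL REPLACE() or sed does: declared lengths go stale."""
    return blob.replace(old, new)


def serialized_safe_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace inside every s:N:"..."; token and recompute N (a byte count)."""
    out = bytearray()
    i = 0
    while i < len(blob):
        m = _STR_HEADER.match(blob, i)
        if m is None:
            out.append(blob[i])  # structural byte (a:, i:, {, }, ;) copied as-is
            i += 1
            continue
        start = m.end()
        end = start + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError(f"declared length is wrong at offset {i}")
        body = blob[start:end].replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)
        i = end + 2  # body is skipped by length, so quotes inside it are harmless
    return bytes(out)


def lengths_consistent(blob: bytes) -> bool:
    """True when every declared string length matches the bytes that follow."""
    try:
        # An identity replacement re-emits the blob unchanged if it parses.
        return serialized_safe_replace(blob, b"http://", b"http://") == blob
    except ValueError:
        return False
```

Running both functions on SAMPLE shows the difference: the naive result still declares s:27 for a 28-byte URL, while the length-aware result declares s:28 and parses cleanly.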
Hardening TLS on the web server
After your site is serving HTTPS, improve the TLS configuration for security and compatibility.
Cipher suites and protocol versions
Disable SSLv3 and TLS 1.0/1.1. Prefer TLS 1.2 and 1.3. Example Nginx TLS config:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
ssl_prefer_server_ciphers on;
Be mindful of client compatibility; TLS 1.3 support is widespread on modern clients.
Enable HSTS
HTTP Strict Transport Security (HSTS) instructs browsers to always use HTTPS for your domain. Add a header:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Only enable ‘preload’ if you understand the permanence and have submitted your site to the HSTS preload list.
OCSP stapling
OCSP stapling reduces the latency of certificate revocation checks: the web server fetches the CA's signed OCSP response and serves it during the TLS handshake. For Nginx, set ssl_stapling on; and ssl_stapling_verify on; and configure a resolver so the server can reach the CA's responder.
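A small audit of the hardening directives covered in this section, as an added Python example (not from the original article): it flags legacy protocols, an HSTS header that requests preload without meeting the preload list's requirements or lacks "always", and stapling enabled without verification or a resolver. The two Nginx fragments, the resolver address and the function names are constructed for illustration.

```python
import re

# Constructed nginx fragments: a weak one, and one using the settings shown above.
WEAK = '''
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=300; preload";
ssl_stapling on;
'''
HARDENED = '''
ssl_protocols TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.53;
'''
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_PRELOAD_AGE = 31536000  # one year: the preload list's minimum max-age
ARGS = r"""\s+((?:"[^"]*"|'[^']*'|[^;])*);"""  # arguments; quotes may hold ';'


def directive(conf, name):
    """Argument text of the first `name ...;` directive, or None if absent."""
    m = re.search(r"^\s*" + name + ARGS, conf, re.M)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    legacy = set((directive(conf, "ssl_protocols") or "").split()) & LEGACY
    if legacy:
        out.append("legacy protocols: " + " ".join(sorted(legacy)))
    hsts = directive(conf, r"add_header\s+Strict-Transport-Security")
    if hsts is None:
        out.append("HSTS header missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        eligible = (age and int(age.group(1)) >= MIN_PRELOAD_AGE
                    and "includesubdomains" in hsts.lower())
        if "preload" in hsts.lower() and not eligible:
            out.append("preload set but header is not preload-eligible")
        if not hsts.lower().endswith("always"):
            out.append("HSTS header lacks 'always'")  # omitted on error responses
    if directive(conf, "ssl_stapling") == "on":
        if directive(conf, "ssl_stapling_verify") != "on":
            out.append("stapling without ssl_stapling_verify")
        if directive(conf, "resolver") is None:
            out.append("stapling without a resolver")
    return out
```

Calling audit(WEAK) returns five findings and audit(HARDENED) returns an empty list; the script only reads the text it is given, so nginx -t and an external scan are still needed to confirm what the server actually serves.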
Verification and monitoring
After deployment, perform checks:
- Use openssl to inspect the certificate: openssl s_client -connect example.com:443 -servername example.com
- External scans: use Qualys SSL Labs to get a grade and configuration suggestions.
- Check pages for mixed content and the browser console for warnings.
- Ensure automatic renewals: Certbot installs a cron job or systemd timer. Test renewal with sudo certbot renew --dry-run.
Backup and disaster recovery
Keep secure backups of your private keys and web server configurations, but never store private keys in public or insecure locations. Document renewal procedures and emergency replacement steps in your runbooks. For high-availability setups, synchronize certificates across nodes or use a centralized certificate management solution.
When to use a commercial CA or a managed certificate service
Consider paid CAs or managed certificate services if:
- You need OV/EV validation for legal or compliance reasons.
- You require extended support, warranty, or multi-year contracts.
- Your environment has legacy clients that require specific compatibility guarantees.
- You prefer a managed service that automates distribution across fleets or load balancers.
Performance and SEO benefits
Beyond security, HTTPS enables HTTP/2 and HTTP/3, which improve loading performance by multiplexing and reducing latency. Search engines favor HTTPS pages, so enabling SSL/TLS can have positive SEO effects. Combined with proper caching and optimized TLS configuration, you can improve both security and speed.
Summary
Enabling SSL certificates in WordPress on a VPS involves understanding certificate types, obtaining and installing a cert (commonly via Let’s Encrypt + Certbot), updating WordPress configuration, fixing mixed content, and hardening the TLS configuration on your web server. Regular monitoring and automated renewal are crucial to avoid downtime. For most WordPress sites, a DV certificate from Let’s Encrypt provides an excellent balance of security and automation; for enterprise use cases, evaluate OV/EV or managed solutions.
If you host WordPress on a VPS and need reliable, low-latency infrastructure in the United States, consider the hosting options at USA VPS from VPS.DO. Their VPS plans provide the control required for custom SSL deployments and server-level optimizations described above.