How to Enable SSL on WordPress — Quick Step-by-Step Guide to Secure Your Site
SSL is essential for protecting user data, improving SEO, and keeping browsers from flagging your site as insecure. This quick, practical guide shows you how to enable SSL on WordPress step-by-step—covering certificate choices, server configuration, WordPress settings, automated renewal, and hardening tips.
Securing a WordPress site with SSL/TLS is no longer optional. Beyond SEO and browser trust indicators, SSL protects user data, prevents session hijacking, and is required for many modern web features. This guide walks site owners, developers, and administrators through a practical, technical, step-by-step process to enable SSL on WordPress—covering certificate selection, server configuration, WordPress settings, automated renewal, and hardening recommendations.
How SSL/TLS works — core principles
At a high level, SSL/TLS provides three guarantees: confidentiality (encryption of traffic), integrity (detection of tampering), and authentication (server identity via certificates). When a client connects to your site over HTTPS, the server presents an X.509 certificate issued by a Certificate Authority (CA). The client verifies the certificate chain, checks the validity dates and that the certificate's name matches the requested hostname, and then negotiates an encrypted session: asymmetric cryptography authenticates the server and agrees a session key, and symmetric cryptography encrypts the traffic that follows.
Important technical terms to know:
- Certificate Authority (CA) — entity that issues and signs certificates.
- CSR (Certificate Signing Request) — generated on the server, contains public key and metadata used to request a certificate.
- SAN (Subject Alternative Name) — allows one certificate to cover multiple domains or subdomains.
- Wildcard certificate — covers all subdomains at one level (e.g., *.example.com).
- OCSP stapling — the server attaches a recent, CA-signed OCSP response to the TLS handshake, so clients learn the revocation status without contacting the CA themselves; this improves performance and privacy.
- HTTP/2, TLS 1.2/1.3 — modern protocols that improve performance and security.
Choose the right certificate for your WordPress site
There are multiple certificate options depending on budget and needs:
- Let’s Encrypt (free) — automated, ideal for most websites, issues domain-validated (DV) certificates with 90-day validity and supports automation via Certbot.
- Paid DV/OV/EV certificates — offer organization validation (OV) or extended validation (EV) and longer lifetimes; useful for enterprises that require verified organizational identity.
- Wildcard certificates — simplify management when many subdomains exist; available from both free (Let’s Encrypt with DNS challenge) and paid CAs.
- Multi-domain/SAN certificates — cover multiple distinct hostnames in one certificate.
Server prerequisites and typical environments
Before installing a certificate, ensure you have:
- Root or sudo access to the VPS or web server.
- Web server software: Apache or Nginx (or a reverse proxy/load balancer in front).
- Open ports 80 and 443 reachable for validation and client traffic.
- SSH access for Certbot or manual certificate installation.
Step-by-step: Obtain and install a certificate (Certbot / Let’s Encrypt)
The following steps give concrete commands for a typical Ubuntu VPS running Nginx. For Apache, Certbot supports an Apache plugin with similar flow.
1. Install Certbot
On Ubuntu/Debian:
sudo apt update && sudo apt install certbot python3-certbot-nginx -y
2. Allow HTTP/HTTPS in firewall
With UFW:
sudo ufw allow 80,443/tcp
3. Obtain the certificate
For Nginx automatic configuration:
sudo certbot --nginx -d example.com -d www.example.com
Certbot will answer the ACME HTTP-01 challenge over port 80 and can automatically update the Nginx configuration to use the issued certificate. For wildcard certificates use DNS validation (the DNS-01 challenge):
sudo certbot certonly --manual --preferred-challenges=dns -d '*.example.com' -d example.com
(DNS challenge requires adding TXT records to your DNS provider.)
4. Configure Nginx for HTTPS
If not using --nginx auto-config, edit your server block:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
HTTPS block:
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Strong TLS 1.2 cipher suite example (update as needed; TLS 1.3 suites are not governed by ssl_ciphers)
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    # Add includeSubDomains/preload only once every subdomain serves HTTPS (see the HSTS section)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # root, index, php-fpm proxy_pass etc.
}
5. Test and automate renewal
Check certificate: sudo certbot certificates
Dry-run renewal: sudo certbot renew --dry-run
Certbot installs a systemd timer (certbot.timer) or a cron job to renew automatically. Because Nginx only picks up a renewed certificate on reload, confirm that renewal triggers one:
When the --nginx installer was used, Certbot reloads Nginx itself after renewal. Otherwise add a hook, for example sudo certbot renew --deploy-hook 'systemctl reload nginx', and verify by checking /etc/letsencrypt/renewal/example.com.conf for the installer or renew_hook entries.
WordPress-specific configuration changes
After the server serves HTTPS correctly, update WordPress to use the secure URLs and avoid mixed content.
1. Update Site URL
In wp-admin, go to Settings → General and change the WordPress Address (URL) and Site Address (URL) from http:// to https://. If you cannot access wp-admin, update via wp-config.php:
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');
2. Force HTTPS and fix mixed content
Options to force HTTPS:
- Use server-level 301 redirect (preferred) — see Nginx/Apache snippets above.
- Use an .htaccess redirect for Apache:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
- Use a plugin like Really Simple SSL if you prefer plugin-based migration (good for non-technical users).
Fix mixed content by ensuring theme and plugin assets load over HTTPS. Tools and strategies:
- Use browser DevTools console to list insecure requests.
- Run a search/replace in the database to change hard-coded http:// references to https://. Use WP-CLI (wp search-replace) or a plugin like Better Search Replace, both of which handle PHP-serialized values; a plain SQL REPLACE() corrupts serialized options and post meta because the embedded string lengths no longer match. Always back up the DB first.
- Use Content Security Policy (CSP) progressively to block insecure sources.
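As an added example (not code from the original guide) of why the search/replace has to be serialization-aware, this PHP function rewrites http:// to https:// inside a value that may be PHP-serialized, the way WP-CLI's search-replace does, and contrasts it with a plain string replacement on a constructed option value.

```php
<?php
// Added example, not part of the original guide: rewrite a URL inside a value that
// may be PHP-serialized (how WordPress stores options and post meta) without
// breaking the byte-length prefixes that a raw SQL REPLACE() would corrupt.
function replace_url_serialized_safe($value, string $from, string $to)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = replace_url_serialized_safe($v, $from, $to);
        }
        return $out;
    }
    if (!is_string($value)) {
        return $value; // ints, bools, null, incomplete-class objects: left untouched
    }
    // allowed_classes => false: database content is untrusted input, so never let
    // unserialize() instantiate objects from it; serialized objects pass through intact.
    $decoded = ($value === 'b:0;') ? false : @unserialize($value, ['allowed_classes' => false]);
    if ($decoded !== false) {
        // Nested serialized string: recurse into it and re-serialize with correct lengths.
        return serialize(replace_url_serialized_safe($decoded, $from, $to));
    }
    return str_replace($from, $to, $value);
}

// Constructed sample: an option value as wp_options would hold it.
$option = serialize([
    'logo'  => 'http://example.com/wp-content/uploads/logo.png',
    'count' => 3,
]);

// The naive replacement leaves the "s:46:" prefix in front of a 47-byte string, so
// the option no longer unserializes; the safe variant re-serializes correctly.
$naive = str_replace('http://example.com', 'https://example.com', $option);
$safe  = replace_url_serialized_safe($option, 'http://example.com', 'https://example.com');

$naive_ok = @unserialize($naive, ['allowed_classes' => false]) !== false;
$safe_ok  = @unserialize($safe, ['allowed_classes' => false]) !== false;
echo "naive result still unserializes: " . var_export($naive_ok, true) . PHP_EOL;
echo "safe result still unserializes:  " . var_export($safe_ok, true) . PHP_EOL;
```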
3. Cookies and admin area
Set these constants in wp-config.php so the admin area and login are served only over HTTPS; WordPress then issues its authentication cookies with the secure flag, so they are never sent over plain HTTP:
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true); // legacy constant: WordPress treats it as FORCE_SSL_ADMIN
These settings force the admin and login pages to use SSL, improving security for credentials.
Advanced hardening and performance features
After baseline HTTPS is working, consider these advanced configurations:
OCSP stapling and session resumption
Enable OCSP stapling and TLS session tickets/resumption to reduce latency and improve revocation checking. For Nginx, add the following (ssl_stapling_verify needs the issuer chain via ssl_trusted_certificate, and the resolver is used to reach the CA's OCSP responder):
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Note that Let's Encrypt has announced it is retiring its OCSP responders in favour of CRLs, so stapling only takes effect for certificates whose CA still publishes OCSP responses.
HTTP/2 and TLS 1.3
Enable HTTP/2 in the server listen directive (listen 443 ssl http2;) and prefer TLS 1.3 and 1.2 while disabling older versions (TLS 1.0/1.1). This gives performance gains and better cipher negotiation.
HSTS and preload
Set the HSTS header after thorough testing. Use add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; only if you are sure every subdomain supports HTTPS; submitting to hstspreload.org adds your domain to browser preload lists.
Load balancers and reverse proxies
If your architecture uses a load balancer or CDN (e.g., AWS ELB, Cloudflare), terminate SSL at the edge or LB and ensure the backend connection is secured or proxied correctly. Because the backend then sees plain HTTP, WordPress's is_ssl() returns false unless $_SERVER['HTTPS'] is set to 'on'; read the X-Forwarded-Proto header that the proxy sets and add the following to wp-config.php, above the line that requires wp-settings.php. Make sure the proxy overwrites any client-supplied X-Forwarded-Proto and that the backend is reachable only through the proxy, otherwise the header can be spoofed:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
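A stricter version of that wp-config.php snippet, added here as an example rather than taken from the guide: it honours X-Forwarded-Proto only when the TCP peer is one of your own proxies, so a request that reaches the backend directly cannot mark itself as HTTPS. The proxy address ranges are assumptions; substitute the real ranges of your load balancer or CDN.

```php
<?php
// Added example, not part of the original guide: trust X-Forwarded-Proto only from
// known proxy addresses. Place in wp-config.php before wp-settings.php is required.
// The ranges below are assumptions; use your load balancer's or CDN's actual ranges.
$trusted_proxies = ['10.0.0.0/8', '192.168.1.0/24', 'fd00::/8'];

// True when $ip lies inside $cidr; supports IPv4 and IPv6 and rejects family mismatches.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 compared against IPv6
    }
    $maxBits = strlen($netBin) * 8;
    $bits    = isset($parts[1]) ? min((int) $parts[1], $maxBits) : $maxBits;
    $bytes   = intdiv($bits, 8);
    $rest    = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // high-order bits of the partial byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Decide whether the client's original connection was HTTPS, given the request's
// server variables and the trusted proxy list. The proxy is expected to overwrite
// the header with a single value, so anything other than exactly "https" is refused.
function request_was_https(array $server, array $trusted): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return $proto === 'https';
        }
    }
    return false; // peer is not a known proxy: ignore the header entirely
}

if (request_was_https($_SERVER, $trusted_proxies)) {
    $_SERVER['HTTPS'] = 'on';
}
```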
Testing and validation
After enabling SSL, validate the configuration:
- Use SSL Labs SSL Test to analyze certificate chain, protocol support, cipher strength, and vulnerabilities—aim for A/A+ scores.
- Check for mixed content in browser DevTools and with online scanners.
- Test OCSP stapling and stapled responses using OpenSSL: openssl s_client -connect example.com:443 -servername example.com -status (the -servername option sends SNI so the right certificate is selected; look for "OCSP Response Status: successful" in the output).
- Verify automated renewal by simulating renewal or checking cron/systemd timers.
Advantages, trade-offs, and best practices
Advantages of enabling SSL include improved security, SEO benefits, and compatibility with modern browser features and service APIs. The main trade-offs are operational: certificate management and occasional renewal issues. Automation (Certbot, ACME clients or commercial CA automation) eliminates most maintenance pain.
Best practices summary:
- Use automated issuance and renewal (Let’s Encrypt + Certbot) where possible.
- Prefer server-level redirects and HSTS for robust enforcement.
- Test configuration with SSL Labs and browser tools.
- Harden TLS configuration and disable weak protocols/ciphers.
- Back up your private keys with restrictive file permissions and document certificate lifecycles for team operations.
Choosing hosting and VPS considerations
When self-managing SSL on a VPS, choose a provider that gives reliable network, easy SSH access, and predictable performance. For sites targeting US audiences, consider low-latency hosting in the region. If you need scalability or advanced networking features, check whether your VPS provider supports load balancing, private networking, and snapshot-based backups.
For example, VPS.DO provides easy-to-configure USA VPS plans with root access, so you can install Certbot, configure Nginx/Apache, and automate SSL/TLS renewals directly on your instance. See available options at USA VPS and visit the provider site at VPS.DO for more details.
Enabling SSL correctly requires a mix of certificate management, server configuration, WordPress adjustments, and ongoing monitoring. With modern tools like Let’s Encrypt and Certbot, the process is straightforward for most sites. If you operate multiple domains or need higher assurance levels, consider wildcard or paid certificates and integrate certificate lifecycle management into your deployment workflow.
Securing your WordPress site is an essential step toward professional operations. If you host on a VPS and prefer full control over SSL/TLS stack and performance tuning, a reliable provider like USA VPS from VPS.DO offers the infrastructure to implement these best practices effectively.