How to Enable SSL Certificates in WordPress — Secure Your Site in 5 Easy Steps
Ready to lock down your site and boost user trust? This friendly guide shows you how to enable SSL in WordPress in five easy steps—covering certificate types, server setup, and best practices so your site stays secure and fast.
Introduction
Securing a WordPress site with SSL/TLS certificates is no longer optional—search engines, browsers, and users expect encrypted connections. This guide walks you through the entire process of enabling SSL for WordPress in five practical steps, with technical details suitable for site owners, developers, and IT managers. You’ll learn how certificates work, different deployment scenarios, security hardening, and best practices for maintaining a secure, performant site on a VPS.
How SSL/TLS Works: Key Concepts for WordPress Hosts
Before configuring SSL on a server, it helps to understand the core concepts:
- TLS handshake: The exchange that opens a secure connection. Client and server negotiate a protocol version and cipher suite, the server authenticates itself with its certificate, a key exchange based on asymmetric cryptography takes place, and both sides derive a symmetric session key that encrypts the application data.
- Certificate Authorities (CAs): Trusted entities that issue certificates. Browsers trust a chain of certificates from a root CA through one or more intermediates down to the server certificate.
- Server certificate: Contains the site’s public key, its domain names (the CN field and, decisively for modern browsers, the SAN field), validity period, and issuer details. It must be paired with the server’s private key.
- Certificate Signing Request (CSR): A file generated on the server containing the public key and identity information that a CA uses to create the certificate.
- OCSP and certificate revocation: Mechanisms for checking whether a certificate has been revoked. OCSP stapling improves privacy and performance by letting the server present a recently signed OCSP response during the handshake instead of every client querying the CA.
 
Certificate Types and When to Use Them
- Domain Validated (DV): Fast and automated (e.g., Let’s Encrypt). Suitable for most blogs and business sites.
- Organization Validated (OV): Adds verification of the organization; useful for businesses that want more visible trust signals.
- Extended Validation (EV): The most thorough vetting and the strongest identity assurance, though most browsers no longer display a distinctive EV indicator, so the visual benefit is limited.
- Wildcard certificates: Cover all subdomains under a domain (e.g., *.example.com). Ideal when you have many subdomains.
- Multi-domain (SAN) certificates: Cover several distinct domain names in a single certificate.
 
Step 1 — Prepare Your VPS and Hosting Environment
Before requesting a certificate, ensure your VPS is configured to serve your WordPress site. This includes domain DNS, web server configuration, and firewall rules.
- Ensure DNS A (and AAAA if using IPv6) records point to your VPS IP address.
- Open ports 80 and 443 on the VPS firewall (iptables, ufw, or cloud firewall):

Example ufw commands:
- ufw allow 80/tcp
- ufw allow 443/tcp

Install and configure a web server. The two common choices are:
- Apache: Uses mod_ssl and can leverage certbot’s Apache plugin for automatic virtual host adjustments.
- Nginx: High-performance, often used with php-fpm. Certbot’s Nginx plugin can modify configurations automatically.

Server considerations
- Ensure time synchronization (chrony or ntp). Certificate validation is time-sensitive.
- Verify PHP and WordPress are working over HTTP before enabling HTTPS to isolate any issues.
- Back up your web server configuration and WordPress files.
 
Step 2 — Obtain an SSL Certificate
There are multiple ways to get a certificate. For most WordPress sites, Let’s Encrypt via certbot is the simplest and free. For enterprise environments you might purchase a certificate from a commercial CA.
Using Certbot (Let’s Encrypt)
Install certbot and the appropriate plugin:
- On Debian/Ubuntu for nginx: apt-get install certbot python3-certbot-nginx
- For Apache: apt-get install certbot python3-certbot-apache

Then request a certificate:
- certbot --nginx -d example.com -d www.example.com
- certbot --apache -d example.com -d www.example.com
 
Certbot will validate domain ownership via HTTP-01 challenges and, if successful, install the certificate into your web server configuration. Certbot also creates renewal tasks in cron or systemd timers.
Manual CSR / Commercial CA
- Generate a private key and CSR: openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
  Browsers require every hostname to appear in the subjectAltName field, so either list the names on the CA’s order form or include them in the CSR with -addext 'subjectAltName=DNS:example.com,DNS:www.example.com' (OpenSSL 1.1.1 or later). Keep example.key readable only by root; the private key is never sent to the CA.
- Submit the CSR to the CA, then receive the certificate and the intermediate chain. Install both the certificate and the CA bundle on the server.
 
When using a commercial CA, ensure you also install the intermediate chain (often named chain.pem or ca-bundle) to avoid missing-chain errors in browsers.
Step 3 — Configure Web Server to Serve HTTPS
After obtaining certificate files (fullchain.pem and privkey.pem for Let’s Encrypt), configure your web server to use them.
Nginx example
In your server block:
- listen 443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-…'; (use a current recommended list; this directive governs TLS 1.2 suites only, since TLS 1.3 has its own fixed set)
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; (add includeSubDomains and preload only once every subdomain is served over HTTPS; see Step 5)
 
Enable OCSP stapling and session resumption to reduce handshake latency (session resumption is configured with the ssl_session_cache directive, not shown here). For ssl_stapling_verify to work, nginx also needs the issuer chain via ssl_trusted_certificate, and stapling only has an effect when the CA publishes an OCSP responder; Let’s Encrypt has announced the end of its OCSP service in favour of CRLs, in which case nginx logs a warning and skips stapling:
- ssl_stapling on;
- ssl_stapling_verify on;
- resolver 1.1.1.1 8.8.8.8 valid=300s;
 
Apache example
- Enable mod_ssl and mod_headers: a2enmod ssl headers
- In the <VirtualHost *:443> block (SSLEngine on is required, or Apache serves plain HTTP on the port):
- SSLEngine on
- SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
- SSLProtocol -all +TLSv1.2 +TLSv1.3
- Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
Always test configuration changes:
- nginx -t
- apachectl configtest
- systemctl reload nginx
- systemctl reload apache2
 
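A quick way to check a server block against the settings in this step is a small audit script. The following Python example is added here and is not part of the original article or of nginx; it parses one nginx server block (a constructed weak block and a constructed hardened block are embedded as sample input) and reports legacy protocols, a 443 listener without the ssl parameter, an HSTS header that is absent, shorter than the one-year preload minimum or lacking always, and stapling that is not switched on. The tokenizer covers just enough nginx syntax for ssl_* and add_header lines; the finding codes are this example's own.

```python
import re

# Tokenizer for the subset of nginx syntax needed here: quoted strings,
# ';' terminators, braces and bare words. '#' comments are stripped first
# (also inside quotes, which is acceptable for ssl_* and add_header lines).
_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(;)|([{}])|([^\s;{}"\']+)')
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list accepts


def directives(config):
    """Yield (name, args) for each simple directive. Block headers such as
    'server {' are skipped, so nested blocks are flattened into one sequence."""
    current = []
    for m in _TOKEN.finditer(re.sub(r"#[^\n]*", "", config)):
        dq, sq, semi, brace, word = m.groups()
        if semi:
            if current:
                yield current[0], current[1:]
            current = []
        elif brace:
            current = []
        else:
            current.append(word if word is not None else dq if dq is not None else sq)


def audit_tls(config):
    """Return [(code, message)] findings for one nginx server block."""
    findings, protocols, stapling, hsts = [], set(), False, None
    for name, args in directives(config):
        if name == "listen":
            if any(a == "443" or a.endswith(":443") for a in args) and "ssl" not in args:
                findings.append(("LISTEN_NO_SSL", "listen on 443 lacks the ssl parameter"))
        elif name == "ssl_protocols":
            protocols.update(args)
        elif name == "ssl_stapling":
            stapling = args[:1] == ["on"]
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = args  # [header name, value, optional 'always']
    if not protocols:
        findings.append(("NO_PROTOCOLS", "ssl_protocols not set; set it explicitly to TLSv1.2 TLSv1.3"))
    else:
        for p in sorted(protocols & LEGACY_PROTOCOLS):
            findings.append(("LEGACY_PROTOCOL", f"{p} is enabled"))
        if "TLSv1.3" not in protocols:
            findings.append(("NO_TLS13", "TLSv1.3 is not enabled"))
    if hsts is None:
        findings.append(("HSTS_MISSING", "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[1] if len(hsts) > 1 else "")
        max_age = int(m.group(1)) if m else 0
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(("HSTS_SHORT_MAX_AGE", f"max-age={max_age} is under one year"))
        if "always" not in hsts[2:]:
            findings.append(("HSTS_NOT_ALWAYS", "header lacks 'always', so error responses omit it"))
    if not stapling:
        findings.append(("NO_STAPLING", "ssl_stapling is off (only matters if the CA serves OCSP)"))
    return findings


# Constructed sample blocks: the first mirrors common mistakes, the second the
# directives recommended in this step.
WEAK_CONFIG = """
server {
    listen 443;                              # ssl parameter missing
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # legacy protocols still on
    add_header Strict-Transport-Security "max-age=3600";
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls(cfg) or "no findings")
```

Run it against the output of nginx -T (which prints the fully resolved configuration) rather than a single file when includes are in play; the script still only reasons about one server block at a time, so split the output per block first.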
Step 4 — Configure WordPress to Use HTTPS
Once the web server serves HTTPS, update WordPress settings and harden the application to avoid mixed content and maintain SEO and cookie security.
Update WordPress settings
- In wp-admin → Settings → General, set WordPress Address (URL) and Site Address (URL) to https://yourdomain.com.
- If you cannot access wp-admin, update the database via wp-cli or directly in the options table:

Using wp-cli:
- wp option update home 'https://example.com'
- wp option update siteurl 'https://example.com'
 
Force HTTPS and handle redirects
Ensure all HTTP requests are redirected to HTTPS with a 301 redirect. For Nginx:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
For Apache, use a VirtualHost for port 80 with a Redirect or rewrite rule.
Fix mixed content
- Scan the site for resources still loaded over HTTP (images, scripts, styles). The browser dev tools console reports mixed-content warnings for the current page; a site crawler covers the whole site. (Qualys SSL Labs tests the TLS configuration itself, not page content.)
- Replace hard-coded http:// URLs in the database with wp-cli search-replace or a plugin designed for safe serialized replacements: wp search-replace 'http://example.com' 'https://example.com' --skip-columns=guid
- Update theme and plugin references to use protocol-relative URLs or https:// explicitly.
 
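Two checks for this step, as an added Python example that is not code from the article or from wp-cli: a scanner that reports http:// sub-resources in a rendered page, separating active content (scripts, stylesheets, frames), which browsers block, from passive content (images, media), and a replacement routine that rewrites URLs inside PHP-serialized option values while correcting their byte-length prefixes, which is the reason wp search-replace exists instead of a plain SQL UPDATE with REPLACE(). The HTML page and the serialized option value are constructed sample input.

```python
import re
from html.parser import HTMLParser

# Sub-resource attributes that matter for mixed content. Browsers block
# "active" mixed content (scripts, stylesheets, frames, plugins) outright;
# "passive" content (images, media) is upgraded to https:// or blocked
# depending on the browser, and either way the padlock is lost.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects sub-resource URLs that are fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or not value.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))


def find_mixed_content(html):
    """Return [(kind, tag, url)] for every http:// sub-resource in the page.
    Plain links (<a href>) are navigation, not mixed content, and are not reported."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# PHP-serialized strings look like s:<byte length>:"<bytes>"; and WordPress stores
# widgets, theme mods and many plugin settings that way. "https://" is one byte
# longer than "http://", so the length prefix must be rewritten or PHP's
# unserialize() fails and the option silently falls back to its default.
_SERIALIZED_STR = re.compile(rb's:(\d+):"')


def replace_in_serialized(data, old, new):
    """Replace old with new in data, fixing the length prefix of every
    PHP-serialized string that changes. Serialized data nested inside a string
    value is treated as plain text (wp-cli unserializes recursively instead)."""
    buf = data.encode("utf-8")
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    out, pos = bytearray(), 0
    while True:
        m = _SERIALIZED_STR.search(buf, pos)
        if m is None:
            out += buf[pos:].replace(old_b, new_b)  # tail holds no serialized string
            break
        out += buf[pos:m.start()].replace(old_b, new_b)
        start, end = m.end(), m.end() + int(m.group(1))
        if buf[end:end + 2] != b'";':
            out += buf[m.start():m.end()]  # not a well-formed token; copy it through
            pos = m.end()
            continue
        value = buf[start:end].replace(old_b, new_b)  # lengths are byte counts
        out += b's:%d:"' % len(value) + value + b'";'
        pos = end + 2
    return out.decode("utf-8")


# Constructed sample input: a page with one active and one passive http:// resource,
# and a serialized option of the kind found in wp_options.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.com/about/">About</a>
</body></html>"""
SAMPLE_OPTION = 'a:2:{s:4:"logo";s:38:"http://example.com/wp-content/logo.png";s:5:"count";i:3;}'

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
    print(replace_in_serialized(SAMPLE_OPTION, "http://example.com", "https://example.com"))
```

The guid column is skipped by wp-cli for a reason: WordPress uses it as a stable post identifier, not as a link, and changing it makes feed readers treat every post as new.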
Security headers and cookies
- Set the Secure flag on cookies so they are only sent over HTTPS, and HttpOnly so scripts cannot read them. WordPress core sets Secure cookies when the site URL is HTTPS, but double-check custom code.
- Implement a Content Security Policy (CSP) cautiously to mitigate mixed content and injection risks.
 
Step 5 — Maintain and Harden Your TLS Deployment
SSL isn’t a one-time setup. Maintain certificate renewal, monitor vulnerabilities, and apply best practices:
- Automatic renewal: Certbot sets up automatic renewal; test it with certbot renew --dry-run. Ensure the web server is reloaded after renewal (the nginx and Apache plugins do this; other setups need a --deploy-hook), or it keeps serving the old certificate until restarted.
- Monitor expiration: Add monitoring alerts for certificate expiry using uptime monitors or monitoring stacks (Prometheus + alertmanager, etc.).
- TLS versions and cipher suites: Disable legacy protocols (TLS 1.0, 1.1). Prefer TLS 1.2 and 1.3 with strong cipher lists that favor forward secrecy (ECDHE) and AEAD ciphers (GCM, ChaCha20-Poly1305).
- OCSP stapling: Lets clients obtain revocation status quickly without contacting the CA; configure it correctly, monitor for stapling failures, and note that it only applies while the CA operates an OCSP responder.
- HSTS and preload: HSTS protects users after their first visit. Use a long max-age, and add includeSubDomains only once you are confident every subdomain is served over HTTPS. Consider submitting to the HSTS preload list once ready; removal from the list is slow, so treat it as a long-term commitment.
- HTTP/2 and HTTP/3: Enable HTTP/2 with TLS for multiplexing and performance. HTTP/3 requires QUIC support and is increasingly supported by browsers and servers.
- Regularly test: Use Qualys SSL Labs to test configuration and score, then address issues like missing intermediate certificates, weak ciphers, or poor protocol support.
 
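For the expiration-monitoring item, here is an added Python example (not from the article or from any monitoring product) that turns the notAfter line printed by openssl x509 -noout -enddate into an alert status with Nagios-style exit codes, so it can sit behind a cron job or an uptime check. The hostnames and expiry dates are constructed sample data; the thresholds are assumptions chosen around certbot's 30-day renewal window, where anything under 20 days means renewal has already failed more than once.

```python
from datetime import datetime, timezone

# Thresholds assumed for this example (Let's Encrypt: 90-day lifetime,
# certbot renews at 30 days left, so 20 days means several failed renewals).
WARN_DAYS = 20
CRITICAL_DAYS = 7
EXIT_CODES = {"ok": 0, "warning": 1, "critical": 2, "expired": 2}


def parse_not_after(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT', the format printed by
    `openssl x509 -noout -enddate -in cert.pem`, into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)  # %Z parses GMT but sets no tzinfo


def classify(not_after, now):
    """Return (status, whole days left); days go negative once expired."""
    days = (not_after - now).days
    if days < 0:
        return "expired", days
    if days <= CRITICAL_DAYS:
        return "critical", days
    if days <= WARN_DAYS:
        return "warning", days
    return "ok", days


def check_certificates(enddates, now=None):
    """enddates maps hostname -> notAfter line; returns hostname -> (status, days)."""
    now = now or datetime.now(timezone.utc)
    return {host: classify(parse_not_after(line), now) for host, line in enddates.items()}


def exit_code(results):
    """Nagios-style exit code for the whole run: the worst status wins."""
    return max((EXIT_CODES[status] for status, _ in results.values()), default=0)


# Constructed sample data: one notAfter line per host, evaluated at a fixed "now"
# so the result is reproducible. Note the double space openssl prints for day 5.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENDDATES = {
    "example.com": "notAfter=Aug 15 00:00:00 2025 GMT",
    "shop.example.com": "notAfter=Jun 10 12:00:00 2025 GMT",
    "api.example.com": "notAfter=Jun  5 00:00:00 2025 GMT",
    "old.example.com": "notAfter=May 20 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    results = check_certificates(SAMPLE_ENDDATES, SAMPLE_NOW)
    for host, (status, days) in results.items():
        print(f"{status:8} {days:4d} days  {host}")
    raise SystemExit(exit_code(results))
```

In production, feed it one line per host from openssl x509 -noout -enddate -in /etc/letsencrypt/live/example.com/cert.pem (or from an s_client connection to the live port, which also catches a renewed file the server never reloaded). For a one-line cron check without any script, openssl x509 -checkend 1728000 -noout -in cert.pem exits non-zero when fewer than 20 days (1,728,000 seconds) remain.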
Choosing the Right Certificate and VPS Plan
When deciding between certificate types and VPS offerings, consider the following:
- Scale and complexity: Small businesses and blogs usually use Let’s Encrypt (free) DV certificates with auto-renew. Large organizations with compliance needs may require OV/EV certificates.
- Multiple subdomains: Use a wildcard or SAN certificate. Wildcards simplify management for subdomains but require DNS validation for issuance with Let’s Encrypt.
- VPS resources: TLS termination has CPU overhead for the initial handshake. Choose a VPS with sufficient CPU and RAM for your expected traffic. For high traffic, consider offloading TLS to a load balancer or using HTTP/2 + TLS session reuse strategies.
- Deployment workflow: If you manage multiple sites or have CI/CD, integrate certificate request and deployment into automation tooling (Ansible, Terraform, or custom scripts) and secure private keys via secret management (Vault, AWS KMS, etc.).
 
Advantages of Enabling SSL on WordPress
- Privacy and integrity: TLS encrypts data in transit, preventing eavesdropping and tampering.
- SEO and browser trust: HTTPS is a ranking factor, and browsers flag insecure sites, which harms conversions.
- Improved performance: TLS combined with HTTP/2 increases page load efficiency through multiplexing and header compression.
- Modern security features: Enables powerful mechanisms like HSTS, secure cookies, and enhanced CSPs.
 
Summary
Enabling SSL for WordPress is achievable in five systematic steps: prepare the VPS, obtain a certificate, configure the web server, update WordPress and fix mixed content, and maintain/harden the setup. Focus on automation (automatic renewal), current TLS best practices (disable old protocols, prefer TLS 1.3), and ongoing monitoring. For most users, Let’s Encrypt with certbot provides an excellent balance of security, automation, and cost-effectiveness. Enterprises should weigh the value of OV/EV certificates and key management practices.
If you host WordPress on a VPS, choose a plan with adequate CPU and memory to handle TLS handshakes and traffic. For reliable infrastructure in the United States, consider exploring VPS.DO’s offerings, including their USA VPS plans that provide scalable resources well-suited for secure WordPress deployments. Learn more about the provider at VPS.DO.