Skip to content
WordPress

Adding SSL to WordPress Without Breaking Anything

How to add ssl to wordpress safely using a proven secure method that protects data, avoids mixed content errors, and ensures site stability.

Adding SSL to WordPress Without Breaking Anything

When you add SSL to WordPress, you are doing two things simultaneously: encrypting the connection between the visitor’s browser and the server, and changing the site’s fundamental URL from http:// to https://. The encryption part is handled entirely by the SSL certificate and the server configuration. The URL change is where most of the work happens in a WordPress context — because WordPress stores its own URL in the database, references its own URL in every piece of content, and has plugins and themes that may have hardcoded http:// references throughout their settings and files. A correct process to add SSL to WordPress addresses all of these layers in the right sequence. A careless process — installing the certificate but not updating WordPress’s URL settings, or updating the settings but not running a database search-and-replace — produces mixed content errors, broken images, redirect loops, or an inaccessible admin panel. I have guided many sites through SSL migrations and the ones that go smoothly are the ones that follow a documented sequence. This guide is that sequence. If you want the full context, see our Complete Guide to WordPress How.

Get Your SSL Certificate Before You Add SSL to WordPress

The SSL certificate must be installed on the server before any WordPress configuration changes are made. Changing WordPress’s URL settings to https:// before the certificate is in place makes the site inaccessible — WordPress redirects all requests to https:// but the server has no certificate to serve the HTTPS connection, resulting in browser security errors for all visitors. The sequence matters: certificate first, WordPress configuration second.

Certificate TypeCostBest ForHow to Get It
Let’s Encrypt (free)Free — auto-renews every 90 daysMost WordPress sites; all use casescPanel → SSL/TLS → Let’s Encrypt, or hosting dashboard one-click
Hosting provider-included SSLIncluded in hosting planSites on plans that include SSLEnable in hosting dashboard — typically one click
Paid DV certificate$10–$100/yearSame security as Let’s Encrypt — rarely necessaryPurchase from Namecheap, DigiCert, Sectigo
Paid EV certificate$100–$500/yearHigh-assurance sites where organisation identity is displayedPurchase from DigiCert, Sectigo — requires organisation vetting

For most WordPress sites, Let’s Encrypt is the correct choice. It is free, browser-trusted, auto-renewing, and provides identical encryption to expensive paid certificates. The only scenario where a paid certificate adds genuine value is the Extended Validation (EV) type, which displays organisation name in the browser — but even this benefit has diminished as browsers have reduced the visual prominence of EV indicators. Install Let’s Encrypt through cPanel → SSL/TLS → Let’s Encrypt SSL (available on most cPanel hosting), through your hosting provider’s one-click SSL activation (common on managed WordPress hosts), or through Certbot on VPS environments. After installation, verify the certificate is active by visiting https://yoursite.com in a browser — if the padlock appears and the certificate details show a valid expiry date, you are ready to add SSL to WordPress at the application level.

Configure WordPress to Use HTTPS After Installing the Certificate

With a valid SSL certificate installed and confirmed working, the WordPress configuration changes to add SSL to WordPress properly involve updating two core URL settings and then running a database search-and-replace to update all stored http:// references. These steps must be done in sequence — updating the URL settings first, then the database, then verifying the result.

  1. Log in to the WordPress admin panel (still using http:// for now — do not force HTTPS yet)
  2. Navigate to Settings → General
  3. Update the WordPress Address (URL) field from http://yoursite.com to https://yoursite.com
  4. Update the Site Address (URL) field to the same https://yoursite.com value
  5. Click Save Changes — WordPress redirects you to the HTTPS login page. This is expected. Log in again via the HTTPS admin URL.
  6. Verify the admin panel loads correctly over HTTPS (padlock visible in browser address bar)
  7. Install and activate the Better Search Replace plugin (free; WordPress Plugin Directory)
  8. Navigate to Tools → Better Search Replace → Search for: http://yoursite.com → Replace with: https://yoursite.com → select all database tables → run Dry Run first to see how many replacements will be made
  9. If the dry run count looks reasonable (hundreds to thousands of replacements is normal for an established site), run the live replacement — this updates all content, widget settings, theme options, and plugin settings stored in the database that reference the old http:// URL
  10. Load the site’s front end and check the browser console (F12 → Console) for any mixed content warnings — these indicate http:// resources that were not caught by the search-and-replace

The Better Search Replace plugin handles serialised PHP data correctly — a critical requirement, since WordPress and plugins frequently store settings as serialised PHP arrays that a simple text search-and-replace corrupts. After running the replacement to add SSL to WordPress database references, navigate to Settings → Permalinks and click Save Changes to regenerate the .htaccess rewrite rules for the HTTPS environment.

Fix Mixed Content After You Add SSL to WordPress

Mixed content is the most common problem encountered after completing the initial steps to add SSL to WordPress. It occurs when a page served over HTTPS loads resources — images, scripts, stylesheets, iframes — over http://. Browsers flag this as a security issue because the HTTPS encryption is undermined by unencrypted resource requests within the same page. Active mixed content (scripts, stylesheets) is blocked by modern browsers; passive mixed content (images) triggers a padlock warning without blocking the resource.

The browser developer console (F12 → Console tab) shows every mixed content warning with the specific resource URL causing it. Common sources of mixed content after you add SSL to WordPress:

<img src="http://yoursite.com/wp-content/uploads/2024/image.jpg">


<img src="https://yoursite.com/wp-content/uploads/2024/image.jpg">

Theme files that hardcode http:// URLs in template files, plugin settings that store absolute URLs in their own database tables not covered by wp_options search-and-replace, and external resources (Google Fonts, social media embeds, CDN resources) loaded over http:// are the main sources that Better Search Replace does not catch. For external resources, simply updating the URL from http:// to https:// in the plugin or theme settings resolves the mixed content. For theme files with hardcoded URLs, edit the file directly (or use a child theme to override it) and replace http:// references with https:// or protocol-relative (//domain.com) references that work over both protocols.

Force HTTPS Sitewide in .htaccess

After the WordPress URL settings and database references are updated, adding an HTTPS redirect rule to .htaccess ensures all http:// requests are permanently redirected to https://, regardless of how they are initiated. This is the final layer to add SSL to WordPress correctly — it handles direct http:// URL access, old bookmarks, and links from other sites that still use the old http:// URL.

Open .htaccess in the WordPress root via FTP (enable hidden files first). Add these lines above the WordPress default rewrite block (the block that begins with # BEGIN WordPress):

# Force HTTPS redirect — add SSL to WordPress
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save the file and test by navigating to http://yoursite.com in a browser — it should redirect immediately to https://yoursite.com with a 301 status (permanent redirect). Verify with a tool like Redirect Checker (redirect-checker.org) to confirm the 301 status and that the redirect destination is the correct https:// URL. The 301 status tells search engines that the http:// URL has permanently moved to https://, which consolidates search ranking signals to the HTTPS version rather than splitting them between two URL variants.

On servers where SSL is terminated upstream — at a Cloudflare proxy, a load balancer, or an NGINX reverse proxy in front of an Apache WordPress server — the standard %{HTTPS} off condition may not work because the upstream termination means the connection to Apache appears as HTTP internally even when the visitor accessed it via HTTPS. In this case, use the X-Forwarded-Proto header check instead: RewriteCond %{HTTP:X-Forwarded-Proto} !https. Confirm with your hosting provider which condition is appropriate for your infrastructure when using this redirect after you add SSL to WordPress through a proxied setup.

Post-SSL Verification — What to Check After You Add SSL to WordPress

A systematic post-SSL verification confirms the migration is complete and catches any remaining issues before they create problems for visitors or search engine indexing. The following checks cover the most important aspects after you add SSL to WordPress successfully.

  • Padlock status: Load the homepage, a blog post, and a page with images in a fresh browser. All should show a clean padlock without any warning triangle. A padlock with a warning indicates remaining mixed content.
  • Admin panel: Confirm the WordPress admin is accessible at the https:// URL and that all admin functions — plugin installation, media upload, settings saves — work correctly
  • Redirect verification: Test http://yoursite.com, http://www.yoursite.com, and https://www.yoursite.com all redirect to the canonical https://yoursite.com (or https://www.yoursite.com if www is the canonical) with 301 status codes
  • Google Search Console: Add the https:// version of the site as a new property in Search Console. Submit the updated sitemap (Settings → General in most SEO plugins → Sitemaps → the sitemap URL, now using https://). Monitor for crawl errors in the weeks after the migration.
  • Certificate expiry monitoring: Let’s Encrypt certificates auto-renew every 90 days when configured correctly. Verify auto-renewal is set up (cPanel → SSL/TLS → Let’s Encrypt shows next renewal date) or configure a monitoring alert for certificate expiry
  • Plugin API keys and webhook URLs: Payment gateway webhooks, email service confirmations, and external API integrations often require updating the callback URL from http:// to https:// in the external service’s settings dashboard

Common Problems When Adding SSL to WordPress

The most frequent problems encountered when you add SSL to WordPress are redirect loops (covered in depth in our redirect loop guide), mixed content warnings (covered above), and an inaccessible admin panel caused by updating URL settings before the certificate was properly installed.

A redirect loop after adding SSL almost always means there are conflicting redirect rules — the .htaccess rule redirecting to HTTPS conflicting with a WordPress security plugin’s own HTTPS enforcement, or the Cloudflare “Always Use HTTPS” setting conflicting with a server-level redirect when Cloudflare terminates SSL upstream. The fix is identifying and removing the redundant redirect rule — keeping only one layer of HTTPS enforcement active at a time.

An inaccessible admin panel immediately after changing WordPress URL settings is usually caused by the wrong URL being entered — a typo, a www vs non-www mismatch, or http vs https mismatch. Recovery is via wp-config.php constants: add define('WP_HOME', 'https://correcturl.com'); and define('WP_SITEURL', 'https://correcturl.com'); to wp-config.php to override the incorrect database values and regain admin access, then correct the database values through Settings → General.

Our guide on fixing the WordPress too many redirects error covers the redirect loop that is the most common complication when you add SSL to WordPress — the specific causes and resolution for when the HTTPS redirect itself creates a loop. Our guide on fixing the WordPress mixed content error covers the browser security warning that appears after an SSL migration in much greater depth, including the approach for finding and fixing mixed content in theme files. The Let’s Encrypt documentation covers the certificate installation process across different server types and control panels — the authoritative guide for the certificate step that must precede the WordPress-level changes to add SSL to WordPress. You might also run into How to Change WordPress Admin Email Safely With a Proven Secure Method.

Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"