Guide

How to Install an SSL Certificate on Your Website

An SSL certificate is no longer optional for any website. It encrypts the connection between your server and your visitors’ browsers, protecting data in transit from interception. Without one, browsers display a “Not Secure” warning in the address bar, which erodes visitor trust and can affect your search rankings. Google has used HTTPS as a ranking signal since 2014.

The good news is that SSL certificates are now free for most websites, thanks to Let’s Encrypt — a non-profit certificate authority backed by major tech companies. This guide explains the different types of SSL certificate, how to install one, and how to configure WordPress to use HTTPS correctly after installation.

Types of SSL certificate: DV, OV and EV

SSL certificates come in three validation levels. Domain Validation (DV) certificates — which Let’s Encrypt issues for free — verify that you control the domain and issue within minutes. They display the padlock in the browser address bar and encrypt the connection. For the vast majority of websites, DV certificates provide all the security benefit visitors need.

Organisation Validation (OV) certificates verify the legal identity of the organisation behind the website in addition to domain control. Extended Validation (EV) certificates require the most rigorous identity verification. OV and EV certificates cost between £50 and several hundred pounds per year. They do not offer stronger encryption than DV certificates — the same TLS protocol is used — but they provide a higher level of identity assurance, which matters for banks, financial services and organisations where trust signals are critical.

Installing a free SSL certificate via Let’s Encrypt

If your hosting uses cPanel, look for the “SSL/TLS” or “Let’s Encrypt” section in your control panel. Most cPanel hosts now include AutoSSL, which automatically issues and renews a Let’s Encrypt certificate for all domains on your account. Enable it and your SSL certificate is installed within minutes, with automatic renewal every 90 days — you never need to think about it expiring.

If your host uses Plesk, the Let’s Encrypt extension is available from the Plesk marketplace and can be installed by your hosting administrator. For servers you manage yourself, the Certbot tool from the Electronic Frontier Foundation automates Let’s Encrypt certificate issuance and renewal via the command line. Cloudflare also provides a free SSL certificate at the network edge if you proxy your site through their service.

Configuring WordPress to use HTTPS

Installing the SSL certificate is only half the job. You also need to ensure WordPress serves all its content over HTTPS. In Settings > General in the WordPress dashboard, update both the WordPress Address and Site Address fields to start with https:// rather than http://. This tells WordPress to generate HTTPS links throughout your site.

Next, set up a 301 redirect from HTTP to HTTPS so that anyone visiting the old HTTP version of your site is automatically redirected to the secure version. In cPanel hosting, you can do this via the Redirects tool or by adding redirect rules to your .htaccess file. Also run a search-and-replace in your database to update any hardcoded http:// URLs in your content to https:// — the Better Search Replace plugin handles this easily. Finally, check your site for mixed content warnings (HTTPS pages loading HTTP resources) using a browser developer tool or a plugin such as SSL Insecure Content Fixer.

FAQs

Common questions.

Do I need to renew my SSL certificate every year?
Let’s Encrypt certificates expire after 90 days but renew automatically if your server is configured correctly. Paid SSL certificates from commercial certificate authorities typically expire after one or two years and require manual or automated renewal. Most quality hosting providers handle automatic renewal for you regardless of which type you use — check your host’s documentation to confirm.
Will installing an SSL certificate slow down my website?
The overhead of TLS handshake negotiation adds a small amount of latency to the first connection from a visitor’s browser, typically a few milliseconds. Subsequent requests on the same connection reuse the established session and incur no additional overhead. In practice, for the vast majority of visitors, installing SSL has no perceptible impact on page load speed.
My site shows “Not Secure” even after installing SSL — what’s wrong?
This is almost always a mixed content issue: your page is loaded over HTTPS but references at least one resource (an image, script or stylesheet) over HTTP. The browser degrades the security indicator to warn about the unencrypted resource. Use the browser developer tools (F12 > Console) to identify the specific HTTP resources and either update the URLs to HTTPS or remove the resources.
Related guides

More on web design & ux.

Want a hand putting this into practice?

Book a free, no-obligation consultation with a Norwich-based specialist.

Book a free consultation
Get started

Let's put your business in a better light.

Book a free, no-pressure consultation. We'll talk through your goals and tell you honestly what we'd do — whether you work with us or not.

  1. 01
    Tell us a bitFill in the form — two minutes, tops.
  2. 02
    We'll call you backWithin one working day, no pressure.
  3. 03
    Get a clear planHonest advice and a fixed quote.

Free · No obligation · We reply within one working day

Book a free consultation