Buying an SSL/TLS certificate (or using a free one) is just one of a few steps to secure your WordPress website over HTTPS. Learn how to activate SSL on WordPress and benefit from serving a secure website to visitors. In this article, the process of activating SSL/TLS is broken down into three steps, including how to fix mixed content warnings in WordPress and showing the green lock icon in your browser.

1. Buy and Install Your SSL/TLS Certificate

Before you begin any other step, you need to have a valid certificate installed on your web host, whether it's free or one you bought from a certificate authority (CA) like Comodo SSL. Without a valid CA-signed certificate installed (self-signed certificates aren't considered secure in production), visitors will get the red lock icon and/or see a security warning in their browser.

[Screenshot: activating SSL on WordPress in Plesk]

Cyberia Technologies web hosting integrates with Let's Encrypt SSL, a free certificate authority (CA) with backing by major companies like Google, Mozilla, and Cisco. The installation is simple and can be done in a matter of seconds. Your domain must be live (DNS records must be pointing to your host) before Let's Encrypt will issue an SSL certificate. Each web host is different and the interface will differ as a result. For example, a cPanel host might allow you to install an SSL certificate through an interface like this:

[Screenshot: activating SSL on WordPress in cPanel]

Contact support at your hosting provider to find out if they offer Let's Encrypt SSL/TLS certificates. If you are a Cyberia Technologies customer and have any questions or trouble, you can email support.

2. Navigate to WordPress Dashboard > Settings > General

The next step in how to activate SSL on WordPress is to configure or "tell" your WordPress installation to use it. This is done by adding the 's' in the URL (http:// to https://) in the fields marked 'WordPress Address' and 'Site Address'. Click 'Save' after making the changes to both fields.

[Screenshot: WordPress General Settings with the 'WordPress Address' and 'Site Address' fields]

WordPress will log you out automatically—this is normal. Simply log back in with your administrator username and password, and you're ready for the next step!

3. Install 'Better Search Replace' Plugin & Navigate to the Settings Tab

This step ensures your WordPress site uses HTTPS consistently instead of HTTPS for only some links and HTTP for the rest. Though this step is key to fixing WordPress mixed content warnings, it requires some level of technical competence. To accomplish this, we'll need to find and replace the links in the database pointing to images, attachments, or theme files that are still using the non-secure protocol.

From your WordPress Dashboard, select 'Add New Plugin' and type 'Better Search Replace' into the search box. Click 'Install' and then 'Activate'. Next, go to Dashboard > Tools and select 'Better Search Replace'.

[Screenshot: Better Search Replace settings used to fix mixed content warnings]

Referencing the screenshot above, the first field is for the old, non-secure domain (take note of the absence of 's' in 'http'). The second field is for the new secure domain protocol (https). The correct settings to be used are highlighted in purple.

Remember to take extreme care not to mistype or misspell anything in either field. Double check protocols, the placement of the colon, if the double forward slashes are present, etc. Making a backup of your database might not be a bad idea either, since a mistake here can potentially break your website.
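Why a mistake here can break the site, shown as an added example (not code from the plugin or from this article): WordPress stores many settings as PHP-serialized strings that carry a byte-length prefix, so a plain text substitution of http:// with https:// leaves that prefix one byte short. The function names and the sample row are constructed for illustration, and nested serialized strings are not handled.

```python
import re

TOKEN = re.compile(rb's:(\d+):"')  # start of a PHP-serialized string: s:<byte length>:"

def walk(data):
    """Yield (token_start, value_start, value_end) for each string token.
    value_end is None when the declared length does not land on the closing '";'."""
    i = 0
    while (m := TOKEN.search(data, i)):
        start = m.end()
        end = start + int(m.group(1))
        if data[end:end + 2] == b'";':
            yield m.start(), start, end
            i = end + 2          # skip the value so its contents are never re-scanned
        else:
            yield m.start(), start, None
            i = m.end()

def lengths_consistent(data):
    """True if every declared string length matches the bytes that follow it."""
    return all(end is not None for _, _, end in walk(data))

def replace_in_serialized(data, old, new):
    """Replace old with new inside string values and rewrite each length prefix."""
    out, pos = bytearray(), 0
    for tok, start, end in walk(data):
        if end is None:
            continue             # leave a malformed token untouched
        value = data[start:end].replace(old, new)
        out += data[pos:tok] + b's:%d:"%s";' % (len(value), value)
        pos = end + 2
    return bytes(out + data[pos:])

# Constructed sample of an option value as it might sit in the database.
ROW = b'a:2:{s:4:"logo";s:31:"http://example.com/img/logo.png";s:5:"title";s:4:"Home";}'
OLD, NEW = b"http://example.com", b"https://example.com"

if __name__ == "__main__":
    naive = ROW.replace(OLD, NEW)                  # prefix still says 31, value is 32 bytes
    print("naive replace consistent:", lengths_consistent(naive))
    fixed = replace_in_serialized(ROW, OLD, NEW)
    print("length-aware replace consistent:", lengths_consistent(fixed))
    print(fixed.decode())
```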

Next, select all the tables (SHIFT + L Mouse click on PC) or select them one by one (CTRL + L Mouse click). Tick the GUID checkbox if your site is new or is a test site. The dry run checkbox must be unchecked in order to run the operation.

To finish, simply click 'RUN Search/Replace' at the bottom. If successful, you will see a notice at the top of the page with the number of non-secure URLs the plugin was able to find and secure.
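One way to confirm the replacement worked is to scan a rendered page for subresources still loaded over http://. The following is an added example, not part of the original article or the plugin; the host names and the sample HTML are constructed. It separates URLs on your own site, which the search/replace should have fixed, from third-party URLs that have to be fixed at their source.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Active content (scripts, stylesheets, iframes) can change the whole page and is
# what browsers treat most strictly; passive content (images, media) only displays.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if not value or (tag, name) not in ACTIVE | PASSIVE:
                continue
            if tag == "link" and "stylesheet" not in rel:
                continue  # canonical/alternate links are not loaded as subresources
            url = urlparse(value.strip())
            if url.scheme != "http":
                continue
            kind = "active" if (tag, name) in ACTIVE else "passive"
            owner = "own-site" if url.hostname == self.site_host else "third-party"
            self.findings.append((kind, owner, value.strip()))

def find_mixed_content(html, site_host):
    """Return (kind, owner, url) for every subresource still requested over http://."""
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page source for a site served from https://example.com/.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="https://example.com/wp-content/uploads/ok.png">
<script src="http://cdn.example.net/widget.js"></script>
<a href="http://example.org/">plain link, not a subresource</a>
"""

if __name__ == "__main__":
    for kind, owner, url in find_mixed_content(SAMPLE, "example.com"):
        print(f"{kind:8} {owner:12} {url}")
```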

That's it! Now You Know How to Activate SSL on WordPress

You've learned how to activate SSL on WordPress and your site will be served to visitors with a green lock icon. If you don't see a lock icon yet, refresh the page or try another browser.

Note 1: This secures your WordPress site and everything hosted inside it. If you have external pictures, content, or third party scripts, i.e. hotlinked content or embedded iframes, they must still be secured on their own host.

Note 2: It's a good idea to review your Google Analytics and Google Search Console properties so they use the newly secured URL (https://).

Note 3: To be thorough, we also recommend you set up a 301 redirect from the old, non-secure URL to your secure domain. This way visitors and search engines trying to reach your site will seamlessly arrive on the secure domain. This can be done either by your host or from inside WordPress.

Note 4: Your website SEO rankings or "link juice" may take some time to settle, though this is necessary in order to activate SSL on WordPress correctly.

In this day and age, your business website needs safeguards in place to protect against cyber attacks. Though our managed WordPress hosting customers benefit from several security measures, many web hosting providers don't offer any mitigation against website hacks/data loss. No matter which web host you use, we'll share with you 5 easy steps to secure WordPress and protect from hackers. These should be easy to implement and won't involve any coding.

Only Big Companies Need to Secure WordPress and Protect from Hackers, Right?

Wrong. Indeed, the public does see headlines about their personal data being dumped on the dark web from a big corporate hack every year or so. Yahoo, Sony, and Equifax are some of the (in)famous data breaches you may have heard of. But if you think only enterprise businesses are in a hacker's crosshairs, you're being misled. Without mitigation, you may be choosing to put your business (and customers) at risk.

1. Install a WordPress Security Plugin like Wordfence

Use a security plugin for WordPress, like Wordfence or iThemes Security, to shut down the most common attack vectors without much setup. Many critically important features are included even with the free version of Wordfence. When you visit the Wordfence Options tab inside the Dashboard, you can customize the thoroughness of scans and log keeping. Within just minutes, you will enjoy significantly greater protection.

2. Take Regular Backups of Your WordPress Site

Creating backups is important, not only in the event of an infection you can't clean, but also in case your website breaks (i.e. after a bad update). We recommend a regular schedule of weekly or monthly WordPress backups by default. If you need to run a different backup schedule, you might want to factor in the following:

Luckily, there is no shortage of both free and premium backup tools, so you only need to be aware of what's needed as a minimum. A complete WordPress backup consists of two parts: the standard PHP files, images, etc.—and the database (a specially exported .SQL file). You need both parts to have a working backup—if you try to restore an old backup without the database, your backup is worthless.

We recommend UpdraftPlus or Duplicator to create a restore point or snapshot. The backups can be stored on your web host or externally in Google Drive, Dropbox, or AWS. If you're a Cyberia Technologies hosting customer, you're already benefiting from server-side automatic backups, meaning there is no need for a third-party solution. Server-side WordPress backups can be restored by logging into the control panel.

3. Sign Up for a Cloudflare Plan (it's FREE)

Cloudflare is a DNS (Domain Name System) provider built on a philosophy of security and speed. The free plan from Cloudflare even includes DDoS protection, a global content delivery network (CDN), zero-trust access protection for 5 users, & more.

4. Personalize Your WordPress Login Slug

It's well known by the WordPress community that you can visit the default login page for any WordPress site by going to Given how popular WordPress is, this means anyone can try to gain entry to your website through this very predictable login slug. Changing it to something unique enough that an outsider can't guess will remove this potential attack vector.

5. Randomize Your WordPress Database Prefix

By default all WordPress database tables start with "wp_" as a prefix, meaning any hacker can easily predict your database structure. MySQL injections and other database vulnerabilities become much easier from that point onward. Use a tool to customize your WordPress table prefixes to something completely unique/random, i.e. "w2ZbEq_". If you're a Cyberia Technologies customer, you can randomize the database prefix via the 1-click security tab in WordPress Toolkit. Otherwise you can search for a plugin in the WordPress repository to automatically do this.

In Conclusion...

Your business and your customers rely on the safety and security of your website. Although none of the above 5 steps will guarantee you won't be hacked, you'll avoid becoming low-hanging fruit for hackers. Since most small businesses don't recover from security breaches, it's worth it to review our 5 easy steps to secure WordPress and protect from hackers every so often.
