Answers · Tampa Bay

How Do I Add SSL to My WordPress Site?

How to add SSL (HTTPS) to a Tampa WordPress site for free — using Let’s Encrypt, the right plugin, and avoiding common mixed content errors.

4 minRead time
1,000Words
Quick answerFormat
Get a fixed-price quote → Get the $500 audit
Short answer

Don’t pay for an SSL certificate. Every modern WordPress host (Kinsta, WP Engine, Cloudways, SiteGround, even Bluehost) includes free SSL via Let’s Encrypt — usually one-click to enable. After enabling it on the server, install the Really Simple SSL plugin to handle the WordPress side. The whole process takes 10 minutes and costs $0.

Why SSL matters

SSL (now called TLS, but everyone still says SSL) is what makes your URL start with https:// instead of http:// and shows the padlock icon in browsers. It encrypts data sent between visitor and server, which matters for:

  • Forms — name, email, phone, message, any data they submit
  • Logins — preventing eavesdropping on admin credentials
  • E-commerce — payment data, addresses, customer details
  • Trust signals — visitors expect HTTPS, and Chrome/Safari warn them about HTTP sites
  • SEO — Google has used HTTPS as a ranking factor since 2014
  • Modern features — many web APIs (geolocation, service workers, payment APIs) require HTTPS

A WordPress site without SSL in 2026 looks broken to visitors and unprofessional to Google. It’s table stakes.

The “don’t pay” answer

In the past, SSL certificates cost $50 to $500 per year. Companies like GeoTrust, Comodo, and DigiCert sold them as a recurring expense.

That world is gone. Let’s Encrypt — a free, automated, nonprofit certificate authority — provides SSL certificates that browsers trust the same as paid ones. Every quality web host integrates Let’s Encrypt and offers free SSL.

If a host or developer tries to sell you a $99/year SSL certificate, push back. The free Let’s Encrypt cert is identical for the purposes you care about — encryption strength, browser trust, padlock icon, SEO.

When paid SSL still makes sense (rare)

Paid SSL certificates still exist for specific cases:

  • Extended Validation (EV) SSL — used to show the company name in the address bar. Browsers stopped showing this prominently around 2019. Mostly pointless now.
  • Wildcard SSL covering all subdomains — Let’s Encrypt offers this for free too, but some hosts charge for it. $20 to $80/year if needed.
  • Site Seals — visual badges from Norton, McAfee, etc. Some users find them trust-building. $50 to $200/year. Marginal value.

For 99% of Tampa businesses, free Let’s Encrypt is plenty.

How to add SSL: the actual steps

Step 1: Enable SSL on your host

This is host-specific but usually obvious:

  • Kinsta: MyKinsta dashboard → your site → Tools → “Generate SSL Certificate” → done
  • WP Engine: User Portal → site → SSL → “Add Certificate” → free Let’s Encrypt
  • Cloudways: Application → SSL Certificate → Let’s Encrypt → Enter email → Install
  • SiteGround: Site Tools → Security → SSL Manager → Let’s Encrypt → Install
  • Rocket.net: Dashboard → SSL → Auto-issued, no action needed
  • Bluehost / HostGator: cPanel → SSL/TLS Status → enable Let’s Encrypt
  • GoDaddy: Hosting Account → SSL Certificates → AutoSSL (sometimes hidden)

If your host doesn’t have a clear “Let’s Encrypt” option, contact support and ask them to enable it. Every quality host has this.

After this step, your site should respond at https://yourdomain.com — but WordPress still won’t fully use it yet.

Step 2: Force WordPress to use HTTPS

WordPress stores its base URL in the database. After enabling SSL, you need to tell WordPress to use HTTPS for everything.

The easy way:

  1. Install the Really Simple SSL plugin (free)
  2. Activate it
  3. Click “Go ahead, activate SSL”
  4. Plugin handles the rest — updates URLs, sets redirects, fixes most mixed content issues

The manual way:

  1. Go to WordPress Settings → General
  2. Change “WordPress Address (URL)” and “Site Address (URL)” from http:// to https://
  3. Save (you’ll be logged out)
  4. Log back in over HTTPS
  5. Set up server-level 301 redirects from HTTP to HTTPS

The manual way is fine if you’re comfortable, but Really Simple SSL handles edge cases (mixed content, redirects, HSTS headers) automatically.

Step 3: Check for mixed content errors

After SSL is enabled, some pages may still load resources (images, scripts, stylesheets) over HTTP. Browsers flag this as “mixed content” — the page is partially secure, which breaks the padlock.

Common sources of mixed content:

  • Hardcoded image URLs in pages or posts (http://yoursite.com/image.jpg)
  • Embedded YouTube/Vimeo videos using HTTP iframe URLs
  • External fonts or stylesheets loaded over HTTP
  • Theme or plugin files hardcoded with http://

How to fix:

  1. Open your site in Chrome
  2. Right-click → Inspect → Console tab
  3. Look for “Mixed Content” warnings
  4. Click each warning to find the source URL
  5. Edit the post/page/theme to use https:// or relative URLs

Really Simple SSL catches most of these automatically. A few stubborn ones may need manual fixes.

Step 4: Verify the certificate

Visit:

  • https://yourdomain.com — should show padlock, no warnings
  • https://www.yourdomain.com — same
  • https://yourdomain.com/contact (or any internal page) — same
  • https://yourdomain.com/wp-admin — login over HTTPS

Run a free check at:

  • ssllabs.com/ssltest — gives you a grade (aim for A or A+)
  • whynopadlock.com — explains any specific issues

A Let’s Encrypt certificate properly installed will typically score A on SSL Labs. A misconfigured one will fail.

Step 5: Set up auto-renewal

Let’s Encrypt certificates expire every 90 days. They auto-renew on most hosts — but verify yours does. If a cert expires unexpectedly, your site shows scary “not secure” warnings to all visitors until it renews.

Most managed WordPress hosts handle renewal automatically. cPanel-based hosts (Bluehost, HostGator) usually have “AutoSSL” enabled by default. Confirm in your host dashboard.

Common SSL gotchas

1. Mixed content from hardcoded URLs

Already covered. The most common issue post-migration.

2. WordPress Address vs. Site Address

These can be different things. Generally, set both to HTTPS. If one is wrong, you’ll get redirect loops.

3. CDN configuration

If you use Cloudflare or another CDN, SSL configuration is more complex. Cloudflare’s “Full (strict)” SSL mode is correct for most setups. “Flexible” mode is wrong and causes redirect loops.

4. Cached pages serving HTTP

If you had caching enabled before adding SSL, cached versions of pages may still link to HTTP resources. Flush all caches after enabling SSL.

5. Email being forgotten

SSL covers your website, not your email. If you use yourdomain.com for email, the email server has its own SSL setup. Usually handled by your email host (Google Workspace, Microsoft 365), not WordPress.

6. Subdomains not covered

Let’s Encrypt issues per-domain certificates by default. If you have staging.yourdomain.com or shop.yourdomain.com, each subdomain needs its own certificate (or a wildcard cert that covers all subdomains).

What about HSTS?

HSTS (HTTP Strict Transport Security) is an extra security header that tells browsers “always use HTTPS for this site, never even try HTTP.” Stronger than just redirecting HTTP to HTTPS.

Most modern setups should enable HSTS. Really Simple SSL Pro adds this. Some hosts add it at the server level. Once enabled, it’s hard to undo — browsers will refuse to load your site over HTTP for the HSTS duration, even if SSL breaks. So enable it once your SSL setup is verified solid.

SEO impact of switching to HTTPS

When you move from HTTP to HTTPS:

  • Set up 301 redirects from every HTTP URL to the matching HTTPS URL
  • Update Google Search Console — add https:// version as a separate property
  • Update Google Analytics — set the default URL to HTTPS
  • Update internal links — most CMS handles this, but check hardcoded references
  • Update external link sources where reasonable (your social profiles, business listings)

Done right, the SEO impact is positive over a few weeks. Done sloppily (broken redirects, mixed content), you can temporarily drop in rankings until fixed.

What if SSL won’t work?

Edge cases:

  • Old hosting: Some legacy shared hosting doesn’t support Let’s Encrypt. Time to migrate. See how to migrate WordPress to a new host.
  • DNS issues: Let’s Encrypt needs to verify domain ownership. If DNS isn’t properly configured, the certificate won’t issue.
  • WAF interference: Some firewalls block the Let’s Encrypt verification challenge. Whitelist the verification endpoints.
  • Self-signed certificates: If you see a cert but browsers don’t trust it, your host issued a self-signed cert instead of Let’s Encrypt. Contact support.

If basic Let’s Encrypt setup fails, almost always the problem is host configuration or DNS, not WordPress.

Bottom line

Adding SSL to a WordPress site in 2026 is free, fast (10 minutes), and required. Use Let’s Encrypt through your host. Install Really Simple SSL to handle the WordPress side. Verify with ssllabs.com. Don’t pay for an SSL certificate unless you have a very specific edge case. See is WordPress secure for the broader security context, and our recommended WordPress setup for Tampa businesses for the full stack.

Web Design Tampa Florida

Got a more specific question about your project?

Send the details — we reply within one business day with a straight answer, no sales theater. Or book the 30-minute discovery call directly.

Get a fixed-price quote → Get the $500 audit
1 day
Reply window · no sales call required