How to Set Up SSL on Your Website: Installation and Configuration Guide

Setting up SSL on your website involves installing an SSL certificate on your hosting server, configuring HTTPS redirects so all traffic uses the encrypted connection, fixing any mixed content issues where resources still load over HTTP, and verifying the configuration with a testing tool. Most modern hosting providers include free SSL certificates from Let's Encrypt with one-click installation, making the process a 10-minute task rather than the complex manual procedure it was years ago. Hosted platforms like Shopify and Squarespace include SSL automatically with no setup required.

Before You Start

Check whether your hosting provider already includes SSL. SiteGround, Cloudways, Kinsta, Hostinger, Bluehost, A2 Hosting, and most reputable hosting providers include free Let's Encrypt SSL certificates with automatic installation and renewal. If your provider includes SSL, you may only need to activate it in your hosting dashboard rather than installing it manually. For hosted ecommerce platforms like Shopify, BigCommerce, and Squarespace, SSL is included and active by default with no action required from you.

You need your domain pointed to your hosting server before installing SSL. The SSL certificate is tied to your domain name, and the certificate authority verifies you control the domain by checking DNS records or placing a verification file on your server. If you recently registered your domain or changed your DNS settings, allow 24 to 48 hours for propagation before attempting SSL installation. The SSL certificates guide covers the different types of certificates and when free vs paid certificates make sense.

Step-by-Step SSL Setup

Step 1: Check if SSL is already installed or available through your host.
Log into your hosting control panel and look for SSL, Security, or Let's Encrypt in the menu. On cPanel hosting, find the "SSL/TLS Status" or "Let's Encrypt SSL" tool in the Security section. On Cloudways, go to your application's SSL Certificate settings. On SiteGround's Site Tools, navigate to Security, SSL Manager. If you see your domain listed with an active certificate, SSL is already installed and you can skip to Step 3 (configuring HTTPS redirect). If you see an option to install or activate Let's Encrypt, proceed to Step 2. If your hosting does not offer Let's Encrypt, you can add SSL through Cloudflare (free plan includes SSL) or by purchasing a certificate from a provider like SSLs.com or Comodo.

Step 2: Install the SSL certificate.
On cPanel hosting with Let's Encrypt: Open the "Let's Encrypt SSL" or "SSL/TLS Status" tool, select your domain from the list, and click "Issue" or "Install." The tool automatically generates a certificate, validates your domain ownership, and installs the certificate on your server. The process takes 1 to 5 minutes. Enable auto-renewal to prevent the certificate from expiring (Let's Encrypt certificates are valid for 90 days and must be renewed).

On Cloudways: Go to your application, click SSL Certificate, select "Let's Encrypt," enter your email address and domain name, and click Install. Cloudways handles installation and auto-renewal automatically.

On SiteGround: Open Site Tools, go to Security, SSL Manager, select your domain, choose "Let's Encrypt" as the SSL type, and click Get. SiteGround installs the certificate and enables auto-renewal.

Using Cloudflare (any hosting): If your hosting does not support Let's Encrypt, sign up for a free Cloudflare account, add your domain, and update your domain's nameservers to Cloudflare's nameservers. Cloudflare automatically provides SSL between visitors and Cloudflare's servers. Set the SSL mode to "Full" (or "Full (Strict)" if your origin server also has a certificate) in Cloudflare's SSL/TLS settings. This provides encryption for visitors without requiring you to install a certificate on your origin server, though "Full (Strict)" mode with an origin certificate is more secure.

Manual certificate installation: If you purchased a certificate from a certificate authority, you received three files: the certificate file (.crt), the private key (.key), and the CA bundle (intermediate certificates). In cPanel, go to SSL/TLS, then "Install and Manage SSL for your site," select your domain, paste the certificate in the Certificate field, paste the private key in the Private Key field, and paste the CA bundle in the Certificate Authority Bundle field. Click "Install Certificate." On Nginx or Apache without cPanel, you need to edit the server configuration files to specify the paths to these certificate files.

Step 3: Configure HTTPS redirect.
After SSL is installed, configure your server to automatically redirect all HTTP requests to HTTPS. This ensures that visitors who type your domain without https:// or follow old HTTP links are automatically redirected to the secure version. On many managed hosting providers (SiteGround, Cloudways, Kinsta), HTTPS redirect is enabled automatically when SSL is installed, or can be toggled in the SSL settings panel.

On Apache servers (most cPanel hosting): Add the following rules to your .htaccess file in your website's root directory (public_html):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This creates a permanent (301) redirect from HTTP to HTTPS for all pages.

On WordPress: Update your WordPress Address and Site Address in Settings, General from http:// to https://. Install the Really Simple SSL plugin for automatic redirect configuration and mixed content fixing, or add the Apache redirect rules to your .htaccess file manually.

On Cloudflare: Enable "Always Use HTTPS" in SSL/TLS, Edge Certificates. This redirects all HTTP requests to HTTPS at the Cloudflare level before they reach your server.

Step 4: Fix mixed content issues.
Mixed content occurs when your HTTPS page loads some resources (images, scripts, stylesheets, fonts) over plain HTTP. Browsers block or warn about mixed content because it undermines the security of the HTTPS connection. Common sources of mixed content are images inserted in blog posts or page content with hardcoded http:// URLs, theme or plugin files that reference external resources using HTTP, custom CSS with background images using HTTP URLs, and embedded content (iframes, videos) loaded over HTTP.

For WordPress, the Really Simple SSL plugin automatically fixes most mixed content by rewriting HTTP URLs to HTTPS on the fly. For a permanent fix, use a database search-and-replace tool to change all http://yourdomain.com references to https://yourdomain.com. The WP-CLI command wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' handles this efficiently including serialized data.

For non-WordPress sites, search your HTML, CSS, and JavaScript files for http:// references to your own domain and change them to https:// or use protocol-relative URLs starting with // (like //yourdomain.com/image.jpg). Check browser developer tools (F12, Console tab) for mixed content warnings that identify the specific resources causing issues.
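
A scanner for the mixed content sources listed in Step 4, as an added example that is not part of the original guide: it reports http:// subresources by line and separates blockable (active) loads from passive ones and CSS url() references. The names MixedContentScanner, scan_html and SAMPLE are illustrative, and the sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource: browsers block "active" ones
# and upgrade or warn on "passive" ones. <a href> and rel=canonical fetch nothing.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        self._in_style = tag == "style"
        css_link = tag == "link" and "stylesheet" in attrs.get("rel", "").lower()
        for name, url in attrs.items():
            if name == "style":  # inline style attribute
                self._scan_css(url, line, tag)
            elif url.lower().startswith("http://"):
                if (tag, name) in ACTIVE or (css_link and name == "href"):
                    self.findings.append((line, "active", tag, url))
                elif (tag, name) in PASSIVE:
                    self.findings.append((line, "passive", tag, url))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self._scan_css(data, self.getpos()[0], "style")

    def _scan_css(self, css, line, tag):
        for match in CSS_URL.finditer(css):
            self.findings.append((line, "css", tag, match.group(1)))

def scan_html(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="http://example.test/theme.css">
<style>body { background: url('http://example.test/bg.png'); }</style>
<a href="http://example.test/old"><img src="http://example.test/logo.png"></a>
<script src="http://cdn.example.test/app.js"></script>"""
```

Calling scan_html(SAMPLE) reports the stylesheet, the CSS background, the image and the script, but not the plain link around the image.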

Step 5: Verify and test your SSL configuration.
Run the free Qualys SSL Labs test on your domain. Enter your domain and wait for the full analysis (it takes 2 to 3 minutes). Aim for an A or A+ rating. Common issues that lower your score include supporting outdated TLS 1.0 or TLS 1.1 protocols (disable them in your server configuration, as no modern browser requires them), weak cipher suites, missing HSTS header, and incomplete certificate chains (where the CA bundle or intermediate certificate is not installed).

Test your site manually by visiting every major page type (homepage, product pages, blog posts, checkout, account pages) and verifying the padlock icon appears on each page with no mixed content warnings. Check in multiple browsers (Chrome, Firefox, Safari) because mixed content handling varies slightly between browsers. Use the browser developer tools console to identify any remaining mixed content warnings.

After confirming SSL works correctly, add HSTS (HTTP Strict Transport Security) headers to tell browsers to always use HTTPS. On Apache, add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" to your .htaccess or server configuration. On Cloudflare, enable HSTS in SSL/TLS, Edge Certificates with a max-age of 12 months. HSTS prevents SSL stripping attacks and eliminates the HTTP to HTTPS redirect latency for returning visitors.
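
An added example (not from the original guide) that checks the two header-level results of Steps 3 and 5: a permanent redirect to https:// and an HSTS policy at least as long as the max-age shown above. The function names and the sample responses are illustrative assumptions; fetch() is the only part that needs network access.

```python
import http.client
from urllib.parse import urlsplit

def fetch(scheme, host):
    """Live helper (needs network): GET / without following redirects."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def parse_hsts(value):
    """Return (max_age, include_subdomains); max_age is None if absent or invalid."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdecimal():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit(http_resp, https_resp, min_age=31536000):
    """Each argument is (status, headers) for GET / over that scheme."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status not in (301, 308):
        findings.append(f"http: status {status} is not a permanent redirect")
    elif urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("http: redirect target is not https://")
    # Browsers only honour HSTS received over HTTPS, so only that response counts.
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("https: no valid Strict-Transport-Security header")
    elif max_age < min_age:
        findings.append(f"https: HSTS max-age {max_age} is below {min_age}")
    return findings

# Constructed responses: a temporary redirect with a one-hour HSTS policy,
# and the configuration this guide aims for.
WEAK = ((302, {"Location": "https://example.test/"}),
        (200, {"Strict-Transport-Security": "max-age=3600"}))
GOOD = ((301, {"Location": "https://example.test/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

For a live check, pass audit(fetch("http", host), fetch("https", host)) with your own domain as host.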

SSL on Specific Platforms

Shopify: SSL is included automatically for all stores. Every Shopify store gets a free SSL certificate covering both the myshopify.com subdomain and any custom domain. No installation or configuration is needed. If you connected a new custom domain and SSL is not yet showing, allow up to 48 hours for automatic provisioning.

WooCommerce: SSL depends on your hosting provider. After installing SSL through your host, update WordPress Address and Site Address to https:// in Settings, General. WooCommerce will force SSL on checkout pages automatically once WordPress is configured for HTTPS. Verify that your entire store loads over HTTPS, not just the checkout.

Squarespace: SSL is included automatically for all sites with no configuration needed.

BigCommerce: SSL is included automatically for all stores. Custom domains receive automatic SSL provisioning. Shared SSL is also available for the checkout process.

Common SSL Problems and Fixes

"Your connection is not private" error: This usually means your SSL certificate has expired, is not yet active (DNS has not propagated), or is installed for the wrong domain. Check the certificate details by clicking the padlock icon (or the "Not Secure" warning) in your browser. If expired, renew through your hosting control panel. If installed for the wrong domain, reissue the certificate for the correct domain name.

Redirect loop (ERR_TOO_MANY_REDIRECTS): This happens when your server and Cloudflare (or another proxy) create competing redirects. If you use Cloudflare, set the SSL mode to "Full" or "Full (Strict)" instead of "Flexible." Flexible SSL connects to your origin server over HTTP, which your server then redirects to HTTPS, which Cloudflare redirects back to HTTP, creating an infinite loop.

SSL works on the main domain but not subdomains: Standard SSL certificates cover only the specific domain they are issued for (yourdomain.com and www.yourdomain.com). If you use subdomains like shop.yourdomain.com or blog.yourdomain.com, you need either a wildcard certificate (*.yourdomain.com) or separate certificates for each subdomain. Let's Encrypt issues wildcard certificates at no cost.

Mixed content after migration: When migrating to a new host, old HTTP URLs in your database content survive the migration. Run a database search-and-replace to update all references from HTTP to HTTPS on the new server.