Security

SSL setup for WordPress, done properly.

Free Let's Encrypt or paid OV/EV certificates, HTTP-to-HTTPS migration without mixed-content warnings, TLS 1.3 and HSTS hardening.

SSL is free, mandatory, and still set up wrong on a surprising number of WordPress sites. The certificate is installed but mixed-content warnings appear because some assets are still loading over HTTP. The redirect from HTTP to HTTPS is missing or loops. TLS 1.0 and 1.1 are still enabled, failing modern security scans. HSTS is missing, leaving the site vulnerable to downgrade attacks. None of these are hard to fix, but they need to be fixed properly.

The setup itself is straightforward: provision a Let's Encrypt certificate (free, auto-renewing), or install a paid OV/EV certificate where business identity verification matters. Both secure traffic equivalently from a cryptography standpoint. We almost always recommend Let's Encrypt for cost and convenience; the only reason to pay is for the visible company name in the certificate, which matters for enterprise and finance.

The migration from HTTP to HTTPS is where things go wrong. Search-and-replace across the database must update every http:// URL to https:// — across posts, options, postmeta, usermeta and serialised data. Hard-coded asset URLs in custom themes need updating. Third-party scripts (analytics, fonts, embeds) need to be loaded over HTTPS or relative URLs. A server-level redirect from HTTP to HTTPS needs to be in place. Get any of these wrong and you see mixed-content warnings or browsers refusing to load resources.
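Serialised data is the part of that search-and-replace that a plain SQL `REPLACE()` breaks: PHP stores every string with a byte-length prefix, and `http://` to `https://` adds one byte per URL. The following is an added example, not the author's tooling; it walks the PHP serialisation format and recomputes the prefixes, and the `example.test` origin and sample option value are constructed for illustration.

```python
# Added example, not the page's own tooling. OLD/NEW are a constructed origin.
OLD, NEW = b"http://example.test", b"https://example.test"

def _rewrite(buf, pos, out):
    """Copy one PHP-serialised value at buf[pos] into out; return the next offset."""
    tag = buf[pos:pos + 1]
    if buf[pos:pos + 2] == b"N;":                      # null
        out.append(b"N;")
        return pos + 2
    if buf[pos + 1:pos + 2] != b":":
        raise ValueError("not a serialised value")
    if tag in (b"b", b"i", b"d"):                      # scalars: copy through ';'
        end = buf.index(b";", pos) + 1
        out.append(buf[pos:end])
        return end
    if tag == b"s":                                    # s:LEN:"bytes";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                              # skip the ':"' before the payload
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match payload")
        new = buf[start:start + length].replace(OLD, NEW)
        out.append(b's:%d:"%s";' % (len(new), new))    # length prefix recomputed in bytes
        return start + length + 2
    if tag in (b"a", b"O"):                            # a:N:{...} or O:L:"cls":N:{...}
        brace = buf.index(b"{", pos)
        header = buf[pos:brace + 1]
        count = int(header[:-2].rsplit(b":", 1)[1])
        out.append(header)
        pos = brace + 1
        for _ in range(count * 2):                     # alternating keys and values
            pos = _rewrite(buf, pos, out)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated container")
        out.append(b"}")
        return pos + 1
    raise ValueError("unknown type tag")

def migrate_value(value):
    """Rewrite OLD to NEW in one database field, serialised or plain text."""
    out = []
    try:
        if _rewrite(value, 0, out) != len(value):
            raise ValueError("trailing bytes")
        return b"".join(out)
    except ValueError:
        return value.replace(OLD, NEW)                 # not parseable as serialised: plain text

# Constructed wp_options-style value (an array holding one URL and one integer).
SAMPLE = b'a:2:{s:4:"logo";s:32:"http://example.test/img/logo.png";s:5:"width";i:120;}'
```

A naive `SAMPLE.replace(OLD, NEW)` leaves the `s:32:` prefix on a 33-byte string, which PHP then refuses to unserialise; `migrate_value(SAMPLE)` emits `s:33:` instead.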

After SSL is live, we harden the configuration. Disable TLS 1.0 and 1.1 (still enabled by default on many hosts). Enable TLS 1.3 for faster handshakes. Enable HSTS with a sensible max-age (start at 1 day, ramp to 1 year once you're confident). Score A+ on SSL Labs. Enable HTTP/2 and HTTP/3 (both require HTTPS). The result is a site that's secure, faster, and passes every modern security and compliance scan.

What you get

Free or paid SSL

Let's Encrypt for most sites, paid OV/EV where business identity matters. Auto-renewing in both cases.

HTTP-to-HTTPS migration

Database search-and-replace handling serialised data, server-level 301 redirect, every URL updated.

Mixed-content fix

Every asset audited for HTTP references. Theme, plugins, third-party scripts all served over HTTPS.

TLS 1.3 + HTTP/2 + HTTP/3

Modern protocols enabled. Faster handshakes, better mobile performance, deprecated protocols disabled.

HSTS hardening

HSTS header with appropriate max-age. Ready for preload list submission if appropriate.

SSL Labs A+ verification

Configuration tested with SSL Labs and Mozilla Observatory. A+ scores documented.

How it works

01

Provision

Certificate issued and installed. HTTPS verified working.

02

Migrate

Database updated, redirects set, mixed-content fixed, third-party assets switched to HTTPS.

03

Harden

TLS 1.3, HTTP/2, HSTS, OCSP stapling. Old protocols disabled.

04

Verify

SSL Labs A+, Observatory pass, browser tests across mobile and desktop.
