SSL encryption adds a layer of security to your website that makes it harder for malicious actors to collect personal information submitted through forms on your website.

This post covers how to purchase and install an SSL certificate in WordPress so that you can load your site using the HTTPS protocol and offer a more secure website experience.

How to Install Your SSL Certificate

Quick Note: When we refer to “SSL Certificates” in this post, we mean a “third-party” SSL certificate. Third-party SSL certificates are validated by a trusted party.

You can also use a “self-signed” SSL certificate or “shared” SSL certificate. Only a third-party SSL certificate will avoid all browser warnings and fulfill all SSL-related gateway and PCI requirements.

Option 1: Get an SSL Certificate From Your Hosting Company

The easiest way to get an SSL Certificate is to:

  • purchase the SSL from your web host, and
  • have your webhost host install the SSL for you

Most WordPress hosting companies have built-in support for SSL. For this reason, your hosting company is the best resource for obtaining and configuring the SSL certificate.

The details and cost of this are different for each host, but they will know exactly how to get your site served over HTTPS with a proper SSL certificate. Again, ignore “shared” or “self-signed” SSL options and make sure that you obtain a full trusted third-party SSL certificate.

If you host has successfully installed and configured your SSL, you must now telling your WordPress site to always load over SSL. Read the Guide: Configuring WordPress to Always Use HTTPS/SSL

Option 2: Generate a Let’s Encrypt SSL Certificate

Let’s Encrypt is a free way to obtain “third party” SSL certificates.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

—via Let’s Encrypt

Many web hosts offer the Let’s Encrypt SSL certificate for free or at a reduced cost.

If your host supports Let’s Encrypt, ask if they will set up the certificate for you.

If your host won’t set it up, but you have SSH access to your web server (typical of dedicated or VPS-level hosting plans), you can generate the certificate yourself and setup your web server to use it.

How to Generate and Install a Let’s Encrypt SSL Certificate

The easiest way to generate and manage Let’s Encrypt SSL certificates is through a command line tool called Certbot.

The Certbot homepage allows you to choose your web server software (e.g. Apache) and your server’s operating system (e.g. Ubuntu Linux) and will give you instructions for using Certbot to setup a Let’s Encrypt SSL. Here are some instructions for using Certbot with Apache on Ubuntu 16.10:

  1. Make sure that your web server is setup with SSL support. Apache calls this module mod_ssl. On recent versions of Ubuntu, you can enable this by typing the following into your command line: (restart Apache when finished)

    `$ sudo a2enmod ssl`

    If this doesn’t work, you’ll want to talk with your host or search their docs for “enabling mod_ssl for Apache”.

  2. Second, use apt-get to install Certbot:

    `$ sudo apt-get install python-certbot-apache`
  3. Third, generate the certificate. (In my experience, Certbot has often failed to configure Apache properly after generating the certificate. So I’ve only used it with the “certonly” option. If you are confident, you can try without that option and it try to automatically update your Apache configuration to use the new certificate.)

    `$ certbot –apache certonly`

    Your terminal should then look something like this:
    Which names would you like to activate HTTPs for? Terminal

    Don’t be alarmed by the border of random letters (I was the first time!). It’s just an ASCII representation of a bounding box. Cerbot tries to detect what domains are setup on your server. If you see your domain, use the arrows keys to highlight it and hit enter to check it, then follow the instructions. If you don’t see the domain you want a certificate for, you can specify the domain in the Certbot command: `$ certbot –apache certonly –domains`

    Certbot then generates a cert.pem and privkey.pem file, typically at the following locations:

    • /etc/letsencrypt/live/
    • /etc/letsencrypt/live/
  4. Fourth, you need to update your Apache configuration to use the new certificate. The exact steps for this will depend on your Apache setup, but you may have an /etc/httpd/conf.d/vhost-ssl.conf file that looks like this or similar code in another Apache config file: (Note the SSLCertificateFile and SSLCertificateKeyFile lines.)

    This is a fairly typical Apache setup. This configuration says to detect traffic coming in via port 443 for the host and redirects that traffic to the …/httpdocs/ folder. This is the same folder as for port 80/regular HTTP traffic. Sometimes your site may be setup to use a different directory for HTTPS traffic. If so, you can have that directory “sym linked” to the regular directory or update your settings per the above. With WordPress, it’s best to serve both HTTP and HTTPS traffic from the same directory.

Now restart Apache to have the new settings go live. It’s a good idea to have backups of your Apache configuration files in case something goes wrong. Then you can switch your files back to the backups and restart Apache to have your site fixed ASAP. Find the error in the Apache (or other web server) error logs and see what might be wrong.

Let’s Encrypt SSL certificates only last 90 days.

To simplify the renewal process, you will want to setup a cron job to renew the certificate regularly. The command to do that is:

$ certbot renew --quiet

You can test it like this:

$ certbot renew --dry-run

And the cron job line to run this daily at 4:17am might look like this:

17 4 * * * certbot renew --quiet --post-hook "systemctl reload httpd"

Option 3: Purchase an SSL Certificate

If you don’t have SSH access to your web server, but do have a way to install SSL certificates (e.g. through a control panel), then you can purchase an SSL certificate from a “certificate authority” for use on your site. You may also want to purchase from a certificate authority if you want a Wildcard SSL, SAN SSL or other advanced SSL.

Here are some place where you can purchase and download SSL certificates:

  • SSL For Free (Uses Let’s Encrypt. Free but must be manually renewed every 90 days.)
  • GoDaddy (Expensive, but lots of options. Affiliate link.)
  • RapidSSL
  • AlphaSSL (Sign up for a reseller account for discounts if you plan to purchase many certificates for clients/etc.

If you manage your own server or otherwise want to do it yourself, you have a couple of options.

How to Install Your Own SSL Certificate

The SSL purchase process sometimes requires you to generate a Certificate Signing Request (CSR). You will have to validate that you control the domain through a standard email address like, an update to the site’s homepage, or a special DNS update.

Once you purchase and and validate the CSR, the provider gives you one or more certificate files to install the SSL certificate. How you exactly install that certificate again depends on your host and/or your control panel software. Most control panels have easy to follow instructions for how to do so.

Now Tell WordPress to Use the SSL

After successfully installing and configuring your SSL, you should now tell your WordPress site to always load over SSL.

Read the Guide: Configuring WordPress to Always Use HTTPS/SSL

Was this article helpful?
Posted in . Bookmark the . Last updated: .