TLDR: I walked you through the exact manual steps I used to secure a WordPress site with an SSL certificate: obtain the certificate, install it on your host (cPanel or OpenSSL), update WordPress settings, force HTTPS, fix mixed content, clear caches, and test everything. This method gives you control when your host doesn’t offer one-click SSL or you must use a custom certificate.
I remember the day my site showed Not Secure in the browser bar. I felt exposed and worried about losing traffic and search rankings. I could have clicked a one-click option at my host, but I wanted to understand the process end-to-end. In this guide I’ll show you how I installed SSL manually on WordPress, why it matters, and what to avoid so you don’t break links or lose visitors.
What is SSL and why it matters to you
SSL (Secure Sockets Layer) and its modern version TLS encrypt data between a visitor’s browser and your server. When you install SSL on WordPress, URLs change from http to https. That green padlock signals to users and search engines that your site is trustworthy. I’ve seen sites recover lost conversions and rankings after switching to HTTPS because browsers penalize insecure sites in subtle ways.
Why manual installation might be necessary
Hosts often provide free SSL or automated deployment, but there are times you’ll need to do it manually: you have a custom certificate, your host’s automated tool failed, or you’re migrating servers. Manual installation gives you full control over certificate type, renewal process, and troubleshooting steps.
Before you begin: checklist
Start with this quick checklist so the process goes smoothly:
- Access to your hosting control panel (cPanel/DirectAdmin) or SSH access to the server
- Domain private key and certificate files (or CSR to request a certificate)
- FTP/SFTP or WordPress admin access
- Backup of your site files and database
- A plan for caching and CDN updates
Step 1 — Obtain an SSL certificate
You can use a free certificate from Let’s Encrypt or buy one from a CA (Certificate Authority). I usually choose Let’s Encrypt for standard sites because it’s free and trusted. If you buy from a CA you’ll receive three files: the certificate (.crt), a CA bundle, and the private key. With Let’s Encrypt you can use Certbot on the server or a control panel integration to generate the files.
Step 2 — Install the certificate on your server (cPanel)
If your host offers cPanel the manual install is straightforward. I uploaded the certificate files via the SSL/TLS manager. The basic steps I used are:
- Log into cPanel, open SSL/TLS
- Under Certificates (CRT) paste the certificate contents or upload the file
- Under Private Keys paste the private key generated with your CSR
- Go to Install and Manage SSL for your site and select the domain
- Ensure the Certificate: (CRT) and Private Key fields are filled
- Paste the CA Bundle if required
- Click Install Certificate
If you manage your own server without cPanel you’ll place the certificate and key files in a secure directory and update the web server configuration (Apache or Nginx) to reference them. For example, on Nginx you add ssl_certificate and ssl_certificate_key directives to your server block and reload the service.
Step 3 — Update WordPress to use HTTPS
Once the certificate is active, change WordPress settings so URLs use HTTPS. Log into WP Admin and go to Settings > General. Update the WordPress Address (URL) and Site Address (URL) from http:// to https:// and save changes. I do this after the certificate is installed, otherwise I could lock myself out.
Step 4 — Force HTTPS and fix mixed content
After switching to HTTPS you need to force all traffic to use the secure protocol and fix any mixed content issues (HTTP resources loading on an HTTPS page). I use two methods together for reliability:
- Server-level redirect: Add a 301 redirect from HTTP to HTTPS in your web server. For Apache, add a RewriteRule in .htaccess or virtual host. For Nginx add a return 301 in the server block for port 80.
- Plugin-assisted updates: Use a search-and-replace plugin carefully or run SQL queries to update old resource URLs in the database. I always backup before doing a search-and-replace.
Fixing mixed content often requires updating image, script, and stylesheet URLs in posts, widgets, and theme files. Replace hard-coded http:// links with protocol-relative or https:// links. If you use a CDN, update its settings to serve via HTTPS as well.
Step 5 — Update external tools and clear caches
Don’t forget to update Google Search Console and analytics profiles to the new HTTPS property. If you use caching or a CDN clear the cache so new HTTPS pages serve correctly. This is also the right time to purge cache WordPress so visitors see the secure site immediately.
Step 6 — Test and verify
Run these checks after installation:
- Open your site in a private browser window and verify the padlock appears
- Use SSL Labs’ SSL Test to inspect certificate chain and configuration
- Check pages with mixed content scanning tools and fix remaining issues
- Validate redirects by requesting http:// URLs and confirming they 301 to https://
What I did when something broke
On one site a plugin had hard-coded HTTP assets and caused mixed content warnings. I put the site in maintenance mode, ran a database search-and-replace, and replaced a faulty plugin. If your site breaks after the switch, revert WordPress URLs in the database or restore the backup and troubleshoot step-by-step.
Handling special scenarios: changing domains or migrating servers
If you are moving servers or changing the domain you’ll need to coordinate SSL installation with migration. I recommend planning the switch during low traffic times and following a checklist for DNS changes and certificate installation. When I changed a domain, I also updated the canonical tags and internal links to avoid SEO drops. If you are moving hosts, follow best practices when you migrate WordPress site to avoid downtime.
Automation and renewals
Certificates expire. Let’s Encrypt certificates last 90 days, so automate renewal using Certbot or a control panel cron job. For paid certificates, set calendar reminders. Automating renewal saved me from an expired certificate that once disrupted traffic and caused panic.
Common mistakes to avoid
- Rushing to update WP URLs before the certificate is installed — that can lock you out
- Forgetting to update CDN or external resources to HTTPS — causes mixed content
- Not backing up the database before search-and-replace operations
- Neglecting automated renewal — never let a certificate expire
- Not testing redirects — missing or incorrect redirects harm SEO
How to revert if something goes wrong
If you need to revert quickly: restore a full backup, revert the WordPress Address (URL) in the database (wp_options table), and remove any HTTPS redirects temporarily. That buys time to troubleshoot without prolonged downtime.
Performance and SEO after switching to HTTPS
HTTPS itself does not slow down your site; modern HTTP/2 and TLS optimizations can actually improve performance. After I switched, I also reviewed my caching, updated CDN SSL settings, and rechecked Core Web Vitals to ensure no regressions. Search engines prefer secure sites, so you may see a gradual SEO benefit.
Security hardening tips post-install
- Enable HSTS (HTTP Strict Transport Security) after you’re certain HTTPS is stable
- Disable insecure TLS versions and weak ciphers in your server config
- Use security headers like Content-Security-Policy to reduce mixed content risks
- Keep WordPress core, themes, and plugins updated
FAQs
How long does manual SSL installation take?
For a typical site with cPanel it takes 15 to 45 minutes if you have the certificate files ready. If you need to generate a CSR, purchase a certificate, or troubleshoot mixed content it can take longer. I budget a couple of hours for first-time installs.
Will installing SSL affect my SEO?
Switching to HTTPS is a positive SEO signal, but you must implement 301 redirects and update canonical tags. If you miss redirects or break internal links you can see temporary drops. I always submit an updated sitemap to Search Console after switching.
Can I install SSL myself if I don’t have cPanel?
Yes, but you’ll need SSH access to upload files and edit web server configuration. On Nginx or Apache you’ll reference the certificate and key files in the config and reload the service. If you’re uncomfortable with SSH, ask your host or a sysadmin to assist.
Do I need to update images and scripts manually?
Often yes. Use a search-and-replace tool or a plugin to update old resource URLs. I always take a database backup before making batch replacements to avoid irreversible mistakes.
How do I ensure my certificate renews automatically?
Use Certbot for Let’s Encrypt on servers, or enable your host’s auto-renew feature. For purchased certificates configure a reminder and check whether your host can handle renewals on your behalf.
What should I avoid when installing SSL on WordPress?
Avoid skipping backups, changing WP URLs before the certificate is active, and ignoring mixed content errors. Also avoid enabling HSTS too soon because it tells browsers to always use HTTPS — if you misconfigure it, recovery is harder.
Final thoughts
Installing SSL manually taught me how HTTPS, redirects, and mixed content interact. You gain resilience and control by doing it yourself, but prepare, back up, and test thoroughly. If your host supports one-click SSL and automatic renewal, that’s often the easiest path, but understanding the manual steps helps when things go off script.