d
d
+91 (790) 882-5636

How to Set Up HTTPS on WordPress with Free SSL (2026 Guide)

HTTPS padlock and website security concept

If your WordPress site is still loading on plain HTTP in 2026, you are leaking traffic, search rankings, and trust. Chrome marks HTTP sites as “Not secure” in big red letters, Google Search downranks them, and most payment gateways refuse to integrate. The fix is free, takes about 15 minutes, and does not need any technical background.

This guide walks you through setting up HTTPS on WordPress using a free SSL certificate from Let’s Encrypt, which every major Indian host already supports. We will cover Hostinger, Bluehost, SiteGround, and any cPanel host. By the end your padlock icon will be green and every visitor will be protected.

Why HTTPS is non-negotiable in 2026

HTTPS encrypts data flowing between your visitor’s browser and your server. That matters for three big reasons in 2026:

  • SEO ranking: Google has used HTTPS as a ranking signal since 2014. Sites without it lose positions in mobile search especially.
  • Browser trust: Chrome, Firefox, and Edge all show a “Not secure” warning on HTTP sites. Visitors leave within seconds.
  • AdSense and payment compatibility: Google AdSense, Razorpay, Stripe, PayPal, and Cashfree all require HTTPS for live integration.

If you are also working toward AdSense approval, HTTPS is on the implicit checklist. Read our complete AdSense approval guide for the full checklist.

Step 1: Check if your host already gives you free SSL

Most Indian hosts now ship Let’s Encrypt SSL free with every plan. Before you do anything else, log in and check:

  • Hostinger: hPanel → Security → SSL. If “Active” is shown, you are done with installation. Skip to Step 4.
  • Bluehost India: Sites → Manage Site → Security tab → Free SSL. Toggle on.
  • SiteGround: Site Tools → Security → SSL Manager. Pick Let’s Encrypt and click Get.
  • cPanel hosts: Look for the “AutoSSL” or “Let’s Encrypt SSL” icon. Click your domain, then Issue.
  • Cloudways and Kinsta: One-click button on the application dashboard.

Provisioning takes 1 to 5 minutes. The certificate covers both your apex domain (example.com) and the www subdomain. If your host does not offer free SSL, you can still get one through Cloudflare (covered in Step 2).

Step 2: Use Cloudflare if your host does not offer free SSL

A small minority of resellers do not provide Let’s Encrypt. Cloudflare’s free plan solves this and gives you a CDN as a bonus. Sign up for a free Cloudflare account, add your domain, and follow the wizard. You will:

  1. Change your domain’s nameservers to the two Cloudflare ones at your registrar (GoDaddy, BigRock, Namecheap)
  2. Wait 10 to 60 minutes for propagation
  3. Inside Cloudflare → SSL/TLS, set the encryption mode to “Full”

Cloudflare gives you a shared SSL certificate covering your domain. Visitors connect to Cloudflare over HTTPS, Cloudflare forwards to your origin. The padlock works immediately.

Step 3: Update your WordPress site URL settings

WordPress stores the site URL in the database. Even with the certificate active, WordPress will still serve plain HTTP until you update those URLs. Go to Settings → General and change:

  • WordPress Address (URL): from http://yoursite.com to https://yoursite.com
  • Site Address (URL): same change

Click Save. WordPress will log you out. Log back in via the new HTTPS URL. From this point, all new pages and posts use HTTPS automatically.

Step 4: Install Really Simple SSL plugin to fix mixed content

Old posts may still contain hardcoded HTTP image URLs and links. Browsers see these as “mixed content” and break the padlock. The fastest fix is the free Really Simple SSL plugin.

  1. Plugins → Add New → search “Really Simple SSL”
  2. Install and activate
  3. The plugin auto-detects your certificate and offers a one-click “Activate SSL” button
  4. Click it. The plugin rewrites all internal HTTP URLs to HTTPS on the fly

For a long-term clean fix, also run a one-time database search and replace using the free Better Search Replace plugin. Search for http://yoursite.com and replace with https://yoursite.com. Do a dry run first, then execute. This permanently rewrites all old URLs in posts, options, and meta tables.

Step 5: Set up a 301 redirect from HTTP to HTTPS

Really Simple SSL handles this automatically. If you are not using it, add this to the top of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now any visitor who types http://yoursite.com/anything gets sent to the HTTPS version with a permanent redirect. Search engines pass link authority to the new HTTPS URLs.

Step 6: Update your sitemap and Google Search Console

Google sees the HTTPS version as a separate property. To keep your rankings:

  1. Open Google Search Console
  2. Add a new property for https://yoursite.com if you do not already have one
  3. Verify ownership (the WordPress Yoast plugin adds the meta tag automatically)
  4. Submit your new HTTPS sitemap (Yoast generates it at /sitemap_index.xml)
  5. Keep the HTTP property for 6 months so Google can see the 301 redirect

For step-by-step Search Console setup, see our Google Search Console tutorial.

Step 7: Verify with the SSL Labs test

Go to ssllabs.com/ssltest, enter your domain, and wait two minutes. You want an A or A+ grade. Common issues that drop you to a B:

  • Missing intermediate certificate (your host should fix this)
  • Outdated TLS version enabled (disable TLS 1.0 and 1.1 from your hosting panel)
  • Missing HSTS header (Cloudflare or Really Simple SSL Pro can add this)

Common HTTPS problems and quick fixes

Padlock still broken on some pages? You have leftover HTTP image URLs. Use the Chrome DevTools console to find them: open any page, press F12, look at the Console tab for “Mixed Content” warnings. The warning lists the exact HTTP URL. Replace it in your post or theme.

Padlock works for the home page but not posts? Your permalink rewrites may not have updated. Go to Settings → Permalinks and click Save without changing anything. WordPress regenerates the rewrite rules.

FAQ

Is Let’s Encrypt SSL really free forever?

Yes. Let’s Encrypt issues 90-day certificates that auto-renew. Most hosts handle renewal silently. You never pay anything.

Will switching to HTTPS lose my Google rankings?

Not if you set up 301 redirects correctly. You may see a 1 to 2 week dip while Google re-indexes, then rankings return and often improve since HTTPS is a positive signal.

Do I need a paid SSL certificate for my Indian e-commerce store?

Free Let’s Encrypt is enough for almost every site, including e-commerce. Razorpay, Cashfree, and Stripe all accept it. Paid EV certificates only matter for banks and very large brands that want the green company name in older browsers.

What is the difference between Cloudflare Flexible and Full SSL mode?

Flexible only encrypts between visitor and Cloudflare, not Cloudflare and your server. That is technically still insecure. Always use Full or Full (strict) mode. Full strict requires a valid certificate on your origin too, which Let’s Encrypt provides for free.

Can I install SSL myself if my host charges for it?

Yes. Use Cloudflare’s free plan or move to a host that includes it. In 2026 there is no good reason to pay extra for basic domain SSL on shared hosting.

How do I check that my entire site is now on HTTPS?

Use the free Why No Padlock site (whynopadlock.com). Enter your URL and it scans every resource on the page, listing any that still load over HTTP.

Final word

Setting up free HTTPS on WordPress is one of the highest return-on-time tasks you can do. Fifteen minutes of work, zero rupees spent, and you get better SEO, visitor trust, and AdSense compatibility. If you run into the common “HTTPS not working after install” problem, jump to our SSL troubleshooting guide for the fix.

Scroll to Top