SSL Certificate and HTTPS in WordPress — Configuration, Enforcement, Mixed Content, and SEO Impact

Published: March 20, 2026 · Author: Marcin Szewczyk-Wilgan

HTTPS is not optional — it is the standard. In 2026, over 87% of websites use an SSL certificate, and over 98% of mobile requests occur over HTTPS. Google has used HTTPS as a ranking factor since 2014, and Chrome marks sites without SSL as “Not Secure.” Yet many WordPress sites still struggle with misconfiguration, mixed content (mixed HTTP/HTTPS resources), missing redirects, and absent security headers. Starting March 2026, the maximum SSL certificate lifetime is also shortened to 200 days, which forces renewal automation. In this article, we describe the full SSL/HTTPS configuration in WordPress: from certificate installation, through HTTPS enforcement and mixed content repair, to HSTS and SEO impact.

SSL Certificate — Types and Installation

An SSL certificate (Secure Sockets Layer) encrypts the connection between the user’s browser and the server. Without it, data — logins, forms, credit card data — is transmitted as plain text, readable by anyone intercepting network traffic.

Let’s Encrypt (DV): Free Domain Validation certificate — confirms domain ownership. Same encryption level as paid certificates. Automatic issuance and renewal (every 90 days). Let’s Encrypt serves over 500 million sites and issues 10 million certificates daily. Sufficient for the vast majority of WordPress sites, blogs, and WooCommerce stores.
OV and EV (paid): Organization Validation (OV) and Extended Validation (EV) — verify organization identity, not just the domain. EV used to display the company name in the browser bar — since 2019 browsers no longer show this. In practice, in 2026 Let’s Encrypt DV is the standard for WordPress, business, and e-commerce sites. OV/EV makes sense for banks, financial institutions, and government.
Wildcard and multi-domain: Wildcard (*.domain.com) covers all subdomains — essential for WordPress Multisite with subdomains. Multi-domain (SAN) covers multiple domains on a single certificate. Let’s Encrypt supports both types — wildcard requires DNS validation (DNS-01 challenge).
Installation: Most hosting providers offer automatic Let’s Encrypt installation from their panel (cPanel, Plesk, Hestia). On VPS/dedicated servers: Certbot (official Let’s Encrypt client) automates installation and renewal. After certificate installation — WordPress and server configuration require additional steps.
Lifetime shortening (2026+): Starting March 2026, the maximum SSL certificate validity period shortens to 200 days (previously 398). By 2029, further shortening to 47 days is planned. This forces full renewal automation — manual certificate management becomes impractical. Let’s Encrypt with Certbot handles this automatically.

Enforcing HTTPS in WordPress — Step by Step

Installing an SSL certificate on the server is just the beginning. WordPress must be configured to use HTTPS across the entire site — and all HTTP traffic must be redirected to HTTPS.

1. WordPress URLs: In the WordPress dashboard: Settings → General → change “WordPress Address (URL)” and “Site Address (URL)” from http:// to https://. After saving, you will be logged out — log back in at the https:// address. This tells WordPress the site runs on HTTPS.

2. 301 redirect: Configure a server-level redirect of all HTTP → HTTPS traffic.

   Apache (.htaccess):

       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

   Nginx:

       server { listen 80; return 301 https://$host$request_uri; }

   The 301 redirect tells browsers and Google the change is permanent.

3. Database URL replacement: WordPress stores full URLs in the database — posts, pages, options, meta fields. After switching to HTTPS, old entries still contain http://. WP-CLI tool:

       wp search-replace 'http://domain.com' 'https://domain.com' --recurse-objects --skip-columns=guid

   Alternative: Better Search Replace plugin. Always back up the database before this operation.

4. Verification: Check that the padlock appears on all pages, that there are no warnings in the browser console (DevTools → Console → “Mixed Content”), and that forms, login, and cart work correctly. Tools: Why No Padlock, JitBit SSL Check, Chrome DevTools.

Mixed Content — The Most Common Problem After SSL Deployment

Mixed content occurs when a page loads over HTTPS, but some resources (images, scripts, CSS files, fonts) are fetched over unencrypted HTTP. The browser hides the padlock and displays a warning — negating the benefits of SSL.

Active mixed content

JavaScript and CSS files loaded over HTTP. Browsers block this type by default — scripts do not work, layout breaks. The most dangerous type: a malicious script injected through an unencrypted connection could hijack the page. Chrome blocks it entirely.

Passive mixed content

Images, videos, fonts loaded over HTTP. Browsers display a warning but usually do not block them. The padlock disappears from the address bar. Less dangerous, but still breaks user trust and affects security perception.

Why mixed content occurs

Hardcoded http:// URLs in the database (posts, options, meta fields). Themes and plugins with hardcoded HTTP. Resources from external sources loaded over HTTP. Content inserted before SSL migration — images, embedded videos, embeds.

How to fix mixed content

WP-CLI search-replace (most effective). Better Search Replace plugin. Content-Security-Policy: upgrade-insecure-requests header (safety net — browser automatically tries HTTPS). Check theme and plugins. Chrome DevTools → Console identifies exact URLs of problematic resources.

HSTS and Security Headers

A simple HTTP → HTTPS redirect is not enough — a user who types http:// in the browser still makes the first request without encryption. HSTS eliminates this gap.

HSTS: HTTP Strict Transport Security — a header that tells the browser: “always connect to this site via HTTPS, even if the user types http://.” Eliminates the unencrypted first request. Configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. About 60% of the top 1,000 sites have HSTS enabled.
HSTS Preload: Optional step: submit the domain to the HSTS Preload list (hstspreload.org). Browsers have a built-in list of domains that always connect via HTTPS — even on the first visit. Once added — removal is difficult and time-consuming. Use only on sites that will definitely stay on HTTPS.
Content-Security-Policy: The upgrade-insecure-requests directive tells the browser: “if you find an http:// resource, automatically try to fetch it via https://.” A safety net catching remaining mixed content — but does not replace proper URL replacement in the database. CSP adoption grew by 20% in 2025, reaching about 22% of sites.
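
A check of one HTTPS response's headers against the configuration described above, as an added example that is not from the original article. The function names and message strings are assumptions, and the one-year threshold simply mirrors the max-age value the article uses.

```python
ONE_YEAR = 31536000  # max-age from the article's Strict-Transport-Security header


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags


def audit(headers):
    """Return a list of problems found in one HTTPS response's headers (dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    sts = h.get("strict-transport-security")
    if sts is None:
        problems.append("HSTS header missing")
    else:
        max_age, flags = parse_hsts(sts)
        if not max_age:
            # max-age=0 tells the browser to drop any stored HSTS policy.
            problems.append("HSTS max-age missing or 0")
        elif max_age < ONE_YEAR:
            problems.append("HSTS max-age below one year")
        if "preload" in flags and "includesubdomains" not in flags:
            problems.append("preload without includeSubDomains")
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if "upgrade-insecure-requests" not in directives:
        problems.append("CSP upgrade-insecure-requests missing")
    return problems


if __name__ == "__main__":
    # Constructed sample: short max-age, preload requested without subdomains.
    print(audit({"Strict-Transport-Security": "max-age=300; preload"}))
```

Run it against the headers of the final HTTPS response, not the port-80 redirect: browsers ignore Strict-Transport-Security received over plain HTTP.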

SSL, HTTPS, and SEO

HTTPS is one of hundreds of Google ranking factors — but one of the easiest to implement. Here is how SSL affects search visibility:

Ranking factor: Google officially confirmed HTTPS as a ranking signal in 2014. A site with SSL has an advantage over an identical site without SSL — especially in competitive niches where other factors are equal.
“Not Secure” warning: Chrome displays a warning on HTTP pages — especially those with forms and login fields. This increases bounce rate and shortens time on page — indirect UX signals that affect rankings.
Referral data: Traffic from HTTPS to HTTP loses the referer header — in Google Analytics it appears as “direct” instead of traffic from a specific source. HTTPS on both sides preserves referral data — giving more accurate analytics.
Core Web Vitals: HTTPS with HTTP/2 (required by most browsers) enables request multiplexing, header compression, and server push — translating to faster loading and better Core Web Vitals. HTTP/2 does not work without SSL.

Summary

SSL and HTTPS are the absolute minimum for security and professionalism in 2026. A free Let’s Encrypt certificate provides full encryption. Enforcing HTTPS requires WordPress configuration, 301 redirect, and database URL replacement. Mixed content is the most common post-deployment problem — solvable with search-replace and CSP headers. HSTS eliminates the last gap — the unencrypted first request. And starting March 2026, certificate lifetime shortening forces renewal automation — manual SSL management is a thing of the past.

At WebOptimo, SSL configuration, HTTPS enforcement, mixed content repair, and security header deployment are standard parts of every WordPress deployment and care plan. If your site lacks SSL, has mixed content issues, or needs a security audit — contact us or check our WordPress security and WordPress hosting offer.

Frequently Asked Questions About SSL and HTTPS in WordPress

Yes — absolutely. Chrome marks sites without SSL as “Not Secure.” Google uses HTTPS as a ranking factor. Over 87% of sites use SSL. A site without HTTPS loses trust, Google rankings, and violates data security.

Yes — same encryption level as paid certificates. Let’s Encrypt is a DV (Domain Validation) certificate. Paid OV/EV verify company identity — useful for banks, but not required for business sites and stores.

An HTTPS page loading resources (images, scripts) over HTTP. Fix: database URL replacement (WP-CLI search-replace), check theme and plugins, CSP upgrade-insecure-requests header as a safety net.

Change URLs to https:// in Settings → General. Add 301 redirect in .htaccess or Nginx. Replace URLs in the database. Optionally: enable HSTS.

Yes — HTTPS is a confirmed ranking factor since 2014. A site without SSL may rank lower. Chrome’s “Not Secure” warning increases bounce rate, indirectly affecting SEO.
