Why HTTPS Is No Longer Optional

HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP. It protects the data exchanged between your visitors' browsers and your server from eavesdropping and tampering. Beyond security, HTTPS is now a ranking signal for Google, a trust indicator for users, and a requirement for many modern browser features like geolocation and service workers.

If your site still runs on plain HTTP, this guide will walk you through exactly what you need to do to make the switch.

Step 1: Choose and Obtain an SSL/TLS Certificate

The first step is acquiring a certificate. You have several options:

  • Free certificates via Let's Encrypt — Ideal for most websites. Widely supported and auto-renewable.
  • Certificates from your hosting provider — Many hosts (cPanel, Plesk, SiteGround, Bluehost, etc.) offer free or paid certificate installation through their dashboards.
  • Paid certificates from a CA — Best for e-commerce or enterprise sites needing OV or EV validation.

Step 2: Install the Certificate on Your Server

Installation varies by server software and hosting environment. Here are the most common scenarios:

Shared Hosting (cPanel)

  1. Log into your cPanel account.
  2. Navigate to Security > SSL/TLS.
  3. Use AutoSSL or manually upload your certificate, private key, and CA bundle.
  4. Click "Install Certificate."

Apache Server

  1. Upload your certificate files to your server (e.g., /etc/ssl/certs/).
  2. Edit your Apache virtual host configuration to add SSL directives pointing to your certificate files.
  3. Enable the SSL module with a2enmod ssl and restart Apache.

Nginx Server

  1. Upload certificate and private key files to your server.
  2. Update your server block in the Nginx config to listen on port 443 with SSL.
  3. Reload Nginx with nginx -s reload.

Step 3: Force HTTPS with Redirects

Once HTTPS is working, you must redirect all HTTP traffic to HTTPS. Without this step, visitors accessing http://yoursite.com will keep being served the unencrypted version instead of being sent to the secure one.

For Apache, add this to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For Nginx, add a server block that returns a 301 redirect from port 80 to port 443.

Step 4: Fix Mixed Content Issues

Mixed content occurs when your HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Browsers will either block these resources or show security warnings. To fix this:

  • Update all internal links and asset URLs from http:// to https:// or use protocol-relative URLs (//).
  • Use a plugin like "Really Simple SSL" on WordPress to handle bulk replacements.
  • Run your site through a mixed content checker tool to identify remaining issues.
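A minimal sketch of what a mixed content checker does, added here as an illustration (it is not part of the original guide or of any particular tool). It parses a page's HTML, resolves each subresource URL against the HTTPS page URL, and reports the ones that still load over http://. The sample page, the example.com URLs, and the simplified active/passive tag lists are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that fetch a subresource. Active content can alter the
# page, so browsers block it; passive content typically produces a warning.
# Simplified lists (assumption): srcset, CSS url() and inline scripts are not covered.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page for the demonstration.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/style.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<img src="/images/banner.png">
<a href="http://example.com/about">About</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # rel=canonical and similar are metadata, not a fetched subresource
        for attr, value in attrs.items():
            kind = "active" if (tag, attr) in ACTIVE else "passive" if (tag, attr) in PASSIVE else None
            if kind is None or not value:
                continue
            # urljoin resolves relative and protocol-relative (//host/x) URLs against the page URL
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://example.com/", SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Plain links (`<a href>`) and the canonical tag are not reported because they do not load a resource into the page; those http:// URLs are the ones Step 5 covers.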

Step 5: Update Your Settings Everywhere

After going live with HTTPS, don't forget to:

  • Update your site URL in Google Search Console and resubmit your sitemap.
  • Update your URL in Google Analytics (or other analytics platforms).
  • Update canonical tags and any hardcoded URLs in your CMS or database.
  • Update any third-party integrations that use your site's URL.

Verify Your Setup

Once everything is in place, test your site with the Qualys SSL Labs Server Test (free, online tool) to check your certificate validity, supported protocol versions, and cipher suite configuration. Aim for an A or A+ rating.