- 1
Install an SSL certificate
Most hosts offer free Let's Encrypt certificates in the control panel. Enable it for your domain (and www) first.
- 2
Set your site URL to https://
In Settings → General, update both WordPress Address and Site Address to use https://. For hard-coded values, set them in wp-config.php.
- 3
Redirect all HTTP traffic
Force HTTPS at the server so old links upgrade automatically:
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] - 4
Fix mixed content
Update any http:// image/script URLs in your content and database to https:// so the padlock shows on every page, then add the HSTS header.
Related concept: SSL/TLS Certificate
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.