Every blog should run on HTTPS. Google uses HTTPS as a ranking signal. Browsers show a ‘Not Secure’ warning on HTTP pages where users enter information. Visitors increasingly expect the padlock. For bloggers, the good news is that free SSL certificates are available for every major blogging platform, and for most hosted platforms, the process is either automatic or a single click.
The right path to free SSL depends entirely on which platform your blog runs on. The steps for a WordPress.com blog are completely different from a self-hosted WordPress blog on shared hosting, which is again different from a blog on a VPS. This guide covers the exact steps for each major blogging platform and hosting environment so you can find your specific situation and follow the right path.
Find Your Platform
| Your platform | SSL status | What you need to do |
| --- | --- | --- |
| WordPress.com (the hosted service at wordpress.com) | Automatic: already done | Nothing. SSL is managed by WordPress.com for all sites including custom domains. |
| WordPress.org on shared hosting (cPanel, Plesk, DirectAdmin) | Usually automatic via AutoSSL | Check your hosting panel; most hosts enable Let’s Encrypt automatically. If not, one click to activate. |
| WordPress.org on VPS or cloud server (you manage the server) | Requires setup | Install Let’s Encrypt via Certbot or your web server’s built-in ACME client. |
| Blogger / Blogspot | Automatic for blogspot.com subdomains; one setting for custom domains | In Blogger settings, enable HTTPS redirect for custom domains. No certificate setup needed. |
| Wix | Automatic | SSL is managed by Wix. You cannot change it. |
| Squarespace | Automatic | SSL is managed by Squarespace. You cannot change it. |
| Ghost Pro (ghost.org hosted) | Automatic | SSL is managed by Ghost Pro. |
| Ghost self-hosted | Built-in Let’s Encrypt via setup | Run ghost setup ssl during Ghost installation or run ghost ssl afterward. |
| GitHub Pages with custom domain | Automatic: enable in settings | In your GitHub repo settings under Pages, check Enforce HTTPS once the custom domain DNS is configured. |
| Cloudflare-proxied blog on any platform | Automatic edge SSL via Cloudflare Universal SSL | SSL at the edge is automatic when Cloudflare proxying is enabled. Configure origin SSL separately. |
WordPress.com (Hosted): Nothing to Do
If your blog is hosted on WordPress.com (meaning you signed up at wordpress.com and your admin is at yourblog.wordpress.com or a custom domain you connected), SSL is fully managed by Automattic, the company that operates WordPress.com. All sites on WordPress.com have SSL automatically enabled, including custom domains.
You do not need to install, configure, renew, or think about your SSL certificate. WordPress.com handles everything including renewal. If you have a custom domain connected to WordPress.com and the SSL shows as active in the WordPress.com dashboard, your work is done.
The only action you may want to take is ensuring HTTPS redirection is enabled, which forces all HTTP visitors to the HTTPS version of your site. In WordPress.com, go to Upgrades or Domains, find your domain, and confirm that HTTPS is shown as enabled. This should be on by default.
WordPress.org on Shared Hosting: Usually One Click
If you installed WordPress yourself on shared hosting (Bluehost, SiteGround, Hostinger, DreamHost, A2 Hosting, and most other shared hosts), your hosting provider almost certainly offers free SSL through Let’s Encrypt via AutoSSL. The implementation differs slightly by hosting control panel.
cPanel hosting
Most shared hosts use cPanel. Log in to your hosting account’s cPanel (usually accessible at yourdomain.com/cpanel or through your host’s client area). Look for the Security section. Most cPanel installations show an SSL/TLS or Let’s Encrypt SSL option here. Click it, select the domain you want to secure, and click Install. The certificate is issued and installed automatically. If your cPanel shows AutoSSL, it runs automatically on a schedule and may have already issued a certificate.
After installation, check whether WordPress is configured to use HTTPS. In your WordPress admin, go to Settings, General, and ensure that both WordPress Address (URL) and Site Address (URL) start with https. If they still show http, update them to https. Your site will then serve on HTTPS.
Plesk hosting
Plesk users can find Let’s Encrypt under Websites and Domains, then select your domain and look for Let’s Encrypt SSL. Enable it and select whether to secure the www and non-www versions. Plesk handles renewal automatically.
DirectAdmin hosting
In DirectAdmin, go to SSL Certificates under your domain management area. You can generate a free Let’s Encrypt certificate from this section. Select the domain, confirm the subdomain (www), and request the certificate.
If your WordPress blog was on http and you are switching to https after the fact, installing the SSL certificate alone is not enough. You also need to update the WordPress URL settings (Settings, General in the admin panel), update any hardcoded http links in your content, and configure a 301 redirect from http to https. The Really Simple SSL plugin for WordPress handles most of this automatically and is covered in the WordPress SSL Plugins guide on this site.
WordPress.org on VPS or Dedicated Server: Certbot or Built-in ACME
If you manage your own server (whether a VPS on DigitalOcean, Linode, Vultr, AWS, or any cloud provider, or a dedicated server), you are responsible for obtaining and renewing the SSL certificate. The standard approach is Let’s Encrypt via Certbot or your web server’s built-in ACME client.
Certbot is the most widely supported ACME client for Let’s Encrypt. It has plugins for Nginx and Apache that automate both certificate issuance and web server configuration. Caddy, a modern web server, has ACME support built in and handles SSL automatically without any certificate management commands. If you are setting up a new server and have flexibility in choosing a web server, Caddy’s automatic HTTPS is the simplest path.
For Nginx and Apache users, the Certbot installation and usage guide is available at certbot.eff.org with instructions specific to your operating system and web server. The process typically takes five to ten minutes.
Let’s Encrypt discontinued sending certificate expiry notification emails in June 2025. If your automated renewal fails silently on a VPS, the first indication will be visitors seeing browser SSL errors. After setting up automatic renewal with Certbot, also set up an external certificate monitoring tool that checks your domain’s certificate from outside your server and alerts you before expiry. Free monitoring options include UptimeRobot (monitors SSL expiry), StatusCake, and similar uptime monitoring services that include certificate expiry alerts.
Blogger / Blogspot: Automatic with One Setting
Blogger is Google’s free blogging platform. SSL handling depends on whether you use a blogspot.com subdomain or a custom domain.
Blogspot.com subdomains (yourname.blogspot.com)
If your blog’s address is yourname.blogspot.com, HTTPS is available automatically. In your Blogger dashboard, go to Settings, then scroll to HTTPS. You will see two settings: HTTPS Availability and HTTPS Redirect. Ensure HTTPS Availability is enabled (this makes the HTTPS version of your blog available). Enable HTTPS Redirect to automatically redirect HTTP visitors to the HTTPS version.
Custom domains on Blogger
Custom domains on Blogger point their DNS to Google’s servers. Once the DNS is correctly configured and Blogger recognizes the custom domain, Google manages the SSL certificate automatically. In Settings, you should see your custom domain listed with an HTTPS availability indicator. If HTTPS is shown as unavailable, it usually means the DNS change is still propagating (allow 24-48 hours) or there is a DNS configuration issue. Once Google confirms the DNS is correct, SSL activates automatically. Enable HTTPS Redirect in Settings once it is available.
Wix and Squarespace: Fully Automatic
Both Wix and Squarespace manage SSL certificates automatically for all sites on their platforms, including custom domains. There is no SSL setup process, no settings to toggle, and no renewal to manage. The SSL certificate is handled entirely by the platform.
For Wix, SSL is automatically active on all sites including free sites and premium sites with custom domains. You cannot configure SSL settings yourself; the platform manages everything.
For Squarespace, SSL is similarly automatic. All Squarespace sites run on HTTPS with certificates managed by Squarespace. In the Security settings for your site, you should see SSL shown as active. If it shows as pending, it usually means a custom domain DNS change is still propagating.
On both platforms, if you notice mixed content warnings (some resources loading over HTTP despite the site running on HTTPS), it is usually due to content you embedded from an external HTTP source. Update embedded media and link URLs to their HTTPS versions to resolve mixed content.
Ghost: Built-in for Self-Hosted; Automatic for Ghost Pro
Ghost Pro (ghost.org hosted service)
Ghost Pro manages SSL automatically for all hosted blogs. Custom domains configured in Ghost Pro receive SSL certificates managed by Ghost. No setup is needed.
Ghost self-hosted
Self-hosted Ghost on a VPS has a built-in SSL setup process that uses Let’s Encrypt via the Ghost CLI. During the initial ghost setup, SSL configuration is part of the setup wizard. If you need to add SSL to an existing Ghost installation, running ghost ssl in the Ghost CLI triggers the certificate issuance process. Ghost’s built-in process handles Nginx configuration automatically.
As with all Let’s Encrypt certificates on self-hosted servers, set up external monitoring for certificate expiry, since Let’s Encrypt no longer sends expiry notification emails.
GitHub Pages with Custom Domain: Enable in Repository Settings
GitHub Pages hosts static websites directly from GitHub repositories. For sites served at username.github.io, SSL is automatically active. For sites with custom domains, the process requires one additional step.
- Configure your custom domain’s DNS to point to GitHub Pages. GitHub’s documentation provides the specific IP addresses or CNAME target to use.
- In your GitHub repository, go to Settings, then Pages.
- Under Custom domain, enter your domain name if not already entered.
- Wait for the DNS verification to complete. GitHub checks the DNS configuration and issues a Let’s Encrypt certificate automatically.
- Once DNS is verified and the certificate is issued, check Enforce HTTPS. This redirects all HTTP traffic to HTTPS.
GitHub manages certificate renewal automatically. The certificate is valid as long as the custom domain remains configured in the repository settings and the DNS points to GitHub Pages.
Adding Cloudflare: Free Edge SSL for Any Blog Platform
Cloudflare provides a free CDN service that also includes free edge SSL (Universal SSL). If your blog host does not provide free SSL or you want additional performance and security features, adding Cloudflare is an option.
Cloudflare Universal SSL terminates HTTPS at Cloudflare’s edge servers. Visitors connect to Cloudflare over HTTPS; Cloudflare then connects to your origin server. For the Cloudflare-to-origin connection to also be encrypted, you need to configure the SSL/TLS mode in Cloudflare correctly.
Flexible SSL mode: Cloudflare connects to your origin over HTTP. The visitor sees HTTPS (the padlock) but the connection from Cloudflare to your server is unencrypted. This is technically a security gap and creates problems with some WordPress configurations (redirect loops are common with WordPress and Cloudflare Flexible mode).
Full SSL mode: Cloudflare connects to your origin over HTTPS but accepts any certificate, including self-signed. This is better than Flexible but still accepts invalid certificates.
Full (Strict) SSL mode: Cloudflare connects to your origin over HTTPS and requires a valid, trusted certificate. This is the recommended mode. Your origin server needs a valid certificate from Let’s Encrypt, your hosting provider’s AutoSSL, or a Cloudflare Origin Certificate (a free certificate from Cloudflare that is trusted only by Cloudflare’s edge).
If you are using Cloudflare with a self-hosted WordPress blog and seeing a redirect loop (the site keeps redirecting from HTTP to HTTPS or vice versa), the most common cause is Cloudflare set to Flexible SSL mode combined with WordPress configured for HTTPS. Cloudflare and WordPress are each trying to force a redirect, creating a loop. Fix this by setting Cloudflare’s SSL/TLS mode to Full or Full (Strict), which requires a valid certificate on your origin server.
After Installing SSL: Three Things Every Blog Owner Should Do
1. Update your blog’s URL to HTTPS
Installing the certificate does not automatically redirect HTTP to HTTPS or update your blog’s internal URLs. On self-hosted WordPress, go to Settings, General in the admin panel and change both the WordPress Address and Site Address from http to https. This ensures WordPress generates HTTPS links throughout the site. For other platforms, check the admin panel for a Site URL or Primary Domain setting and update it to the HTTPS version.
2. Set up a 301 redirect from HTTP to HTTPS
Visitors who bookmarked or linked to the HTTP version of your site should automatically be redirected to HTTPS. On most hosting control panels with cPanel, this can be configured under Redirects. On VPS servers with Nginx or Apache, add a server-side redirect rule. For WordPress users, the Really Simple SSL plugin handles this automatically. Without a redirect, HTTP versions of your pages continue to load without SSL, giving some visitors the ‘Not Secure’ warning despite having a certificate installed.
3. Check for mixed content warnings
After switching to HTTPS, some resources on your pages may still load over HTTP: images hosted elsewhere, embedded videos, external scripts, or links. These create mixed content warnings that browsers display to users even though the main page is HTTPS. The browser console (F12, Console tab) shows mixed content warnings if they exist. For WordPress users, the Really Simple SSL plugin detects and fixes most mixed content automatically. For other platforms, manually update embedded media URLs from http to https where possible.
Keeping Your SSL Certificate Healthy: Monitoring and Renewal
For blogs on hosted platforms (WordPress.com, Wix, Squarespace, Blogger, Ghost Pro), certificate renewal is fully managed by the platform. You do not need to monitor or renew.
For self-hosted blogs (WordPress on shared hosting, WordPress on VPS, Ghost self-hosted), automated renewal via Let’s Encrypt means the certificate should renew itself. But automated renewal can fail silently. Since Let’s Encrypt discontinued expiry notification emails in June 2025, there is no built-in safety net for renewal failures.
Set up an external certificate monitoring check that alerts you by email or SMS when your certificate is within 21 days of expiry. Free options include UptimeRobot (has SSL certificate expiry monitoring on its free tier), StatusCake, and similar uptime monitoring services. The monitoring check connects to your blog from outside your server, checks the certificate, and alerts you before it expires. This takes five minutes to set up and prevents the worst outcome: visitors seeing SSL error pages on your blog because renewal failed and you did not know.
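For readers who prefer to run the external check themselves, here is a minimal sketch of the monitoring described above and in the VPS section. It is an added example, not code from any of the services named; the function names, the status labels and the hostname in the usage comment are assumptions, and it is meant to run on a machine other than the blog's server.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

ALERT_DAYS = 21  # alert threshold used in the article


def days_remaining(not_after, now):
    """Whole days until expiry. not_after is the getpeercert() string,
    e.g. 'Jan 11 00:00:00 2026 GMT'; negative once the date has passed."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after, now, alert_days=ALERT_DAYS):
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left <= alert_days:
        return "EXPIRING_SOON"  # inside the alert window: renewal needs attention
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Handshake from outside the server, as a visitor's browser would."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host, now=None):
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or mismatched certificate fails the handshake,
        # so it surfaces here rather than as a notAfter value.
        return f"{host}: INVALID ({exc.verify_message})"
    except OSError as exc:
        return f"{host}: UNREACHABLE ({exc})"
    return f"{host}: {classify(not_after, now)} ({days_remaining(not_after, now)} days left)"


if __name__ == "__main__":
    # Usage (hypothetical host): python check_cert.py yourblog.example
    results = [check(h) for h in sys.argv[1:]]
    print("\n".join(results))
    sys.exit(0 if all(": OK" in r for r in results) else 1)
```

The non-zero exit status lets a cron job or CI schedule send the alert whenever any checked host is not OK.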
Frequently Asked Questions
Do I need to pay for SSL for my blog?
No. Free SSL certificates from Let’s Encrypt are trusted by all major browsers and provide the same HTTPS encryption as paid DV certificates. For personal blogs, portfolio sites, and most small to medium business blogs, free SSL is sufficient. Paid certificates add organization identity verification (OV) or extended validation (EV), which matters for enterprise contexts but is not needed for typical blogs. Most hosted blogging platforms include free SSL automatically. Self-hosted WordPress on shared hosting almost universally includes free Let’s Encrypt SSL through AutoSSL.
Will SSL improve my blog’s search ranking?
HTTPS is a positive ranking signal in Google’s algorithm. Switching an HTTP blog to HTTPS provides a modest ranking benefit, though content quality remains the dominant factor. More practically, Google Chrome and other browsers show a ‘Not Secure’ warning on HTTP pages where users input information (contact forms, comment boxes, login fields). This warning reduces user confidence and can affect engagement metrics. Getting SSL is a baseline requirement for credibility in 2026, not a strong ranking booster on its own.
My hosting provider says SSL costs extra. What should I do?
Most reputable shared hosting providers include free Let’s Encrypt SSL. If your current host charges for SSL, check whether their control panel (cPanel, Plesk) has a Let’s Encrypt option you have not enabled yet: it may be free and just requires activation. If the host genuinely charges for SSL as an add-on and does not offer a free path, consider switching hosts. Bluehost, SiteGround, Hostinger, DreamHost, and most current shared hosting providers include SSL at no additional cost. Paying for SSL separately from a hosting provider that charges for it is not necessary when free options are universally available.
My blog shows a padlock but some images show HTTP warnings. What is wrong?
This is mixed content: your main page loads over HTTPS but some resources (images, scripts, or embedded content) are loaded over HTTP. Browsers display warnings for mixed content because the HTTP resources are not encrypted even though the main page is. For WordPress, the Really Simple SSL plugin detects and fixes most mixed content automatically. For other platforms, open the browser’s developer console (F12, Console tab), look for mixed content warnings, and update the URLs of the listed resources from http to https. Embedded third-party content that does not offer an HTTPS version may need to be removed or replaced.
