
SSL Certificate & HTTPS: The Complete Guide to Securing Your Website

ElevaSEO, March 28, 2026. 24 min read.
Tags: ssl, https, security, certificate, let-s-encrypt

In 2026, a website without HTTPS is a website that loses visitors, Google rankings and credibility. Browsers display a "Not Secure" warning on every page served over HTTP. Users close those pages before reading the first paragraph. Google has penalized unencrypted sites in search results since 2014. The problem goes beyond SEO: a contact form submitted without encryption exposes your clients' data to anyone intercepting network traffic.

Many WordPress site owners delay the HTTPS migration because they fear breaking their site. Others believe their SSL certificate is properly configured when their setup actually contains mixed content flaws that nullify the protection. This guide covers everything you need to know about SSL certificates and the HTTPS protocol: how they work, which certificate to choose, how to install it correctly on WordPress, and how to verify that the configuration is solid. For a broader view of WordPress security, see our complete WordPress security guide.

How to install and configure an SSL certificate on WordPress (5 steps)
  1. Activate SSL at your hosting provider: log into your hosting control panel (cPanel, Plesk, proprietary interface). Find the SSL/TLS or Security section. Activate the free Let's Encrypt SSL certificate for your domain. Most hosting providers (SiteGround, Bluehost, A2 Hosting, Cloudways) offer one-click activation.

  2. Update URLs in WordPress settings: in your WordPress dashboard, go to Settings then General. Replace http:// with https:// in both the WordPress Address (URL) and Site Address (URL) fields. Save the changes. WordPress will automatically log you out to apply the change.

  3. Force 301 redirects from HTTP to HTTPS: add redirect rules to your .htaccess file at the site root. The lines RewriteEngine On, RewriteCond %{HTTPS} off, and RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] redirect all HTTP requests to their HTTPS equivalent. Test by accessing your site via http:// to confirm the redirect.

  4. Fix mixed content errors: install the Really Simple SSL plugin or use Better Search Replace to replace all occurrences of http://yourdomain.com with https://yourdomain.com in the database. Check theme files and widgets that might contain hardcoded URLs. Use the browser console (F12) to identify resources still loaded over HTTP.

  5. Update Google Search Console and external tools: add the https://yourdomain.com property in Google Search Console. Resubmit your XML sitemap. Update the URL in Google Analytics, your social media profiles and directories where your site is listed. Verify that existing backlinks redirect correctly to the HTTPS version.

What HTTPS Means and Why It Matters

The Difference Between HTTP and HTTPS

HTTP (HyperText Transfer Protocol) is the protocol that lets your browser communicate with a web server. The problem: data travels in plain text. Anyone on the same Wi-Fi network can read the contents of the exchanges. Passwords, credit card numbers, form data -- everything goes through without protection.

HTTPS adds an encryption layer to that protocol. The "S" stands for "Secure." In practice, HTTPS uses the TLS (Transport Layer Security) protocol to encrypt data between the browser and server. An attacker intercepting the traffic sees only unreadable data. The HTTPS protocol uses port 443, while HTTP uses port 80.

How HTTPS Encryption Protects Data

HTTPS relies on asymmetric cryptography to authenticate the server and agree on a session key. The server holds a private key (kept secret) and a public key (shared with every browser through the SSL certificate). When a visitor accesses your site, the following process takes place:

  1. The browser asks the server to identify itself
  2. The server sends its SSL certificate containing its public key
  3. The browser verifies that the certificate is valid and issued by a recognized certificate authority
  4. The browser and server negotiate a temporary session key (symmetric encryption)
  5. All exchanged data is encrypted with this session key

This process is called the "TLS handshake." It completes in milliseconds and is completely invisible to the user. The result: a secure, authenticated and tamper-proof connection.

Data Integrity and Authentication

HTTPS does more than encrypt. It guarantees two additional properties. Data integrity means information cannot be modified during transfer without the modification being detected. An internet service provider cannot inject ads into your pages. An attacker cannot alter a banking page to redirect a transfer.

Authentication confirms that the visitor is communicating with the server they intend to contact. The SSL certificate is a digital identity document. Without this authentication, an attacker could create a fake banking site identical to the original and intercept victim credentials (man-in-the-middle attack).

SSL, TLS and Certificates: The Technical Basics

SSL vs TLS: What Is the Difference in 2026

The terms SSL and TLS are often used interchangeably, but they refer to different protocols. SSL (Secure Sockets Layer) was developed by Netscape in the 1990s. SSL 2.0 and SSL 3.0 had serious vulnerabilities (POODLE, DROWN) and are now obsolete. No browser supports them anymore.

TLS (Transport Layer Security) is the direct successor to SSL. TLS 1.0 and 1.1 have also been deprecated since 2021. In 2026, the standard is TLS 1.2 at minimum, and TLS 1.3 for modern configurations. TLS 1.3, published in 2018, reduces the handshake round trips from two to one, improving latency by 20 to 30% compared to TLS 1.2.

The industry continues using "SSL certificate" out of habit, even though the actual protocol is TLS. When your hosting provider mentions "SSL," they are actually talking about TLS 1.2 or 1.3.

SSL Certificate Types: DV, OV and EV

Not all SSL certificates are equal. They differ by the level of verification performed by the certificate authority (CA) before issuance.

Domain Validation (DV): The simplest and fastest certificate to obtain. The certificate authority only verifies that you control the domain name (through a DNS record or a file on the server). Issued in minutes. This is the type provided by Let's Encrypt. Suitable for blogs, brochure sites and small e-commerce stores.

Organization Validation (OV): The certificate authority verifies the legal existence of the organization. It checks business registration details, physical address and phone number. Issued in 1 to 3 days. The certificate displays the organization name in its details. Recommended for business sites handling sensitive data.

Extended Validation (EV): The strictest verification level. The certificate authority conducts a thorough audit: legal existence, physical address, phone verification, authorized requester validation. Issued in 1 to 2 weeks. Modern browsers no longer display the distinctive green bar, but the company name remains visible in certificate details. Used primarily by banks, financial institutions and major e-commerce sites.

Multi-Domain and Wildcard Certificates

Beyond the validation level, certificates differ by their coverage. A standard certificate covers a single domain (example.com). A Wildcard certificate covers a domain and all its subdomains (*.example.com). A multi-domain certificate (SAN) covers multiple distinct domains under a single certificate.

For a standard WordPress site, a DV certificate covering the main domain is sufficient. If you manage multiple subdomains (blog.example.com, shop.example.com, app.example.com), a Wildcard certificate saves you from managing separate certificates.

Getting a Free SSL Certificate with Let's Encrypt

Why Let's Encrypt Changed Everything

Before 2016, an SSL certificate cost between 50 and 300 dollars per year. That cost was a barrier for small sites and bloggers. Let's Encrypt, launched in 2016 by the ISRG (Internet Security Research Group) with support from Mozilla, Google, Cisco and the EFF, democratized HTTPS by offering free, automated and open DV certificates.

In 2026, Let's Encrypt protects over 400 million websites. The certificate authority issues certificates valid for 90 days, with automatic renewal. This short duration is deliberate: if a private key is compromised, exposure is limited in time.

Hosting Providers That Include Let's Encrypt

Most WordPress hosting providers include Let's Encrypt in their admin panel. Activation takes less than 5 minutes.

SiteGround: Activation through Site Tools in the Security section. SiteGround provides a free Let's Encrypt DV certificate with every hosting plan and handles automatic renewal.

Bluehost: Activation in the cPanel, Security section. Bluehost includes a free SSL certificate and automatically installs it on new domains.

A2 Hosting: Activation through cPanel > Security > Let's Encrypt SSL. The certificate is automatically renewed. A2 Hosting also offers premium SSL certificates for OV and EV validation.

Cloudways: Activation in the Application Management panel under SSL Certificate. Cloudways supports Let's Encrypt with automatic renewal and also allows custom certificate installation for enterprise needs.

When to Choose a Paid SSL Certificate

A free Let's Encrypt certificate is sufficient for most sites. A paid certificate is justified in specific cases.

High-volume e-commerce sites processing thousands of daily transactions benefit from an OV or EV certificate that displays the company name, reinforcing buyer trust. Paid certificates generally include a financial warranty (from $10,000 to $1,750,000 depending on the provider) covering losses in case of certificate failure.

Financial institutions and sites handling medical data are sometimes subject to regulatory requirements mandating an OV or EV certificate. The PCI-DSS standard for credit card processing does not require a specific certificate type but recommends strict TLS configurations.

Large multi-domain enterprises managing dozens of subdomains sometimes find it more practical to use a paid Wildcard certificate with premium technical support and 1-year validity.

Installing an SSL Certificate on WordPress: The Complete Method

Prerequisites Before the HTTPS Migration

Before touching anything, prepare your migration.

Back up your entire site: database and files. Use a plugin like UpdraftPlus or your hosting provider's backup system. Keep this backup off the server (Google Drive, Dropbox, local disk).

List all elements containing hardcoded URLs: pages, posts, widgets, theme files, plugins loading external resources, stylesheets and JavaScript files. This list will serve you when fixing mixed content.

Check your plugin compatibility: some old or poorly coded plugins load resources over HTTP regardless of the site protocol. Update all plugins and themes before migration.

Activating SSL at Your Hosting Provider

The first step is always activating the certificate on the server side. Log into your hosting admin panel and activate the SSL certificate for your domain.

On cPanel (used by most hosting providers), the procedure is: go to Security > Let's Encrypt SSL > Issue New Certificate. Select your domain and click Issue. The certificate is generated in seconds.

On Plesk: go to Websites & Domains > SSL/TLS Certificates > Let's Encrypt. Check the options for the domain and www subdomain, then click Install.

Wait a few minutes after activation. The certificate needs to propagate on the server. Verify by accessing https://yourdomain.com in your browser. If the page loads with the padlock icon, the certificate is in place.

Configuring WordPress for HTTPS

Once the certificate is active, configure WordPress to use HTTPS by default. In your WordPress dashboard, go to Settings > General. Change both URL fields by replacing http:// with https://. Save. WordPress will log you out. Log back in via the https:// URL.

To force all connections over HTTPS, add this line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This directive forces HTTPS for the admin dashboard, preventing admin sessions from being intercepted.

301 Redirects: The Critical Piece

301 redirects are critical. Without them, your site is accessible over both HTTP and HTTPS simultaneously. Google sees two versions of the same content (duplicate content), existing backlinks point to the HTTP version, and link equity is diluted.

Add these rules at the beginning of your .htaccess file (before WordPress rules):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If your server uses Nginx instead of Apache, add in your server block:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

Test redirects by accessing http://yourdomain.com, http://www.yourdomain.com and http://yourdomain.com/any-page. Each URL must redirect to its HTTPS equivalent with a 301 code.

Fixing Mixed Content

Mixed content is the most common problem after an HTTPS migration. It occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. The browser blocks these resources or displays a warning, breaking the page layout or functionality.

How to detect mixed content: open your site in Chrome, press F12 to open developer tools, and check the Console tab. Mixed content errors appear with the "Mixed Content:" prefix. The Security tab also indicates whether the page is fully secure.

Automatic fix with a plugin: the Really Simple SSL plugin detects and fixes most mixed content issues automatically. It redirects internal HTTP requests to HTTPS and corrects URLs in the database. This is the fastest solution for beginners.

Manual fix with Better Search Replace: for a permanent fix without a plugin, use Better Search Replace. Search for http://yourdomain.com and replace with https://yourdomain.com across all database tables. Run a "dry run" (simulation) first to verify the number of replacements before applying them.

External resources: some resources loaded from third-party domains (Google Fonts, analytics scripts, social media widgets) may use HTTP URLs. Check each external resource and update URLs to their HTTPS version. If a third-party service does not support HTTPS, replace it with a secure alternative.
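The browser console and Better Search Replace steps above can be reproduced offline. The following Python scanner is an added example written for this guide, not code from the post and not part of Really Simple SSL or Better Search Replace: it walks an HTML page, reports every sub-resource referenced over http:// (stylesheets, scripts, images, iframes, but not plain navigation links, which are not mixed content), separates same-origin URLs from third-party ones, and rewrites the same-origin ones to https:// the way a database search-and-replace would. The site host yourdomain.com and the HTML sample are constructed for the example.

```python
"""Offline mixed-content scanner and same-origin URL rewriter (added example).

Assumes the site is served from yourdomain.com (with or without www).
The HTML sample below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes whose http:// value a browser loads as a sub-resource
# and therefore reports as mixed content. Navigation links (<a href>) are
# deliberately absent: they are not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# Only these <link rel=...> values cause the browser to fetch the href.
FETCHED_LINK_RELS = ("stylesheet", "icon", "preload", "prefetch")


def _urls_in(attr, value):
    """srcset holds several 'url descriptor' candidates separated by commas."""
    if attr == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if not any(r in rel for r in FETCHED_LINK_RELS):
                return  # canonical, alternate, ... are never fetched
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            for url in _urls_in(attr, value):
                if url.lower().startswith("http://"):
                    self.findings.append((tag, attr, url))


def scan_mixed_content(html, site_host="yourdomain.com"):
    """Return one dict per http:// sub-resource, flagged same_origin or not."""
    parser = MixedContentScanner()
    parser.feed(html)
    results = []
    for tag, attr, url in parser.findings:
        host = (urlparse(url).hostname or "").lower()
        results.append({"tag": tag, "attr": attr, "url": url,
                        "same_origin": host in (site_host, "www." + site_host)})
    return results


def rewrite_same_origin(html, site_host="yourdomain.com"):
    """Replace http://site_host and http://www.site_host with https://
    (what Better Search Replace does in the database). Returns (html, count).
    Third-party http:// URLs are left alone for manual review."""
    count = 0
    for prefix in (f"http://{site_host}", f"http://www.{site_host}"):
        count += html.count(prefix)
        html = html.replace(prefix, "https://" + prefix[len("http://"):])
    return html, count


# Constructed sample page: three same-origin and two third-party http:// resources,
# plus a canonical link and a navigation link that are not mixed content.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://yourdomain.com/about/">
<script src="https://yourdomain.com/wp-includes/js/jquery.js"></script>
<script src="http://fonts.example-cdn.test/loader.js"></script>
</head><body>
<a href="http://yourdomain.com/contact/">Contact</a>
<img src="http://yourdomain.com/wp-content/uploads/hero.jpg" srcset="http://yourdomain.com/hero-2x.jpg 2x">
<iframe src="http://widgets.example-social.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_HTML):
        origin = "same-origin" if f["same_origin"] else "THIRD-PARTY (fix manually)"
        print(f"Mixed Content: <{f['tag']} {f['attr']}> {f['url']}  [{origin}]")
    fixed, n = rewrite_same_origin(SAMPLE_HTML)
    print(f"rewrote {n} same-origin URL(s); {len(scan_mixed_content(fixed))} left for review")
```

The rewrite step is a plain string replacement, which is exactly what Better Search Replace does, with one important difference: WordPress stores many options and widget settings as PHP-serialized strings that embed the string length, so a raw SQL REPLACE that changes "http://" to "https://" corrupts them. Use a serialization-aware tool for the database and reserve the approach above for theme files and templates.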

Why HTTPS Is an SEO Ranking Factor

The Ranking Signal Confirmed by Google

Google officially announced in August 2014 that HTTPS is a ranking signal in its algorithm. At the time, Google called it a "lightweight signal." Since then, the weight of this signal has increased. In 2026, an HTTP site faces a double handicap: it loses the HTTPS bonus and Google penalizes it indirectly through user experience signals (high bounce rate caused by the "Not Secure" warning).

Data from the Google Transparency Report shows that over 95% of pages loaded in Chrome use HTTPS. The HTTPS protocol is no longer a competitive advantage -- it is the standard. Not having it is a handicap. For a full analysis of ranking factors, see our comprehensive SEO guide.

HTTP/2, HTTP/3 and Performance

The HTTP/2 protocol, which delivers significant performance gains (multiplexing, header compression, server push), requires HTTPS in practice. All modern browsers implement HTTP/2 only over TLS connections. By staying on HTTP, you miss out on HTTP/2 and the 5 to 15% speed improvements it brings.

HTTP/3, built on the QUIC protocol, goes further with a 0-RTT handshake that reduces time to first byte. HTTP/3 is also tied to HTTPS. Sites using these modern protocols see measurable improvements in their Core Web Vitals, particularly LCP (Largest Contentful Paint) and INP (Interaction to Next Paint).

User Trust and Conversion Rate

A HubSpot study reports that 82% of users leave a site displaying the "Not Secure" warning. For e-commerce sites, the impact on conversion rate is direct. GlobalSign showed that 84% of online shoppers abandon their purchase if data is sent over an insecure connection.

The padlock displayed in the address bar has become a universal trust signal. Users no longer notice it when present, but they immediately notice its absence. HTTPS does not necessarily increase conversions -- it prevents their collapse.

Verifying and Auditing Your SSL Configuration

Quick Verification Tools

After installation, methodical verification is necessary. Several free tools let you validate your configuration.

SSL Checker (sslshopper.com): enter your domain and the tool verifies certificate validity, the certification chain, expiration date and domain name match. This is the basic test to run first.

Why No Padlock (whynopadlock.com): this tool scans a specific page and identifies every resource loaded over HTTP that prevents the padlock from displaying. Useful for locating mixed content sources.

SSL Labs (ssllabs.com): the most thorough audit. Qualys SSL Labs analyzes your server's TLS configuration in depth: protocol version, supported cipher suites, known vulnerabilities (Heartbleed, POODLE, BEAST), Forward Secrecy support, HSTS configuration. The result is a grade from A+ (best) to F (critical). Aim for A or A+.

Interpreting SSL Labs Results

An A+ result on SSL Labs confirms a solid configuration. Here are the key points to check in the report.

Protocols: TLS 1.2 and TLS 1.3 must be active. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 must be disabled. If your server still supports TLS 1.0, it is exposed to downgrade attacks.

Cipher suites: prefer suites using AES-256-GCM or CHACHA20-POLY1305 with ECDHE for Forward Secrecy. Disable suites using RC4, 3DES or static RSA key exchange (no Diffie-Hellman, hence no Forward Secrecy).

Forward Secrecy: this property ensures that compromising the server's private key does not allow decryption of past communications. Make sure all cipher suites support ECDHE (Elliptic Curve Diffie-Hellman Ephemeral).
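The protocol and cipher rules above can be written down as a policy and audited before you touch a server. The Python below is an added example for this guide (not code from the post, and not the SSL Labs scanner): it builds an ssl.SSLContext with TLS 1.2 as the floor and ECDHE plus AEAD suites only, then lists what the local OpenSSL build would actually offer and flags anything SSL Labs would mark down (RC4, 3DES, or a TLS 1.2 suite without an ephemeral key exchange). It contacts no server; the same policy on the server side is the ssl_protocols / ssl_ciphers directives in Nginx or SSLProtocol / SSLCipherSuite in Apache. The cipher string is an assumption that matches the recommendations in the text, not a setting from the page.

```python
"""Express the SSL Labs protocol/cipher recommendations as an SSLContext and
audit it (added example; runs against the local OpenSSL build only)."""
import ssl

# OpenSSL cipher string (assumed for the example): ECDHE key exchange only,
# AEAD bulk ciphers only. TLS 1.3 suites are governed separately by OpenSSL
# and are always ECDHE + AEAD, so they pass the audit unchanged.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def hardened_context():
    """TLS 1.2 minimum (SSL 3.0, TLS 1.0 and 1.1 off) with Forward-Secrecy suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def legacy_context():
    """Every suite the library knows about: the 'before' picture for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def minimum_protocol_name(ctx):
    return ctx.minimum_version.name  # e.g. "TLSv1_2"


def audit_ciphers(ctx):
    """Return the suite names SSL Labs would mark down: RC4, 3DES (DES-CBC3),
    or any TLS 1.2 suite whose key exchange is not ECDHE/DHE (static RSA,
    hence no Forward Secrecy)."""
    weak = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        no_forward_secrecy = (suite["protocol"] != "TLSv1.3"
                              and not name.startswith(("ECDHE", "DHE")))
        if "RC4" in name or "DES" in name or no_forward_secrecy:
            weak.append(name)
    return weak


def policy_report(ctx):
    """Summary in the spirit of the SSL Labs report sections."""
    suites = ctx.get_ciphers()
    return {
        "minimum_protocol": minimum_protocol_name(ctx),
        "suites_offered": len(suites),
        "all_aead": all(s["aead"] for s in suites),
        "weak_suites": audit_ciphers(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("legacy", legacy_context())):
        print(label, policy_report(ctx))
```

The audit keys off the suite names that OpenSSL reports, which is the same naming SSL Labs uses in its "Cipher Suites" section, so a name that appears in the weak list here is the one you would look for in the report.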

HSTS (HTTP Strict Transport Security): this HTTP header tells browsers to never access the site over HTTP, even if the user types http:// in the address bar. Enable HSTS with a minimum duration of 6 months (max-age=15768000). For the A+ grade, HSTS is mandatory.

Ongoing Monitoring and Renewal

A Let's Encrypt certificate expires every 90 days. Renewal is normally automatic (via the certbot daemon or your hosting interface), but problems can occur: DNS configuration error, server unreachable during validation, renewal quota exceeded.

Set up proactive monitoring. The following tools send an alert before expiration:

  • Uptime Robot (free): monitors the certificate and sends an email 14 days before expiration
  • SSL Labs: run a monthly audit to detect configuration regressions
  • Google Search Console: the security report flags certificate issues

Common Mistakes to Avoid During HTTPS Migration

Not Redirecting All URLs

The most common mistake: redirecting only the homepage to HTTPS while forgetting internal pages. Every URL on your site must have its own 301 redirect. Verify by testing deep URLs like http://yourdomain.com/my-post/ or http://yourdomain.com/my-category/.

Forgetting to Update Sitemap and robots.txt

After migration, your XML sitemap must contain HTTPS URLs. If your SEO plugin generates the sitemap automatically (Yoast, Rank Math), the update is immediate after changing the URL in WordPress settings. Verify manually by accessing https://yourdomain.com/sitemap_index.xml.

The robots.txt file must also reference the sitemap in HTTPS. Verify that the Sitemap: directive points to https://yourdomain.com/sitemap_index.xml.

Internal links hardcoded in your content, widgets or theme files may remain in HTTP after migration. These links generate 301 redirect chains that slow navigation and dilute PageRank. Use Better Search Replace or an SQL script to fix these URLs in the database. Check theme files manually for URLs hardcoded in PHP code or templates.

Not Testing on Mobile

Site behavior after migration can differ between desktop and mobile. Some WordPress themes load different resources depending on the viewport. Test your site on a real mobile device or with Chrome developer tools in responsive mode to ensure HTTPS works correctly everywhere.

HSTS: Extra Protection Against Downgrade Attacks

What HSTS Is and Why to Enable It

HSTS (HTTP Strict Transport Security) is a mechanism that forces browsers to exclusively use HTTPS when communicating with your site. Without HSTS, an attacker can attempt an "SSL stripping" attack: they intercept the first HTTP request (before the 301 redirect) and present an HTTP version of the site to the victim.

With HSTS, the browser knows it must always use HTTPS for that domain. Even if the user types http:// in the address bar, the browser converts to https:// before sending the request. No HTTP request is ever sent.

How to Enable HSTS on Your Server

On Apache, add this directive to your .htaccess file or virtual host configuration:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

On Nginx, add in the HTTPS server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

The max-age parameter defines the duration (in seconds) during which the browser must force HTTPS. 31536000 seconds equals 1 year. includeSubDomains extends the policy to all subdomains. preload enables registration in the browser HSTS preload list.

The HSTS Preload List

The HSTS Preload list is a list of domains built directly into browser source code (Chrome, Firefox, Safari, Edge). Domains on this list are automatically loaded over HTTPS, even during the very first visit. This eliminates the vulnerability window that exists before the browser has received the HSTS header for the first time.

To register your domain, visit hstspreload.org, verify your configuration meets the prerequisites (valid certificate, 301 redirect, HSTS header with preload, includeSubDomains and minimum max-age of 1 year), then submit your domain. Registration takes several weeks to propagate across all browsers.

Warning: registration on the HSTS Preload list is difficult to reverse. Ensure all your subdomains support HTTPS before registering.
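Before submitting to hstspreload.org it is worth checking the header you actually send against both thresholds mentioned in this guide: the SSL Labs A+ minimum of six months (max-age=15768000) and the preload prerequisites (max-age of at least one year, includeSubDomains, preload). The Python below is an added example, not code from the post or from hstspreload.org: it parses a Strict-Transport-Security header the way RFC 6797 describes (directive names are case-insensitive, max-age is required) and returns the list of problems. The header values are constructed; to check a live site, paste in the header from `curl -sI https://yourdomain.com`.

```python
"""Parse and validate a Strict-Transport-Security header (added example)."""

SIX_MONTHS = 15768000   # SSL Labs A+ threshold from the audit section
ONE_YEAR = 31536000     # hstspreload.org minimum


def parse_hsts(header):
    """Return {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.

    Directive names are case-insensitive and the value may be quoted
    (RFC 6797). A header without a valid max-age is ignored by browsers.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(header):
    """Return a list of problems; an empty list means the header is preload-ready."""
    policy = parse_hsts(header)
    if policy["max_age"] is None:
        return ["max-age directive missing: browsers ignore the header"]
    problems = []
    if policy["max_age"] == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    if policy["max_age"] < SIX_MONTHS:
        problems.append(f"max-age {policy['max_age']} is below SSL Labs' A+ threshold ({SIX_MONTHS})")
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below the preload minimum ({ONE_YEAR})")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing (required for preload)")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed headers: the one from the guide, and two weaker ones.
    for header in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=15768000",
                   "includeSubDomains; preload"):
        print(repr(header), "->", check_hsts(header) or "OK")
```

Note that max-age=0 is the documented way to withdraw an HSTS policy from browsers that already cached it; it does nothing for a domain that is in the preload list, which is why the warning above about reversibility matters.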

Special Cases: E-Commerce, Multisite and CDN

E-Commerce and SSL Certificates

For a WordPress e-commerce site (WooCommerce), HTTPS is a legal obligation as much as a technical one. GDPR and consumer protection regulations require protection of personal and financial data. A free DV certificate is technically sufficient, but an OV certificate displays your company name in certificate details, reinforcing buyer trust.

WooCommerce includes a "Force HTTPS on checkout pages" option in its settings. Enable it, but force HTTPS across the entire site, not just checkout pages. A partially secured site is worse than a fully secured one: transitions between HTTP and HTTPS generate warnings and mixed content errors.

WordPress Multisite and Wildcard Certificates

If you manage a WordPress Multisite network with subdomains, a Wildcard certificate covers the entire network. The Wildcard certificate for *.yourdomain.com automatically secures all subdomains: blog.yourdomain.com, shop.yourdomain.com, members.yourdomain.com.

Let's Encrypt has offered free Wildcard certificates since 2018. Validation requires DNS verification (DNS-01 challenge) instead of the standard HTTP verification. Your hosting provider must support this validation method.

CDN and SSL: The Double Encryption Layer

If you use a CDN (Content Delivery Network) like Cloudflare, Fastly or StackPath, SSL configuration involves two connections: visitor to CDN and CDN to your origin server.

Full SSL mode (recommended): the CDN encrypts the connection between the visitor and CDN, and between the CDN and your server. Your origin server must have a valid SSL certificate.

Full (Strict) mode: identical to Full mode, but the CDN verifies that your origin server's certificate is valid and issued by a recognized certificate authority. This is the most secure mode.

Flexible mode (avoid): the CDN only encrypts the connection between the visitor and CDN. The connection between CDN and your server remains HTTP. This mode creates a false sense of security and can cause redirect loops.

Troubleshooting: The Most Common SSL Errors

ERR_CERT_DATE_INVALID: Expired Certificate

The certificate has passed its validity date. Check in your hosting panel that automatic renewal is active. If renewal failed, manually regenerate the certificate. Common failure causes: DNS server change, site unreachable during validation, Let's Encrypt rate limit reached.

ERR_CERT_COMMON_NAME_INVALID: Wrong Domain

The domain name in the certificate does not match the visited domain. This error occurs when the certificate covers example.com but not www.example.com (or vice versa). Regenerate the certificate including both domain variants. On Let's Encrypt, add both domains to the certificate request.
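The two errors above, and the expiry monitoring described in the "Ongoing Monitoring and Renewal" section, come down to two checks on the certificate a server presents: is it still valid, and does its subjectAltName cover the hostname the visitor typed. The Python below is an added example, not code from the post, Uptime Robot or Let's Encrypt: it works on the dictionary shape that Python's getpeercert() returns, computes days until expiry for a 14-day alert, and matches hostnames the way browsers do (only DNS entries in subjectAltName count, the commonName is ignored, and a wildcard matches exactly one label). The certificate dictionaries are constructed for the example.

```python
"""Certificate expiry alert and hostname-coverage check (added example).

Works on dicts in the shape of ssl.SSLSocket.getpeercert(); the two
certificates below are constructed, not fetched from anywhere.
"""
import ssl
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0):
    """Helper so callers can pin 'now' for deterministic checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """notAfter is the 'Jun 26 12:00:00 2026 GMT' form that getpeercert() returns."""
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return (expires_at - now.timestamp()) / 86400


def needs_renewal_alert(cert, now=None, threshold_days=14):
    """True when the certificate is within the alert window (or already expired)."""
    return days_until_expiry(cert, now) <= threshold_days


def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_hostname(cert, hostname):
    """Browser-style matching: subjectAltName DNS entries only; a '*.' wildcard
    matches exactly one label, so *.yourdomain.com does not cover
    yourdomain.com or a.b.yourdomain.com."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if len(labels) >= 2 and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def diagnose(cert, hostname, now=None):
    """Map the two checks onto the browser error names used in this section."""
    if days_until_expiry(cert, now) < 0:
        return "ERR_CERT_DATE_INVALID"
    if not covers_hostname(cert, hostname):
        return "ERR_CERT_COMMON_NAME_INVALID"
    return "OK"


# Constructed certificates: a bare-domain DV certificate that forgot www,
# and a wildcard certificate that also lists the apex.
BARE_DOMAIN_CERT = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "subjectAltName": (("DNS", "yourdomain.com"),),
    "notAfter": "Jun 26 12:00:00 2026 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notAfter": "Sep 10 09:00:00 2026 GMT",
}

if __name__ == "__main__":
    now = utc(2026, 6, 12, 12)
    print("days left:", days_until_expiry(BARE_DOMAIN_CERT, now),
          "alert:", needs_renewal_alert(BARE_DOMAIN_CERT, now))
    for host in ("yourdomain.com", "www.yourdomain.com", "shop.yourdomain.com"):
        print(host, diagnose(BARE_DOMAIN_CERT, host, now), diagnose(WILDCARD_CERT, host, now))
```

To run the same checks against a live server, obtain the dictionary with `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()` and pass it in; a cron job that calls needs_renewal_alert is the self-hosted equivalent of the Uptime Robot expiry alert.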

ERR_SSL_PROTOCOL_ERROR: TLS Configuration Failure

The server and browser cannot negotiate a common TLS protocol. Verify that your server supports TLS 1.2 or 1.3. If you recently modified the TLS configuration, verify that at least one common cipher suite is available. Use SSL Labs to diagnose the issue.

NET::ERR_CERT_AUTHORITY_INVALID: Unrecognized Authority

The certificate is issued by a certificate authority the browser does not recognize. This problem occurs with self-signed certificates (used in development) or when the certification chain is incomplete. Verify that the intermediate certificate is correctly installed on your server.
