SSL/TLS is no longer optional for a WordPress site. Browsers flag HTTP pages as "Not Secure"; Google ranks HTTPS sites higher; UK GDPR expects transport encryption for any site collecting personal data. Fortunately, smartxhosting.uk includes free Let's Encrypt SSL on every WordPress plan and automates renewal indefinitely. This guide covers why HTTPS matters, how to activate SSL through Plesk, three complementary methods for forcing HTTPS on every request, how to fix the mixed-content warnings that sometimes follow, and the HSTS and premium-certificate questions that come up for businesses with compliance needs.
Why SSL and HTTPS matter · Free SSL on every smartxhosting.uk plan · Activating SSL in Plesk · Forcing HTTPS — three methods · Fixing mixed content · Checking your SSL configuration · Why SSL matters for UK businesses · Premium SSL certificates: OV and EV · HSTS — HTTP Strict Transport Security · Certificate renewal and troubleshooting · Frequently asked questions
SSL/TLS encrypts data travelling between visitors' browsers and your WordPress server. When SSL is active, the URL starts with https:// and browsers show a padlock. Without it:
The practical bar is simple: in 2026, there is no credible reason to run a WordPress site without SSL.
All WordPress hosting plans — WP Minimum (GBP 2/mo), WP Standart (GBP 5/mo), WP Maximum (GBP 10/mo) — include free Let's Encrypt SSL.
Your domain's DNS must point to smartxhosting.uk before you can issue an SSL certificate. If you have just connected a new domain, wait for DNS propagation to complete (typically 1–4 hours) before issuing. See the domain and SSL setup guide.
Plesk left sidebar > Websites & Domains > select your domain > SSL/TLS Certificates.
Click Install (or Get it free) under Let's Encrypt. Configure:
webmail..Click Get it free. Plesk performs DNS validation (or HTTP-01 challenge), issues and installs. Typically under a minute.
When complete, a green padlock icon appears next to the domain in Websites & Domains. Site is now encrypted.
Installing SSL does not automatically redirect HTTP to HTTPS. Use all three methods together for full coverage.
Creates a server-level 301 redirect that works before WordPress even loads.
All HTTP requests now redirect to HTTPS with a 301 status code, preserving SEO link equity.
Regardless of the Plesk redirect, update URLs inside WordPress.
http:// to https://.Only do this after SSL is confirmed working. Changing URLs before SSL is active can lock you out of the dashboard.
If URLs get out of sync, use WP-CLI from the Plesk WordPress Toolkit:
wp option update siteurl 'http://yourdomain.co.uk' wp option update home 'http://yourdomain.co.uk'
Reverts and gets you back in. Fix SSL first, then update URLs.
To ensure the WordPress dashboard always loads over HTTPS even in edge cases, add to wp-config.php above the "That's all, stop editing!" line:
define( 'FORCE_SSL_ADMIN', true );
Forces all login pages and dashboard requests to HTTPS. Especially important if admin access happens from public Wi-Fi.
After enabling HTTPS you may notice the padlock shows a warning or is missing. Mixed content — the HTML is HTTPS but some resources (images, stylesheets, scripts, fonts) are still referenced with http:// URLs.
Browsers either block mixed content (scripts, stylesheets) or load it but strip the padlock (images, media).
http://yourdomain.co.uk.https://yourdomain.co.uk.Plesk WordPress Toolkit has a WP-CLI button. Run:
wp search-replace 'http://yourdomain.co.uk' 'https://yourdomain.co.uk' --all-tables --dry-run
Review, remove --dry-run, run for real. WP-CLI handles serialised data correctly — safer than raw SQL.
Plugin that fixes mixed content automatically at page render via output filtering. Adds a small runtime cost per page load but requires no database changes. Easy one-click option.
Cached HTML still contains old URLs until refreshed.
Visit your site in Chrome/Firefox/Safari. Click the padlock icon. Should show "Connection is secure" and certificate details including expiry date, issuer (Let's Encrypt Authority X3 or similar).
Visit ssllabs.com/ssltest. Enter your domain. Get a detailed report grading your SSL configuration A+ to F. Target A+.
Useful flags SSL Labs might raise:
Other free SSL/security grading tools. Check multiple for different perspectives.
Security tab shows full certificate chain, protocol and cipher details. Useful for deep diagnosis.
Beyond the generic reasons, SSL carries specific UK relevance.
Free Let's Encrypt certificates are "Domain Validated" (DV) — the CA confirms the requester controls the domain. Sufficient for the vast majority of UK sites.
Two higher-validation tiers exist.
CA additionally confirms the legal entity exists (Companies House lookup for a UK Ltd, equivalent registries elsewhere). 1–5 business days to issue. GBP 40–80 per year.
Deeper checks including physical address verification, director confirmation. GBP 100–300 per year.
The visual differentiator (the green bar with company name) was removed from every major browser in 2019. Browsers show the same padlock regardless of validation level.
Premium certificates still occasionally required for compliance:
For typical UK SMEs, Let's Encrypt DV is sufficient and saves money.
Once HTTPS is working reliably, enable HSTS. Tells browsers "always use HTTPS for this domain, even if the user types http" — removes a small window where HTTP-to-HTTPS redirects could theoretically be intercepted.
Plesk > Websites & Domains > Apache & nginx Settings > Additional HTTP response headers:
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Or via .htaccess:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Once HSTS is active, browsers remember the instruction for the max-age duration (one year above). Downgrading back to HTTP becomes difficult within that window. Only enable when HTTPS is solid.
For extra security, submit your domain to the HSTS preload list (hstspreload.org). Then browsers ship with the instruction baked in — even first-time visitors are HTTPS-enforced. Adds preload to the header and takes a couple of weeks to propagate into browser updates.
Let's Encrypt certificates valid for 90 days. Plesk's Let's Encrypt integration renews automatically around 30 days before expiry. You do not need to touch it.
Common causes:
Let's Encrypt emails you 20 days before expiry if renewal fails. Plesk dashboard also flags it. Worst case, re-issue manually from the SSL/TLS Certificates page — same two-click process as original install.
If a certificate expires without renewal, browsers show a prominent warning page. Resolve by re-issuing. Visitor trust impact is temporary if fixed within hours.
Do I need SSL on my development site?
Yes, if publicly accessible. smartxhosting.uk staging clones inherit SSL from the wildcard certificate. For non-smartxhosting.uk staging, use the Let's Encrypt certificate if the staging domain is on the same Plesk account.
Why is my site still marked "Not Secure" after installing SSL?
Either (1) WordPress URL fields are still set to http:// (Settings > General), (2) hosting-level HTTP → HTTPS redirect is not enabled, (3) there is mixed content in pages or CSS, or (4) a stale cache serves the old version. Work through all four in order.
Does Cloudflare's free SSL replace Let's Encrypt at the origin?
Cloudflare's "Flexible SSL" mode encrypts only between visitor and Cloudflare — the link from Cloudflare to your origin is still HTTP. Weaker than end-to-end encryption. Use Cloudflare in "Full (Strict)" mode with Let's Encrypt on the origin.
Can the same SSL certificate cover email?
Yes. Tick Secure the mail server when issuing. SMTP and IMAP services use the same certificate, so mail clients connect over TLS without certificate warnings.
What happens if Let's Encrypt goes down?
Existing certificates continue working until expiry. If Let's Encrypt is unavailable during a renewal attempt, Plesk retries automatically. Let's Encrypt has had very high uptime since 2016; this is a theoretical concern more than a practical one.
Do I need a dedicated IP address for SSL?
No. Modern SSL uses SNI (Server Name Indication), so many sites can share one IP with individual certificates. Dedicated IPs are rarely needed for SSL anymore.
How do I know if HSTS is enabled?
Chrome DevTools > Network tab, inspect any response. Look for the Strict-Transport-Security header.
Will switching to HTTPS hurt my SEO temporarily?
A correctly executed switch (301 redirects, canonical URLs updated, sitemap resubmitted) should see Google re-index the HTTPS version within 1–4 weeks. Ranking drops of 5–10% during the transition are not unusual but usually recover and often improve beyond pre-switch levels.
Can I get multiple certificates for different subdomains?
Yes, but the wildcard Let's Encrypt certificate is simpler — covers all subdomains with one certificate. Only use separate certificates for specific compliance reasons.
What if I want to buy a paid OV/EV certificate?
Buy from any CA (DigiCert, Sectigo, GlobalSign). Upload via Plesk's SSL/TLS Certificates screen. Install on the domain alongside or replacing Let's Encrypt. Supported; just costs more than the free option.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.
View WordPress hosting plans →