How to Setup HTTPS (SSL) on Your Website and Get the Web Browser to Show a Padlock

To make a website accessible via HTTPS (SSL) and get the web browser to show a padlock in the web address bar, an SSL certificate needs to be installed on its domain, and each web page must not cause any HTTPS errors.

Automatic FREE SSL installation

When you add a domain to your HostM hosting account, our system automatically installs a FREE SSL certificate from Let’s Encrypt backed by Mozilla, Google, Cisco, Facebook, the Electronic Frontier Foundation, and others.

It usually takes less than 2 minutes for an SSL certificate to be automatically installed on a domain from the time you add the domain to your hosting account. The same applies when adding a subdomain.

Once installed, your website will at this stage be accessible via both HTTP and HTTPS, but you’re not done yet — depending on how your existing website is coded, it might not be able to fully load via HTTPS without any errors. You’ll also need to redirect your HTTP website traffic to HTTPS.

Check each page of your site over HTTPS

Visit the HTTPS version of each page of your site by typing https:// instead of http:// into your web browser’s address bar at the beginning of its web address.

Your goal is to ensure that each page visit on your website results in the web browser showing an unbroken padlock icon in the web address bar, indicating that the page is able to load via HTTPS without any issues.

If the padlock icon is missing or broken, or if you see a “mixed content” security warning, it means the current page you’re on contains embedded elements with hard-coded HTTP (unsecured) web addresses (URLs).

You can see exactly which elements are causing the issue by debugging each affected web page.

To resolve the issue, you’ll need to modify the affected pages and change the URLs of any such embedded elements from HTTP to HTTPS.

The embedded elements can include assets such as images, videos, CSS and JavaScript files, with URLs based on your website‘s domain as well as other domains.

  • Remove any embedded elements (such as images, CSS, and JavaScript files) that have URLs based on other domains that aren’t accessible via HTTPS (i.e. do not have SSL installed).

  • Change the URLs of all embedded elements that are currently hard-coded to begin with http:// to begin with https:// instead. This applies both to URLs located on the same domain as well as on other domains, as long as they are currently hard-coded to begin with http://.

  • If your website runs on WordPress, perform the steps outlined in our guide on moving a WordPress site from HTTP to HTTPS.

  • If your website runs on any other web app, such as Joomla, edit the app’s settings so that your website’s URL begins with https:// rather than http://. If the web app uses a custom theme, you may need to modify the theme as well.

Redirecting HTTP website traffic to HTTPS

Once you’ve double-checked the various pages of your website and confirmed that they’re loading without any errors via HTTPS, you’ll want to redirect your HTTP traffic to HTTPS.

  • Insert the following lines at the beginning of the .htaccess file in your website’s folder (replace example.com below with your actual domain):

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^example.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^www.example.com$ [NC]
    RewriteRule (.*) https://www.example.com/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^example.com$ [NC]
    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    If a .htaccess file doesn’t exist in your website’s folder, simply create a new one.

    For subdomains such as sub.example.com, use the following code instead (replace sub.example.com below with your actual subdomain):

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^sub.example.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^www.sub.example.com$ [NC]
    RewriteRule (.*) https://sub.example.com/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^www.sub.example.com$ [NC]
    RewriteRule (.*) https://sub.example.com/$1 [R=301,L]

Final stage

Upon reaching this stage, your website should now be accessible via HTTPS without errors, the web browser should be displaying a secure padlock logo in the web address bar, and HTTP traffic to your website should be redirecting to HTTPS.

If you’ve done all of the above and something still isn’t working right, and you’re not sure how to fix it, please feel free to open a Client Care ticket via the Client Lounge with specific information on how and where the exact issue is, so that we can advise further.

Automatic SSL renewals

HostM automatically renews your FREE SSL certificates for you, so you don’t have to worry about doing it yourself.

Please ensure that the domain remains on the correct nameservers (DNS) as provided to you in our step-by-step guide to adding a domain to your hosting account. The correct nameservers are needed to ensure that the SSL certificate can be automatically renewed with the certificate authority.

If you change the domain’s nameservers (DNS), or let the domain expire (which will cause the domain registrar to change its nameservers), it will no longer be properly hosted on our servers, and our SSL renewal system won’t be able to automatically renew your SSL certificate for you.

Should you have any questions about making your website accessible via HTTPS, please feel free to open a Client Care ticket via the Client Lounge.