Phase 1~30 minEasy

1.4 SSL and HTTPS

Prerequisites

Before you start, make sure you have:

A website hosted somewhere (Section 1.2)
Access to your hosting dashboard

Step-by-Step

Check if SSL is already active

Most modern hosting providers include free SSL via Let’s Encrypt. Type your website URL with https:// in front. If there is no ‘Not Secure’ warning, your SSL is working. Modern browsers no longer show a padlock — they only warn when SSL is missing.

Enable SSL in your hosting dashboard

For Squarespace: it’s automatic. For WordPress on shared hosting: look for ‘SSL/TLS’ or ‘Security’ in your cPanel, and enable the free Let’s Encrypt certificate. For Cloudflare: SSL is automatic with the free plan — set the SSL mode to ‘Full (Strict)’.

Force HTTPS redirect

You want ALL traffic to use HTTPS. In Squarespace, this is automatic. In WordPress, install the Really Simple SSL plugin (free). In Cloudflare, turn on ‘Always Use HTTPS.’

Check for mixed content

Mixed content happens when your HTTPS page loads some resources (images, scripts) over HTTP. Use Why No Padlock (whynopadlock.com) — enter your URL and it’ll tell you exactly which resources are loading over HTTP. Fix them by changing http:// to https://.

Browser SSL Indicator

Modern browsers (Chrome, Safari, Brave, Edge) no longer display a padlock icon for secure sites. Instead, they show a 'Not Secure' warning when SSL is NOT configured. If you see no warning when visiting your site, your SSL is working correctly.

Cloudflare SSL/TLS Overview for rmdboothco.com.au — showing Full encryption mode with 732 TLS v1.3 connections in the last 24 hours.

Cloudflare encryption mode configuration — select "Full" or "Full (Strict)" for proper end-to-end encryption.

Edge Certificates panel showing active SSL certificates with auto-renewal configured.

Common Mistakes to Avoid

Paying for SSL — Free SSL from Let’s Encrypt or Cloudflare is perfectly adequate. Don’t let anyone charge you $100+/year for a basic certificate.
Mixed content warnings — One HTTP image on an HTTPS page can trigger a ‘Not Secure’ warning for the whole page.
Not setting up auto-renewal — Let’s Encrypt certificates expire every 90 days. Verify auto-renewal is working.

Pro Tip

After enabling SSL, test your setup at ssllabs.com/ssltest — enter your domain and aim for an A grade.

You're Done When

Your website loads with https:// and shows no ‘Not Secure’ warning
Typing http:// redirects to https://
No mixed content warnings on any page
SSL Labs test shows grade A or B

30 hours. That's a full working week.

We deliver this entire guide in about 5 days.

Get Your Free Audit Book a Call

Next: 1.5 Transactional Email→← Back: 1.3 Setting Up Business Email View all sections