Bluehost includes a free SSL certificate on all hosting plans, issued through Let’s Encrypt. In most cases it activates automatically when your domain points to Bluehost. But there are situations where you need to enable it manually, force HTTP traffic to redirect to HTTPS, test that it is working correctly, or work out why the padlock is not showing. This guide covers all of that for both the Bluerock and Legacy control panels, plus what to do for WooCommerce stores and when to consider a paid certificate.
What is an SSL Certificate?
An SSL certificate secures the data transmitted between your website and your visitors. When an SSL certificate is active, the site address starts with https:// instead of http://, and a padlock icon appears in the browser address bar.
Beyond visitor trust, SSL has a direct impact on your site’s performance. Research shows that 85% of customers will not interact with a website that lacks an SSL certificate. Google Chrome displays a “Not Secure” warning on pages served over plain HTTP, which damages credibility and reduces conversions. Google has also confirmed that HTTPS is a ranking signal.
The free SSL certificates Bluehost provides cover all assigned and parked domains on your account. The certificate is issued by Let’s Encrypt and renews automatically every 90 days. If you need to add a domain to Bluehost first, do that before enabling SSL, since the certificate will not issue until the domain is properly pointing to Bluehost’s nameservers.
Enabling the Free SSL Certificate on Bluerock
If your account uses the Bluerock interface, follow these steps to enable the free Bluehost SSL certificate.
Step 1 - Log In
Log into your Bluehost account and access the control panel at my.bluehost.com.
Step 2 - My Sites
Click the My Sites tab in the left-hand navigation menu.
Step 3 - Locate Your Site
Find the site you want to secure and click the Manage Site button next to it.
Step 4 - Security Tab
Open the Security tab. Under the Security Certificate section, toggle Free SSL to the On position.
After enabling it, the certificate can take up to a few hours to provision and become active. Bluehost will email you if any additional action is required on your end. Check your site again after 2 to 3 hours to confirm the padlock is showing.
Enabling the Free SSL Certificate on Legacy
If your account is still on the Legacy control panel, use the instructions below to install the Bluehost Let’s Encrypt SSL certificate.
Step 1 - Log In
Log into your Bluehost control panel. From the top navigation, click the WordPress Tools tab.
Step 2 - Security
Click the Security tab in the left-hand menu.
Step 3 - Secure Certificate
Scroll down to the Secure Certificate section and toggle Certificate issued by Let’s Encrypt to the On position.
This should now enable the SSL certificate on your website. Give it a few hours to activate fully before checking the padlock in your browser.
How to Force HTTPS on Bluehost
Once the SSL certificate is active, you need to make sure all HTTP traffic redirects to HTTPS. Without this redirect, visitors who type your address without https:// may still land on the insecure version of your site, and Google may index both versions separately.
Forcing HTTPS via Bluerock
Bluerock includes a built-in toggle for this. Go to My Sites, click Manage Site, then open the Security tab. Below the Free SSL toggle, you will see an option to Enable HTTPS Redirect. Turn this on and all HTTP requests will automatically forward to HTTPS.
Forcing HTTPS via .htaccess (Legacy)
On the Legacy account, you can add a redirect rule to your .htaccess file. Log into cPanel, open the File Manager, and navigate to your site’s root directory (usually public_html). Look for the .htaccess file. If you cannot see it, make sure “Show Hidden Files” is checked.
Add the following lines at the top of the .htaccess file, below the line that reads RewriteEngine On:
RewriteCond %{HTTPS} offRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Save the file. All HTTP requests will now permanently redirect to the HTTPS version of your site. If you’re running WordPress, you can also update the Site URL and WordPress Address fields in Settings > General from http:// to https:// to avoid mixed content issues.
SSL for WooCommerce on Bluehost
Bluehost is an officially recommended WooCommerce host, and SSL is not optional for a WooCommerce store. Every checkout page that collects payment details must be served over HTTPS to meet PCI DSS compliance standards. Without it, your store is transmitting sensitive customer data over an unencrypted connection, which puts your customers at risk and exposes you to liability.
The practical steps for enabling SSL on a WooCommerce store are the same as for any other site on Bluehost. Enable it through the Security tab (Bluerock) or the Secure Certificate section (Legacy), then enable the HTTPS redirect. But there are a few extra steps specific to WooCommerce:
- Update your site URL settings: Go to Settings > General in WordPress and change both the WordPress Address and Site Address from http:// to https://. WooCommerce reads these URLs for checkout page generation.
- Run a database search and replace: Old http:// URLs stored in your product descriptions, image URLs, and page builder content will cause mixed content warnings. Use the Better Search Replace plugin to find and update them in bulk.
- Check the WooCommerce cart and checkout pages: After updating, visit the cart and checkout while logged out and look for the padlock. Any missing padlock or browser warning at the checkout stage is a direct barrier to conversions.
- Consider a paid certificate for extended trust signals: The free Let’s Encrypt certificate is adequate for most WooCommerce stores. However, if your store handles large volumes or enterprise orders, an OV (Organization Validated) or EV (Extended Validation) certificate displays your company name in some browsers and adds an extra layer of customer reassurance. These are available through the Bluehost marketplace.
If your WooCommerce store uses a payment gateway like Stripe or PayPal, those providers handle their own checkout security and do not require your site to have EV SSL. The free Let’s Encrypt certificate is sufficient for redirect-based payment flows. Where SSL on your own domain matters most is when you host the payment form directly (for example, with WooCommerce Payments or a Stripe Elements integration on your site).
Testing Your SSL Certificate
After enabling SSL and forcing HTTPS, it is worth running a proper check rather than just glancing at the browser padlock. The padlock confirms the certificate is present, but it does not tell you about cipher strength, chain issues, or mixed content problems that could still affect visitors or search engines.
SSL Labs Server Test
SSL Labs (by Qualys) provides the most thorough free SSL test available. Go to ssllabs.com/ssltest, enter your domain, and run the analysis. It returns a letter grade (A+ to F) along with details on certificate validity, cipher suites, protocol support, and known vulnerabilities. Most Bluehost Let’s Encrypt installations score an A. If you score lower, the report will tell you exactly why.
WhyNoPadlock
If your site loads over HTTPS but the padlock is not showing, the most likely cause is mixed content: some resources (images, scripts, or fonts) are still loading over plain HTTP. whynopaddock.com scans a single URL and lists every insecure resource it finds on that page, with the exact file paths. This is much faster than hunting through your source code manually.
Browser Developer Tools
You do not need a third-party tool to catch mixed content. Open Chrome DevTools (F12), go to the Console tab, and load your site. Any mixed content warnings will appear as yellow or red warnings with the exact URL of the offending resource. The Security tab in DevTools also gives you a summary of the certificate, including the issuer, expiry date, and whether the connection is considered secure.
Google Search Console Security Issues
Once HTTPS is active, check the Security & Manual Actions section in Google Search Console. If Google detected any security issues related to your certificate or insecure content during its crawls, they will appear here. This is also where you can verify that Google is indexing your https:// URLs rather than the old http:// versions.
Free SSL vs Paid SSL on Bluehost: Which Do You Need?
The free Let’s Encrypt certificate covers the vast majority of use cases. Here is a clear breakdown of when free is enough and when a paid certificate makes sense.
When the Free Certificate Is Enough
- Personal blogs and portfolio sites
- Small business sites collecting contact form submissions
- WooCommerce stores using hosted payment gateways (Stripe, PayPal redirect)
- WordPress membership sites and content subscriptions
- Any site where HTTPS is needed primarily for rankings and user trust
When to Consider a Paid Certificate
- Wildcard SSL: You need to secure multiple subdomains (shop.yourdomain.com, members.yourdomain.com, api.yourdomain.com) under one certificate. The free Let’s Encrypt certificate does not cover custom subdomains. A wildcard certificate costs approximately $49 to $99 per year through the Bluehost marketplace.
- Organization Validated (OV) certificates: These verify your business identity, not just domain ownership. They display the company name in certificate details, which can matter for business-to-business sites where clients check the cert manually. Prices typically start around $79 per year.
- Extended Validation (EV) certificates: The highest level, with full legal identity verification. Priced from around $99 per year and up.
- Multi-domain (SAN) certificates: Cover multiple completely separate domains under one certificate. Useful if you manage several sites and want one certificate to handle all of them.
Bluehost sells certificates from Comodo and DigiCert through its marketplace. You install them via cPanel under Security > SSL/TLS. Unless you have a specific need for wildcard coverage or business identity validation, the free Let’s Encrypt certificate is the right choice for most Bluehost customers.
SSL and the Bluehost Website Builder (WonderSuite)
If you are using the Bluehost website builder (branded as WonderSuite on newer accounts), SSL is handled automatically on your behalf. When you create a site through WonderSuite, the free Let’s Encrypt certificate is provisioned and HTTPS is enforced without any manual steps. You do not need to visit the Security tab or enable any toggles.
If you switch from a WonderSuite site to a self-managed WordPress installation on the same domain, you may need to re-verify the SSL status. Go to the Security tab in My Sites and confirm the free SSL toggle is still on. HTTPS redirect should also be re-enabled if it was set up under the WonderSuite flow, since the underlying site configuration changes when you take over WordPress management directly.
SSL Troubleshooting on Bluehost
Here are the most common SSL problems Bluehost users run into and how to fix them.
Certificate Has Been Pending for More Than 24 Hours
SSL certificates on Bluehost typically activate within a few hours. If yours has been pending for more than 24 hours, the most likely cause is that your domain is not yet pointing to Bluehost’s nameservers. Check your domain registrar and confirm the nameservers are set to ns1.bluehost.com and ns2.bluehost.com. Once DNS propagation is complete, the certificate should provision automatically. If it still does not activate after 48 hours, contact Bluehost support and ask them to manually trigger the SSL issuance.
Mixed Content Warnings (Padlock Shows With a Warning)
A mixed content warning appears when your page loads over HTTPS but some resources (images, scripts, or stylesheets) are still being called over plain HTTP. To fix this in WordPress, install a plugin like Really Simple SSL or Better Search Replace, which will update all internal HTTP references in your database to HTTPS. You can also search your theme files and page builder templates for hardcoded http:// URLs and replace them manually.
SSL Not Working After a Domain Transfer
When you transfer a domain to or from Bluehost, the SSL certificate does not automatically carry over. After the transfer is complete and your nameservers are pointed to Bluehost, you will need to go back into the Security tab (Bluerock) or the Secure Certificate section (Legacy) and re-enable the free SSL. The certificate will issue fresh within a few hours of the nameservers propagating.
SSL Certificate Error on a Specific Subdomain
The free Bluehost SSL certificate covers your primary domain and the www subdomain. It does not cover other subdomains (such as shop.yourdomain.com or blog.yourdomain.com) unless you have a separate hosting plan or install a separate certificate for each subdomain. If a subdomain needs HTTPS coverage, you will need to add it as an addon domain in cPanel and enable SSL for it individually, or purchase a wildcard certificate as described above.
HTTPS Working in Browser but Google Still Showing HTTP in Search Results
Google indexes URLs, not just domains. If your site had http:// URLs indexed before you switched to HTTPS, Google will continue to show those old URLs until it recrawls them and follows the 301 redirect to the https:// version. This process usually takes a few weeks. To speed it up: submit your https:// sitemap in Google Search Console, request indexing for your main pages using the URL Inspection tool, and confirm that your 301 redirect from http:// to https:// is in place and returning the correct status code.
SSL Working on Homepage but Not on Other Pages
If the padlock appears on your homepage but breaks on inner pages, the most common cause is hardcoded http:// links within your content or theme. Use the WhyNoPadlock tool or browser console on the affected page to find the exact resource causing the issue, then update those references to https:// or use a protocol-relative URL.
ERR_SSL_PROTOCOL_ERROR or Connection Not Private
This error typically means the certificate is not yet active, has expired, or is being served for the wrong domain. Check the following in order: confirm the certificate is enabled in the Security tab, check that the domain in your browser address bar matches the domain the certificate was issued for (www and non-www are both covered, but a completely different subdomain is not), and check the expiry date using an SSL checker like SSL Labs. If the certificate appears valid but the error persists, clearing your browser cache and trying in a private/incognito window often resolves it, since browsers cache certificate errors aggressively.
Does Bluehost SSL Auto-Renew?
Yes. The free SSL certificate that Bluehost provides is issued by Let’s Encrypt, which issues certificates with a 90-day validity period. Bluehost handles the renewal process automatically in the background, so you do not need to take any action. Your certificate will be renewed before it expires without any interruption to your site.
You will not receive a renewal notification email for the free certificate because the process is fully automatic. If for some reason the auto-renewal fails (for example, if your domain is no longer pointing to Bluehost), you will get an alert from Bluehost asking you to take action.
Does Bluehost Support Wildcard SSL?
The free SSL certificate that Bluehost provides through Let’s Encrypt does not include wildcard coverage. It covers your root domain and the www subdomain only. If you need to secure multiple custom subdomains, you have two main options:
- Add each subdomain as an addon domain in cPanel and enable a separate free SSL certificate for each one
- Purchase a third-party wildcard SSL certificate and install it through the Bluehost cPanel SSL/TLS section
Bluehost does sell paid SSL certificates, including wildcard options, through its marketplace. These can be installed via cPanel under the Security > SSL/TLS section. Wildcard certificates start at approximately $49 per year and cover an unlimited number of subdomains under a single domain.
Final Word: How to Set Up SSL on Bluehost
An SSL certificate is a basic requirement for any website today. It protects your visitors, improves trust signals, and contributes to search rankings. Bluehost provides a free Let’s Encrypt SSL certificate on all plans, and enabling it takes just a few clicks in either the Bluerock or Legacy control panel. Once it’s active, force the HTTPS redirect so all traffic lands on the secure version of your site, then run a quick test with SSL Labs or WhyNoPadlock to confirm there are no mixed content issues. For WooCommerce stores, those extra steps around database URL updates and checkout page verification are worth the few minutes they take. For additional account security steps, see our guide on how to change your Bluehost cPanel password. And if you haven’t already set up your hosting, take a look at our full Bluehost overview to get started. Make sure your nameservers and A records are correctly configured before enabling SSL, as described in the Bluehost Domain & DNS Guide.
