WordPress SSL Certificate Problems: Common Causes and Fixes
SSL problems on WordPress sites come from a small set of recurring causes. The fix in each case is well-defined; the trick is identifying which problem you actually have. This guide covers the six most common SSL issues and the specific resolution for each.
1. Certificate Expired
Symptom: Browser shows “Your connection is not private” or “NET::ERR_CERT_DATE_INVALID” warning. The site might still load if the user clicks through the warning, but most won’t.
Cause: The SSL certificate’s validity period ended. For Let’s Encrypt certificates (90-day validity), this usually means auto-renewal silently failed. For paid certificates (typically 1-year validity), this means nobody renewed.
Fix:
- Check the actual expiry date. In a browser, click the padlock → Certificate → Valid Until. Confirm it’s actually expired (timezone issues sometimes make a current cert look expired).
- For Let’s Encrypt: most hosts manage renewal automatically. Log into the hosting control panel and look for an SSL section — usually there’s a “Renew” button or instructions to manually trigger renewal.
- For paid certificates: contact your certificate provider or hosting company to renew.
- After installation, force HTTPS sitewide if it isn’t already (see #5 below).
Prevention: SSL expiry monitoring should fire 30 days before expiry. Most uptime monitoring services include this; verify yours is configured. Synergetic’s Care Plans include SSL expiry monitoring.
2. Mixed Content Warnings
Symptom: The site loads on HTTPS but the padlock shows a warning (“Not Fully Secure”). Some images, scripts, or styles don’t load. Forms or payment widgets may not function.
Cause: The page is served over HTTPS but contains references to resources (images, scripts, styles) loaded over HTTP. Browsers block or warn about these mixed requests.
Fix:
- Open the affected page in Chrome. Open the console (F12 → Console). Look for “Mixed Content” errors. Each error names a specific URL.
- The most common sources of mixed content on WordPress:
- Image URLs in post content that hardcode HTTP.
- External script or font URLs that haven’t been updated to HTTPS.
- Theme files referencing HTTP URLs in CSS.
- Widgets or plugins with HTTP URLs in their configuration.
- Update the specific URLs to HTTPS, or use a plugin like Really Simple SSL to force all asset requests to HTTPS sitewide.
For sitewide content (like image URLs in old posts), a database search-and-replace tool (Better Search Replace plugin, free) can rewrite all http://yoursite.com/ references to https://yoursite.com/ in one pass.
3. SSL Works Without www, Fails With www (or Vice Versa)
Symptom: https://yoursite.com works fine. https://www.yoursite.com shows a warning, or vice versa.
Cause: The SSL certificate covers one hostname but not the other. Many free certificates issue only the main domain unless explicitly configured to include www.
Fix:
- Reissue the certificate with both
yoursite.comandwww.yoursite.comcovered. Most certificate providers do this automatically; if your provider doesn’t, switch to one that does (Let’s Encrypt does by default through most hosts). - After the certificate covers both, set up a 301 redirect to enforce one version. In WordPress Settings → General, set the WordPress Address and Site Address to your preferred version (with or without
www); add a.htaccessredirect to send the other version to the preferred one.
4. SSL Renewal Failed Silently
Symptom: SSL was working. Now the certificate is expired or expiring soon and you don’t know why renewal didn’t happen.
Cause: Let’s Encrypt renewal requires the renewal process to access a specific URL on your site to verify ownership. If that URL is blocked (by a firewall, by a misconfigured plugin, by a maintenance page, by a CDN), renewal fails silently.
Fix:
- Identify why renewal is failing. The renewal process usually logs the failure. Hosting providers typically expose this; for self-hosted setups, check
/var/log/letsencrypt/or your renewal tool’s log. - Common causes:
- The site is behind Cloudflare and Cloudflare’s challenge mode is blocking the renewal.
- A security plugin is blocking the
/.well-known/acme-challenge/URL path. - A maintenance mode plugin is intercepting requests to that path.
- The site changed hosts and the renewal process is pointed at the old host.
- Fix the blocking issue, manually trigger a renewal, confirm it succeeds, then test that automatic renewals work going forward.
5. HTTPS Loop or Redirect Loop
Symptom: Browser shows “ERR_TOO_MANY_REDIRECTS.” The site never loads.
Cause: The site is configured to redirect HTTP to HTTPS, but something else is then redirecting HTTPS to HTTP, creating an infinite loop.
Common configurations that cause this:
- A CDN (Cloudflare, often) is set to “Flexible SSL” mode (which terminates SSL at Cloudflare and connects to origin over HTTP), but the WordPress site also forces HTTPS, so it redirects.
- A
.htaccessredirect to HTTPS conflicts with a server-level HTTPS configuration. - WordPress Settings → General has the WordPress URL with
http://but the site is forcing HTTPS.
Fix:
- If using Cloudflare: change SSL mode from “Flexible” to “Full” or “Full (Strict).”
- Check
.htaccessfor HTTPS redirect rules. Confirm they’re not creating a loop with the server’s own HTTPS configuration. - In
wp-config.php, confirmWP_HOMEandWP_SITEURL(if defined) usehttps://. - In WordPress Settings → General, both URLs should be
https://.
6. Subdomain or Multisite SSL Issues
Symptom: SSL works on the main domain but fails on subdomains, or vice versa. On WordPress Multisite, some subsites work and others don’t.
Cause: Most SSL certificates don’t cover subdomains by default. Wildcard certificates (*.yoursite.com) do, but they’re more expensive and not always issued automatically.
Fix:
- For a small number of subdomains, issue separate certificates for each (Let’s Encrypt allows multiple
Subject Alternative Nameentries on one certificate). - For unpredictable subdomains or multisite, get a wildcard certificate. Let’s Encrypt issues these for free but they require DNS-based verification, which not all hosts support.
- For WordPress Multisite specifically, the SSL setup needs to match the multisite configuration (subdirectory multisite uses the main domain SSL; subdomain multisite needs wildcards or per-subsite certificates).
When SSL Issues Indicate a Bigger Problem
Recurring SSL issues are often a symptom of broader infrastructure neglect. If you’ve fixed the same SSL issue twice, the maintenance process is the actual problem.
A WordPress care plan includes SSL monitoring as part of standard maintenance — expiry alerts well in advance, renewal triggered automatically, and someone responsible for resolving renewal failures before they become visitor-facing.
If the SSL problem is urgent and you don’t have a care plan, Synergetic’s Emergency WordPress Diagnostic covers SSL triage as part of general site emergencies. For a one-time hardening review that includes SSL, the Security & Malware Cleanup service covers it; the Technical SEO service also catches SSL issues as part of the audit.
For systematic monitoring including SSL: see WordPress Uptime Monitoring. For the broader site triage process when SSL is one symptom among several: How to Recover a Broken WordPress Site.
