WordPress SSL Certificate Problems: Common Causes and Fixes

[ins_single_breadcrumb]
[ins_single_header]
[ins_single_thumb]

WordPress SSL Certificate Problems: Common Causes and Fixes

SSL problems on WordPress sites come from a small set of recurring causes. The fix in each case is well-defined; the trick is identifying which problem you actually have. This guide covers the six most common SSL issues and the specific resolution for each.

1. Certificate Expired

Symptom: Browser shows “Your connection is not private” or “NET::ERR_CERT_DATE_INVALID” warning. The site might still load if the user clicks through the warning, but most won’t.

Cause: The SSL certificate’s validity period ended. For Let’s Encrypt certificates (90-day validity), this usually means auto-renewal silently failed. For paid certificates (typically 1-year validity), this means nobody renewed.

Fix:

  1. Check the actual expiry date. In a browser, click the padlock → Certificate → Valid Until. Confirm it’s actually expired (timezone issues sometimes make a current cert look expired).
  2. For Let’s Encrypt: most hosts manage renewal automatically. Log into the hosting control panel and look for an SSL section — usually there’s a “Renew” button or instructions to manually trigger renewal.
  3. For paid certificates: contact your certificate provider or hosting company to renew.
  4. After installation, force HTTPS sitewide if it isn’t already (see #5 below).

Prevention: SSL expiry monitoring should fire 30 days before expiry. Most uptime monitoring services include this; verify yours is configured. Synergetic’s Care Plans include SSL expiry monitoring.

2. Mixed Content Warnings

Symptom: The site loads on HTTPS but the padlock shows a warning (“Not Fully Secure”). Some images, scripts, or styles don’t load. Forms or payment widgets may not function.

Cause: The page is served over HTTPS but contains references to resources (images, scripts, styles) loaded over HTTP. Browsers block or warn about these mixed requests.

Fix:

  1. Open the affected page in Chrome. Open the console (F12 → Console). Look for “Mixed Content” errors. Each error names a specific URL.
  2. The most common sources of mixed content on WordPress:
  • Image URLs in post content that hardcode HTTP.
  • External script or font URLs that haven’t been updated to HTTPS.
  • Theme files referencing HTTP URLs in CSS.
  • Widgets or plugins with HTTP URLs in their configuration.
  1. Update the specific URLs to HTTPS, or use a plugin like Really Simple SSL to force all asset requests to HTTPS sitewide.

For sitewide content (like image URLs in old posts), a database search-and-replace tool (Better Search Replace plugin, free) can rewrite all http://yoursite.com/ references to https://yoursite.com/ in one pass.

3. SSL Works Without www, Fails With www (or Vice Versa)

Symptom: https://yoursite.com works fine. https://www.yoursite.com shows a warning, or vice versa.

Cause: The SSL certificate covers one hostname but not the other. Many free certificates issue only the main domain unless explicitly configured to include www.

Fix:

  1. Reissue the certificate with both yoursite.com and www.yoursite.com covered. Most certificate providers do this automatically; if your provider doesn’t, switch to one that does (Let’s Encrypt does by default through most hosts).
  2. After the certificate covers both, set up a 301 redirect to enforce one version. In WordPress Settings → General, set the WordPress Address and Site Address to your preferred version (with or without www); add a .htaccess redirect to send the other version to the preferred one.

4. SSL Renewal Failed Silently

Symptom: SSL was working. Now the certificate is expired or expiring soon and you don’t know why renewal didn’t happen.

Cause: Let’s Encrypt renewal requires the renewal process to access a specific URL on your site to verify ownership. If that URL is blocked (by a firewall, by a misconfigured plugin, by a maintenance page, by a CDN), renewal fails silently.

Fix:

  1. Identify why renewal is failing. The renewal process usually logs the failure. Hosting providers typically expose this; for self-hosted setups, check /var/log/letsencrypt/ or your renewal tool’s log.
  2. Common causes:
  • The site is behind Cloudflare and Cloudflare’s challenge mode is blocking the renewal.
  • A security plugin is blocking the /.well-known/acme-challenge/ URL path.
  • A maintenance mode plugin is intercepting requests to that path.
  • The site changed hosts and the renewal process is pointed at the old host.
  1. Fix the blocking issue, manually trigger a renewal, confirm it succeeds, then test that automatic renewals work going forward.

5. HTTPS Loop or Redirect Loop

Symptom: Browser shows “ERR_TOO_MANY_REDIRECTS.” The site never loads.

Cause: The site is configured to redirect HTTP to HTTPS, but something else is then redirecting HTTPS to HTTP, creating an infinite loop.

Common configurations that cause this:

  • A CDN (Cloudflare, often) is set to “Flexible SSL” mode (which terminates SSL at Cloudflare and connects to origin over HTTP), but the WordPress site also forces HTTPS, so it redirects.
  • A .htaccess redirect to HTTPS conflicts with a server-level HTTPS configuration.
  • WordPress Settings → General has the WordPress URL with http:// but the site is forcing HTTPS.

Fix:

  1. If using Cloudflare: change SSL mode from “Flexible” to “Full” or “Full (Strict).”
  2. Check .htaccess for HTTPS redirect rules. Confirm they’re not creating a loop with the server’s own HTTPS configuration.
  3. In wp-config.php, confirm WP_HOME and WP_SITEURL (if defined) use https://.
  4. In WordPress Settings → General, both URLs should be https://.

6. Subdomain or Multisite SSL Issues

Symptom: SSL works on the main domain but fails on subdomains, or vice versa. On WordPress Multisite, some subsites work and others don’t.

Cause: Most SSL certificates don’t cover subdomains by default. Wildcard certificates (*.yoursite.com) do, but they’re more expensive and not always issued automatically.

Fix:

  1. For a small number of subdomains, issue separate certificates for each (Let’s Encrypt allows multiple Subject Alternative Name entries on one certificate).
  2. For unpredictable subdomains or multisite, get a wildcard certificate. Let’s Encrypt issues these for free but they require DNS-based verification, which not all hosts support.
  3. For WordPress Multisite specifically, the SSL setup needs to match the multisite configuration (subdirectory multisite uses the main domain SSL; subdomain multisite needs wildcards or per-subsite certificates).

When SSL Issues Indicate a Bigger Problem

Recurring SSL issues are often a symptom of broader infrastructure neglect. If you’ve fixed the same SSL issue twice, the maintenance process is the actual problem.

A WordPress care plan includes SSL monitoring as part of standard maintenance — expiry alerts well in advance, renewal triggered automatically, and someone responsible for resolving renewal failures before they become visitor-facing.

If the SSL problem is urgent and you don’t have a care plan, Synergetic’s Emergency WordPress Diagnostic covers SSL triage as part of general site emergencies. For a one-time hardening review that includes SSL, the Security & Malware Cleanup service covers it; the Technical SEO service also catches SSL issues as part of the audit.

For systematic monitoring including SSL: see WordPress Uptime Monitoring. For the broader site triage process when SSL is one symptom among several: How to Recover a Broken WordPress Site.

[ins_post_cta]
Shopping Cart
Scroll to Top