Really Simple SSL plugin review and common issues

Really Simple SSL is used for small but important admin tasks, redirects, content cleanup, and site maintenance. In most cases, it fits business sites better than a custom build done too early. A common issue is that a simple setting change affects more pages than expected. This usually happens when utility plugins are easy to forget until they conflict with another admin tool. It can save time, but it still needs testing on a staging site before major changes go live. From experience, Really Simple SSL works best when you keep the setup focused and avoid overlapping plugins.

What is the Really Simple SSL plugin?

Really Simple Security (formerly Really Simple SSL) is the most widely installed SSL and security plugin for WordPress, with over 4 million active installations and a 4.9-star rating. It was originally built to solve one specific problem: making the switch from HTTP to HTTPS effortless for WordPress sites that had an SSL certificate installed at the server level but were still serving content over HTTP. With one click, the plugin detects the SSL certificate, forces HTTPS redirection, sets secure cookie flags, and fixes mixed content warnings — reducing what was previously a multi-step technical process to a single plugin activation.

In 2024, the plugin rebranded to Really Simple Security and expanded its scope significantly beyond SSL migration. The free version now includes 18 WordPress hardening features (disable XML-RPC, remove version disclosure, prevent directory browsing, disable file editing, etc.), basic vulnerability detection against a WordPress vulnerability database, and Two-Factor Authentication (2FA) for login security. This positions it as a lightweight security plugin alongside its SSL management core — competing with plugins like Wordfence and Sucuri on specific hardening features while maintaining a much smaller performance footprint.

The Pro version ($49/year for a single site) adds advanced security headers (HSTS, Content Security Policy, X-Frame-Options), mixed content scanning for HTTPS migration edge cases, firewall features, login protection with brute force prevention, and advanced vulnerability management with automated remediation. For agencies managing multiple client sites, the agency license covers unlimited sites. Really Simple Security’s strength is the combination of genuinely simple setup with a meaningful feature set — it is the recommended first step for any WordPress site moving to HTTPS or implementing basic security hardening.

Key Features

  • One-click SSL/HTTPS migration with automatic detection
  • 301 redirect from HTTP to HTTPS
  • Secure cookie configuration
  • Mixed content detection and fixing
  • 18 WordPress hardening features: disable XML-RPC, remove version numbers, prevent directory browsing, disable file editing, and more

Pros & Cons

Pros

  • Simplest SSL/HTTPS migration tool available — one click for most sites
  • 4.9-star rating on WordPress.org with 4M+ installations — exceptional reliability track record
  • Now includes 2FA and hardening features beyond SSL — broad security value for a free plugin

Cons

  • Pro features ($49/year) overlap with Wordfence free for some functions like brute force protection
  • Advanced security headers (HSTS, CSP) in Pro require technical knowledge to configure correctly — misconfiguration can break site functionality

Free vs Premium

Free: SSL migration, HTTPS redirect, 18 hardening features, 2FA, basic vulnerability detection. Pro ($49/year, 1 site): advanced security headers, firewall, brute force protection, mixed content scanner, Let’s Encrypt, advanced vulnerability management. Agency (unlimited sites): available at higher pricing.

Common Problems & Fixes

After activating Really Simple SSL, my WordPress site shows a redirect loop — the browser reports "ERR_TOO_MANY_REDIRECTS." How do I fix this?

A redirect loop occurs when the server redirects from HTTP to HTTPS, but WordPress generates an HTTP URL for the redirect target, creating an infinite loop. Causes and fixes: (1) the SSL certificate is not properly installed at the server level — Really Simple SSL cannot force HTTPS if the server does not have a valid SSL certificate; verify SSL in your hosting control panel; (2) a reverse proxy or CDN (Cloudflare) sits between the browser and your server — add define('FORCE_SSL_ADMIN', true); to wp-config.php and add Cloudflare’s IP ranges to WordPress’s trusted proxies; (3) Really Simple SSL was deactivated without properly reverting the WordPress siteurl and home URL — directly edit wp-config.php to define the WordPress URL constants as HTTPS.
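Cause (2), modelled as an added example (not code from the plugin or from WordPress): an origin behind a TLS-terminating proxy only ever sees plain HTTP, so a force-HTTPS rule loops unless it honours X-Forwarded-Proto, and it should honour that header only from known proxy addresses. The function names and the 203.0.113.0/24 proxy range are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the CDN's published ranges (TEST-NET-3).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def request_is_https(peer_ip, scheme, headers, trust_forwarded):
    """Should the origin treat this request as HTTPS?"""
    if scheme == "https":
        return True
    if not trust_forwarded:
        return False
    # Honour X-Forwarded-Proto only when the TCP peer is a known proxy;
    # otherwise any client could claim "https" by sending the header itself.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False
    return headers.get("X-Forwarded-Proto", "").lower() == "https"

def origin_response(peer_ip, scheme, headers, host, path, trust_forwarded):
    """Origin with a force-HTTPS rule: 301 to https:// unless already HTTPS."""
    if request_is_https(peer_ip, scheme, headers, trust_forwarded):
        return 200, None
    return 301, f"https://{host}{path}"

def browse(host, path, trust_forwarded, max_redirects=10):
    """Browser -> proxy (terminates TLS) -> origin over HTTP.
    Returns (result, hops)."""
    for hop in range(1, max_redirects + 1):
        # The proxy forwards every HTTPS request to the origin as plain HTTP.
        status, _location = origin_response(
            "203.0.113.7", "http", {"X-Forwarded-Proto": "https"},
            host, path, trust_forwarded)
        if status == 200:
            return 200, hop
        # _location is the same https:// URL, so the next hop repeats.
    return "ERR_TOO_MANY_REDIRECTS", max_redirects

if __name__ == "__main__":
    print(browse("example.com", "/", trust_forwarded=False))
    print(browse("example.com", "/", trust_forwarded=True))
```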

Really Simple SSL is showing "mixed content" warnings — some resources are still loading over HTTP. How do I find and fix them?

Mixed content occurs when HTTPS pages load assets (images, scripts, stylesheets) from HTTP URLs. Really Simple SSL’s free version includes basic mixed content fixing by rewriting output buffer URLs from HTTP to HTTPS. For persistent mixed content: (1) use the Really Simple SSL diagnostic tool to identify the source; (2) use browser DevTools → Console to see which specific URLs are loading over HTTP; (3) common sources: hardcoded HTTP URLs in content, external scripts referencing HTTP resources, theme or plugin files with absolute HTTP paths. Run a search-replace in the database (using Better Search Replace plugin) to convert all http://yourdomain.com to https://yourdomain.com.

Really Simple SSL 2FA is locking out an administrator — they entered the wrong 2FA code too many times and cannot log in. How do I disable 2FA for that user?

Access the WordPress database directly via phpMyAdmin or the hosting control panel. Find the user’s record in wp_users and note their user ID. In wp_usermeta, search for rows with that user ID whose meta_key contains “two_factor” or “rsssl”, and delete those rows to disable 2FA for that user. Alternatively, if you have another admin account, log in as that administrator and go to WordPress → Users → [affected user] → Disable 2FA in the user profile. As a preventive measure, configure backup email codes when setting up 2FA for administrators.

Customization & Developer Notes

How do I configure HSTS (HTTP Strict Transport Security) with Really Simple SSL Pro?

In Really Simple SSL Pro → Security Headers → HSTS, enable HSTS and configure the max-age value (how long browsers remember that the site requires HTTPS — recommended: 31536000 seconds = 1 year). Optionally enable “includeSubDomains” to cover all subdomains and “preload” to submit your site to the HSTS preload list (browsers then enforce HTTPS before any connection is made). Start with a short max-age (3600 = 1 hour) to test, then increase to the full year once you are confident the HTTPS configuration is stable. HSTS cannot be easily reversed once set to a long duration — plan carefully.
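To verify the staged rollout described above, the following added example (not the plugin's code) parses a Strict-Transport-Security header value as served by the site and flags the stage it represents. The finding codes are names chosen here; the preload check reflects the preload list's submission requirements (max-age of at least 31536000, includeSubDomains, and preload).

```python
ONE_YEAR = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":   # directive names are case-insensitive
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_hsts(value):
    """Return a list of finding codes for one header value."""
    p = parse_hsts(value)
    if p["max_age"] is None:
        return ["INVALID"]             # no usable max-age: browsers ignore it
    findings = []
    if p["max_age"] == 0:
        findings.append("REMOVES_POLICY")   # browsers drop the stored policy
    elif p["max_age"] < ONE_YEAR:
        findings.append("TEST_STAGE")       # short max-age, e.g. 3600
    if p["include_subdomains"]:
        findings.append("SUBDOMAINS_COVERED")  # every subdomain needs valid HTTPS
    if p["preload"]:
        ok = p["include_subdomains"] and p["max_age"] >= ONE_YEAR
        findings.append("PRELOAD_ELIGIBLE" if ok else "PRELOAD_UNMET")
    return findings

if __name__ == "__main__":
    # Constructed header values for each rollout stage.
    for header in ("max-age=3600",
                   "max-age=31536000; includeSubDomains; preload",
                   "max-age=3600; preload",
                   "includeSubDomains"):
        print(f"{header!r}: {audit_hsts(header)}")
```

A max-age of 0 only clears the policy in browsers that revisit the site over a working HTTPS connection, which is why the short test value comes first.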

How do I use Really Simple SSL to generate a free SSL certificate (Let's Encrypt)?

Let’s Encrypt certificate generation in Really Simple SSL Pro requires hosting that does not already provide SSL and supports the ACME protocol (used by Let’s Encrypt for validation). In Pro → SSL → Generate Certificate, enter your domain and email. Really Simple SSL Pro handles the domain validation challenge and certificate installation. Most modern managed WordPress hosts (Kinsta, WP Engine, SiteGround, Cloudways) already provide free SSL automatically — use Really Simple SSL’s SSL enforcement instead. The Let’s Encrypt generation is primarily useful on basic VPS or unmanaged servers without automated SSL provisioning.

Frequently Asked Questions

Is Really Simple SSL sufficient for complete WordPress security, or do I need Wordfence as well?

Really Simple SSL (now Really Simple Security) covers SSL migration, basic hardening, 2FA, and vulnerability scanning. Wordfence adds a dedicated web application firewall (WAF), malware scanning, and real-time threat intelligence. For most small to medium WordPress sites, Really Simple Security’s free features provide a solid security baseline. If the site handles sensitive data, runs WooCommerce, or is a frequent target for attacks, adding Wordfence free (or upgrading to Really Simple Security Pro) provides additional firewall and malware protection. The two plugins can coexist.

What is the difference between Really Simple SSL and Really Simple Security?

They are the same plugin. The plugin was renamed from “Really Simple SSL” to “Really Simple Security” in 2024 to reflect its expanded scope beyond SSL migration — it now includes hardening features, 2FA, vulnerability detection, and (in Pro) a firewall. Existing installations updated automatically. The plugin’s primary URL and WordPress.org listing were also updated. All functionality from the old Really Simple SSL is preserved, plus the new security features.

Can Really Simple SSL break after updates?

Yes, that can happen, especially on older sites with many plugins. This usually happens when the plugin, theme, and add-ons are updated out of sequence. In most cases, testing on staging catches the issue before it reaches the live site. From experience, backups and changelog reviews save a lot of cleanup time.

What should I check before installing Really Simple SSL?

Start by checking whether another plugin already does the same job. In most cases, overlap is what creates avoidable conflicts and performance issues. A common issue is installing a plugin because it looks convenient without checking the stack first. From experience, a short compatibility review avoids most of the pain later.
