SSL problems in WordPress fall into four types. Read which matches your situation first – the fixes are completely different from each other. Browser shows “Your connection is not private”: the certificate is expired or wrong. Padlock with a warning triangle: mixed content (some resources still loading over HTTP). Redirect loop after adding HTTPS: URL configuration conflict. API calls failing with SSL errors: outdated CA certificate bundle on the server.
Type 1: Browser Shows “Your Connection Is Not Private”
This means the SSL certificate itself is invalid, expired, or not installed correctly. Open the error details in the browser (usually a “Certificate” or “Not Secure” link). Check:
- Certificate expired – Look at the “Valid until” date. Let’s Encrypt certificates expire every 90 days and auto-renew. If auto-renewal failed, the certificate is expired. Go to your hosting panel and manually renew or reissue the certificate. Check why auto-renewal failed (often a DNS configuration issue or a rate limit hit).
- Certificate domain mismatch – The certificate was issued for a different domain. A certificate for example.com does not cover www.example.com unless it includes both. Reissue the certificate to include all variants of your domain.
- Certificate not trusted – The certificate is self-signed (common on local development, not on production). Replace with a Let’s Encrypt certificate from your host.
Problem not solved? Describe the issue and get a free estimate.
Type 2: Mixed Content Warnings (Padlock With Warning)
The certificate is valid and the page loads over HTTPS, but some resources (images, scripts, stylesheets) are loading over HTTP. Browsers block or warn about HTTP content on HTTPS pages. The padlock shows a warning rather than being fully green.
Identify the mixed content resources using browser DevTools -> Console. Look for warnings starting with “Mixed Content: The page at ‘https://…’ was loaded over HTTPS, but requested an insecure resource ‘http://…'”. The URL in the warning tells you exactly which resource is loading over HTTP.
Fix the mixed content by making those URLs load over HTTPS. The most reliable method is a database search-replace to update hardcoded HTTP URLs:
# Using WP-CLI:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guidInstall the Really Simple SSL plugin as a complement – it adds a Content Security Policy header that upgrades HTTP resources to HTTPS automatically on load, catching mixed content that database search-replace misses (like content in theme files or external embeds).
Type 3: Redirect Loop After Adding HTTPS
The site redirects endlessly between HTTP and HTTPS. This is always a configuration conflict where two components disagree about which protocol the site should use.
Check these in order:
WordPress URL settings: Go to Settings -> General. Both WordPress Address and Site Address must use https://. If either says http://, update it to https://.
wp-config.php constants: Look for WP_HOME or WP_SITEURL – if they specify http://, override them with https://.
Cloudflare SSL mode: If you use Cloudflare, check that the SSL mode is “Full” or “Full (Strict)” – not “Flexible”. Flexible mode causes redirect loops with WordPress sites that force HTTPS.
.htaccess redirect: If you have a redirect rule in .htaccess forcing HTTPS, and WordPress is also redirecting HTTP to HTTPS, you may have double redirects. Ensure only one redirect to HTTPS exists.
Type 4: SSL Works in Browser But Fails for API Calls
WordPress makes outgoing HTTPS requests to wordpress.org for updates, to payment gateways, and to various API endpoints. If these fail with SSL errors, your server’s SSL certificate bundle (the list of trusted CA certificates) may be outdated. Contact your host to update the CA certificate bundle. On servers you control, run: update-ca-certificates on Debian/Ubuntu or update-ca-trust on CentOS/RHEL.