SSL Certificate Expired on WordPress: How to Fix It Fast

What an Expired SSL Actually Does

When your SSL certificate expires, browsers display a full-page warning: “Your connection is not private” (Chrome) or “This Connection Is Not Private” (Safari). Visitors can’t reach your site without clicking through a scary warning that most people — rightfully — won’t dismiss.

This isn’t cosmetic. An expired SSL means:

• Visitors leave. Nobody enters credit card info or fills out a contact form on a site their browser says is unsafe.
• Google demotes you. HTTPS is a ranking signal. An expired cert can trigger a drop in search visibility.
• Form submissions fail. If your site forces HTTPS (which it should), an expired cert makes the entire site unusable.
• Trust evaporates. Even after you fix it, some visitors remember the warning and don’t come back.

Why It Expired

SSL certificates have a fixed lifespan — typically 90 days for Let’s Encrypt (free) or 1 year for paid certificates. They need to be renewed before expiration. When they aren’t, it’s usually one of these reasons:

Auto-Renewal Failed

Most modern hosting providers auto-renew Let’s Encrypt certificates. When auto-renewal fails, it’s typically because:

• DNS changed. If you moved your DNS to Cloudflare or another provider without updating your hosting’s renewal configuration, the HTTP challenge that Let’s Encrypt uses to verify domain ownership fails silently.
• The .well-known directory is blocked. Some security plugins, .htaccess rules, or server configurations block the /.well-known/acme-challenge/ path that Let’s Encrypt needs to validate your certificate.
• cPanel/Plesk job failed. The cron job that handles renewal got stuck or was disabled during a server update.

Paid Certificate Wasn’t Renewed

If you’re using a paid SSL from a provider like Comodo, DigiCert, or GoDaddy, someone needs to manually renew and install it. Renewal emails go to the domain’s admin contact — if that email address is outdated, nobody sees the warning.

How to Fix It

If You’re on Let’s Encrypt (Most WordPress Hosts)

1. Log into your hosting control panel (cPanel, Plesk, or the host’s custom dashboard).
2. Find SSL/TLS settings. Look for “SSL/TLS Status,” “Let’s Encrypt,” or “AutoSSL.”
3. Trigger a manual renewal. Most panels have a “Renew” or “Issue” button. Click it and wait 2-3 minutes.
4. If manual renewal fails, check the error message. Common fixes: verify DNS A records point to the correct server, ensure /.well-known/ isn’t blocked, or temporarily disable security plugins that might interfere.

If You’re on Cloudflare

Cloudflare provides its own SSL at the edge, but you also need a certificate between Cloudflare and your server (origin certificate). If the browser shows an SSL error:

• Check that Cloudflare’s SSL/TLS mode is set to “Full (Strict)”
• Generate an origin certificate in Cloudflare’s dashboard and install it on your server
• Make sure you’re not using a conflicting certificate from your host

If You Have a Paid Certificate

Contact your certificate provider (or whoever manages your hosting). Renew the certificate through their portal, download the new cert files, and install them via your hosting control panel. If your hosting provider manages SSL for you, open a support ticket — they need to install the new certificate on the server.

After the Certificate Is Renewed

Once the new certificate is active:

• Test with SSL Labs. Visit ssllabs.com/ssltest and enter your domain. You want an A or A+ rating with no chain issues.
• Check for mixed content. If some page elements load over HTTP instead of HTTPS, browsers show a “partially secure” warning. Look for hard-coded http:// URLs in your content, theme, or plugins. The “Better Search Replace” plugin can bulk-update these in the database.
• Verify forced HTTPS. Make sure wp-config.php has define('FORCE_SSL_ADMIN', true); and your .htaccess redirects HTTP to HTTPS.

Preventing This From Happening Again

Set a calendar reminder 2 weeks before your SSL expiration date. Or better yet, use hosting that handles SSL renewal automatically and alerts you when it fails.

Parameter Pulse includes free SSL certificates that auto-renew, and Protect monitors your SSL status as part of 24/7 site monitoring — so you find out about renewal failures before your visitors do. If your SSL is expired right now and you need help, our emergency service can usually resolve it within an hour.

If SSL issues keep recurring, the certificate is not really the problem — your ops process is. A free audit surfaces the rest.