Sometimes, the sun shines as intended, everything goes as planned, and you are about to hand out your website project to the client, and then, boom, the SSL issue appears, as it seems, from nowhere. The website is full of errors, doesn’t load correctly, and you are in pain.
I will do my best to be helpful and analyze and collect all the possible SSL issues that may occur on the WordPress website and how to fix them.
Table of Contents
What Is SSL?
SSL certificate is a must for a website to have a secure HTTPS connection. Before going into technical details about SSL, let me put it simply: SSL issues are a very, very big problem for any website because, let’s guess, how many potential clients will dare to visit your site if they see this screen of “Your Connection is not private”:
I guess just very few – only those who actually understand what’s going on, really want to open your website and don’t wonder why no one fixed this issue, right?
The rest will leave, no matter how much you’ve paid for the ads or if the most trusted influencers promoted you. Since 2018, when Google started showing such warnings and ranking sites without HTTPS lower, SSL certificates are important even if you don’t store any sensitive user information.
Long story short, SSL certificates encrypt the connection between the browser and server and make it secure.
Now, let’s go into more detail about SSL and how it works.
SSL stands for Secure Socket Layer; it’s often used with TLS (SSL/TLS) or just “SSL” as a general name for both. They use asymmetric and symmetric encryption, where two keys are involved, public and private, used by a web server and a browser to encrypt and then decrypt data, so it’s very hard to steal it on the way during the transmission.
Types of SSL certificates
The two major types of SSL certificates are free and paid.
Let’s Encrypt is a free and the most common SSL/TLS certificate that you can get from pretty much any hosting provider while setting up a website. Such certificates are open-source, and while they are valid for only 90 days, there is an automatic renewal option, so you don’t have to worry about setting it up again and again. There are also other certification authorities (CAs) that provide such certificates.
In most cases, especially if you use shared hosting, setting up such a certificate takes just a few clicks.
The downside of free certificates is that they are issued automatically, so anyone, including attackers, can use them for fishing sites.
Another type is paid SSL certificates. They are used mostly by financial institutions and authorities that store a lot of user information, have many transactions, have big eCommerce sites, databases, etc. In this case, CAs physically investigate domains or companies. There is also such a thing as a warranty, so the victim gets financial compensation in case of security breaches.
Validation levels
Certification authorities can validate sites on three main levels: domain level, organization level, and extended validation level.
- The Domain Validation level (DV certificates) are great for smaller websites that don’t store sensitive data. They can be free or quite cheap.
- The Organization Validation level (OV certificates) provides stronger validation of the organization and protection.
- Extended Validation (EV certificates) are the best for websites that store sensitive user information.
Common SSL Issues
There are a few common issues with SSL certificates you can come across; let’s see how to fix them.
SSL can’t be installed
This issue can happen because of improper DNS settings, such as if the DNS A records are different from the AAAA records. In this case, copy the existing AAAA (IPV6) record, paste it somewhere to the notepad as a backup, and then delete it.
Actually, different domain registrars can have slightly different protocols for pointing domains to your server, which is why it’s better to use their support documentation.
There are other installation issues, such as SSL certificate type mismatch, which can happen if you are trying to install a multi-domain certificate for certain types of shared hosting plans. Again, the restrictions can be specific to your hosting provider, so check their documentation.
No redirect to HTTPS
After SSL certificate installation, make sure all the requests are redirected to HTTPS. WordPress doesn’t do it automatically. That’s why you have to either find such a setting on your hosting panel (most of the shared hostings provide it) or add this code to the .htaccess file manually:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ (.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L, R=301]
</IfModule>Mixed Content Error
If you have this issue, your website may not be displayed properly (CSS is not fetched, or certain functionality doesn’t work). The reason for this is that some of your external files, which the website likes and tries to use (e.g., CSS files or images), are using an HTTP connection instead of HTTPS, so they are blocked. Sometimes, this happens when you move a website from a local environment, and the hard-coded links are still there; that’s why it’s highly recommended to use relative links.
To detect the issue, use either your web browser Console panel or tools like SSL Check Bot. Detection is a compulsory step, as such links must first be detected to be fixed. If it’s just a couple of links, it’s easier to fix it manually. But if there are many, you will need a tool to streamline the process.
Plugins like Better Search Replace are helpful here. But first, make sure that the resources are available via HTTPS connection.
Another thing worth paying attention to is that scripts, fonts, and stylesheets must be properly enquired (registered) in WordPress (in functions.php). The SSL Insecure Content Fixer plugin will be helpful here.
Also, you can direct the browser to treat all the unsecured headers as secure by inserting this line in the .htaccess file before the closing #End WordPress line:
Header always set Content-Security-Policy: upgrade-insecure-requests;FAQ
You will see an error message if there’s something wrong with your SSL, but you can also use this tool to diagnose potential problems.
Use a plugin that forces SSL only if you can’t set it up from the hosting panel.
Go to the hosting panel and reinstall it because it didn’t renew automatically.
Takeaway
SSL/TLS certificates have been a must-have since 2018 for any website. Most often, especially if you use shared hosting plans by recognized providers, it’s quite a straightforward process. However, some of the popular ones, such as Godaddy/Namecheap, can make life a bit difficult, so pay attention when buying hosting whether an SSL certificate is included in the price.
Enterprise-level websites, especially in finance, should definitely have their paid SSL certificates for EV type.
