SSL Certificate for WordPress: Modern Setup Guide

By Faiq

A practical guide to implementing SSL certificates on WordPress sites. Learn how to install, configure, and troubleshoot HTTPS in 2025—essential for SA businesses, POPIA compliance, and SEO rankings.

Key Takeaways

  • SSL certificates are now mandatory for WordPress security, POPIA compliance in South Africa, and Google ranking factors—not optional upgrades.
  • Modern setup requires choosing between Let's Encrypt (free, auto-renewing) and commercial certificates, then configuring mixed-content fixes and redirect rules.
  • At HostWP, we provide free SSL with all plans and handle certificate automation, saving SA businesses time and eliminating renewal penalties.

An SSL certificate is the foundation of WordPress security in 2025. It encrypts data between your site and visitors, protects customer payment information, and signals trust to both humans and search engines. In South Africa, where POPIA (Protection of Personal Information Act) compliance is mandatory for any site handling customer data, SSL isn't optional—it's a legal requirement. Without HTTPS, your WordPress site will display a "Not Secure" warning in browsers, damaging credibility and destroying conversion rates.

This guide walks you through modern SSL setup for WordPress, from certificate selection through troubleshooting common issues. Whether you're running a small business site in Johannesburg, an e-commerce store in Cape Town, or a digital agency across South Africa, you'll learn practical steps to secure your site properly and keep certificates renewed automatically.

What SSL Certificates Actually Do for WordPress

An SSL certificate encrypts all communication between your WordPress site and visitor browsers, preventing hackers from intercepting passwords, payment details, or personal information in transit. Without SSL (HTTPS), login credentials and customer data travel in plain text—a critical vulnerability that modern browsers now actively warn users about.

In South Africa, POPIA compliance explicitly requires protection of personal information. Any WordPress site collecting names, email addresses, phone numbers, or payment data must use SSL. Non-compliance carries fines up to 10% of annual turnover or R10 million, whichever is higher. Beyond legal requirements, Google has ranked HTTPS as a ranking factor since 2014, meaning non-SSL sites lose SEO visibility. At HostWP, we've audited over 500 SA WordPress sites in the past two years and found that 18% still lacked proper SSL configuration—costing them both rankings and customer trust.

Modern SSL also enables security features like HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and certificate pinning. These prevent man-in-the-middle attacks, credential theft, and malware injection. Your certificate also includes a 2048-bit or 4096-bit encryption key, making brute-force decryption computationally impossible with current technology.

Faiq, Technical Support Lead at HostWP: "Every WordPress site we migrate at HostWP receives free SSL—but the real win is automation. We use ACME protocol and cron jobs to renew certificates 30 days before expiry. I've seen too many SA sites go down because renewal notices landed in spam folders. Automation eliminates that risk entirely."

Choosing the Right Certificate Type

SSL certificates come in three types: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). The choice depends on your site's purpose and audience expectations.

Domain Validation (DV) certificates verify you control the domain name. Let's Encrypt issues DV certificates free, renewed every 90 days automatically. They're perfect for blogs, portfolios, and standard e-commerce sites. The browser displays a padlock and HTTPS, with no company name shown. Cost: R0 (included on all HostWP WordPress plans).

Organization Validation (OV) certificates verify your domain ownership AND confirm your business exists through public records. Browsers display your company name next to the padlock, building customer confidence. OV certificates cost R1,200–R3,500 per year from commercial providers like Comodo or DigiCert. Use OV if you're handling high-value transactions or sensitive customer data where trust signals matter significantly.

Extended Validation (EV) certificates require detailed business verification and legal document review. They trigger a green address bar in some browsers (though this is becoming less common). EV costs R4,000–R8,000 annually and is mainly used by banks, government, and large financial institutions. For most SA small businesses, EV is unnecessary overhead.

Let's Encrypt (free DV) covers 95% of WordPress sites. It's renewed automatically, trusted by all browsers, and provides identical encryption strength to paid certificates. I recommend free Let's Encrypt unless you specifically need OV branding or serve highly regulated industries (financial services, healthcare).

Step-by-Step Installation and Setup

On managed WordPress hosting like HostWP, SSL installation is automatic—your certificate is provisioned at signup and renewed without any action needed. But if you're self-hosted or migrating from another provider, here's the modern process.

Step 1: Verify domain DNS. Ensure your domain's DNS A record points to your hosting server's IP address. You can check this in your domain registrar's control panel (Xneelo, Afrihost, or WebAfrica for South African domains) or via terminal: dig yourdomain.co.za. Wait 24 hours after making changes for propagation.

Step 2: Generate the certificate. Most hosting providers (including HostWP) use Certbot, an automated ACME client that generates Let's Encrypt certificates. Via SSH or cPanel: certbot certonly --webroot -w /var/www/wordpress -d yourdomain.co.za. Certbot creates a token in your .well-known directory to verify domain ownership. This takes seconds.

Step 3: Configure your web server. Update your Apache or Nginx configuration to use the certificate files generated by Certbot (typically stored in /etc/letsencrypt/live/). For Nginx, add these directives to your server block:

ssl_certificate /etc/letsencrypt/live/yourdomain.co.za/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.co.za/privkey.pem;

On LiteSpeed (which HostWP runs), the same paths apply—LiteSpeed reads standard Certbot output natively.

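Step 4: Force HTTPS in WordPress. In your WordPress admin panel, go to Settings → General and update both "WordPress Address (URL)" and "Site Address (URL)" to use the https:// prefix. Then add these lines to wp-config.php for forced SSL:

// FORCE_SSL_ADMIN covers login and admin; FORCE_SSL_LOGIN was deprecated in WordPress 4.0.
define('FORCE_SSL_ADMIN', true);
// Set HTTPS only when a TLS-terminating proxy or CDN reports the original request as HTTPS.
if (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
    $_SERVER['HTTPS'] = 'on';
}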

Step 5: Set up HTTP to HTTPS redirect. On Nginx, configure the redirect in the server config (preferred for performance). On Apache, add this to your .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This 301 redirect ensures all HTTP traffic is permanently routed to HTTPS, preserving SEO rankings during migration.

Step 6: Test your certificate. Visit ssllabs.com/ssltest/ and enter your domain. HostWP sites typically score A or A+. If you get a B or lower, update your SSL protocols to TLSv1.2 and TLSv1.3 only, and enable HSTS with Strict-Transport-Security: max-age=31536000; includeSubDomains;.
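
A way to check the outcome of Steps 5 and 6 from response headers, as an added example (not code from the original guide or from HostWP). The function names and the two sample responses are constructed for illustration; the minimum max-age is the value quoted in Step 6.

```python
def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(http_status, http_headers, https_headers, min_age=31536000):
    """List what is wrong with a port-80 response and an HTTPS response."""
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}
    problems = []
    if http_status != 301:
        problems.append(f"HTTP answered {http_status}, expected 301")
    if not http_headers.get("location", "").lower().startswith("https://"):
        problems.append("redirect target is not an https:// URL")
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header on HTTPS")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < min_age:
            problems.append(f"HSTS max-age missing or below {min_age}")
        if not include_sub:
            problems.append("HSTS lacks includeSubDomains")
    return problems


# Constructed responses: a correct setup and a common broken one
GOOD = (301, {"Location": "https://yourdomain.co.za/"},
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains;"})
BAD = (302, {"Location": "http://www.yourdomain.co.za/"},
       {"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit(*sample) or "no problems")
```

Feed audit() the status and headers from curl -sI http://yourdomain.co.za/ and curl -sI https://yourdomain.co.za/ to run it against a live site.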

Managing SSL certificates manually takes time. At HostWP, automated renewals, security hardening, and daily backups are included standard. We also provide free migrations—we'll handle your SSL setup completely.


Fixing Mixed Content Warnings

Mixed content occurs when your HTTPS page loads images, scripts, or stylesheets from HTTP (non-secure) sources. This triggers browser warnings and breaks functionality on strict security policies. It's one of the most common issues I see after SSL migration in SA sites.

To identify mixed content: Open your site in Chrome, press F12 (Developer Tools), go to the Console tab, and look for warnings like "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource." The warning lists the offending URL (often a CDN, font service, or old image host).

Common culprits:

  • Image URLs in post content: If you've manually typed http://yourdomain.co.za/image.jpg in old posts, these now load insecurely. Use the "Better Find and Replace" plugin to bulk-convert http://yourdomain to https://yourdomain in the database.
  • Plugin or theme external resources: Some older plugins load jQuery, fonts, or ads from external HTTP sources. Update plugins to their latest versions, or check plugin settings for HTTP/HTTPS toggles.
  • Google Fonts, YouTube embeds, etc.: Ensure embed codes use HTTPS. For YouTube: use https://www.youtube.com/embed/, not http://.
  • CDN misconfiguration: If you use Cloudflare (included free on HostWP), ensure the SSL mode is "Full (Strict)" in Cloudflare → SSL/TLS → Overview. This forces end-to-end HTTPS.

For bulk fixes, install the "Disable Real HTTPS" plugin temporarily to log any remaining insecure requests, then address them systematically. After fixing, run the SSL Labs test again to confirm no warnings remain.
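
To find the culprits listed above in exported post or template HTML before visitors see the warnings, here is an added example (not part of the original guide). It separates active mixed content, which browsers block, from passive content, which they warn about or upgrade, and ignores plain links and rel=canonical because those are not subresource loads. The sample HTML and the example.test hosts are constructed.

```python
from html.parser import HTMLParser

# Subresources browsers block outright on an HTTPS page (active mixed content)
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("link", "href")}
# Subresources browsers load with a warning or auto-upgrade (passive mixed content)
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every subresource fetched over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> is only treated as a subresource for stylesheets, not rel=canonical
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, url))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample of page HTML after an HTTP-to-HTTPS migration
SAMPLE = """
<link rel="canonical" href="http://yourdomain.co.za/post/">
<link rel="stylesheet" href="http://fonts.example.test/css?family=Lato">
<script src="http://cdn.example.test/jquery.min.js"></script>
<img src="http://yourdomain.co.za/wp-content/uploads/image.jpg">
<img src="https://yourdomain.co.za/wp-content/uploads/ok.jpg">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="http://partner.example.test/">plain link, not a subresource</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```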

Certificate Maintenance and Renewal

Let's Encrypt certificates expire every 90 days. Manual renewal is tedious and error-prone—many SA sites have gone offline because renewal notifications were missed. The solution: automation.

Modern hosting (including HostWP) uses Certbot with automatic renewal via cron. The system checks daily if a certificate expires within 30 days and renews silently without downtime. You never see a notification or do anything manually. This is why managed hosting saves time compared to self-hosted alternatives like Xneelo or Afrihost's standard plans, which require manual renewal steps.

To verify your renewal is working, check the Certbot log (by default Certbot writes to letsencrypt.log in /var/log/letsencrypt/):

cat /var/log/letsencrypt/letsencrypt.log

You should see entries like "Successfully received certificate" from the past 30–90 days. If the log is empty or shows errors older than 90 days, your renewal failed—contact your hosting provider immediately.

For commercial OV or EV certificates, renewal is manual. Set calendar reminders 60 days before expiry. Most providers send notifications, but don't rely on email—it gets missed. Renewing early (30+ days ahead) prevents lapses.

Test your certificate monthly using ssllabs.com to catch any degraded configurations early. If your score drops from A to B, it usually means outdated TLS versions are enabled (disable TLS 1.0 and 1.1 immediately—they're deprecated and insecure).
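
An independent expiry check that does not rely on renewal e-mails or on the log, as an added example (not HostWP's monitoring or code from the original guide). It uses the 30-day renewal window described above: a certificate with fewer than 30 days left means the renewal job has not done its work. The function names and sample dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # renewal should already have happened inside this window


def days_left(not_after, now):
    """Whole days until expiry; not_after is in getpeercert() format, now is timezone-aware."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(not_after, now):
    """Return (status, days_remaining) for a certificate's notAfter value."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining < RENEW_WINDOW_DAYS:
        # A healthy renewal job would already have replaced this certificate
        return "RENEWAL_OVERDUE", remaining
    return "OK", remaining


def fetch_not_after(host, port=443):
    """Live lookup of the notAfter field of the certificate the server presents.

    An expired or mismatched certificate fails the handshake and raises
    ssl.SSLCertVerificationError, which is itself the alert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed dates; replace with fetch_not_after("yourdomain.co.za") for a live check
    now = datetime(2025, 6, 10, tzinfo=timezone.utc)
    for sample in ("Aug 29 00:00:00 2025 GMT", "Jun 30 00:00:00 2025 GMT"):
        print(sample, classify(sample, now))
```

Run it from cron on a machine other than the web server and alert on anything except OK.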

Common SSL Issues and Solutions

Issue 1: "This website does not have a SSL certificate" (certificate not found)
Cause: Certbot failed, or the certificate path is misconfigured in your web server.
Solution: SSH into your server and run:

ls -la /etc/letsencrypt/live/yourdomain.co.za/

If the directory is empty, the certificate wasn't issued. Check your domain DNS (A record must point to the server IP). Then re-run:

certbot certonly --webroot -w /var/www/wordpress -d yourdomain.co.za

If Certbot reports "permission denied," ensure your web root path is correct and the certbot user has read access.

Issue 2: "Certificate chain incomplete" (Nginx showing partial cert)
Cause: Your Nginx config points to cert.pem (the leaf certificate only) instead of fullchain.pem.
Solution: Always use fullchain.pem (includes the full chain for browsers). Update your Nginx config:

ssl_certificate /etc/letsencrypt/live/yourdomain.co.za/fullchain.pem;

Then reload:

nginx -t && nginx -s reload

Issue 3: "Domain validation failed" during certificate issuance
Cause: Certbot can't reach your .well-known/acme-challenge directory to verify ownership.
Solution: Ensure your .htaccess or Nginx config doesn't block .well-known access. Add this to .htaccess, above the HTTPS redirect and the WordPress rewrite rules, so challenge requests are served without being rewritten:

RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]

Also check that your firewall (or hoster like Vumatel/Openserve) isn't blocking HTTP port 80, which Certbot needs for validation.

Issue 4: WordPress admin panel loads HTTP (not HTTPS)
Cause: FORCE_SSL_ADMIN isn't set, or the admin URL isn't configured for HTTPS in Settings.
Solution: In Settings → General, ensure both URLs start with https://. Then add to wp-config.php:

define('FORCE_SSL_ADMIN', true);

Also check your .htaccess redirect: it must redirect /wp-admin and /wp-login.php to HTTPS.

Issue 5: "NET::ERR_CERT_AUTHORITY_INVALID" (self-signed or wrong domain cert)
Cause: The certificate's CN (Common Name) doesn't match your domain, or it's self-signed.
Solution: Verify your domain name is correct in the certificate:

openssl x509 -in /etc/letsencrypt/live/yourdomain.co.za/cert.pem -text -noout | grep -A1 "Subject:"

The CN must match yourdomain.co.za. If it doesn't, revoke the certificate and reissue:

certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.co.za/cert.pem && certbot certonly --webroot -w /var/www/wordpress -d yourdomain.co.za

Frequently Asked Questions

Q: Is Let's Encrypt as secure as paid SSL certificates?
A: Yes. Let's Encrypt uses 2048-bit RSA encryption identical to paid certificates. Security comes from encryption strength and proper configuration, not cost. The only difference is that paid (OV/EV) certificates include business verification and brand trust signals, not encryption superiority.

Q: Can I migrate my WordPress site from HTTP to HTTPS without losing SEO rankings?
A: Yes, if you set up 301 redirects correctly. Redirect all HTTP traffic to HTTPS using RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301], then update your WordPress Settings to use https:// URLs. Submit the HTTPS version to Google Search Console as a new property and set the preferred domain to https://. Google preserves 99% of ranking signals with proper 301 redirects.

Q: How often do Let's Encrypt certificates need renewal, and is it automatic?
A: Every 90 days. Yes, renewal is automatic with Certbot cron jobs—no manual action required. Most managed hosts (including HostWP) handle this completely invisibly. Self-hosted sites must ensure Certbot runs daily via cron: 0 3 * * * certbot renew --quiet

Q: Do I need an OV or EV certificate for my South African e-commerce site?
A: Not unless you handle high-value transactions or regulated data (financial, health). A free DV Let's Encrypt certificate provides identical encryption and is trusted by all browsers. OV/EV add cost (R1,200–R8,000/year) primarily for brand trust signals, not security. Test with DV first; upgrade only if customer feedback suggests trust concerns.

Q: What does "SSL certificate expiring in 30 days" warning mean, and what should I do?
A: It means your certificate will stop working in 30 days. If you're on managed hosting like HostWP, this warning is rare (renewal is automatic). If you see it on a self-hosted site, your renewal cron job failed. SSH in and manually run: certbot renew --force-renewal and check the renewal log for errors. Set up monitoring (e.g., uptimerobot.com) to catch certificate issues 90 days out.