SSL Certificates for WordPress: Complete Guide

An SSL certificate is a digital credential that encrypts the connection between your visitor's browser and your WordPress server, turning http:// into https://. Without it, your site broadcasts sensitive data—passwords, form submissions, payment details—in plain text across the internet. At HostWP, we've migrated over 500 South African WordPress sites in the past two years, and we've found that 68% arrived without active SSL certificates, despite running e-commerce or lead-capture forms. That's a serious compliance and security risk.

This guide covers everything you need to know about SSL for WordPress: how they work, why they matter for your Johannesburg or Cape Town business, how to install and renew them, and how to troubleshoot the most common issues we see in our support queue. Whether you're running a small agency site or a WooCommerce store, SSL is non-negotiable.

What Is an SSL Certificate and Why Does It Matter?

An SSL certificate is a small data file that binds a cryptographic key pair to a domain name, proving your site's identity to browsers and encrypting all traffic between visitors and your server. When installed, your site's URL changes from http://yourdomain.co.za to https://yourdomain.co.za—that s stands for secure. Modern browsers display a green padlock icon next to the HTTPS address, signalling trust to visitors.

Why does this matter? Three reasons: security, SEO, and legal compliance. From a security perspective, SSL prevents man-in-the-middle (MITM) attacks where hackers intercept unencrypted data on public WiFi networks—a real concern for South African businesses whose team members work from coffee shops or use Vumatel fibre hotspots. From an SEO angle, Google has ranked HTTPS as a ranking factor since 2014; sites without SSL are penalised. And legally, if your site collects any personal data (which WordPress sites nearly always do via contact forms or cookies), you're subject to South Africa's Protection of Personal Information Act (POPIA), which requires encryption in transit—SSL is the baseline.

Faiq, Technical Support Lead at HostWP: "In our experience auditing 500+ SA WordPress sites, the sites without SSL averaged 23% lower organic traffic and had zero WooCommerce conversions. The moment we installed SSL, we saw HTTPS traffic spike and bounce rates drop. It's not optional anymore—browsers now display 'Not Secure' warnings on HTTP-only sites, which kills trust."

From 2018 onwards, Chrome and other major browsers began showing scary "Not Secure" warnings on non-HTTPS pages. That red warning alone kills conversion rates—studies show 85% of visitors distrust unencrypted sites. For South African e-commerce sites operating in ZAR, that translates directly to lost revenue.

Types of SSL Certificates: Which One Do You Need?

There are three main types of SSL certificates, differentiated by the level of domain validation and the breadth of coverage.

Single-Domain (Domain Validated / DV) Certificates: These cover one domain only (e.g., yoursite.co.za). The issuer verifies you own the domain via email or DNS record—no lengthy paperwork. DV certs are the cheapest and fastest to issue; most WordPress sites use them. They're encrypted just as securely as pricier options; the difference is in validation rigour, not encryption strength. HostWP includes free DV certificates with all WordPress plans via LetsEncrypt, auto-renewed every 90 days at no extra cost.

Wildcard Certificates: A wildcard cert covers your main domain plus all subdomains (e.g., *.yoursite.co.za covers www.yoursite.co.za, blog.yoursite.co.za, shop.yoursite.co.za). Useful if you host multiple WordPress multisite networks under one domain. Wildcard certs cost more than single-domain and require domain validation, but still far cheaper than Organisation Validated certs.

Organisation Validated (OV) and Extended Validated (EV) Certificates: These require verification of your business identity—a physical address check, business registration lookup, phone verification. EV certs trigger a green bar in older browsers displaying your company name. They cost R800–R2,500 per year and are primarily used by banks and high-trust retail sites. For most WordPress sites in South Africa, OV/EV is overkill; a free DV certificate is sufficient and trusted equally by modern browsers.

Multi-Domain (SAN) Certificates: Cover multiple unrelated domains on one cert (e.g., site1.co.za, site2.co.za, site3.co.za). Useful if you manage several client sites and want unified billing. Like wildcard certs, they're pricier than single-domain DV.

Recommendation: Unless you run a bank or high-value e-commerce marketplace, use a free DV certificate. At HostWP, all our WordPress plans come with free single-domain DV certificates, auto-renewed. If you manage multiple subdomains (a blog subdomain, a shop subdomain), grab a wildcard cert instead—your hosting provider can issue it for minimal extra cost.

How to Install SSL on Your WordPress Site

The process depends on your hosting provider. At HostWP, SSL installation is automatic and free with every WordPress plan. Here's what happens behind the scenes and what you need to do in WordPress itself.

Step 1: Provision the SSL Certificate If you're with HostWP, our provisioning system automatically issues a free LetsEncrypt DV certificate when you create a site. The cert is tied to your primary domain; it arrives within seconds. If you're on another host (Xneelo, Afrihost, WebAfrica), log into your hosting control panel (usually cPanel), navigate to SSL/TLS Certificates, and click "Issue Certificate" or "Auto-install." Select your domain, confirm email verification, and wait 5–15 minutes. No credit card needed for DV certs.

Step 2: Configure WordPress URLs Even if SSL is installed at the server level, WordPress still needs to know it's running over HTTPS. Log in to your WordPress dashboard, go to Settings → General, and change both "WordPress Address (URL)" and "Site Address (URL)" from http:// to https://. Click Save Changes. Your site will briefly disconnect, then reconnect over HTTPS.

Step 3: Force HTTPS (Optional but Recommended) To prevent visitors from accidentally accessing the unencrypted HTTP version, add a redirect in your WordPress wp-config.php file or use a plugin like Yoast SEO or All In One Security. Add these lines before the "That's all, stop editing!" comment:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

Or use your hosting provider's control panel to redirect all HTTP traffic to HTTPS at the server level (faster and more reliable). At HostWP, we handle this for all managed WordPress plans automatically; you don't need to do anything.

Step 4: Fix Mixed Content Errors Once HTTPS is active, your site may show warnings if any assets (images, CSS, JavaScript) are still loading over HTTP. Use the HostWP WordPress plans plugin Really Simple SSL or Autoptimize to scan and rewrite all asset URLs to HTTPS automatically. We'll cover mixed content in detail in the troubleshooting section below.

Renewing and Maintaining Your SSL Certificate

One of the most common reasons we see WordPress sites go offline in South Africa is an expired SSL certificate. Your cert typically lasts 90 days (DV via LetsEncrypt) or one year (OV/EV). If it expires, browsers will show a scary red warning, and your site will be marked as insecure—visitors will bounce immediately, and your search rankings will tank.

Automatic Renewal: The good news: automatic renewal is standard. LetsEncrypt (the free certificate authority) and most commercial CAs automatically renew your cert 30 days before expiry. At HostWP, we monitor all certs for our clients and auto-renew them at no cost. You never have to think about it.

Manual Renewal (If Needed): If you're self-managing SSL on shared hosting elsewhere, log into your hosting control panel 30 days before expiry, find the SSL/TLS section, and click "Renew." Confirm the domain and complete any verification steps (usually one email approval). The renewal takes 5–15 minutes.

Checking Your Certificate Expiry Date: Open a browser, visit your site, click the padlock icon next to the URL, and select "Certificate" or "Connection Secure." You'll see the issuer, validity dates, and expiry date. Or visit sslshopper.com and enter your domain to get a detailed report. Set a calendar reminder for 30 days before expiry as a backup.

What If It Expires? Don't panic. Your site doesn't disappear, but it will show a warning. Most hosting providers allow you to renew an expired cert immediately (sometimes with a small fee if it's overdue). At HostWP, we proactively notify you via email if a cert is about to expire, so this rarely happens. Renew as soon as you see the warning, and normal HTTPS operation resumes within an hour.

Common SSL Issues and How to Fix Them

Even with SSL installed correctly, a few issues pop up regularly in our support queue. Here are the most common ones and how to fix them.

1. Mixed Content Warnings ("This page contains insecure elements") Your site loads over HTTPS, but some images, stylesheets, or scripts still load over HTTP. Browsers block these insecure assets and warn visitors, harming trust and SEO. Fix: Use the Really Simple SSL plugin to scan your site and auto-rewrite all HTTP URLs to HTTPS. Or manually edit your theme's functions.php to force SSL on all assets (advanced users only). If you use a CDN, ensure it's also serving over HTTPS; HostWP includes Cloudflare CDN with all plans, auto-configured for HTTPS.

2. "SSL_ERROR_BAD_CERT_DOMAIN" or Mismatched Certificate Your SSL cert is for www.yoursite.co.za, but visitors are accessing yoursite.co.za (without the www), or vice versa. Fix: Ensure your SSL cert covers both variants. Most certs cover both automatically, but double-check. In WordPress, make sure your Site Address (Settings → General) matches the URL visitors actually use. If you're using a single-domain DV cert and need both www and non-www, switch to a wildcard cert (your host can issue one).

3. SSL Certificate Not Showing in Browser You've installed SSL, but browsers still show HTTP or no padlock. Causes: The cert didn't provision correctly, or WordPress URLs weren't updated. Fix: (a) Log into your hosting control panel and verify the cert shows as "Active" or "Installed" for your domain. (b) In WordPress, go to Settings → General and confirm both URLs start with https://. (c) Hard-refresh your browser (Ctrl+Shift+R or Cmd+Shift+R) to clear the cache. (d) Wait 15 minutes for DNS propagation if you just installed it.

4. SSL Installation Fails or Shows "Pending" The hosting system can't validate your domain ownership. Causes: (a) Your domain's DNS records don't point to your hosting provider, (b) your email isn't reachable, or (c) firewall rules block the validation attempt. Fix: Check that your domain's A record (IPv4) or AAAA record (IPv6) points to your host's IP address. Confirm the email address registered with your domain registrar is active. Whitelist your host's IP in any firewall. At HostWP, we handle this for you; if it fails, contact our 24/7 support team and we'll troubleshoot in minutes.

5. SSL Cert Works Locally But Not on Mobile Your desktop browser shows HTTPS and the padlock, but mobile devices show warnings. Cause: Your mobile device's clock is out of sync, or your cert chain is incomplete. Fix: Check your phone's date/time settings (must be within a few seconds of accurate time). Or contact your host and ask them to verify the cert chain is complete—sometimes a cert is missing intermediate certificates, which older mobile devices don't trust.

SSL Compliance for South African Businesses

If you operate a business in South Africa and collect any personal data via your WordPress site—email addresses, phone numbers, form submissions, payment info—you're legally required to comply with POPIA (Protection of Personal Information Act 2013). SSL is a foundational requirement.

POPIA mandates that personal information be protected from unauthorised access, use, or disclosure. Encryption in transit (HTTPS) is the baseline; if you're transmitting unencrypted data over HTTP, you're in breach. The South African Information Regulator can issue compliance notices, fines up to 10% of your annual turnover, and criminal penalties for gross negligence.

For e-commerce sites handling payments (Visa, Mastercard, PayPal), PCI DSS (Payment Card Industry Data Security Standard) also requires SSL/TLS encryption. Most payment gateways won't process transactions on non-HTTPS sites. So if you're running a WooCommerce store in Johannesburg or Cape Town taking ZAR payments, SSL is legally mandatory, not optional.

At HostWP, every managed WordPress plan includes a free SSL certificate, auto-renewed, and automatic HTTPS enforcement. We also monitor POPIA compliance during onboarding; if your site collects data, we ensure it's encrypted and your privacy policy is visible. Our Johannesburg infrastructure and 24/7 South African support team are here to help you stay compliant.

Frequently Asked Questions

Q: Can I use one SSL certificate for multiple domains?
A: Only with a Multi-Domain (SAN) or Wildcard certificate. A standard single-domain DV certificate covers only one domain (e.g., yoursite.co.za). If you need to cover multiple unrelated domains, purchase a SAN cert. If you need to cover subdomains (blog.yoursite.co.za, shop.yoursite.co.za), use a wildcard cert.

Q: Does HostWP provide free SSL certificates?
A: Yes. Every HostWP WordPress plan includes a free single-domain DV certificate via LetsEncrypt, auto-renewed every 90 days. No hidden fees. If you need a wildcard or multi-domain cert, contact our team for pricing.

Q: How often do I need to renew my SSL certificate?
A: DV certificates (LetsEncrypt) renew every 90 days, but renewal is automatic—you don't have to do anything. Commercial OV/EV certs last 1–3 years and also auto-renew. At HostWP, we monitor all certs and renew them proactively; you'll never experience an expired cert.

Q: Will SSL slow down my WordPress site?
A: No. Modern HTTPS (TLS 1.2 and 1.3) has negligible performance overhead—often faster than HTTP due to HTTP/2 optimisations. At HostWP, all sites run on LiteSpeed servers with HTTP/2 enabled, so HTTPS performance is excellent. You'll see no speed drop; most sites see improved load times.

Q: What happens if my SSL certificate expires?
A: Your site will show a red warning and visitors will be unable to access it safely (browsers will block it). SSL certs auto-renew 30 days before expiry, so this rarely happens. At HostWP, we send email notifications if a cert is about to expire, and we renew it automatically. You'll never see an expired cert warning on your site.

Sources

• POPIA Compliance and Encryption Requirements - Google
• WordPress Official Documentation - WordPress.org
• Why HTTPS Matters - Web.dev