An SSL certificate (technically a TLS certificate, since SSL was replaced by TLS years ago) is a small data file that sits on your web server and establishes an encrypted connection between the server and your visitors' browsers. When a certificate is properly installed, your site loads over HTTPS instead of HTTP, and browsers display the padlock icon in the address bar to signal that the connection is secure.
How TLS/SSL Encryption Actually Works
When someone types your URL and hits enter, their browser and your server go through a process called the TLS handshake. It happens in milliseconds, but quite a lot is going on behind the scenes:
- Hello: The browser sends a "Client Hello" message to the server, listing which encryption methods it supports.
- Certificate: The server responds with its TLS certificate, which contains the server's public key and information about the certificate authority (CA) that issued it.
- Verification: The browser checks the certificate against its built-in list of trusted CAs. It verifies the certificate has not expired, matches the domain name, and has not been revoked.
- Key exchange: The browser and server agree on a shared session key using asymmetric encryption (public/private key pairs). This session key will be used to encrypt the actual data.
- Encrypted communication: From this point on, all data flowing between the browser and server is encrypted with the session key using symmetric encryption, which is much faster than asymmetric encryption.
The takeaway: the public/private key pair is used only to establish the connection securely. The actual page content, form submissions, and cookies are encrypted with a temporary session key that is unique to each connection.
Types of SSL/TLS Certificates
Certificates come in three validation levels, and the differences are about trust and verification, not encryption strength. The encryption itself is equally strong across all types.
- Domain Validation (DV): The CA only verifies that you control the domain, usually by having you set a DNS record or respond to an email at the domain. This takes minutes and is often free (Let's Encrypt, for example). DV certificates are perfectly fine for most WordPress sites, blogs, and small business websites.
- Organization Validation (OV): The CA verifies the legal existence of your organization. This involves checking business registration documents and typically takes a few days. OV certificates display the organization name in the certificate details (though not visibly in the browser bar). They are more common for corporate websites and SaaS platforms.
- Extended Validation (EV): The strictest verification process. The CA conducts a thorough vetting of the organization, including legal status, physical address, and authorized contacts. EV certificates used to display the company name in a green bar in the browser, but most browsers have removed this visual distinction in recent years. They are still used by banks, financial institutions, and large e-commerce sites, though their practical value has decreased.
Let's Encrypt and Free Certificates
Let's Encrypt changed the SSL landscape when it launched in 2015. Before that, even basic DV certificates cost money and required manual installation. Let's Encrypt provides free, automated DV certificates that are valid for 90 days and can be renewed automatically.
Today, virtually every hosting provider supports Let's Encrypt. Many include it as part of their hosting packages and handle installation and renewal automatically. If your host does not offer automatic SSL, tools like Certbot can manage the certificate lifecycle for you on your server.
There is genuinely no reason to run a WordPress site without HTTPS in 2025. The certificate is free, the setup is automated, and the benefits (security, SEO, user trust) are significant.
Wildcard Certificates
A standard certificate covers a single domain (e.g., example.com) and sometimes www.example.com as well. If you run multiple subdomains (shop.example.com, blog.example.com, app.example.com), you would normally need a separate certificate for each one.
A wildcard certificate covers all subdomains under a single domain. It uses a *.example.com pattern and secures any subdomain at that level. Let's Encrypt supports wildcard certificates, but they require DNS-based validation instead of the simpler HTTP validation method. Most managed hosting providers handle this automatically if you need it.
Certificate Expiration and Renewal
Every TLS certificate has an expiration date. Let's Encrypt certificates expire after 90 days, while commercially purchased certificates typically last one year (the maximum allowed since 2020). When a certificate expires, browsers display a full-page warning that prevents most visitors from proceeding to your site. This is a serious issue that can cut off your traffic entirely.
Automatic renewal is critical. If you are using Let's Encrypt through your hosting provider, renewal usually happens in the background without any action on your part. If you manage your server directly, make sure Certbot or your ACME client is configured to renew certificates automatically, and test that it actually works. A common problem is a cron job that was set up for renewal but silently fails because of a permission issue or a changed server configuration.
How to Check Your SSL Certificate
There are several ways to verify your certificate is working correctly:
- Browser padlock: Click the padlock icon in your browser's address bar. You can see the certificate issuer, expiration date, and the domain it covers.
- SSL Labs (ssllabs.com/ssltest): The industry-standard online tool for testing your SSL configuration. It checks not just the certificate but also the TLS protocol versions, cipher suites, and known vulnerabilities. Aim for an A or A+ rating.
- Command-line tools: `openssl s_client -connect example.com:443` shows detailed certificate information for technical debugging.
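These checks can also be scripted. The following is an added example, not part of the original article: it takes a certificate in the dictionary form Python's `ssl` module returns, reports the days left before expiry, flags a renewal that looks overdue, and tests whether a hostname is covered, including the one-level limit of wildcard names. The function names, the sample certificate and the 30-day renewal threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)

def covers(cert, hostname):
    """True if a DNS subjectAltName matches; '*' stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        pattern = name.lower().split(".")
        if kind != "DNS" or len(pattern) != len(host):
            continue
        if pattern[1:] == host[1:] and pattern[0] in ("*", host[0]):
            return True
    return False

def renewal_status(cert, now=None, renew_before_days=30):
    """Classify a certificate as 'expired', 'renewal-overdue' or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    # Assumption: the ACME client renews with about 30 days left, so less
    # than that on a live site suggests the renewal job is failing silently.
    return "renewal-overdue" if left < renew_before_days else "ok"

# Constructed sample in getpeercert() format, not a real certificate.
SAMPLE_CERT = {
    "notAfter": "Mar 31 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    cert = fetch_cert("example.com")
    print(days_remaining(cert), renewal_status(cert), covers(cert, "example.com"))
```

Run on a schedule that is independent of the renewal job itself, so a broken cron entry cannot silence the check as well.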
WordPress and HTTPS
Installing a certificate on your server is only half the job. You also need to make sure WordPress uses HTTPS consistently:
- Site URL settings: In WordPress Settings > General, both "WordPress Address" and "Site Address" should use `https://`. Getting this wrong causes redirect loops and login problems.
- Force SSL: Add `define('FORCE_SSL_ADMIN', true);` to your `wp-config.php` to ensure the admin area always uses HTTPS.
- 301 redirects: Set up server-level redirects (via .htaccess on Apache or a server block on Nginx) to redirect all HTTP requests to HTTPS. This ensures visitors and search engines always land on the secure version.
- Mixed content: After switching to HTTPS, you may have images, scripts, or stylesheets that are still loaded over HTTP. Browsers block or warn about these insecure resources. Use a plugin like "Better Search Replace" to update old HTTP URLs in your database, and check your theme for hardcoded HTTP references.
- HSTS header: The `Strict-Transport-Security` header tells browsers to always use HTTPS for your site, even if someone types `http://` in the address bar. This eliminates the brief moment where a visitor could connect over HTTP before being redirected.
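The mixed content and HSTS items above can be verified from a page's HTML and response headers. This is an added example, not code from the original article or from InspectWP: it lists subresources still requested over `http://` and parses the `Strict-Transport-Security` header into its directives. The class and function names and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser

class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page still requests over http://."""
    BLOCKED = {"script", "iframe", "link"}  # active content: browsers refuse it
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("href") or ""
        if tag == "a" or not url.lower().startswith("http://"):
            return  # plain links are navigation, not mixed content
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel=canonical loads nothing
        severity = "blocked" if tag in self.BLOCKED else "warning"
        self.findings.append((severity, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def parse_hsts(headers):
    """Return the HSTS policy as a dict, or None if missing or without max-age."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

# Constructed sample response for an HTTPS WordPress page (not real output).
SAMPLE_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
SAMPLE_HTML = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.com/about/">About</a>
"""
```

A `max_age` of 0 parses as a valid policy but tells the browser to forget HSTS for the site, so treat it as a finding rather than a pass.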
Why "SSL" Is Actually TLS
The term "SSL certificate" has stuck around even though the SSL protocol itself has been deprecated since 2015. SSL 3.0 was the last version, and it had known security vulnerabilities (the POODLE attack, among others). The replacement is TLS (Transport Layer Security), which is currently at version 1.3. Modern browsers do not support SSL at all anymore; they only use TLS 1.2 and TLS 1.3.
When hosting providers, certificate authorities, or WordPress plugins talk about "SSL," they actually mean TLS. The terms are used interchangeably in practice, even though they are technically different protocols. If your server still supports TLS 1.0 or 1.1, you should disable those as well, since they are also considered insecure.
What InspectWP Checks
InspectWP verifies whether your WordPress site has a valid TLS certificate, checks the certificate expiration date, and detects mixed content issues where HTTP resources are loaded on HTTPS pages. It also examines your security headers, including HSTS, to confirm that your HTTPS setup is complete and properly configured.