RevealTheme logo
Back to Blog

WordPress SSL Setup: Common Issues And Fixes

WordPress SSL Setup: Common Issues And Fixes
The RevealTheme Team

By

··Updated May 27, 2026·4 min read

SSL is standard for WordPress sites in 2026. Most hosting providers include free Let's Encrypt certificates and handle the basic SSL setup automatically. But the WordPress-specific complications around SSL still trip up many sites, producing mixed-content warnings, redirect loops, or asset loading failures.

The most common SSL problems on WordPress aren't with the certificate itself; they're with how WordPress, the theme, and the plugins interact with the protocol switch.

Issue 1: mixed content warnings

The browser console shows warnings like "The page was loaded over HTTPS but requested an insecure resource." The warnings happen because content references in the page (images, scripts, stylesheets) point to HTTP URLs even though the page itself loads over HTTPS.

The most common source is image URLs hardcoded into post content. When a site migrated from HTTP to HTTPS, the post content kept the old http:// image URLs. The fix is a database search-and-replace using WP-CLI:

wp search-replace 'http://example.com' 'https://example.com' --dry-run

The --dry-run flag shows what would change without actually changing. Remove the flag once verified.

Another source is hardcoded URLs in theme template files. If the theme has lines like <img src="http://example.com/wp-content/themes/...">, those need fixing in the theme code. Most properly-built themes use functions like get_template_directory_uri() that respect the site's protocol; older themes sometimes hardcode HTTP.

Issue 2: redirect loops

The site repeatedly redirects between URLs, eventually failing with "too many redirects." This usually happens when: the site URL setting in WordPress doesn't match the URL the host is serving, the .htaccess has a force-HTTPS rule that conflicts with the host's configuration, a caching layer is serving HTTP version of pages that then redirect to HTTPS.

The fix sequence: verify Settings > General has the correct site URL (HTTPS, with or without www matching reality). Verify the .htaccess force-HTTPS rule isn't duplicated by the host's configuration. Clear all caches (CDN, plugin, host-level) after changes.

Issue 3: HSTS misconfiguration

HTTP Strict Transport Security tells browsers to always use HTTPS for the domain, even if a user clicks an HTTP link. The setup is correct but misconfiguration causes problems.

The most common mistake: setting HSTS with a long max-age before the SSL certificate is fully working. If the certificate breaks (expires, gets misconfigured), users can't access the site over HTTP either because the browser refuses to. Recovery requires waiting for the cached HSTS to expire on each affected browser.

The safer pattern: enable HSTS with a short max-age first (300 seconds = 5 minutes), verify everything works, then increase to a longer max-age (31536000 seconds = 1 year) for production.

Issue 4: certificate-host mismatch

The certificate is for example.com but the site is being served as www.example.com (or vice versa). The browser shows a security warning even though SSL is technically enabled.

The fix is to ensure the certificate covers both forms (a SAN certificate with both example.com and www.example.com, or separate certificates for each). Let's Encrypt's free certificates handle this if requested correctly; most hosts handle it automatically.

Issue 5: third-party content over HTTP

An external resource (a YouTube embed, a Google Maps embed, an ad network script) loads over HTTP, triggering mixed-content warnings even though your site code is clean.

The fix is to use the HTTPS version of the third-party resource (most major services support both). For services that don't support HTTPS, the resource has to be either proxied through your site or removed.

For YouTube, Twitter, Vimeo embeds: use the HTTPS embed URL. WordPress's default embed handling does this correctly in current versions; older embedded content might need to be re-pasted.

Issue 6: the WordPress admin over HTTPS but the front end over HTTP

This is a misconfiguration pattern that used to be common when admins set FORCE_SSL_ADMIN but didn't set the site URL to HTTPS. The result: logging in worked over HTTPS, but the front end served over HTTP, and many functions broke because the protocols didn't match.

The fix in modern WordPress: just set the site URL in Settings > General to HTTPS and let WordPress handle the rest. The FORCE_SSL_ADMIN setting is no longer the right approach.

Verification

After fixing SSL issues, run the site through ssllabs.com/ssltest. The grade should be A or A+. Any lower grade points to specific configuration issues (weak cipher suites, missing intermediate certificates, certificate chain problems).

Then check the browser console on a few pages for any remaining mixed-content warnings. Then check that the security padlock appears correctly on the address bar across the site.

The verification takes 10 minutes and catches the issues that would otherwise persist for months.

Subscribe for updates

We do not sell your email. We do not spam.

© 2026 RevealTheme. All rights reserved.