The warning your visitors see before they leave
You open your WordPress site on your phone. Instead of your homepage, you see a full-screen warning from Chrome:
"Your connection is not private. Attackers might be trying to steal your information from yourdomain.com."
Below it, the error code: NET::ERR_CERT_DATE_INVALID. There is an "Advanced" link that technically lets visitors proceed, but it requires clicking through two more warnings. Almost nobody does. They close the tab and go to your competitor instead.
Firefox is even more dramatic. It shows "Warning: Potential Security Risk Ahead" with a large yellow warning icon. Safari tells visitors "This Connection Is Not Private." Every modern browser treats an expired SSL certificate as a serious security issue — because it is.
If you run a WooCommerce store, the damage goes further. Payment gateways like Stripe and PayPal refuse to process transactions on a site without a valid SSL certificate. Your checkout is completely broken. Not slow, not glitchy — completely non-functional. Every minute your SSL is expired, you are losing orders.
And here is what makes this particular outage so frustrating: you set up auto-renewal. You were told it would handle itself. You trusted the automation. The automation failed silently, and nobody told you.
Why Let's Encrypt auto-renew fails silently
Let's Encrypt is the certificate authority behind the majority of WordPress SSL certificates. It issues free certificates that are valid for 90 days and are designed to renew automatically around day 60. The renewal process works through a tool called Certbot (or a similar ACME client) that runs on your server.
When everything is configured correctly, renewal is invisible. Certbot runs, verifies you still own the domain, downloads the new certificate, and restarts the web server. You never notice.
The problem is that this process depends on multiple things going right simultaneously. When any one of them breaks, the renewal fails — and Certbot does not send you a push notification. It logs the failure to a file on your server that you probably never check.
1. DNS records changed after initial setup
Let's Encrypt verifies domain ownership through a challenge. The most common is HTTP-01, which places a temporary file on your server and then checks that it can access it via your domain. If you changed your DNS provider, moved to Cloudflare, pointed your domain to a new server, or changed your A record for any reason, the challenge can fail because the request goes to the wrong server.
The DNS-01 challenge has its own version of this problem. If you switched DNS providers and the API credentials Certbot uses to create the TXT record are now wrong, the challenge fails silently.
2. Server migration broke the renewal cron job
You migrated your WordPress site to a new hosting provider. Your theme, plugins, database, and files all transferred correctly. But the Certbot installation, its cron job, and the renewal configuration did not come with them. Your old server was handling the renewal. Your new server has no idea it needs to.
This is one of the most common causes of unexpected SSL expiry. The site works perfectly for however long the existing certificate has left, up to 90 days, and then the certificate expires because nothing on the new server is configured to renew it.
3. File permissions changed on the certificate directory
Certbot needs write access to the directory where it stores certificates — typically /etc/letsencrypt/. A security hardening script, a hosting provider update, or a manual permission change can remove Certbot's ability to write to this directory. Renewal fails with a permission denied error that sits in the log file unread.
4. Web server configuration blocks the ACME challenge
The HTTP-01 challenge requires that /.well-known/acme-challenge/ is accessible via HTTP on port 80. A security plugin, an .htaccess rule, a firewall rule, or a redirect-everything-to-HTTPS configuration can block this path. Your site works perfectly on HTTPS, but the renewal challenge cannot complete because port 80 is blocked or redirected before the challenge file can be served.
This is particularly common after installing security plugins that add blanket redirect rules to .htaccess, or after enabling Cloudflare's "Always Use HTTPS" setting which redirects the HTTP challenge request to HTTPS before Certbot can verify it.
5. Hosting provider managed SSL broke without notice
Many managed WordPress hosts handle SSL automatically through their own systems. You never installed Certbot — the host takes care of it. But hosting providers have their own infrastructure problems. Their SSL provisioning system can break, their automation can have bugs, or their renewal process can fail during scheduled maintenance.
You assumed the host was handling it. The host assumed their automation was working. Nobody checked. The certificate expired.
What an expired SSL does to your SEO
Google has used HTTPS as a ranking signal since 2014. When your SSL expires, the impact on search visibility depends on how long it stays expired and how frequently Google crawls your site.
If Google's crawler hits your site during the SSL outage, it cannot establish a secure connection. The crawl fails. If the outage lasts long enough for Google to retry and fail again, your pages may be temporarily deindexed. Even after you renew the certificate, it can take days for Google to recrawl and restore your rankings.
For high-traffic sites that Google crawls frequently, even a few hours of SSL expiry can cause a noticeable ranking drop. For smaller sites that Google crawls less often, the impact may be delayed but it still arrives. The longer the expiry, the longer the recovery.
Beyond Google, browsers like Chrome will mark your site as "Not Secure" in the address bar even after you renew the certificate — at least until the visitor clears their browser cache. The trust damage lingers.
How to check if your SSL certificate is about to expire
Before setting up monitoring, check your current certificate status. There are two ways to do this.
Check manually via your browser
Click the padlock icon in your browser's address bar. In Chrome, click "Connection is secure" then "Certificate is valid." You will see the expiry date under "Valid to." If the date is within 30 days, you should investigate whether auto-renewal is working.
Check instantly with Uptrue's free SSL Checker
Go to uptrue.io/tools/ssl-checker and enter your domain. The tool shows your certificate issuer, expiry date, certificate chain status, and any configuration issues — all in a single scan. No signup required.
How to fix an expired SSL certificate on WordPress
Option 1: Force renewal via Certbot
If you have SSH access to your server, run:
sudo certbot renew --force-renewal
This forces Certbot to request a new certificate immediately, regardless of the expiry date. If the renewal fails, Certbot will print the specific error — usually a challenge failure, a DNS issue, or a permission problem. Fix the reported error and run the command again.
After successful renewal, restart your web server:
sudo systemctl restart nginx
or, if your site runs on Apache:
sudo systemctl restart apache2
Option 2: Reinstall SSL through your hosting panel
If you are on shared hosting without SSH access, log into your hosting control panel — cPanel, Plesk, or your host's custom panel. Look for "SSL/TLS" or "Let's Encrypt" in the security section. Most panels have a button to issue or reissue a certificate for your domain. Click it, wait for the verification to complete, and your certificate should be active within minutes.
If the panel shows an error during issuance, it is usually because the domain's DNS is not pointing to the server. Verify your A record points to your hosting server's IP address.
Option 3: Cloudflare Universal SSL
If your site is behind Cloudflare, you can use their Universal SSL certificate. In the Cloudflare dashboard, go to SSL/TLS and ensure the mode is set to "Full (strict)." Cloudflare issues and renews the edge certificate automatically. You still need a valid origin certificate on your server — Cloudflare offers free origin certificates valid for up to 15 years.
Be careful with the "Flexible" mode. It encrypts the connection between the visitor and Cloudflare but sends unencrypted traffic from Cloudflare to your server. This can also cause redirect loops with WordPress — see our guide on WordPress redirect loops for details.
How to detect SSL expiry before it happens with Uptrue
Fixing an expired certificate is straightforward. The problem is knowing it expired in the first place. Most site owners find out from a customer complaint, a drop in Google Search Console, or stumbling onto their own site on a phone. By then, the damage is done.
Uptrue's SSL monitoring checks your certificate on every scan and warns you well before it expires — so you fix the renewal problem before your visitors ever see a warning.
Step 1: Add an SSL monitor for your domain
- Sign up at uptrue.io/signup (free plan available)
- Click Add Monitor from your dashboard
- Select SSL Certificate as the monitor type
- Enter your domain name
- Set the check interval to every hour
- Configure alert thresholds: 30 days, 14 days, and 7 days before expiry
- Choose your alert channels — Slack, email, or Microsoft Teams
Uptrue checks the certificate on every scan and tracks the days remaining until expiry. When the count hits your thresholds, you get an alert. Three separate warnings — at 30, 14, and 7 days — give you plenty of time to investigate and fix the renewal issue.
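The same 30/14/7-day threshold logic can be run as a stand-alone check from any machine. This Python script is an added example, not Uptrue's code or part of the original article; the function names, alert labels and the example.com placeholder are assumptions.

```python
import socket
import ssl
import time

# Alert thresholds in days before expiry, matching the article's 30/14/7 scheme.
THRESHOLDS = (30, 14, 7)


def days_remaining(not_after, now=None):
    """Whole days until the certificate's notAfter time (negative once past)."""
    expires = ssl.cert_time_to_seconds(not_after)  # e.g. "Jan 31 00:00:00 2030 GMT"
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(days):
    """Map days remaining to an alert level, using the tightest threshold reached."""
    if days < 0:
        return "EXPIRED"
    reached = [t for t in THRESHOLDS if days <= t]
    return f"WARN_{min(reached)}" if reached else "OK"


def check_host(host, port=443, timeout=10):
    """Fetch the live certificate and classify it. Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired, mismatched or untrusted certificate fails the handshake,
        # which is the same condition a browser turns into a warning page.
        return "INVALID", exc.verify_message
    days = days_remaining(not_after)
    return classify(days), f"{days} days left (notAfter={not_after})"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    level, detail = check_host(host)
    print(f"{host}: {level} - {detail}")
    sys.exit(0 if level == "OK" else 1)
```

Run from cron on a machine other than the web server, the non-zero exit status can drive whatever alerting you already have.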
Step 2: Add an HTTP monitor as a safety net
- Click Add Monitor again
- Select HTTP/HTTPS as the monitor type
- Enter your homepage URL with https://
- Set expected status to 200
- Set check interval to 1 minute
If the SSL certificate expires despite the warnings and your site starts returning errors, the HTTP monitor catches it immediately. Browsers and HTTP clients refuse to complete HTTPS connections with expired certificates, so the monitor detects the failure within 60 seconds.
Step 3: Monitor certificate chain and configuration issues
Uptrue's SSL monitor does not just check the expiry date. It also validates:
- Certificate chain completeness — missing intermediate certificates cause warnings in some browsers but not others, making the problem intermittent and hard to diagnose
- Domain name mismatch — the certificate was issued for a different domain or is missing a www variant
- Certificate revocation — the certificate was revoked by the issuing authority
- Protocol support — the server is using outdated TLS versions
Step 4: Set up alerts that reach you immediately
SSL expiry warnings are only useful if you see them in time. Configure alerts to go where you will act on them:
- Slack — instant notification in your ops channel
- Microsoft Teams — same idea, different platform
- Email — fine for the 30-day warning, too slow for the 7-day warning
- Webhook — integrate with PagerDuty, Opsgenie, or your own incident management system
Check your SSL certificate right now
Instant scan showing your certificate issuer, expiry date, chain status, and configuration issues. Free, no signup required.
Preventing SSL expiry permanently
Monitoring catches the problem before it affects visitors. But these steps reduce the chances of it happening in the first place.
Verify your renewal cron job is running
On most Linux servers, Certbot installs a cron job or systemd timer to handle renewal. Check that it exists and is active. Run sudo systemctl status certbot.timer for systemd-based systems or check /etc/cron.d/certbot for cron-based setups. If neither exists, auto-renewal is not configured and your certificate will expire when its 90-day validity runs out.
Test renewal without actually renewing
Run sudo certbot renew --dry-run to simulate the renewal process. This tests the entire chain — domain verification, certificate generation, web server restart — without actually changing your certificate. If the dry run fails, the real renewal will fail too. Fix the issue now while you have time.
Ensure port 80 is accessible for HTTP-01 challenges
Even though your site runs on HTTPS, the Let's Encrypt HTTP-01 challenge needs to access /.well-known/acme-challenge/ on port 80. Make sure your firewall, .htaccess rules, and security plugins do not block or redirect this path. Check the Let's Encrypt challenge types documentation for details on how each verification method works.
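To see what port 80 actually returns for the challenge path, you can probe it without following redirects. This Python script is an added example, not code from the article or from Let's Encrypt; the probe token, function names and status labels are illustrative assumptions.

```python
import http.client

CHALLENGE_PATH = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_response(status, location=None):
    """Interpret the port-80 response for a probe under the challenge path."""
    if status in REDIRECT_CODES:
        # A blanket HTTP-to-HTTPS rule or a CDN setting answered before
        # the web server could serve a file from the challenge directory.
        return "REDIRECTED", f"port 80 redirects the challenge path to {location}"
    if status in (401, 403):
        return "BLOCKED", "a server, plugin or firewall rule denies the path"
    if status in (200, 404):
        # 404 is expected here: the probe token does not exist, but the
        # request reached the web server without being redirected or denied.
        return "REACHABLE", "challenge path is answered over plain HTTP"
    return "UNKNOWN", f"unexpected status {status}"


def probe(host, token="probe-not-a-real-token", timeout=10):
    """Request a non-existent token over HTTP on port 80. Needs network access."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        # http.client never follows redirects, so we see the first response.
        conn.request("GET", CHALLENGE_PATH + token,
                     headers={"User-Agent": "acme-path-check"})
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location"))
    except OSError as exc:
        # Refused, filtered or timed out: port 80 is closed to the outside.
        return "UNREACHABLE", f"port 80 connection failed: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    state, detail = probe(host)
    print(f"{host}: {state} - {detail}")
```

Run it from outside your own network so that firewall and CDN rules are exercised the same way they are for the certificate authority's request.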
After every migration, verify SSL renewal works
Every time you move your WordPress site to a new server, add "verify SSL renewal" to your migration checklist. Run the dry-run test on the new server. Set up monitoring before you consider the migration complete. The certificate from the old server might have weeks left, giving you a false sense of security.
Consider longer-validity certificates for critical sites
Let's Encrypt certificates are free but expire every 90 days. For business-critical sites, a paid certificate from a commercial CA valid for one year reduces the frequency of renewals and the number of opportunities for renewal to fail. The cost is minimal compared to the revenue lost during an SSL outage.
Stop trusting auto-renew blindly
Auto-renewal is a sensible default. But it is not a guarantee. DNS changes, server migrations, permission changes, hosting updates, and firewall rules can all break the renewal process without any visible sign that anything went wrong.
You will not see the failure in your WordPress dashboard. You will not see it in your hosting panel. You will see it when a customer tells you they got a security warning — or when your Google rankings drop because the crawler could not access your site.
Uptrue monitors your SSL certificate on every check. It warns you 30, 14, and 7 days before expiry. It validates your certificate chain, checks for configuration issues, and alerts you on Slack, Teams, email, or webhook. If auto-renewal fails, you know about it weeks before your visitors do.
Never let your SSL certificate expire again
Free plan available. SSL monitoring with 30/14/7 day expiry warnings. Certificate chain validation. No credit card required.
Frequently asked questions
Why did my Let's Encrypt certificate expire if auto-renew is enabled?
Let's Encrypt certificates are valid for 90 days and auto-renew typically runs at day 60. But auto-renewal can fail silently for several reasons: DNS records were changed and the HTTP-01 or DNS-01 challenge can no longer verify domain ownership, the server's cron job or systemd timer that triggers certbot was disabled or broken, file permissions on the certificate directory changed, the web server configuration was modified and the .well-known/acme-challenge path is no longer accessible, or the hosting provider migrated your site to a new server without carrying over the renewal configuration. Certbot logs these failures to /var/log/letsencrypt/letsencrypt.log but almost nobody checks that log proactively.
What do visitors see when an SSL certificate expires?
Every modern browser displays a full-page security warning. Chrome shows "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID. Firefox shows "Warning: Potential Security Risk Ahead." Safari shows "This Connection Is Not Private." The visitor must actively click through multiple warnings to reach your site — and most will not. They leave immediately. If you run an ecommerce store, no transactions can be completed because payment processors require a valid SSL certificate.
Does an expired SSL certificate affect SEO?
Yes. Google has used HTTPS as a ranking signal since 2014. When your SSL expires and your site serves security warnings, Google cannot crawl your pages properly. If the expiry lasts long enough for Google to recrawl, your pages may be deindexed or demoted. Recovering rankings after an SSL outage can take days to weeks depending on how long the certificate was expired and how frequently Google crawls your site.
Can Uptrue monitor my SSL certificate expiry date?
Yes. Uptrue's SSL monitor checks your certificate on every scan and tracks the expiry date. It sends alerts at 30 days, 14 days, and 7 days before expiry — giving you multiple warnings before anything breaks. It also detects certificate chain issues, mismatched domains, and revoked certificates. You can also use the free SSL Checker tool at uptrue.io/tools/ssl-checker to check any domain instantly without signing up.