SSL issues in WordPress fall into 3 common patterns: the browser shows a “not secure” warning even though an SSL certificate is installed (mixed content), the certificate expired and needs renewal, or switching to HTTPS created a redirect loop that locks you out of your site. Each has a distinct cause and fix.
Mixed content: the “not secure” warning when SSL is active #
Your SSL certificate is valid and installed, but Chrome or Firefox still shows a “not secure” warning or a broken padlock. This means some resources on the page (images, scripts, stylesheets) are loading over plain HTTP instead of HTTPS. The browser treats a page with any unencrypted resource as insecure even if the page itself is HTTPS.
The fastest fix is the Really Simple SSL plugin (free, WordPress.org). After activating it, it rewrites HTTP resource URLs to HTTPS at the browser level and adds the HTTPS redirect. For a more thorough fix, especially if your site has a long history of HTTP URLs stored in the database, use the Better Search Replace plugin to find and replace http://yourdomain.com with https://yourdomain.com across the database. Run a dry-run first before committing the changes.
Expired certificate #
SSL certificates have expiry dates. Free certificates from Let’s Encrypt expire every 90 days and should auto-renew through your hosting provider. Paid certificates from certificate authorities have longer terms. When a certificate expires, browsers show a hard warning that blocks most users from reaching your site. Renew through your hosting control panel: most providers have a one-click renewal path. If auto-renewal was supposed to happen but didn’t, check whether your hosting account’s Payment Method is current.
HTTPS redirect loop #
You switched WordPress URLs to HTTPS (in Settings > General) and now the site redirects endlessly, often blocking access to wp-admin. This usually means the WordPress URL settings and the server’s HTTPS configuration are creating a loop.
Fix by adding these 2 lines to wp-config.php above the “That’s all, stop editing!” comment:
define('WP_HOME', 'https://yourdomain.com');define('WP_SITEURL', 'https://yourdomain.com');
This overrides the database values and forces WordPress to use HTTPS directly. After the loop stops, confirm that your SSL certificate is active in your hosting panel before relying on this configuration long-term.
How Loupely helps with SSL errors #
The HTTPS redirect that mixed content or URL mismatches produce often appears as an authentication failure in Loupely’s capture (because cookies set on one URL variant don’t transfer to another). If a Loupely diagnosis returns session or authentication failure data without an obvious functional cause, check your WordPress URL settings and the SSL status of your site. The browser network panel (accessible in Chrome via F12) will show which resources are loading over HTTP and producing the mixed content warning.