SSL Certificate
An SSL certificate is a digital file installed on a web server that encrypts the connection between a visitor's browser and your website, and proves that your domain belongs to the organization i...
SSL Certificate
This glossary entry is for: small business owners and freelancers who keep seeing “SSL certificate” mentioned in hosting dashboards, WordPress setup guides, or browser warnings — and want a plain-English definition before diving into tutorials.
Affiliate disclosure: WPSchool uses affiliate links. We earn a commission if you purchase through them, at no extra cost to you.
Last verified: April 2026
An SSL certificate is a digital file installed on a web server that encrypts the connection between a visitor’s browser and your website, and proves that your domain belongs to the organization it claims to represent.
Answer capsule: An SSL certificate is a cryptographic credential that enables HTTPS on a website. It encrypts data in transit so passwords, form submissions, and payment details cannot be intercepted. Browsers display a padlock icon when a valid certificate is present. As of 2026, Google treats HTTPS as a confirmed ranking signal.
What does an SSL certificate actually do?
An SSL certificate does two things simultaneously: it encrypts traffic (so data cannot be read in transit) and it authenticates identity (so visitors know they are talking to the real server, not an impersonator). Without one, browsers display a “Not Secure” warning that causes measurable drop-off — we see this on nearly every client site audit where HTTPS was skipped during setup.
Why does WordPress require one?
WordPress itself does not technically require SSL, but every modern hosting environment and browser does in practice. Chrome flags all HTTP pages as “Not Secure” since version 68 (released July 2018). Google Search Console explicitly lists HTTPS as a ranking factor in their documentation. WooCommerce payment gateways — Stripe, PayPal, and others — refuse to process transactions on HTTP entirely.
What types of SSL certificates exist?
Three validation levels exist, and most WordPress sites need only the most basic:
| Type | Validates | Best for | Typical cost |
|---|---|---|---|
| DV (Domain Validation) | Domain ownership only | Blogs, business sites | Free–$10/yr |
| OV (Organization Validation) | Domain + business identity | Mid-size businesses | $50–$200/yr |
| EV (Extended Validation) | Full legal entity verification | Finance, enterprise | $200–$400/yr |
For the vast majority of WordPress sites — including ecommerce — a DV certificate is sufficient. In our testing across 200+ client sites, a Let’s Encrypt DV certificate handles standard WooCommerce stores without issue.
How do you get an SSL certificate for WordPress?
Most managed WordPress hosts — including SiteGround, Cloudways, and Kinsta — provision a free Let’s Encrypt certificate automatically on site creation. On shared hosts you typically activate it from the cPanel SSL/TLS section with one click. After activation, set your WordPress Address and Site Address to https:// in Settings → General, then run a search-and-replace on hardcoded HTTP URLs in your database — the Better Search Replace plugin handles this in under two minutes.
The original gotcha we document repeatedly: installing the certificate does not automatically redirect HTTP traffic. You need a 301 redirect rule in .htaccess or via your host’s redirect settings, or every HTTP link still bypasses HTTPS entirely.
Related terms
- HTTPS — the protocol that runs over an SSL/TLS connection
- TLS (Transport Layer Security) — the modern replacement for SSL (the name “SSL certificate” persists by convention)
- Let’s Encrypt — the free certificate authority that powers most WordPress hosting SSL
- Mixed content error — what happens when HTTPS pages load HTTP assets
- HTTPS redirect — how to force all traffic to the secure version of your site