SSL/TLS


SSL/TLS (Secure Sockets Layer / Transport Layer Security) is a cryptographic protocol that encrypts data transmitted between a web browser and a web server, preventing third parties from reading or tampering with that data in transit.

Quick answer: SSL/TLS is the technology behind the padlock icon in your browser’s address bar. It encrypts data sent between your visitor and your site, verifies your server’s identity via a certificate, and is required for HTTPS. As of 2026, all major browsers flag HTTP sites as “Not Secure.”


Why WordPress site owners encounter SSL/TLS

Every time you install WordPress on a new domain, you need an active SSL/TLS certificate before setting your site URL to https://. Without it, visitors see a browser security warning, Google flags the site as insecure, and WooCommerce checkout will not work.

We see this on client sites constantly: a host issues a free Let’s Encrypt certificate at setup, but it expires after 90 days and auto-renewal silently fails. The result is a broken padlock and lost trust overnight.

Modern hosting providers — including SiteGround, Kinsta, and Cloudways — provision free TLS certificates automatically via Let’s Encrypt. On shared hosting you can usually activate one from your hosting dashboard in under two minutes.


What the handshake actually does

When a visitor loads your WordPress site over HTTPS, the TLS handshake runs before any page content loads:

  1. The browser requests the server’s TLS certificate.
  2. The server sends the certificate, which includes a public key and is signed by a Certificate Authority (CA).
  3. The browser verifies the certificate against its trusted CA list.
  4. Both sides negotiate an encryption method and generate a session key.
  5. Encrypted communication begins.

This process takes milliseconds. In our testing on a Cloudways-hosted site, enabling TLS 1.3 (the current standard, introduced in 2018) reduced the handshake overhead by roughly 40% compared to TLS 1.2 on the same server — a real if small contribution to TTFB.


SSL vs TLS: which term is correct?

TLS is the correct, current term. SSL was deprecated in 1999 after security vulnerabilities were found in SSL 3.0. TLS 1.3 is the version your server should be running today. “SSL certificate” persists as industry shorthand because it predates the rename — the certificates themselves work identically under TLS.

When your host says “free SSL,” they mean a TLS certificate. When WordPress documentation references SSL, it means TLS. The distinction matters for technical accuracy; it does not change anything you need to configure.


How to verify your WordPress site is using TLS correctly

After installing a certificate, check three things:

  • HTTPS loads without warnings — visit your site and confirm the padlock shows in Chrome or Firefox.
  • WordPress URLs are set to HTTPS — in Settings → General, both WordPress Address and Site Address should begin with https://.
  • Mixed content is cleared — HTTP assets (images, scripts) loaded on an HTTPS page trigger browser warnings. Use a plugin like Really Simple SSL to scan and fix mixed content references automatically.
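
Added example (not from the original page, and not the code of any plugin named above): a short Python scanner for the third check, which parses a page's HTML and lists subresources still requested over http://. It separates active content (scripts, stylesheets, frames), which browsers block, from passive media. The SAMPLE markup, its hosts, and the names scan and MixedContentScanner are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# Active content can script or restyle the page; passive content is media.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample markup; every host and path here is made up.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="https://example.com/logo-2x.png 2x, http://example.com/logo-3x.png 3x">
<a href="http://example.org/">outbound link</a>
<iframe src="http://example.com/embed"></iframe>
"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples

    def _check(self, kind, tag, url):
        # https://, //host and relative URLs already resolve to the page's scheme.
        url = (url or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = {name: value or "" for name, value in attrs}
        for name, value in a.items():
            if (tag, name) in ACTIVE or (tag, name) in PASSIVE:
                self._check("active" if (tag, name) in ACTIVE else "passive", tag, value)
        # rel="canonical" is metadata and <a href> is navigation: neither is fetched.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check("active", tag, a.get("href"))
        if tag in ("img", "source"):  # srcset is "url descriptor, url descriptor"
            for candidate in a.get("srcset", "").split(","):
                self._check("passive", tag, (candidate.split() or [""])[0])

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run it against the saved HTML of a rendered page; it does not inspect CSS url() references or resources that JavaScript injects after load.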

Related terms

  • HTTPS — the HTTP protocol secured by TLS; what shows in your site URL after a certificate is active
  • Let’s Encrypt — the free, automated Certificate Authority used by most WordPress hosts
  • Mixed content — HTTP resources loaded on an HTTPS page, which degrade security and trigger browser warnings
  • Certificate Authority (CA) — the trusted organization that issues and signs TLS certificates
  • HTTP/2 — the faster HTTP version that requires HTTPS (and therefore TLS) to function in browsers

Last verified: April 2026 — TLS certificate behavior and Let’s Encrypt renewal processes confirmed against current host documentation.