SSL is not optional for a WooCommerce store. Any site that collects payment information must encrypt data in transit, full stop. But having an SSL certificate installed on your domain and having SSL properly enforced across your store are two different things. This guide covers both, plus what to do when things go wrong.
PCI-DSS (the Payment Card Industry Data Security Standard) requires that all cardholder data be transmitted over encrypted connections. Even if you use a hosted gateway like Stripe or PayPal where card details never hit your server, the checkout page itself must be served over HTTPS. Failure to do so puts you in breach of your merchant agreement.
Beyond compliance, browsers are blunt about it. Chrome and Firefox mark HTTP pages as "Not Secure" in the address bar, and on checkout pages, that warning kills conversions. Customers notice. Google also uses HTTPS as a ranking signal, so there is an SEO cost to running without SSL as well.
The good news is that Let's Encrypt has made SSL free. Every decent hosting provider now includes free SSL certificates via Let's Encrypt or similar. Getting a certificate installed is no longer the hard part; enforcing it correctly across your store is where most stores fall short.
WooCommerce has a built-in setting to force SSL on checkout. Go to WooCommerce > Settings > Advanced and look for the "Force secure checkout" option. Enable it and save. This tells WooCommerce to redirect any HTTP request to the checkout page to its HTTPS equivalent.
However, this only covers the checkout page by default. For a fully secure store, you want HTTPS enforced site-wide, not just at checkout. That means updating your WordPress core URLs as well.
Go to Settings > General in WordPress and update both the WordPress Address (URL) and Site Address (URL) fields to use https:// instead of http://. Save changes. This is the canonical way WordPress knows its own address, and it affects every URL WordPress generates internally, including those in emails, feeds, and admin links.
After switching to HTTPS, the most common issue is mixed content, where the page loads over HTTPS but some resources (images, scripts, stylesheets) are still referenced via HTTP URLs. Browsers block or flag these, and you lose the padlock in the address bar even though your certificate is valid.
The quickest fix is the Really Simple SSL plugin. Install it from the WordPress plugin repository, activate it, and it will handle most mixed content warnings automatically by rewriting HTTP references on the fly. It also handles the WordPress URL updates mentioned above if you haven't done those manually.
For a manual approach, you need to find HTTP references in your database. Use a search-replace plugin like Better Search Replace to replace all instances of http://yourdomain.com with https://yourdomain.com in your database tables. Always take a backup before running a database search-replace. The wp_posts and wp_postmeta tables are where most hardcoded URLs live.
Hardcoded HTTP URLs in your theme's functions.php or child theme stylesheets also need to be updated manually. Check any custom code that constructs URLs explicitly rather than using WordPress functions like get_site_url() or home_url().
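Before reaching for a plugin, it helps to see exactly which references are still insecure. The scanner below is an added example (not code from this article or from any plugin it names): it parses a page's HTML and lists every sub-resource still loaded over http://, classifying each as active content (scripts, stylesheets, iframes, form actions, which browsers block outright) or passive content (images and media, which are merely flagged and cost you the padlock), and as same-host (fixable with the database search-replace described above) or third-party (the remote host has to offer an https:// version). The host shop.example and the sample HTML are constructed for the demo; feed it the output of curl against your own pages instead.

```python
"""Mixed-content scanner for a page served over HTTPS.

Added example, not code from the article or from any plugin it names.
The page host and SAMPLE_HTML below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource.
# A plain <a href> is navigation, not a sub-resource, so it is not listed.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",), "form": ("action",),
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "video": ("src", "poster"), "audio": ("src",),
}
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_style = False

    def _record(self, tag, attr, url):
        # https:// and protocol-relative (//host/...) references are fine.
        if not url.lower().startswith("http://"):
            return
        host = (urlsplit(url).hostname or "").lower()
        self.findings.append({
            "tag": tag, "attr": attr, "url": url,
            "kind": "active" if tag in ACTIVE_TAGS else "passive",
            "same_host": host == self.page_host,
        })

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name in SUBRESOURCE_ATTRS.get(tag, ()):
                if name == "srcset":
                    # "url 2x, url 3x": the URL is the first token of each candidate
                    for candidate in value.split(","):
                        parts = candidate.split()
                        if parts:
                            self._record(tag, name, parts[0])
                else:
                    self._record(tag, name, value.strip())
            elif name == "style":
                # inline style="background:url(http://...)"
                for url in CSS_URL.findall(value):
                    self._record(tag, "style", url.strip())

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> blocks with url(...) references
            for url in CSS_URL.findall(data):
                self._record("style", "css-url", url.strip())


def scan_html(html, page_host):
    scanner = MixedContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    return {
        "total": len(findings),
        "active": sum(f["kind"] == "active" for f in findings),
        "passive": sum(f["kind"] == "passive" for f in findings),
        "third_party": sum(not f["same_host"] for f in findings),
    }


# Constructed sample: what a theme page often looks like right after the switch.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://shop.example/wp-content/themes/child/style.css">
<script src="https://cdn.example/jquery.min.js"></script>
<style>.hero { background: url(http://shop.example/wp-content/uploads/hero.jpg); }</style>
</head><body>
<img src="http://shop.example/wp-content/uploads/logo.png"
     srcset="http://shop.example/logo-2x.png 2x, https://shop.example/logo-3x.png 3x">
<a href="http://other.example/page">navigation link, not mixed content</a>
<iframe src="http://widgets.example/reviews"></iframe>
<img src="//shop.example/wp-content/uploads/protocol-relative.png">
<form action="http://shop.example/checkout/"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    found = scan_html(SAMPLE_HTML, "shop.example")
    for f in found:
        where = "same host" if f["same_host"] else "third party"
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']} ({where})")
    print(summarize(found))
```

On the sample it reports six findings: three active (the stylesheet, the iframe and the form action) and three passive, one of which is third-party. The third-party iframe is the one a search-replace cannot fix; it has to be removed or the widget host has to serve it over HTTPS.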
If you use a caching plugin (LiteSpeed Cache, WP Rocket, W3 Total Cache), cached pages generated before the SSL migration may still contain HTTP references. After updating your URLs, purge all caches completely. In LiteSpeed Cache, go to LiteSpeed Cache > Toolbox > Purge All. In WP Rocket, hit "Clear Cache" from the admin bar or the WP Rocket dashboard.
If you use Cloudflare in front of your site, check your SSL/TLS mode in the Cloudflare dashboard. It should be set to Full (Strict) if your origin server has a valid certificate, which it should if you have Let's Encrypt installed. Avoid "Flexible" mode: it creates an HTTP connection between Cloudflare and your server, which means data is unencrypted on that leg and can cause redirect loops with WordPress's HTTPS enforcement.
Server-level redirects should also be in place. Your hosting provider or a rule in your .htaccess file should redirect all HTTP traffic to HTTPS before it even reaches WordPress. Many hosts configure this automatically when you install an SSL certificate, but it is worth verifying.
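If your host does not add the redirect for you, the .htaccess rules below are an added example (not from this article or from WordPress itself) of doing it on Apache. It assumes yourdomain.com as a placeholder and the non-www hostname as canonical; swap the two if you chose www. The X-Forwarded-Proto condition is what prevents the redirect loop mentioned above when a proxy such as Cloudflare terminates TLS in front of the origin, and it should only be trusted if that proxy is the only thing that can reach your server.

```apache
# Added example: HTTP -> HTTPS and www -> non-www in a single 301.
# Place this above the "# BEGIN WordPress" block so it runs before WordPress's own rules.
<IfModule mod_rewrite.c>
RewriteEngine On

# Anything not already on HTTPS (directly, or via a TLS-terminating proxy)
# goes straight to the canonical https:// host, preserving the path.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [R=301,L]

# Already on HTTPS but on the www host: collapse to the canonical host.
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [R=301,L]
</IfModule>
```

With these rules, http://www.yourdomain.com/page reaches https://yourdomain.com/page in one hop rather than two, which is what you want to see when you test the redirect later.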
Start with the browser padlock. Navigate to your checkout page in an incognito window and confirm the padlock appears in the address bar. Click it to view the certificate details and verify that the certificate is issued to your domain and has not expired.
Use Why No Padlock (whynopadlock.com) or the browser's DevTools (F12, then the Console or Security tab) to identify any mixed content warnings. The browser will log every insecure resource it detected on the page.
Test your redirect: navigate to http://yourdomain.com and confirm you land on https://yourdomain.com with a 301 redirect. You can verify the redirect status code using a tool like RedirectChecker.org or curl in a terminal: curl -I http://yourdomain.com.
Also confirm that your www and non-www variants both redirect correctly and consistently to whichever version you have set as canonical in WordPress settings.
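Checking all four variants by hand with curl gets tedious, so here is an added example (not code from this article) that scripts it: it follows redirects one hop at a time, the equivalent of repeating curl -I, for http and https on both the www and non-www hosts, and reports whether each chain ends at the canonical URL using 301s only. The domain shop.example and the recorded responses in FAKE_RESPONSES are constructed to show one of the common mistakes (a 302 on one variant); pass live_fetch instead to test your own store.

```python
"""Redirect check for every scheme/host variant of a store.

Added example, not code from the article. shop.example and FAKE_RESPONSES
are constructed; live_fetch performs real HEAD requests.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it silently."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """Return (status, Location header or None) for one HEAD request."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch, max_hops=5):
    """Return the list of (url, status, location) hops until a non-redirect."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative
    return hops  # gave up after max_hops: almost certainly a redirect loop


def verify_variants(domain, fetch=live_fetch):
    """Check that http/https x www/non-www all land on https://domain/ via 301s."""
    canonical = f"https://{domain}/"
    results = {}
    for start in (f"http://{domain}/", f"http://www.{domain}/",
                  f"https://www.{domain}/", canonical):
        hops = follow_chain(start, fetch)
        final_url, final_status, _ = hops[-1]
        redirects = [h for h in hops if h[1] in REDIRECT_CODES]
        all_301 = all(h[1] == 301 for h in redirects)
        results[start] = {
            "final": final_url,
            "redirects": len(redirects),
            "all_301": all_301,
            "ok": final_url == canonical and final_status == 200 and all_301,
        }
    return results


# Constructed responses: the www variant uses a temporary 302 and takes two hops.
FAKE_RESPONSES = {
    "http://shop.example/": (301, "https://shop.example/"),
    "http://www.shop.example/": (302, "https://www.shop.example/"),
    "https://www.shop.example/": (301, "https://shop.example/"),
    "https://shop.example/": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start, r in verify_variants("shop.example", fake_fetch).items():
        flag = "OK " if r["ok"] else "BAD"
        print(f"{flag} {start} -> {r['final']} "
              f"({r['redirects']} redirect(s), all 301: {r['all_301']})")
```

In the constructed run, http://www.shop.example/ does reach the canonical URL but is marked BAD because its first hop is a 302 rather than a 301: search engines treat that as temporary, and it is exactly the kind of inconsistency this check is meant to surface.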
Let's Encrypt certificates expire every 90 days and should auto-renew. If renewal fails, your site will show a certificate error and browsers will warn visitors away, which is catastrophic for a store.
In cPanel, you can manually renew your certificate by going to cPanel > SSL/TLS Status and clicking "Run AutoSSL". If AutoSSL keeps failing, check that the domain's DNS points to your hosting server and that no CAA records are blocking Let's Encrypt from issuing certificates for your domain.
If you're using Cloudflare with a proxied DNS record (orange cloud), make sure your Cloudflare SSL mode is not set to "Off" or "Flexible". These settings can interfere with Let's Encrypt's domain validation process. Switch temporarily to "DNS only" (grey cloud) if you need Let's Encrypt to reissue a certificate, then switch back once it's renewed.
Set a calendar reminder to check certificate expiry monthly, or use a monitoring service that alerts you when a certificate is within 30 days of expiry; UptimeRobot and StatusCake both include SSL expiry monitoring on free plans.
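If you would rather run the expiry check yourself (from cron, for instance), the script below is an added example, not code from this article or from either monitoring service it names. It computes the days left on a certificate from the notAfter date that Python's ssl module reports and grades it against the 30-day threshold above; the 7-day "critical" level is an assumption of this example. The dates used in the demo are constructed; check_host connects to a real host and, because it uses a default verifying context, a certificate for the wrong domain or an already-expired one raises an ssl error before the grading runs.

```python
"""Certificate expiry check for a store's domain.

Added example, not code from the article or from any monitoring service it
names. The dates in the demo are constructed; check_host connects for real.
"""
import math
import socket
import ssl
import time

WARN_DAYS = 30      # alert threshold from the article
CRITICAL_DAYS = 7   # assumed escalation threshold, not from the article


def cert_time_to_epoch(value):
    """ssl.getpeercert()['notAfter'] looks like 'Jun  1 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(value)


def days_remaining(not_after, now_epoch):
    """Whole days left, rounded down; negative once the certificate has expired."""
    return math.floor((cert_time_to_epoch(not_after) - now_epoch) / 86400)


def grade(days):
    if days < 0:
        return "expired"
    if days <= CRITICAL_DAYS:
        return "critical"
    if days <= WARN_DAYS:
        # A Let's Encrypt cert with under 30 days left has missed its renewal window.
        return "warning"
    return "ok"


def assess(not_after, now_epoch=None):
    if now_epoch is None:
        now_epoch = time.time()
    days = days_remaining(not_after, now_epoch)
    return {"not_after": not_after, "days": days, "status": grade(days)}


def check_host(host, port=443):
    """Fetch the live certificate; chain and hostname are verified by the context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    result = assess(cert["notAfter"])
    # Which names the certificate actually covers (www and non-www should both be here).
    result["covers"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return result


if __name__ == "__main__":
    # Constructed "now" and expiry dates to show each grade without a network call.
    now = cert_time_to_epoch("May  1 00:00:00 2025 GMT")
    for not_after in ("Jun  1 12:00:00 2025 GMT", "May 20 12:00:00 2025 GMT",
                      "May  5 12:00:00 2025 GMT", "Apr 30 00:00:00 2025 GMT"):
        print(assess(not_after, now))
```

Run check_host("yourdomain.com") from a daily cron job and page on anything other than "ok"; the "covers" list is also a quick way to confirm that both the www and non-www names are on the certificate.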
Run through this once after any SSL migration or new store setup: SSL certificate installed and valid; WordPress Address and Site Address both set to HTTPS in Settings > General; WooCommerce "Force secure checkout" enabled in WooCommerce > Settings > Advanced; server-level HTTP-to-HTTPS redirect in place; all caches purged; no mixed content warnings in browser DevTools; Cloudflare SSL mode set to Full (Strict) if applicable; certificate auto-renewal confirmed working.
SSL setup is a one-time investment of about 30 minutes. Getting it right from the start saves you from firefighting certificate errors, conversion drops, and compliance headaches down the line.
HostBible's hosting is optimised for WooCommerce with LiteSpeed, SSD storage, and free SSL on every plan.