Secure Your Domain With SSL

An SSL certificate protects the privacy and security of you and your website visitors, ensuring your website loads with an HTTPS instead of HTTP. This guide will show you how to view your domain’s SSL cert, which we include for free with all domains on WordPress.com.

SSL (Secure Sockets Layer) is the global standard in encrypted online security technology. An SSL certificate reduces the risk of malicious players (hackers or identity thieves) stealing sensitive information like credit card numbers and passwords from a website visitor or the website itself. Essentially, it provides safe, encrypted communication between your computer and the website you’re visiting.

SSL certificates on WordPress.com come from the Let’s Encrypt Certificate Authority. All certificates on WordPress.com use the same Common Name, tls.automattic.com, and store the unique domain names (grouped in batches of about 50) in the SubjectAltName attribute. All modern browsers honor this attribute, so you and your visitors will not encounter any security warnings on your site.

TLS is the upgraded version of SSL, although the terms SSL and TLS are often used interchangeably. WordPress.com supports TLS versions TLSv1.2 and TLSv1.3.

WordPress.com also sends a Strict-Transport-Security (HSTS) header with all our HTTPS responses, ensuring your site is accessed via https instead of the less-secure http.

On WordPress.com-hosted sites, SSL is provided free of charge and automatically provisioned (installed) for you. It is not possible (or necessary) to install an SSL certificate from another source — we automatically encrypt all domains used with a WordPress.com website. Although it’s common for WordPress site owners to install (and pay for) their own SSL certificate, we take care of this for you on WordPress.com.

Our automated process adds an SSL certificate shortly after the domain is registered, transferred, or connected to your WordPress.com site. It may take up to 72 hours for the SSL certificate to appear on your site. For domains connected to WordPress.com from other registrars, SSL certificates are added after you complete the connection process.

To make sure your domain has an active SSL certificate, take the following steps:

1. Visit your site’s dashboard.
2. Navigate to Upgrades → Domains (or Hosting → Domains if using WP-Admin).
3. Click on your domain.
4. Scroll down to the “Domain security” section. (If this section is missing, ensure your domain name is correctly set up.)
5. If your SSL certificate is active, you will find the text “SSL certificate active”:

Because we provision the SSL certificate for you, there is no toggle or setting to modify the certificate. Our system automatically provides the SSL.

You can also check if a site has a working SSL by checking the URL in your browser’s address bar when visiting the website as a normal visitor. Browsers typically show a lock icon, safety seal, or a green URL bar to indicate a secure connection.

If, instead, your Domain security shows “SSL certificate pending,” you will find a list of DNS configuration issues preventing us from adding SSL. Here are some error messages that may prevent us from adding the SSL certificate to your domain:

This domain has CAA DNS records that do not allow Let's Encrypt to issue a certificate. Please update or remove the CAA DNS records.

This domain has a mixture of both WordPress.com and external name servers. Please update the NS records.

This domain has DNSSEC validation errors. You may need to remove or update the DS Record data at your registrar.

The next section of this guide shares some common steps to take if your domain is missing an SSL certificate and showing any problems with HTTPS.

Once you resolve the issues, you can click the “Provision certificate” button. This action will request the SSL certificate for your domain.

If your domain displays your WordPress.com site, we will automatically generate the SSL certificate. But if SSL is missing and your website loads with HTTP instead of HTTPS, review your domain’s DNS records to ensure the domain can display your WordPress.com site (and receive the SSL).

Example errors you might see when visiting your site include NET::ERR_CERT_COMMON_NAME_INVALID, or Your connection to this site is not secure.

Depending on how your domain is used with your WordPress.com site, you can use the steps in the following sections to fix SSL and HTTPS errors.

If your domain is connected from another registrar, ensure you have completed the domain connection to receive the WordPress.com SSL certificate. For domains connected with our name servers, also ensure that DNSSEC is disabled.

For domains registered with WordPress.com or transferred to WordPress.com, check your DNS is correctly configured with the following steps:

1. From your site’s dashboard, navigate to Upgrades → Domains (or Hosting → Domains if using WP-Admin).
2. Click on your domain name.
3. Click on the “Name Servers” section and ensure the option to “Use WordPress.com name servers” is in the ON position.
4. Click on the “DNS Records” section and click the “Manage” button.
5. Ensure that your domain’s A and CNAME records are set to the default values for WordPress.com by:
   1. Clicking the ellipses (three dots) at the top right of your screen.
   2. Clicking “Restore default A records” and/or “Restore default CNAME record”:

Once you have completed these steps, your WordPress.com site will appear on your domain within a few hours, and SSL applied shortly after.

Your domain’s SSL certificate is renewed automatically when you renew your domain — no need to renew SSL separately. Your SSL certificate will stay active as long as the domain is connected to a WordPress.com site.

We consider strong encryption so crucial that we do not allow you to compromise the security of your website by disabling SSL. We also 301 redirect all insecure HTTP requests to the secure HTTPS version.