If you’ve ever clicked on a website and had your browser throw up a red warning screen saying “Your connection is not private,” you’ve already run into an SSL problem — from the visitor’s side. Now imagine that’s happening to your site while your customers are trying to pay you.
SSL certificates are one of those things that everyone in hosting talks about but almost nobody actually explains. You’re told you need one. Maybe it gets installed automatically when you sign up. And then it just kind of sits there, quietly doing its job — until it doesn’t, and suddenly Google is flagging your site as unsafe and your contact form submissions disappear.
Here’s what’s actually going on, in plain English.
What “SSL” Actually Means
SSL stands for Secure Sockets Layer. It’s the technology that encrypts the connection between a visitor’s browser and your web server. In practice, what you’ll hear more often today is TLS — Transport Layer Security — which is the modern successor to SSL. The two terms get used interchangeably, and for the purposes of this post, they mean the same thing: encrypted traffic.
When SSL is active on your site, your web address starts with https:// instead of http://. That “s” stands for secure. Browsers also show a padlock icon in the address bar. Both are signals to your visitors that their connection is encrypted and that the site they’re talking to is actually your site — not someone pretending to be you.
Without SSL, everything sent between a visitor’s browser and your server — form submissions, login credentials, credit card numbers, even regular page content — travels as plain, readable text. Anyone positioned between the visitor and your server can intercept and read it. That’s not a theoretical risk. It’s a real one, especially on public Wi-Fi.
The SSL/TLS Handshake: how a secure connection is established
ClientHello (browser to server): the browser tells the server it wants a secure connection and lists the encryption methods it supports.
ServerHello + Certificate (server to browser): the server picks an encryption method and sends its SSL certificate for verification.
Key Exchange (browser to server): the browser verifies the certificate, then sends an encrypted session key only the server can read.
Finished (server to browser): the server confirms, the encrypted channel is open, and all traffic is now scrambled end-to-end.
What the Certificate Actually Does
An SSL certificate is a small digital file that lives on your server. It does two things: it enables encryption, and it proves identity.
The encryption part is what scrambles the data in transit. The identity part is what stops someone from setting up a fake version of your site and intercepting your customers' traffic. When a browser connects to your site, it checks the certificate to confirm that whoever is running the server actually owns the domain. The certificate is issued and digitally signed by a Certificate Authority — a trusted third party whose job it is to verify these claims.
This is why you can't just generate a certificate yourself and call it a day. A self-signed certificate encrypts traffic, but browsers don't trust it because there's no third party confirming your identity. Visitors will still see a security warning — just a different one.
What Happens Without One
Chrome, Firefox, Safari, and Edge all mark HTTP sites as "Not Secure" in the address bar. On sensitive pages — contact forms, checkout, login — some browsers actively block the page or show a full-screen warning. Google confirmed years ago that HTTPS is a ranking signal, meaning sites without it are at a disadvantage in search results. And any data your visitors submit — contact forms, email addresses, login credentials — travels unencrypted across the internet, readable by anyone positioned to intercept it.
The Types of SSL Certificates
Not all certificates are the same, and the differences matter depending on what kind of site you're running.
Domain Validation (DV)
The most common type. The Certificate Authority verifies that you control the domain — nothing more. Issuance is automated and takes minutes. Let's Encrypt certificates are DV certificates, and they're free. For the vast majority of sites — blogs, business websites, portfolios, informational pages — a DV certificate is completely appropriate. It provides full encryption. Visitors see the padlock. Search engines are happy.
Organization Validation (OV)
The Certificate Authority verifies both domain control and basic business identity — that your organization is real and registered. Takes a few days. These show up in the certificate details as belonging to a verified organization. Used by businesses that want to display a higher level of legitimacy, particularly in B2B contexts.
Extended Validation (EV)
The most rigorous type. The CA verifies the legal, physical, and operational existence of your business through a multi-step process. Historically these displayed the company name in green in the browser address bar — most browsers have dropped that visual indicator, which has reduced EV's appeal somewhat. Still used by large financial institutions and enterprises where trust is paramount.
Wildcard Certificates
Covers a domain and all of its subdomains with a single certificate. So a wildcard for *.hostdango.com would cover hostdango.com, www.hostdango.com, blog.hostdango.com, my.hostdango.com, and any other subdomain. Useful when you're managing multiple subdomains and don't want to deal with individual certificates for each.
Let's Encrypt Changed Everything
Before Let's Encrypt launched in 2016, getting an SSL certificate cost money — sometimes a lot of it. Certs ran anywhere from $10 to several hundred dollars per year depending on type and vendor. Smaller sites often went without because the cost felt hard to justify for a blog or small business site.
Let's Encrypt is a nonprofit Certificate Authority that issues DV certificates for free, automatically, and with 90-day renewals that most hosting control panels — including cPanel, which we run — handle without any human involvement. The result is that there's now no good excuse for a site to run without HTTPS. The cost barrier is gone.
Every hosting account we provide at HostDango includes AutoSSL, which uses Let's Encrypt to install and automatically renew certificates for all domains on your account. You shouldn't have to think about it.
Expired Certificates
Certificates don't last forever. Let's Encrypt certificates expire after 90 days; paid certs typically last one to two years. When a certificate expires, browsers immediately start showing warnings — the same full-screen "Your connection is not private" screen that would show up if you had no certificate at all. This is one of the most common SSL support issues we deal with. AutoSSL is supposed to renew before expiry, but it can fail if there's a DNS misconfiguration, a cPanel error, or a domain pointing to a server where the certificate isn't installed. If you ever see a certificate warning on your own site, check the cert's expiry date first — that's usually the culprit.
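The checks described above, written out as an added Python example (not HostDango's or cPanel's code): it connects the way a browser does, reports why verification fails if it does, and otherwise reports how many days the certificate has left. The function names, the sample certificate and the example.com hostnames are assumptions made for illustration; `covers()` also shows which hostnames a wildcard name on the certificate actually matches.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date (negative = expired)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def covers(cert, hostname):
    """True if one of the certificate's DNS names matches hostname."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # A wildcard stands for exactly one left-most label: *.example.com
        # matches www.example.com, but not example.com or a.b.example.com.
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def check_site(hostname, port=443, timeout=10):
    """Connect the way a browser does; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired" or a hostname mismatch
        return False, exc.verify_message
    return True, f"valid for {days_left(cert)} more days"

if __name__ == "__main__":
    print(check_site("example.com"))  # needs network access
```

Running `check_site()` daily against each domain on the account and alerting when the result is not ok, or when fewer days remain than the renewal window, catches a failed automatic renewal before visitors see the warning.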
Mixed Content: The Problem Nobody Warns You About
Here's a trap that catches a lot of people who've already installed an SSL certificate and think they're done: mixed content.
Mixed content happens when your page is loaded over HTTPS but some of the resources it references — images, scripts, stylesheets, embedded videos — are loaded over plain HTTP. Browsers block or warn about this because it defeats the purpose of encrypting the page if part of it is still coming in unencrypted.
This shows up most often when you migrate an existing site from HTTP to HTTPS without updating the internal links. Your database still has http:// URLs scattered through posts and pages. The fix in WordPress is usually a plugin like Better Search Replace that does a database-level find-and-replace, swapping every http://yourdomain.com reference for https://yourdomain.com. You'll also want to make sure your WordPress address settings in Settings → General are updated to use HTTPS.
How to Check Your SSL Status Right Now
The fastest way: open your site in Chrome and look at the address bar. A padlock means you're good. "Not Secure" means you have a problem. Clicking the padlock gives you certificate details including who issued it and when it expires.
For a more thorough check, SSL Labs' SSL Test is the industry standard. Paste your domain in and it grades your SSL configuration A through F, flags issues like weak cipher suites or misconfigured certificate chains, and gives you specific recommendations. It's free and takes about a minute to run. An A or A+ rating is what you're aiming for.
The Bottom Line
An SSL certificate is no longer optional. It's table stakes for anything on the web: browsers flag sites without it, search engines penalize them, and visitors bounce the moment they see a security warning. The good news is that for most sites, a free Let's Encrypt certificate covers everything you need. If your host is handling AutoSSL properly, you shouldn't have to think about it at all. If you're on HostDango, we handle it. If you're not, it's worth double-checking that your certificate is installed, valid, and set to renew automatically before it expires, because the moment it does, your host probably won't call you to let you know.