TL;DR -- Let's Encrypt is shortening certificate validity to 64 days on February 10, 2027, then to 45 days on February 16, 2028. Auto-renewal is now essential, not optional. If your certificate expires, browsers show a full-page warning, crawlers can no longer fetch your pages, and anything else that validates the certificate (CDN origin checks, payment webhooks) fails with it. Renewals rarely fail because someone forgot; they fail silently because a CAA record, a firewall rule or a broken host-side job stopped the automated run and nobody was watching. Set up auto-renewal now, verify it's working, monitor expiry continuously, and have a recovery plan ready.
The Midnight Emergency Call You Don't Want
I've received dozens of emergency calls from site owners whose SSL certificates expired overnight—at least 30 in the last three years across the 150+ client sites I've managed. The site shows a full-page warning in every browser. Visitors think they've been hacked. Search engine crawlers hit the same certificate error and can no longer fetch the pages. And the fix takes 15 minutes if you know what to do, or weeks of downtime if you don't.
SSL/HTTPS is table stakes for comprehensive WordPress security, but WordPress SSL certificate expiration is the part most site owners overlook. Semi-automated systems create a false sense of security. Everything appears fine until it suddenly isn't.
Let's Encrypt is cutting certificate validity in stages between 2026 and 2028. That operational change affects every WordPress site running on their free certificates, which is most of them. This isn't about "What is SSL?" This is about staying ahead of the change before it creates site-breaking surprises.
How Long Does an SSL Certificate Last?
Let's Encrypt certificates currently last 90 days, a standard since the CA launched in 2015. The 90-day cycle limits the damage from a compromised key and pushes operators toward automation. Before Let's Encrypt, commercial certificates could last several years; the CA/Browser Forum capped them at 825 days in 2018, and browser vendors cut the maximum to 398 days (about 13 months) in September 2020.
If a certificate is only valid for 90 days, an attacker holding a stolen private key can use it for at most 90 days before it expires on its own, whether or not anyone noticed and revoked it.
What's Changing in 2026-2028
Let's Encrypt is reducing SSL validity in stages: May 13, 2026 introduces opt-in 45-day certificates via the TLS server profile, February 10, 2027 makes 64-day certificates the default, and February 16, 2028 completes the transition to 45-day certificates (Let's Encrypt, 2025). Shorter validity reduces damage windows from CA security breaches or compromised private keys and forces necessary automation.
It also takes manual renewal off the table: nobody reliably renews a certificate by hand every six weeks, so shorter lifetimes turn working automation from a convenience into the only viable setup.
What This Means for You
Renewal frequency doubles: a client that renews when a third of the lifetime remains moves from renewing every 60 days to every 30. Manual renewal becomes impractical. Auto-renewal shifts from "nice to have" to a hard requirement. Recent Certbot releases also consult Let's Encrypt's ACME Renewal Information (ARI) endpoint, so the client may renew earlier than the one-third rule when the CA asks it to.
If you're on shared hosting, your host probably handles renewals automatically. But you need to verify that auto-renewal is enabled and actually working. If you're running your own server, you're responsible for the renewal process end-to-end. Agencies managing multiple client sites need to audit every hosting tier to understand where the liability sits.
Key Takeaway: Let's Encrypt is cutting certificate validity to 64 days on February 10, 2027, then to 45 days on February 16, 2028. Auto-renewal shifts from optional to mandatory. If you're managing multiple sites, a quarterly manual audit is no longer enough on its own: a renewal job that breaks can take a 45-day certificate from healthy to expired in about two weeks, so pair the audit with automated expiry monitoring that alerts you. Silent failures are the most common cause of expiration incidents.
Why SSL Certificate Expiration Breaks Your Site
A certificate expires at the exact notAfter timestamp encoded in it (for Let's Encrypt, the moment of issuance plus the lifetime, to the second), not at midnight. From that instant every new connection fails validation and the browser warning appears. There's no grace period.
The Browser Red Warning (And Why Visitors Leave)
Chrome, Firefox, and Safari replace the page with a full-screen "Your connection is not private" interstitial (Chrome labels it NET::ERR_CERT_DATE_INVALID) warning visitors that their information might be stolen. In my experience monitoring client sites with expired certificates, visitor abandonment exceeds 95 percent within the first hour—most users simply close the tab immediately.
The browser warning doesn't distinguish between an expired certificate and an actively malicious site. To the average visitor, both look equally dangerous. They leave and don't come back.
Search Engine and SEO Impact
Google has used HTTPS as a ranking signal since 2014, and an expired certificate takes that signal away. Worse, a crawler that validates certificates the way a browser does cannot fetch your pages at all; pages that stay unreachable drop out of the index over time, and the errors show up in Search Console's crawl reports. Mixed content (HTTPS pages loading scripts or images over plain HTTP) is a separate problem: expiry does not cause it, but it is often discovered in the same post-mortem, so fix both while you're in there.
The Domino Effect on Your Site's Functionality
The impact spreads further than the home page. A CDN or reverse proxy configured to validate your origin certificate (Cloudflare's Full (strict) mode, for example) starts returning its own error page (HTTP 526 on Cloudflare). Payment gateways, webhooks and any integration that calls your site over HTTPS fail certificate validation, so orders and callbacks stop without anyone on your side seeing an error. If the mail server presents the same certificate, mail clients start warning and sending servers that enforce TLS (MTA-STS, DANE) refuse the connection. None of this degrades gradually: every new connection fails from the moment of expiry.
Within hours, the outage is visible across several channels at once.
Key Takeaway: Browser warnings appear the instant your SSL expires—no grace period. In my experience, visitor abandonment exceeds 95 percent within the first hour. Crawlers stop fetching pages, and every integration that validates the certificate fails with them. Recovery takes 15 minutes once you renew.
Why SSL Certificate Renewals Fail
Most WordPress SSL certificate expiration incidents don't happen because renewal was forgotten. They happen because renewal ran automatically, failed silently, and nobody noticed until the certificate expired.
CAA Records: The Silent Renewal Killer
CAA (Certification Authority Authorization) records are DNS entries that allowlist which certificate authorities may issue certificates for a name. From auditing client renewal failures over the past two years, misconfigured CAA records are the root cause in roughly 25-30 percent of cases I've investigated.
Here's how it breaks. Someone sets a CAA record that doesn't list Let's Encrypt. Maybe a developer added it during a security audit. Maybe a previous host configured it incorrectly. Before issuing, the CA looks for CAA records at the exact name and then at each parent domain, and the first set it finds governs the name, so a record on example.com also controls blog.example.com; a wildcard request is governed by the issuewild tag when one is present. If that set exists but doesn't authorize letsencrypt.org, the renewal fails immediately with a CAA error. That refusal is a CA/Browser Forum requirement, not a client bug, so no client-side setting gets around it.
Most site owners never set a CAA record, so it's not an issue. But if one exists and it's misconfigured, your SSL certificate auto-renewal silently breaks. You won't know until the certificate expires and browsers start showing warnings.
The fix is simple. Add a CAA record 0 issue "letsencrypt.org" next to any existing issue records (keep the entries for other CAs that still issue for you: once any issue record exists, every CA not named is blocked). Wait for the old record's TTL to expire rather than a fixed 30 minutes. Retry renewal.
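The rules above are easy to get wrong when a CAA record sits on a parent zone or when wildcards are involved, so here is the evaluation written out the way a CA performs it (RFC 8659). This is an added example, not code from the article or from Let's Encrypt; the ZONE dictionary is constructed data standing in for real DNS answers, and `parse_dig_line` lets you feed it the lines that `dig CAA yourdomain +short` prints for each name and parent. It also serves the "Verify your CAA record" steps in the setup and recovery checklists later on.

```python
"""CAA evaluation as a CA performs it (RFC 8659), run against a constructed zone.

Added example; not code from the original article. ZONE stands in for real DNS
answers: feed it the output of `dig CAA <name> +short` via parse_dig_line().
"""
from typing import Dict, Iterator, List, Tuple

CAARecord = Tuple[int, str, str]              # (flags, tag, value) as in a CAA RR
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags this checker understands
CRITICAL = 128                                # RFC 8659 "issuer critical" flag bit

# Constructed zone data for the example. Names are fully qualified; an absent or
# empty entry means "no CAA RRset at this name", so a lookup climbs to the parent.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.":        [(0, "issue", "digicert.com"), (0, "issue", "letsencrypt.org")],
    "locked.example.com.": [(0, "issue", ";")],                         # nobody may issue
    "wild.example.com.":   [(0, "issue", "letsencrypt.org"), (0, "issuewild", "sectigo.com")],
    "strict.example.com.": [(CRITICAL, "futuretag", "x")],              # critical tag we don't know
    "open.example.com.":   [(0, "iodef", "mailto:security@example.com")],  # no issue tags at all
}

def parse_dig_line(line: str) -> CAARecord:
    """Turn one line of `dig CAA name +short` output, e.g. 0 issue "letsencrypt.org", into a record."""
    flags, tag, value = line.strip().split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def _candidate_names(fqdn: str) -> Iterator[str]:
    """Yield the name, then each parent up to the TLD: blog.example.com -> example.com -> com."""
    labels = fqdn.strip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking up the tree governs the name."""
    for name in _candidate_names(fqdn):
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []

def _ca_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> '' (blocks everyone)."""
    return value.split(";", 1)[0].strip().lower()

def can_issue(fqdn: str, ca_domain: str, zone=ZONE, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for fqdn (or *.fqdn when wildcard=True), with the reason."""
    name, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, f"no CAA at {fqdn} or any parent: any CA may issue"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r} at {name}: a CA must refuse"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # A wildcard request is governed by issuewild when present, otherwise by issue.
    prop, relevant = ("issuewild", issuewild) if (wildcard and issuewild) else ("issue", issue)
    if not relevant:
        return True, f"CAA at {name} has no {prop} tag: issuance unrestricted"
    allowed = {_ca_of(v) for v in relevant}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorised by {prop} at {name}"
    shown = sorted(a or '";" (nobody)' for a in allowed)
    return False, f"{ca_domain} not in {prop} at {name} ({shown}): renewal will fail"

def letsencrypt_report(names: List[str], zone=ZONE) -> List[Tuple[str, bool, str]]:
    """Check every name a renewal would request, treating *.example.com as a wildcard request."""
    out = []
    for n in names:
        wildcard = n.startswith("*.")
        ok, why = can_issue(n[2:] if wildcard else n, "letsencrypt.org", zone, wildcard)
        out.append((n, ok, why))
    return out

if __name__ == "__main__":
    for n, ok, why in letsencrypt_report(["blog.example.com", "*.wild.example.com",
                                          "locked.example.com", "open.example.com"]):
        print(f"{'OK  ' if ok else 'FAIL'} {n}: {why}")
```

Note that `blog.example.com` passes only because the record on `example.com` names Let's Encrypt, and `*.wild.example.com` fails even though the non-wildcard name is fine: that is the issuewild split that catches people who add a wildcard SAN to an existing certificate.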
Firewall and WAF Blocking ACME Validation
Let's Encrypt uses the ACME protocol (Automatic Certificate Management Environment, RFC 8555) to prove you control the domain before issuing a certificate. With the common HTTP-01 challenge, your client writes a token file and Let's Encrypt's validation servers fetch http://yourdomain/.well-known/acme-challenge/<token> over plain HTTP on port 80, from several vantage points around the world. (DNS-01, which wildcards require, checks a TXT record at _acme-challenge.yourdomain instead.) If a firewall, Web Application Firewall, geo-block, maintenance-mode plugin or a blanket redirect to a login page intercepts that request, the challenge fails and so does renewal. Let's Encrypt publishes no validation IP addresses, so allowlisting by IP is not an option; the path itself has to be reachable from anywhere.
This usually happens after a security plugin update tightens firewall rules or when a site migrates to a host with stricter defaults. The failure reaches nobody: Certbot records "Invalid response" and the 403 from the challenge URL in /var/log/letsencrypt/letsencrypt.log, the host's AutoSSL log records the same, and the job quietly tries again twice a day until the certificate expires.
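The quickest way to find out whether a WAF is in the way is to make the same request the validation server makes and judge the answer by the same rules. The script below is an added example (not part of the article or of Certbot): it builds the key authorization a challenge file must contain (token plus the RFC 7638 thumbprint of the account key), fetches the challenge URL over plain HTTP on port 80 with Let's Encrypt's User-Agent, and reports why the answer would be rejected. The account key and the host and token in the usage are constructed; place a test file containing the printed value in your webroot under `.well-known/acme-challenge/` before running the probe.

```python
"""Self-check for Let's Encrypt's HTTP-01 validation path (RFC 8555 section 8.3).

Added example, not code from the original article or from Certbot. It reproduces what
the CA's validation server does: fetch http://<host>/.well-known/acme-challenge/<token>
over plain HTTP and compare the body with the key authorization, which is
<token>.<base64url(SHA-256 JWK thumbprint of the account key)> (RFC 7638).
"""
import base64
import hashlib
import json
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Let's Encrypt identifies itself like this; WAF rules keyed on User-Agent are a common cause of 403s.
VALIDATOR_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# Constructed account key: public members only, arbitrary base64url strings, not a real key.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects to read back from the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def judge(status: int, body: str, expected: str):
    """Apply the CA's rules: HTTP 200 and a body equal to the key authorization (trailing whitespace ignored)."""
    if status != 200:
        return False, f"HTTP {status}: a WAF rule, geo-block, maintenance plugin or login redirect is in the way"
    if body.strip() != expected:
        return False, "HTTP 200 but wrong body: the file was not written, or a plugin rewrote the response"
    return True, "challenge would validate"

def probe(host: str, token: str, expected: str, timeout: float = 10.0):
    """Fetch the challenge the way the CA does (port 80, redirects followed, validator User-Agent)."""
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": VALIDATOR_UA})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:   # urllib follows redirects, as the CA does
            return judge(resp.status, resp.read().decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as e:
        return judge(e.code, "", expected)
    except (urllib.error.URLError, OSError) as e:
        return False, (f"connection failed: {e}. Port 80 must be reachable from the whole Internet; "
                       "the CA validates from several vantage points and publishes no IPs to allowlist")

if __name__ == "__main__":
    # Usage: python3 http01_probe.py example.com <token>   (host and token are yours to choose)
    host, token = sys.argv[1], sys.argv[2]
    expected = key_authorization(token, EXAMPLE_JWK)
    print("write this into the challenge file:", expected)
    ok, why = probe(host, token, expected)
    print("OK" if ok else "FAIL", why)
```

A 403 or a 200 whose body is your login page is the signature of a WAF or security plugin intercepting the path; a connection failure means port 80 is closed or filtered, which breaks HTTP-01 regardless of any WAF setting.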
Missing or Broken Renewal Notifications
Let's Encrypt stopped sending certificate expiry warning emails in June 2025, so you will get no reminder from the CA at all. Your host or ACME client may send its own failure notices, and those go to the admin address on file. If that address is bouncing, in spam, or unmonitored, the first warning you get is the browser error.
Shared hosting plans sometimes have renewal plugins that break after WordPress updates or aren't installed by default. Auto-renewal appears to be enabled in the host dashboard, but the underlying mechanism is broken. You only discover the problem when the certificate expires.
Key Takeaway: Most SSL expiration incidents happen because renewal ran automatically, failed silently, and nobody noticed. Misconfigured CAA records cause 25-30 percent of the failures I've investigated. Firewall blocks and broken host-side renewal jobs cause most of the rest, and none of them announce themselves now that Let's Encrypt no longer emails expiry warnings. Monitor the live certificate; audit quarterly.
Comparison Table: Hosting Tiers and SSL Renewal Responsibility
This table shows where the responsibility line falls for different hosting environments. Understanding this helps you know what you're responsible for and what your host handles.
| Hosting Tier | Auto-Renewal | Admin Involvement | CAA Risk | Best For |
|---|---|---|---|---|
| Managed WordPress (Kinsta, WP Engine) | Yes, automatic | Zero. Host handles it. | Low if the host also runs your DNS | Agencies, SMBs without tech skill |
| Shared Hosting (GoDaddy, Bluehost) | Often optional plugin | Medium. Must enable and verify. | Medium. Host may set defaults. | SMBs on budget. Needs verification. |
| VPS (Linode, DigitalOcean) | Manual CLI / cron | High. You own the process. | High. You set CAA manually. | Agencies with ops team |
| Self-hosted (Mac Mini, NAS) | Manual Certbot | High. You own everything. | High. You set CAA manually. | Hobbyists, DIY developers |
If you're on shared hosting, your host probably has auto-renewal enabled, but you need to verify it's actually working. If you're running your own server, you're responsible for the renewal process end-to-end. Managed hosting reduces your liability to nearly zero. VPS and self-hosted setups shift all liability to you.
For agencies managing multiple client sites, you need to know which hosting tier each client is on. Managed hosting reduces your emergency call volume. VPS setups require you to own the renewal infrastructure.
Setting Up Auto-Renewal (Prevention Strategy)
Auto-renewal is the only sustainable way to handle 64-day and 45-day certificate validity cycles. Manual renewal might work for one or two sites, but it doesn't scale and it's error-prone.
If You're on Managed WordPress Hosting (Kinsta, WP Engine, etc.)
Auto-renewal is on by default. Nothing to configure. Log into your host dashboard, find the SSL/HTTPS section, and verify "Automatic Renewal" is enabled. Screenshot the confirmation for your records.
Set a calendar reminder for the renewal point (a third of the lifetime before expiry: 30 days on today's 90-day certificates, about 21 days on 64-day ones, 15 on 45-day ones) and confirm the dashboard shows a freshly issued certificate. Paranoia beats downtime. Some managed hosts hide the renewal controls deep in settings. If you can't find it, contact support. Fifteen minutes on the phone is worth the peace of mind.
If You're on Shared Hosting
Find your hosting control panel. Most shared hosts use cPanel or Plesk. Look for AutoSSL (cPanel) or the SSL It! extension with "Keep websites secured" (Plesk). Enable auto-renewal. If it's not available as an option, contact support and ask them to enable it. It's a standard feature.
Verify your CAA record. Go to wherever your DNS is hosted (registrar, Cloudflare, or the host itself). Check for CAA records on the domain and on any parent zone you control, because a record on the parent governs the subdomain too. If there are none, you're fine. Skip this step. If any issue records exist, one of them must be 0 issue "letsencrypt.org" (plus an issuewild entry if you use wildcard certificates). If it isn't there, add it alongside the existing entries rather than replacing them.
Update the admin email in the host control panel to an address you monitor daily: your host's renewal-failure notices go there. Expect nothing from Let's Encrypt itself; it stopped sending expiry warning emails in June 2025.
Set a calendar reminder for the renewal point (a third of the lifetime before expiry) to check the host dashboard and confirm a new certificate was issued. An external expiry monitor does the same check for you every day without the calendar.
If You're on a VPS or Managing Your Own Server
SSH into your server. Check whether Certbot is installed by running `which certbot`. If it's not installed, install it now (Debian/Ubuntu shown; replace nginx with apache if you're running Apache):

```bash
apt-get install certbot python3-certbot-nginx
```

The package installs a scheduled renewal job for you: a systemd timer (`certbot.timer` from the distro package, `snap.certbot.renew.timer` if you installed via snap) or a cron entry. It runs `certbot renew` twice a day, and that command renews any certificate with a third or less of its lifetime left. Verify the timer exists and is active:

```bash
systemctl list-timers --all | grep certbot
```

Then test the renewal path end to end against Let's Encrypt's staging environment:

```bash
certbot renew --dry-run
```

The dry run performs the real ACME challenge without replacing your certificate. If it succeeds, the renewal path works. If it fails, the error message tells you why, and so does /var/log/letsencrypt/letsencrypt.log.
Set up your CAA record (optional but recommended). In your DNS provider, add 0 issue "letsencrypt.org", an issuewild entry if you use wildcard certificates, and entries for any other CA that issues for the domain. This explicitly authorizes Let's Encrypt and blocks every CA you didn't list.
Just like WordPress updates, SSL certificate auto-renewal works best with automation plus occasional manual verification. Set it and forget it, but don't ignore it completely.
Strongly recommended: alert on renewal failures. Certbot sends no email by itself. Run the renewal from cron with MAILTO set (cron mails whatever the job prints), or add a --deploy-hook that notifies you on every successful renewal and treat silence as failure. Better still, monitor the live certificate's expiry from outside the server: that catches the failure modes a local log never shows, such as the wrong vhost being reloaded or a CDN still presenting its own expired certificate.
Key Takeaway: Auto-renewal is the only sustainable way to handle 64-day and 45-day validity cycles. Managed hosting handles it automatically. Shared hosting requires you to verify it's enabled. VPS and self-hosted setups require a working Certbot timer, an alert path for failures, and CAA records that allow Let's Encrypt. Set it up once, monitor it continuously, audit quarterly.
How to Verify Your Auto-Renewal is Actually Working
Auto-renewal fails silently. Don't assume it's working—verification is mandatory.
Four Verification Steps Every Site Owner Should Do Quarterly
Check 1: Renewal confirmations. Let's Encrypt no longer emails anybody (its expiry notices ended in June 2025), so the confirmation has to come from your own tooling: the host's renewal log, Certbot's log, or a success notification from a deploy hook. Each renewal cycle, confirm a new issuance actually happened. If there is no record of a renewal within the last cycle, renewal isn't running.
Check 2: Certificate age. Use a free SSL checker tool. I use sslshopper.com for most checks (faster, cleaner interface) and digicert.com when I need detailed chain validation for troubleshooting. Enter your domain. It shows the certificate issue date and expiration date. A healthy certificate is never older than two thirds of its lifetime, because that is when renewal replaces it: under 60 days old for a 90-day certificate, under about 43 for a 64-day one, under 30 for a 45-day one. If it's older than that, renewal failed or isn't running.
Check 3: Manual renewal test. In your host dashboard (or Certbot CLI), run a renewal test. Most dashboards have a "Renew certificate now" button. For Certbot, run certbot renew --dry-run. The test should succeed with no errors. If it fails, the error message tells you exactly what's broken.
Check 4: Automated alerting plus a calendar check. A reminder set for "60 days before expiration" stops making sense once certificates live 64 or 45 days, so tie it to the renewal point instead (a third of the lifetime before expiry) and, better, let an external expiry monitor page you whenever a certificate enters the last sixth of its lifetime without having been replaced. Keep the quarterly manual check as the backstop that verifies the monitor itself still works.
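The monitor these four checks (and the failure-alert recommendation in the VPS setup section) keep referring to is short enough to write yourself. The script below is an added example, not code from the article: it connects to each host with full certificate validation, as a browser does, reads the certificate's validity period and classifies it against the renewal rule Certbot uses, so the thresholds scale automatically from today's 90-day certificates to the 64- and 45-day ones. An expired or untrusted chain fails the handshake itself and is reported as INVALID. Run it from cron with MAILTO set; it prints only for hosts that need attention, so a cron mail means trouble. The host names in the default run are assumptions; pass your own on the command line.

```python
"""External certificate expiry monitor (added example, not from the original article).

Classifies each host's live certificate against Certbot's renewal rule: renew once a
third of the lifetime remains. Past that point and still not renewed means the renewal
job is failing; inside the last sixth of the lifetime it has been failing for a while.
"""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional

def parse_cert_time(value: str) -> datetime:
    """Convert the 'Jun  4 12:00:00 2027 GMT' form returned by getpeercert() to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def renewal_status(not_before: datetime, not_after: datetime, now: datetime):
    """Return (status, days_remaining). Thresholds are fractions of the lifetime, so the same rule
    covers 90-, 64- and 45-day certificates without editing the script."""
    lifetime = not_after - not_before
    remaining = not_after - now
    renew_point = lifetime / 3   # Certbot renews once a third or less of the lifetime is left
    alarm_point = lifetime / 6   # half the renewal window has gone unused: something is broken
    days = remaining.total_seconds() / 86400
    if remaining <= timedelta(0):
        return "EXPIRED", days
    if remaining <= alarm_point:
        return "CRITICAL", days
    if remaining <= renew_point:
        return "RENEWAL_DUE", days
    return "OK", days

def probe(host: str, port: int = 443, now: Optional[datetime] = None) -> dict:
    """Fetch the live certificate with full validation, as a browser does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:   # expired or untrusted: what visitors are seeing right now
        return {"host": host, "status": "INVALID", "detail": e.verify_message}
    except OSError as e:
        return {"host": host, "status": "UNREACHABLE", "detail": str(e)}
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    status, days = renewal_status(not_before, not_after, now or datetime.now(timezone.utc))
    return {"host": host, "status": status, "days_left": round(days, 1),
            "issued": not_before.date().isoformat(), "expires": not_after.date().isoformat()}

def main(hosts) -> int:
    """Print only the hosts that need attention; non-zero exit so cron and CI notice."""
    exit_code = 0
    for host in hosts:
        result = probe(host)
        if result["status"] != "OK":
            print(f"{result['status']:12} {host} {result.get('detail') or result}")
            exit_code = 1
    return exit_code

if __name__ == "__main__":
    # Usage: python3 cert_monitor.py example.com blog.example.com   (names below are assumptions)
    sys.exit(main(sys.argv[1:] or ["example.com", "blog.example.com"]))
```

RENEWAL_DUE on a single run is normal (the timer may simply not have fired yet); the same host still RENEWAL_DUE two days later, or any CRITICAL, is a renewal job that has broken and still has time left to be fixed.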
Emergency Recovery: Your Site's SSL Just Expired
This section is for when prevention failed. Your site is showing a browser warning. Visitors are leaving. You're in panic mode. Here's what to do in the next 15 minutes.
Step 1: Confirm the Certificate Actually Expired
Use an SSL checker tool like sslshopper.com. Enter your domain. Look for "Expiration Date." If it shows a date in the past, the certificate expired. Confirm this before taking action.
If the certificate expired more than six months ago, something else is broken too. Contact your host's support immediately.
Step 2: Check If Auto-Renewal Failed (And Why)
Log into your host dashboard.
Managed hosting: Check the dashboard for renewal failures or alerts. If you don't see any, contact support. This is their problem to solve, not yours.
Shared hosting: Go to the AutoSSL logs. Most shared hosts show a reason for failure: "CAA record misconfiguration," "ACME challenge failed," "IP whitelist blocked renewal," or similar. Screenshot or save the error message.
VPS or self-hosted: SSH into your server and run certbot renew. The expired certificate is already due, so --force-renewal isn't needed, and don't run --force-renewal in a loop: Let's Encrypt limits duplicate certificates for the same set of names to five per week, and you can rate-limit yourself out of the fix. Watch the output, and /var/log/letsencrypt/letsencrypt.log, for the failed challenge and its reason. Save the error message. It tells you the actual problem.
Step 3: Renew the Certificate Immediately
Managed hosting: Contact support. They'll renew it for you. Turnaround is usually under one hour.
Shared hosting: Click "Renew" or "Issue Now" in the AutoSSL dashboard. Renewal is usually instant. If it fails again, you've found a systemic problem (CAA record, firewall, etc.). Move to Step 4.
VPS or self-hosted: If the certbot renew run in Step 2 succeeded, make the web server pick up the new files. The nginx and apache plugins reload for you; with webroot or standalone mode, reload by hand:

```bash
systemctl reload nginx
```

Or for Apache:

```bash
systemctl reload apache2
```

Check your site from a fresh browser session. The warning disappears as soon as the new certificate is served.
Step 4: Fix the Root Cause (If Renewal Keeps Failing)
Most common: CAA record issue. Go to wherever your DNS is hosted. Add a CAA record 0 issue "letsencrypt.org" alongside any existing ones (keep the entries for other CAs you still use). Wait for the old record's TTL to expire. Retry renewal.
Firewall or WAF blocking validation. Rather than switching the whole WAF off, add an exception for /.well-known/acme-challenge/ on port 80 (and for Let's Encrypt's validator User-Agent if your rules key on it), renew, and confirm the exception survives the next plugin update. If the WAF offers no path exceptions, disable it only for the minutes the renewal takes and re-enable it immediately.
Nobody was alerted. A bouncing admin address doesn't break renewal, but it is why the failure went unnoticed. Update the admin email in your host control panel to an address you monitor daily and add external expiry monitoring, so the next failure is caught while there is still time to fix it.
Still failing? Contact support. Include the error message from Step 2. You've done the diagnosis. Support can solve it from here.
Step 5: Confirm the New Certificate Is Actually Being Served
Browsers don't cache certificates, so a warning that persists after renewal means the old certificate is still being served somewhere: the web server wasn't reloaded, a second vhost or listener still points at the old file, or a CDN or proxy in front of you has its own expired certificate that the origin renewal didn't touch. Open connections can also keep using the old certificate until they close.
Re-check with the SSL checker from Step 1, which connects fresh from outside, and open the site in a private window on more than one browser (Chrome, Firefox, Safari). If the checker shows the new expiry date but a browser still warns, the browser is reaching a different endpoint, typically the CDN, and that is where the next fix goes.
Frequently Asked Questions
How often do I really need to renew my SSL certificate?
With Let's Encrypt's 64-day cycle (starting February 10, 2027) and eventual 45-day cycle (starting February 16, 2028), renewals happen automatically about every 43 days (then about every 30 days after 2028) if you have auto-renewal set up, because Certbot renews when a third of the lifetime remains. You shouldn't need to do anything manually. But you should monitor expiry continuously and audit quarterly that auto-renewal is still working.
Can I get an SSL certificate that lasts longer than 45 days?
Not for much longer, and not from any publicly trusted CA. Browser rules have capped public certificates at 398 days since 2020, and the CA/Browser Forum's ballot SC-081 shortens that for every CA: 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029. Paid CAs (DigiCert, Sectigo, etc.) still sell multi-year subscriptions, but they deliver them as a series of shorter certificates that need the same automated reissuance. Most WordPress sites use Let's Encrypt, which is free and automated; paid CAs add cost and a second automation path for most WordPress sites. The exceptions I've seen: organizations with insurance requirements that mandate paid certificates with warranty coverage, or enterprise environments where procurement policies don't allow free CAs. For 95 percent of WordPress sites, Let's Encrypt is the better choice.
What happens to my site if my SSL certificate expires?
Browsers show "Your connection is not private" warnings. Visitors leave—visitor abandonment exceeds 95 percent. Crawlers can no longer fetch your pages, so rankings slip, and integrations that validate the certificate (CDN origin checks, payment callbacks) fail alongside. Recovery takes 15 minutes once you renew the certificate.
If I'm on shared hosting, am I responsible for SSL renewal?
Your host handles the technical renewal, but you're responsible for ensuring it's enabled and working. Monitor expiry and audit quarterly that auto-renewal is running. If it fails, contact your host to fix it.
Can I use the same SSL certificate across multiple domains?
Yes. A wildcard certificate (*.example.com) covers every first-level subdomain (not example.com itself unless you add it as a second name). A multi-domain (SAN) certificate covers the specific names you list at issuance; Let's Encrypt allows up to 100 names per certificate. Certbot handles both, but wildcards require the DNS-01 challenge, which means a DNS plugin or API credentials for your DNS provider so the renewal can create the TXT record unattended.
Prevention Beats Emergency Recovery Every Time
That midnight emergency call from a client whose SSL expired? Prevention eliminates 99 percent of those calls. Verification catches the remaining one percent where something breaks.
SSL/HTTPS is foundational security. But it's just one layer. After you've secured your certificates, make sure you're covering the other bases too. Our comprehensive WordPress security guide walks you through every layer from SSL to admin authentication to database hardening. Like SSL renewal, WordPress updates need to be automated but also verified. Build a sustainable update routine that catches problems before they hit your site.
If SSL management sounds like a headache, managed hosting takes the renewal burden off your plate entirely. We break down the ROI versus shared hosting and VPS options for different site sizes and technical teams.
WordPress maintenance is about staying ahead of problems before they become emergencies. SSL renewal is just one piece. The sites that never need emergency calls are the ones running on a predictable maintenance schedule.
WordPress SSL certificate expiration is one of those quiet risks. Invisible until it's a crisis. Set it up once, monitor it, audit quarterly, and you'll never spend a Sunday night debugging certificate errors.

