In the last hour, I checked my bank account, paid off my credit card, and purchased a couple of books from Amazon.
It is interesting to note that we give away our personal and private information on the Internet so easily nowadays that we don’t think twice about it.
But we should.
This blog post looks at adding SSL to WordPress. Specifically, we’ll look at what SSL is and why you need it on your website.
In just the past few months, we’ve been besieged with news articles about corporations being hacked and sensitive personal details aired to the public, money being stolen, and lives being ruined.
So protecting sensitive user information is of critical importance and, if you have a WordPress site that contains sensitive customer information, you are obligated to step up and secure your site as best you can. And not just for legal reasons but for ethical reasons as well.
The best security is always layered security, and there are numerous aspects you need to consider when securing customer information on your site. Enough to fill many books, in fact, but in this particular article I just want to talk about one layer of protection, that is, Secure Sockets Layer, more commonly known as SSL.
However, before we get down to the gritty details of adding SSL to a WordPress site, let’s cover some SSL basics…
What is SSL
According to the FAQ on SSL.com, the informal definition is:
“SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and is used by millions of websites in the protection of their online transactions with their customers.”
In layman’s terms, SSL translates the information sent back and forth between your website and your website visitor into a secret language that only your website and your visitor’s web browser know and that no one else can understand.
Why You Want to Use SSL
Putting aside any legal or personal questions about whether you should protect your customers’ data, which is otherwise sent over the Internet where anyone can view it, there is a strong psychological issue you must consider when you have a website.
When you have a website, it doesn’t matter if you are selling products or you are providing some kind of free information or service, the moment a person comes to your site, a trust relationship springs up between you and them.
And strangely, it’s not the actual security of your page that matters to site visitors as most of them have little-to-no technical understanding of security or SSL encryption or how it works. In fact, it is the perceived security that’s of importance to these visitors.
Web browsers give visual cues, such as showing HTTPS in the web address, a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to interact with the site or buy from you.
And if that doesn’t encourage you to start using SSL, Google announced in 2014 that adding an SSL certificate with a 2048-bit key to your site will give your website a minor ranking boost.
Finally, effective January 2017, any site collecting sensitive data such as passwords or credit card information that is not under SSL will have a NOT SECURE warning display in a visitor’s browser. So if that is the case with your website, you need to convert to HTTPS now to avoid your website being slapped with a warning that may alarm your visitors.
Now SSL is merely a very small factor in the overall ranking algorithm, so the relevancy of the content of your site still matters a LOT. But Google does want to encourage all website owners to switch from HTTP to HTTPS to keep everyone’s communications safer on the web. So there are rumors they will increase the weight of SSL in their ranking algorithm. How much more? Nobody but Google knows.
How SSL Works
I can go on and on about Public Keys, Private Keys, Certificate Signing Requests and other technical terms but this article is really for the non-technical person so I’ll keep this simple.
When you use SSL, anything being sent from the site visitor’s web browser to your website is encrypted, in that “secret language” I mentioned above before it is sent; this is particularly important for things like credit card numbers, passwords, and other information that is considered sensitive.
Also, when using SSL, anything being sent from your website to your site visitor is also encrypted in that “secret language.”
What is a SSL Certificate
To use SSL as it is set up today, an SSL certificate is required to make sure that only your website can encrypt and read the encrypted information.
A “certificate” is an official verification given to a website – by a recognized certificate authority (CA) – that is used to establish the secure, encrypted connection between your visitor and your website.
It basically says this site is who they say they are, and have undergone some verification steps to prove it.
Getting Your Own SSL Certificate
To get an SSL certificate you have to pay an annual fee and go through some verification that you are real and the rightful owner of the website. Note that some hosting companies will provide free certificates, but not all of those certificates will be from a recognized CA. If they aren’t, then your website visitors may see a warning message when they try to go to your web pages (more on this below).
Before you get your certificate there are a few questions you need to ask yourself.
1. Who is the Certificate Authority?
As mentioned above, the certificate authority (CA) is the company that issues your SSL certificate and is the one that will be validating your certificate each time a visitor comes to your website.
While there are many SSL certificate providers on the market with varying prices and features, the number one thing you should consider when vetting certificate authorities is whether or not their certificates are on the list of “trusted” certificate authorities; these lists come pre-installed in all popular web browsers.
This is critical because if the certificate authority that issues your SSL certificate isn’t on that trusted list then the site visitor will be prompted with a warning that says the site’s security certificate and the site itself are not trusted.
Of course, this doesn’t mean that your website is illegitimate or dangerous — it just means your certificate authority (CA) isn’t on the list yet and so the visitor’s web browser can’t verify if your site is real or a dangerous site; the web browsers err on the side of being overly cautious as a security measure.
This will be a problem for you because most people coming to your website (including yours truly) won’t bother reading the warning or researching the unrecognized CA. They’ll probably just panic and click away.
So for that reason alone, always buy certificates from trusted names like Verisign, Go Daddy, Thawte, Geotrust, Entrust, DigiCert or Comodo.
You can also look in your own browser’s settings to see which trusted certificate authorities are on their list.
For Google’s Chrome, go to Settings –> Show advanced settings… –> Manage Certificates.
For Mozilla’s Firefox, go to Tools –> Options –> Advanced –> View Certificates.
For Microsoft’s Internet Explorer, go to Internet Options –> Content –> Certificates.
For Opera, go to Settings –> Privacy and Security –> Manage Certificates.
For Apple’s Safari, go to Applications –> Utilities –> Keychain Access and click System.
2. Do you want a Shared SSL or a Private SSL?
Some web hosts offer a shared SSL service, which is often more affordable (sometimes even free) than a private SSL.
Other than price, the benefit of a shared SSL is that you don’t need to get a private IP address or dedicated host.
The disadvantage is that you don’t get to use your own domain name.
Instead, the secure URL of your site will look something like:
Compare that to the web address of a private SSL certificate:
For eCommerce sites, shared SSL certificates are obviously a bad idea, since it seems like your site visitors are being redirected from your main site just when they are ready to complete a purchase; this should certainly make them nervous and less likely to complete the sale.
But, for areas that aren’t usually viewed by the general public, such as a mail system or an administrator area, then a shared SSL may be good enough if you are on a very tight budget.
3. How Important is a Trust Seal to You?
Many certificate authorities let you place a trust seal on your webpage after you’ve signed up for one of their certificates. You have probably seen some of them around when shopping online.
Clicking the Trust Seal provides information about your site and sometimes the type of data encryption used.
Adding a trust seal to your site is not required, nor does it amplify your security, but it gives your visitors the warm comfort of knowing a trusted authority has issued the SSL certificate and this has been shown time and again to increase conversion rates.
Free SSL Certificates
Now let’s talk about free SSL certificates.
Who wouldn’t want to get for free something that some people pay a few hundred dollars for? But like all free things, it comes with a price.
There are two kinds of free SSL certificates available: (1) SSL certificates that are offered as a free trial (both VeriSign and GeoTrust have 30-day free trials) and (2) self-signed SSL certificates.
These have two very different purposes. A free trial is for evaluation purposes, or for people with limited means who don’t mind hopping from one CA to the next every month.
A self-signed SSL certificate is free forever.
With a self-signed certificate, you are your own CA but, because you are not a trusted CA, your visitors will get that big scary warning message that the certificate is not trusted.
You can imagine how well that goes over when your customers have their credit card out ready to make a purchase.
So obviously, if you have an e-commerce or financial website, don’t even think about using a free SSL certificate.
Not only that, but self-signed CAs can be less reliable and slower. Because of their business model, they have fewer resources to keep their servers fast. So your site would load significantly slower. And in this day and age, sometimes those few extra seconds do matter.
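To make the “trusted list” point from the Certificate Authority section and the self-signed warning above concrete, here is an added example (not from the original post) that creates a self-signed certificate with openssl and checks it the way a browser would: first against the system’s default trusted CA list, then against a store that has been told to trust it. The domain example.test is a made-up placeholder, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: why a self-signed certificate triggers the browser warning.
# Assumes openssl is installed; example.test is a constructed placeholder.
set -e
WORK="$(mktemp -d)"
CERT="$WORK/site.crt"
KEY="$WORK/site.key"

# Generate a 2048-bit RSA key and a certificate signed by that same key
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example.test" -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# A certificate is self-signed when its issuer is identical to its subject
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeeds only if the certificate chains to a CA in the default trust store
# (the same kind of list browsers ship with); openssl prints "<file>: OK"
verify_with_system_store() {
  openssl verify "$1" 2>&1 | grep -q ': OK'
}

# Succeeds when the verifier is explicitly told to trust this certificate,
# which is what a visitor would have to do by hand to silence the warning
verify_with_own_store() {
  openssl verify -CAfile "$1" "$1" 2>&1 | grep -q ': OK'
}

make_self_signed
if is_self_signed "$CERT"; then
  echo "issuer equals subject: the certificate is self-signed"
fi
if verify_with_system_store "$CERT"; then
  echo "trusted by the default CA list"
else
  echo "NOT trusted by the default CA list: this is the browser warning"
fi
if verify_with_own_store "$CERT"; then
  echo "trusted only after the certificate itself is added as a CA"
fi
```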
A third type of free SSL certificate has been available to small business owners since 2016 through Let’s Encrypt. Many web hosts are offering and installing Let’s Encrypt for free so it might be worthwhile to check that out with your hosting company.
Where to Get a SSL Certificate
You can either purchase it from your host, from third party sources like a registrar (e.g., GoDaddy) or directly from a Certificate Authority (e.g., Verisign). Or as mentioned earlier, if your SSL needs are simple, you can have your host install Let’s Encrypt for free.
Purchasing your SSL from your host means everything is done by the host, including installation and configuration. Sometimes they might include a one-time installation fee but it is one thing less to stress over since everything is taken care of by the professionals.
But this only works great if you really like your hosting company and have no plans of ever moving your site anywhere else. Also, not all hosts allow you to install third party SSL certificates.
I had a, shall we say, “interesting” experience with 1&1 recently where they adamantly refused to install any SSL certificate not purchased through them.
If you do want to install a third party SSL certificate, and you have cPanel/Web Host Manager (WHM) running on your server, it is not as hard as you think it is.
This article does a pretty good job explaining how to do it. But if you do not have access to WHM, you will have to ask your host to install the certificate for you.
That is all the nuts and bolts you need to know when it comes to SSL.
Part Two explains how to set up your WordPress site once your SSL certificate is installed.
Part Three is an SSL case migration study that details what we encountered when adding SSL to WordPress.
I want to thank my partner David Husnian for his assistance in reviewing, proof reading and suggestions.