A Beginner’s Guide To SSL Certificates

Website Security Express


SSL certificates have become a necessary security measure for certain sites, specifically sites that transfer and/or store personal data, such as ecommerce sites. They’ve become a vital component in the machine that keeps the Internet secure, so much so that Google announced they started using it as a ranking factor at the 2014 Google I/O conference.

As far as WordPress goes with SSL and HTTPS, Matt Mullenweg published a blog post on December 1, 2016 stating this:

We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available. Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face.

What is an SSL certificate?

First things first, you need to understand what SSL is before you can begin to understand what an SSL certificate is. SSL stands for “secure sockets layer,” but that’s not what you need to know. Here’s the official definition from SSL.com, if you’re curious:

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

An SSL certificate is what’s required to form this connection. Without this protection, a hacker could potentially steal or “intercept” your data before it makes it to the server. This is why SSL and HTTPS are a must for any website that processes any type of personal data from users, such as ecommerce sites that accept payments from customers.

As a user, you can tell if the page you’re visiting is encrypted with SSL by seeing if the URL in the address begins with “https.” We’ll talk more about the different types of certificates in the next section, but there’s a specific type of certificate that gives you the green text and padlock. You can click on this padlock to see where the certificate came from.

You can even click on Certificate Information to see when it expires.


Note: In July 2018, a new version of Chrome was launched and now displays the ‘Not Secure’ label for any website that does not use SSL. This is regardless of whether they take payments or have any forms.

Here’s the good news: most web hosts now offer free SSL via Let’s Encrypt and it’s easier than ever to install.

How do you get an SSL certificate?

There are two main ways to obtain an SSL certificate:

  • Your host.
  • An SSL certificate provider, commonly known as a “certificate authority.”

Here’s a quick list of WordPress hosts that include SSL certificates in some of their plans:

  • SiteGround (official WordPress hosting partner)
    • SSL certificates included in all plans.
  • WP Engine
    • SSL certificates included in all plans.
  • Kinsta
    • SSL certificates included in all plans.
  • Priority Web Services
    • SSL certificates included in the higher tier WordPress hosting plans.
    • SSL certificate included in the higher tier of shared hosting plans.
  • DreamHost (official WordPress hosting partner)
    • SSL certificates included in all WordPress hosting plans.
    • SSL certificates included in all shared hosting plans.
    • SSL certificates included in all VPS hosting plans.
  • Bluehost (official WordPress hosting partner)
    • SSL certificates included in all WordPress hosting plans.
    • SSL certificate included in the highest tier of shared hosting.
    • SSL certificate included in the highest tier of cloud hosting.

So, if your host doesn’t offer SSL certificates or one isn’t included in the plan you have, you need to obtain one from a third party. Here’s a list of services that sell SSL certificates:

You can also receive a free certificate from open-source CA Let’s Encrypt. You must have shell access (SSH) to use a certificate from Let’s Encrypt, and you must install your certificate manually if your host doesn’t do so for you. You can learn more about how to do that with this Certbot guide.

No matter where you get your SSL certificate from, prices vary greatly based on the type of certificate you purchase and the level of protection that certificate offers. Prices range from free to $800+.

What are the different types of SSL certificates?

When you visit these sites or try to install an SSL certificate from your host, you’ll see a lot of different names pop up. There’s “DV certificates,” “EV certificates,” “wildcard certificates,” and more.

Here’s a quick rundown of the different types of SSL certificates that exist.

Domain Validation (DV)

This is the cheapest type of SSL certificate. It’s ideal for blogs and websites that do not process any form of personal information from users as it only offers basic encryption. It requires you to validate domain ownership, but the validation process only takes a few hours at most.

Organization Validation (OV)

OV certificates are a little more premium than DV certificates. They’re the minimum level of protection required by ecommerce sites and any type of website that processes personal data from users.

With a DV certificate, you carry out the validation yourself. OV certificates, on the other hand, are validated by the “certificate authorities” mentioned earlier. DigiCert is an example of a certificate authority. Validation also typically takes longer than it does for DV certificates.

Extended Validation (EV)

This is the type of SSL certificate that gives you the green text and padlock icon, as stated before. It’s a more premium certificate than either DV or OV. It’s also the most popular certificate out there, especially among ecommerce sites.

Following the trend with the previous two types of certificates, the process for validating an EV certificate is a lot more strict than the process for validating DV or OV certificates.

SAN

SAN certificates allow you to encrypt multiple domains with a single certificate. They’re typically a lot more expensive than single-domain DV, OV or EV certificates.

Wildcard

Wildcard certificates allow you to encrypt an unlimited number of subdomains under a single domain.
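
To make the SAN and wildcard descriptions concrete, here is an added example (not from the original article) that checks which hostnames a certificate's name list covers, using the matching rule browsers apply: a wildcard stands for exactly one label, so it covers neither the bare domain nor deeper subdomains. The certificate names and hostnames are constructed placeholders.

```python
# Added example: which hostnames a certificate's name list actually covers.

def name_matches(pattern, hostname):
    """Compare one certificate name (possibly a wildcard) with a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" stands for exactly one label
    if p[0] == "*":
        # Wildcard only as the whole leftmost label, with two or more labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, hostname):
    """True if any name listed in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def uncovered(cert_names, hostnames):
    """Hostnames that would trigger a name-mismatch warning with this cert."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]

# Constructed sample data (example.com / example.net are placeholders).
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "shop.example.net"]
SITE_HOSTS = ["example.com", "www.example.com", "shop.example.com",
              "a.b.example.com", "shop.example.net"]

if __name__ == "__main__":
    print("wildcard cert misses:", uncovered(WILDCARD_CERT, SITE_HOSTS))
    print("SAN cert misses:     ", uncovered(SAN_CERT, SITE_HOSTS))
```

Run it against the full list of hostnames your site answers on before choosing between a wildcard and a SAN certificate.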

Do you need an SSL certificate?

This may seem like something that you need only if you’re taking payments but it’s much more than that…

Like we discussed towards the beginning of this post, SSL is a way of securing data sent between your website and a user’s device.

This doesn’t make your website more secure exactly, but it’s still important from a security standpoint.

For example, if a user is browsing the internet using public Wi-Fi or a hijacked router, SSL is designed to stop information being intercepted. It’s an important step in protecting our users and it improves trust.

So, with how easy and cheap it is to get an SSL certificate these days, there’s no good reason to avoid switching over to https.

Installing an SSL certificate

This is where things get a little complicated, and maybe even a little vague. The process for obtaining and installing an SSL certificate on your server varies between hosts. For example, a host like SiteGround allows you to install an SSL certificate on your site through cPanel. All you need to do is enter your cPanel dashboard, scroll to the security section, select Let’s Encrypt, and install it.

Read through all of the tutorials and knowledgebase articles your host has published about getting, installing, and configuring an SSL certificate. Ask them directly if you can’t find the information.

We’ll get to how to enable SSL on a WordPress site with code in a minute, but let’s go over a simpler way first. That way is a plugin called Really Simple SSL. After you install an SSL certificate on your server, all you need to do is install and activate this plugin to properly configure SSL on your site.

What does this plugin do exactly? Here’s a rundown:

  • Changes your Site URL and Home URL to HTTPS for you.
  • Redirects incoming requests to HTTPS via .htaccess or JavaScript.
  • Fixes insecure content and changes it to HTTPS.
  • Configures server issues that may occur when you first enable SSL on a WordPress site.

If you don’t want to use a plugin and are adding SSL to an existing site, add this bit of code to your .htaccess file:

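# Send every plain-HTTP request (port 80) to the same path on the HTTPS site.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
# $1 is the path captured by ^(.*)$; R=301 makes the redirect permanent.
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]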

Replace “example.com” with your URL. Also, remove the “www” if your URL doesn’t use it.

If you have a multisite network and want to encrypt the admin area and login pages with SSL, add this bit of code to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

If you’re using WooCommerce

You still need to use Really Simple SSL or add that snippet of code to your .htaccess file, but there’s one additional step to take if you’re running a WooCommerce site.

Go to WooCommerce → Settings → Checkout, select Force Secure Checkout, and save your changes. Refer to this page if you run into any issues after this.

Additional steps to take to secure SEO rankings

Using a plugin like Really Simple SSL helps immensely, but there’s often a lot more that needs to be done to migrate from HTTP to HTTPS without having a negative impact on your site’s Google rankings.

Here are a few additional steps you can take to prevent your site’s SEO rankings from dropping too much:

  • Update hard-coded links – Hard-coded URLs may not redirect properly. Use a plugin like Better Search Replace to search for “http://yourdomain.com” and replace it with “https://yourdomain.com”.
  • Migrate CDN from HTTP to HTTPS – If you are serving some of your content with a CDN, you’ll want to migrate it from HTTP to HTTPS. You’ll need to refer to your CDN’s documentation to do this. Once you do, open the settings area of the WordPress plugin you’re using for your CDN integration, and switch the CDN URL to HTTPS.
  • Fix mixed/not secure content – Some content from your site may send mixed content or not secure content warnings to browsers, which your users will see. Use a tool like SSL Check to scan your site for mixed content.
  • Update Google Search Console – Create a new profile in Google Search Console for the HTTPS version of your site, and use it to re-submit your sitemap. Make sure you download the HTTP version of any disavow files you have from a penalty and submit them under the HTTPS profile.
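
The first and third items above can be checked on a saved copy of a page. The following is an added example (not from the original article or any of the tools it names): it separates http:// subresources, which cause mixed content warnings, from http:// links, form targets and canonical tags that point at your own host and need a search and replace. The sample page and the host "yourdomain.com" are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch a subresource, and the attribute with its URL.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                    "video": "src", "source": "src", "embed": "src", "link": "href"}
LINK_ATTR = {"a": "href", "form": "action"}   # pointers, not fetches

class HttpReferenceScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.mixed_content = []    # http:// subresources -> browser warnings
        self.hardcoded_links = []  # http:// links to our own host -> search/replace

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            kind, url = "link", attrs.get("href")   # canonical is a pointer too
        elif tag in SUBRESOURCE_ATTR:
            kind, url = "sub", attrs.get(SUBRESOURCE_ATTR[tag])
        elif tag in LINK_ATTR:
            kind, url = "link", attrs.get(LINK_ATTR[tag])
        else:
            return
        parts = urlparse(url or "")
        if parts.scheme != "http":
            return                                  # https and relative URLs are fine
        if kind == "sub":
            self.mixed_content.append((tag, url))
        elif parts.hostname == self.site_host:
            self.hardcoded_links.append((tag, url))

def scan(html, site_host):
    """Return (mixed_content, hardcoded_links) found in one HTML document."""
    scanner = HttpReferenceScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.mixed_content, scanner.hardcoded_links

# Constructed sample page for illustration.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://yourdomain.com/shop/">
<link rel="stylesheet" href="https://yourdomain.com/style.css">
<script src="http://cdn.example.net/lib.js"></script></head><body>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.png">
<a href="http://yourdomain.com/cart/">Cart</a>
<a href="http://other.example.org/">Partner</a>
<form action="http://yourdomain.com/checkout/" method="post"></form>
</body></html>"""
```

Calling scan(SAMPLE_PAGE, "yourdomain.com") returns the two lists; an empty first list means the page loads nothing over plain HTTP.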

Keep an eye on your rankings. You will likely see a slight drop when you first migrate from HTTP to HTTPS, but they should eventually improve. Go a little deeper to see if there’s anything you may have missed if your rankings never improve.

Conclusion

That concludes our write-up on SSL certificates. Enabling this security protocol on your site can be difficult, but we hope we simplified the process for you.

Here’s a quick wrap-up of everything you need to know about SSL certificates and WordPress:

  • Understand what SSL encryption is and the importance of it for certain sites, such as ecommerce sites.
  • Learn the differences between the different types of SSL certificates, and determine which SSL certificate is right for you.
  • Find out if your host provides SSL certificates, or look for a Certificate Authority if they don’t.
  • Install your SSL certificate on your server.
  • Configure SSL in WordPress via a plugin or manual code.
  • Configure your ecommerce platform if you’re using one for WordPress.

Let us know if you have any questions or need help setting up your SSL. Priority Web Services is always here to help.
