The SSL Certificate has been kicking around for a while as yet another tool in the website protection toolbox.
You’ve seen it before: the “s” at the end of “http” and the tiny green lock icon with the word “Secure” next to it. Those have appeared in the address bar of big sites for a long time, and you probably always thought https was just for the most highly trafficked ecommerce sites on the Web.
Now, https is showing up everywhere: on small blogs and medium sized business sites, and you’re wondering if your sites should have https too.
The answer is yes: all websites should have SSL certificates to give the URL an “https” prefix.
What are SSL Certificates?
The acronym “SSL” stands for Secure Sockets Layer, which is a worldwide standard in security technology. SSL enables communication between a web browser and a web server to be encrypted, and is particularly important for protecting sensitive information like credit card numbers, usernames, passwords, emails, etc. from being stolen or tampered with by hackers.
First, the SSL authenticates the identity of the website and guarantees to visitors that they’re not on a bogus site. Then, the SSL encrypts any data being transmitted between the site and the visitor.
If you want a cultural reference, SSL creates a “cone of silence” between the website and the user.
To create this secure cone of silence, you need to create an SSL certificate (or “digital certificate”) and install it on your web server.
Not all SSL Certificates are created equal. There are three different types of SSL.
- Single – secures one fully-qualified domain name or subdomain name
- Wildcard – covers one domain name and an unlimited number of its subdomains
- Multi-Domain – secures multiple domain names
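How those three types translate into the hostnames a browser will accept, as an added example that is not part of the original post. The certificate name lists and the example.com / example.org hosts are constructed. A wildcard stands in for exactly one label, so it covers neither the bare domain nor deeper subdomains.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one name listed on a certificate covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if cert_labels[0] != "*":
        return cert_labels == host_labels      # plain name: exact match only
    if len(cert_labels) < 3:
        return False                           # refuse overly broad names such as "*.com"
    # "*" stands in for exactly one non-empty left-most label
    return (len(host_labels) == len(cert_labels)
            and host_labels[0] != ""
            and host_labels[1:] == cert_labels[1:])


def covers(cert_names, hostname):
    """A certificate covers a host if any of its listed names matches."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed sample certificates, one per type from the list above
SAMPLE_CERTS = {
    "single": ["www.example.com"],
    "wildcard": ["*.example.com"],
    "multi-domain": ["example.com", "www.example.com", "example.org"],
}

# Constructed hostnames a site owner might want served over https
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "a.shop.example.com",
    "example.org",
]


def coverage_table():
    """Map each certificate type to the sample hosts it would secure."""
    return {kind: [h for h in SAMPLE_HOSTS if covers(names, h)]
            for kind, names in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for kind, hosts in coverage_table().items():
        print(f"{kind:13} -> {', '.join(hosts)}")
```

List every hostname the site actually answers on before buying: if the bare domain and `www` both serve pages, a wildcard-only certificate leaves the bare domain uncovered.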
The level of SSL validation also varies depending on the amount of investigation into the site’s owners. And money.
Domain Validation
This level is the cheapest SSL and it covers basic encryption and verification of the ownership of the domain name registration.
Organization Validation
In addition to basic encryption of the site’s content and verification of ownership of the domain name registration, Organization Validation also authenticates personal details of the owner.
Extended Validation
This provides the highest degree of security because of the thorough examination it requires. In addition to ownership of the domain name registration and entity authentication, the legal, physical and operational existence of the entity is verified.
Extended Validation also gives your site the added perk of having the site name featured in the URL in a bright green font.
Why your site should have an SSL
The most fundamental reason a site needs an SSL Certificate is that it collects and stores personal and sensitive information. Those could be:
- Usernames and passwords
- Credit card numbers
- Social security numbers
So you say to yourself, my little blogsite doesn’t sell anything, and all the names and emails I collect are stored on the secure servers of Mailchimp or AWeber. Why does my site need an https?
This brings us to the peripheral, but more crucial reason to obtain SSL certification:
Google demands https
Since August of 2014, Google has used HTTPS as a signal for ranking in its search engine.
“For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
That bit about “over time”? Well, the time is now.
In September of 2016, Google said:
“Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”
Imagine how a warning like that would affect your traffic, as well as your users’ confidence in your site?
As for getting an SSL bump, I noticed more traffic to this site last fall after getting an https prefix, so there’s that.
Where to get SSL
There are a number of SSL Certificate Authorities authorized to issue digital certificates to people and companies, both free and paid.
You can find and compare them at SSL Shopper.
While the certificate may be the same across the board, each provider will have different levels of products, prices and customer support on offer.
According to SSL Shopper, the cheapest Single Domain Name SSL Certificate appears to be $17 for 3 years from GeoTrust.
But, if you like free things, there’s a new SSL kid in town and its name is Let’s Encrypt.
According to their About page:
“Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.”
Let’s Encrypt is offered through almost all the major web hosting providers. This particular site receives Let’s Encrypt support through our host, Cloudways.
Free SSLs are also offered by Cloudflare. They offer a shared SSL certificate on their free plan.
And coming soon for individuals and businesses is FreeSSL, a free SSL certificate project from Symantec.
After the SSL is installed
Once your SSL Certificate is installed and confirmed through a tool like SSL Checker, there are still some tasks to complete.
If you’re building a brand new site and SSL was the third thing you did after registering the domain name and opening a hosting account, you’re in for smooth sailing. Build on!
But if you’re switching an existing site to https, there are a few more miles to go before you sleep.
You’ll need to change the addresses on your General Setting pages from “http” to “https.”
To reconfigure all your blogsite’s pages and posts to the SSL protocol, install a plugin like Really Simple SSL, which automatically detects your settings and configures your website to run over https.
Google Analytics will need a new account. This time, pull the dropdown to “https” during registration. Take the new code snippet and replace the old code with it in your Theme Header.
In your dashboard you’ll have both accounts visible. The old http account will drop off and the new https will begin tracking at the time of installation.
Webmaster Tools needs a new account as well, fronted by the “https” prefix. Do what you did before to verify it.
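After the switch, pages that still pull images, stylesheets or scripts over plain http lose the lock icon (mixed content). The scanner below is an added example, not code from the original post or from the Really Simple SSL plugin; it lists those leftovers in a saved page, and the blog.example markup is constructed sample input.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a resource or submit data
LOADING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("link", "href"), ("form", "action"),
}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for every resource still requested over http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as subresources
        for name, value in attrs:
            url = (value or "").strip()
            if (tag, name) in LOADING_ATTRS and url.lower().startswith("http://"):
                line, _column = self.getpos()
                self.findings.append((line, tag, url))


def find_mixed_content(html: str):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a post as it might look right after the migration
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/x/style.css">
<link rel="canonical" href="http://blog.example/post/">
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://other.example/">a plain link, not mixed content</a>
<img src="http://blog.example/wp-content/uploads/photo.jpg">
<img src="//cdn.example/logo.png">
<form action="http://blog.example/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> still uses {url}")
```

Ordinary `<a href>` links to http pages are left alone because they are navigation, not resources loaded into the secure page.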
WordPress has just updated to version 4.7.3 and you know what that means. A security fix.
So please update your site now.
Stay safe out there.