What Are SSL Certificates and How Do They Work?
Website security has become more important than ever over the past few years. In fact, sites that do not provide proper security can often be penalized. Consequently, website security may be something you’ve been concerned about, especially if you’re thinking about taking online payments.
Fortunately, there is a solution for bringing your website up to snuff in terms of security. Secure Sockets Layer (SSL) is a protocol that enables your browser to establish a safe connection between itself and a particular website or server. If a website has an SSL certificate, that means it has been validated by a Certificate Authority. Many managed WordPress hosting providers (including WP Engine) offer SSL certificates as part of their services.
In this article, we’ll cover the ins and outs of website security certificates. We’ll also go over several different kinds and how they are validated. Then we’ll explain how to install a certificate on your own site. Let’s get started!
How SSL Certificates Work
You may have considered enabling Hypertext Transfer Protocol Secure (HTTPS) for your website, but you might not be sure how the entire process works. Therefore, let’s start from the beginning.
The first step is to find a Certificate Authority (CA), which is a body that awards an SSL certificate after verifying the identity of a website. Depending on which type of SSL certificate you opt for, the CA may verify the ownership of the domain that is requesting it. For other, more advanced SSL certificates, the CA may go as far as to verify that the business requesting it is actually registered. We’ll go over these options in detail later.
Once you’ve been issued an SSL certificate, you’ll need to install it through your web hosting provider. Then you will need to enable the HTTPS protocol for either your entire site (which is often the simplest approach), or just those pages that deal with sensitive information.
If you enable HTTPS before installing a certificate, your visitors will receive a warning when they attempt to access your website. The warning itself varies depending on the browser they use, but generally, it will inform them they’re trying to access a website that doesn’t hold a valid certificate.
This can also occur once your certificate expires – how long each one lasts will depend on the CA you use to process it. As a rule of thumb, SSL certificates last around three years at the most, and then you’ll need to renew them.
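A monitoring check for the expiry warning described above, as an added example that is not part of the original article. It classifies a certificate by its validity window so a renewal can be scheduled before visitors see the browser warning; the sample dates are constructed and the 30-day renewal window is an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate of host as a dict (needs network)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    # getpeercert() dates look like "Mar 31 23:59:59 2024 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def expiry_status(cert, now=None, renew_days=30):
    """Classify a getpeercert()-style dict; returns (status, whole days left)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < renew_days:  # assumed renewal window
        return "renew-soon", days_left
    return "ok", days_left

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT",
               "notAfter": "Mar 31 23:59:59 2024 GMT"}

if __name__ == "__main__":
    check_time = datetime(2024, 3, 15, tzinfo=timezone.utc)
    print(expiry_status(SAMPLE_CERT, now=check_time))
```

Against a live site, pass the result of `fetch_cert("your-domain")` to `expiry_status`; a certificate that is already expired fails the handshake inside `fetch_cert` instead, which is the same failure a visitor's browser reports.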
This process may sound complex if you’re not familiar with online security practices, but rest assured that it’s quite easy to implement. In fact, we’ll discuss how to install SSL for WordPress shortly. Before that, let’s go over some more details about the different components of SSL.
What Does HTTPS Mean? What Does SSL Mean?
Hypertext Transfer Protocol (HTTP) is the foundation upon which the modern internet is built. It represents a set of rules for transferring data and multimedia files, and every website uses it, including this one! HTTPS, as we mentioned previously, is a more secure version of HTTP.
Secure Sockets Layer (SSL) is a protocol that ‘fits over the top’ of HTTP, to create Hypertext Transfer Protocol Secure (HTTPS). This works just like HTTP, except that it encrypts the data in transit so that anyone who intercepts it cannot read it. These two protocols go hand in hand, since SSL is what makes HTTPS ‘secure’. Let’s take a few minutes to discuss how that process works.
HTTPS vs. HTTP
By default, the data that HTTP connections send is unencrypted. This means that hackers can obtain your data (and that of your website’s visitors) through malicious means. This is obviously not good news for businesses dealing in sensitive personal information, such as credit card and address details.
If a website address begins with HTTPS instead of HTTP, it indicates that all the data you send to and receive from that website is encrypted. Even if the data were to be intercepted by an unauthorized third party, they wouldn’t be able to decipher it.
To put it simply, if you’re concerned about data security, it’s always good news when the website you’re visiting uses HTTPS instead of HTTP. In order to set up HTTPS, you’ll need to purchase an ‘SSL certificate’, which is linked to your website. This provides an encrypted data stream for the information you send across the web. Next, we’ll go over some of the benefits of using the protocol in case you’re still on the fence about enabling it on your own site.
Why Your WordPress Site Needs SSL
We’ve already touched on some of the reasons why you’d want to switch to HTTPS. To summarize, the primary goal is to protect your users’ personal data from ending up in the hands of hackers and spammers.
Using SSL with WordPress is similar to using it with any other platform. However, this particular Content Management System (CMS) is making a concerted push to encourage site owners to make the switch. As part of this initiative, its developers are looking to require all web hosts to offer HTTPS.
WordPress powers everything from blogs to eCommerce sites, which means it’s a perfect example of a platform that can benefit from additional security. In short, if you’re a WordPress user, you should certainly consider getting an SSL certificate. It won’t take long to configure the platform to work through HTTPS, and you’ll get plenty of benefits in exchange.
The advantages of using SSL include:
- Enhanced security. SSL certificates secure your visitors’ data by encrypting information as it travels from their web browsers to your server. This ensures that the information shared by your users is safe as it transfers.
- Increased customer trust. Since they can see that your website is secure, thanks to the ‘lock’ icon and the site’s URL, you’re giving both visitors and yourself peace of mind. This encourages more trust when compared to an unsecured website, which may lead to increased conversions.
- PCI compliance. SSL also enables you to maintain Payment Card Industry (PCI) compliance and accept online payments. In fact, an SSL certificate is not just recommended but required in order to meet PCI regulations.
- Improved SEO. The benefits of obtaining an SSL certificate don’t stop with security. In fact, search engines such as Google have made it their mission to incentivize website owners to enable HTTPS whenever possible. To that end, Google marks HTTP sites as ‘Not Secure’ within browsers and also penalizes them in its search engine rankings. In other words, search engines such as Google want to help make sure users are browsing to sites that will keep their data safe, so they rank those sites more highly in order to encourage their use.
- Easy setup. The good news is that some web hosts will set up SSL for you. Here at WP Engine, we’re particularly mindful about user security, which is one of the reasons we make obtaining SSL certificates simple. If you’re not sure whether or not you have an SSL certificate for your website, you can easily check by looking for the ‘lock’ icon before your site’s URL in the browser address bar.
Now that you know more about how SSL certificates work to secure your website, and the benefits to be had from purchasing one, let’s take a look at the different varieties you can choose from.
Types of SSL Certificates
To fully understand SSL certificates and how best to use them on your website, you’ll want to know about the different kinds that are available. Certificates are classified based on both their validation levels and the number of domains they can secure.
First, let’s take a look at the types that are available based on the number of domains secured:
- Single. This type of certificate will apply only to a single domain or hostname.
- Wildcard. A wildcard certificate can secure any number of subdomains for a given domain name.
- Multi-domain. These are sometimes referred to as Subject Alternative Names (SAN) or Unified certificates, and they can cover up to 100 domains. Multi-domain certificates were designed specifically to save money and time when there’s a need to secure multiple domains on a single server.
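To make the three coverage types concrete, here is an added example (not from the original article) that checks which hostnames a certificate's Subject Alternative Names actually cover. It goes slightly beyond the list above by showing that a wildcard stands for exactly one label, so `*.example.com` covers neither the bare domain nor a deeper subdomain; the three sample certificates and the hostnames are constructed.

```python
def name_matches(pattern, host):
    """Hostname match where '*' may stand only for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Assumption: refuse over-broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def covered(cert, host):
    """True if any DNS subjectAltName in a getpeercert()-style dict covers host."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(name, host) for name in names)

def uncovered(cert, hosts):
    """Hostnames that would trigger a name-mismatch warning with this certificate."""
    return [h for h in hosts if not covered(cert, h)]

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
SINGLE = {"subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
MULTI = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                            ("DNS", "shop.example.org"))}

# Constructed inventory of hostnames a site owner wants to serve over HTTPS.
HOSTS = ["example.com", "www.example.com", "blog.example.com",
         "a.blog.example.com", "shop.example.org"]

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)):
        print(label, "does not cover:", uncovered(cert, HOSTS))
```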
Now, let’s take a look at the different levels of validation and what they mean. Validation is how the issuing CA verifies the ownership and legitimacy of the entity requesting the certificate, and there are three types, including:
- Domain Validation (DV). This is the lowest form of validation provided by CAs. It’s typically achieved via email verification in a couple of hours. In general, all you have to do is demonstrate that you have control over the domain you want to secure.
- Organizational Validation (OV). As a moderate level of validation, this option can take a couple of days to complete. It involves the CA verifying ownership of the domain in question. The authority will contact the organization via the information provided in the certificate.
- Extended Validation (EV). As the most strict level of validation, extended validation goes the furthest to verify ownership of the domain. The CA will go to lengths to contact the organization and make sure the owners of the domain know that an SSL certificate was purchased for it. They will also verify that the organization or company is legitimate.
While all levels of validation take some effort to acquire, EV can take a couple of weeks and is the most expensive, as it requires time and human resources. However, the higher levels of validation also provide you with a more secure certificate.
When choosing the right type of SSL certificate for your site, you’ll need to evaluate your needs based on the level of trust and security you require. Also, you’ll want to take into consideration the number of domains you will want the certificate to cover.
Important Things to Know Before Switching to HTTPS
As we’ve demonstrated, making the switch to HTTPS is relatively easy. However, there are still some key aspects you’ll need to think about before you get started. Skipping over these (or finding out about them halfway through the process) can hinder your progress and cause any number of issues.
With that in mind, here are a few important things to do before switching to HTTPS:
- Set up redirects for your site and its links. There are SEO-focused guides available to help with this. To get started, you’ll want to use a tool such as SEO Spider to create a list of URLs that you’ll need to redirect.
- Request indexing for your site. Asking Google to take a look at your newly-updated site is a crucial step, in order to keep traffic disruptions to a minimum. Fortunately, it’s easy to do.
- Update your internal links. This isn’t always necessary. However, sometimes your internal links won’t update correctly, and you’ll have to take care of it manually.
- Update your social and affiliate links. You’ll also need to look at any links featured on social media profiles, and any affiliate links you use, in order to make sure that all your site’s incoming traffic reaches the correct destination.
Switching to HTTPS is simple in theory, but there are a lot of loose ends to tie up. Keeping these considerations in mind will help minimize any underlying issues, and keep your traffic flowing – this time with a layer of encryption protecting all your visitors.
How to Install SSL on a WordPress Site
At this point, you may be wondering how to actually implement HTTPS on your site. There are a number of steps you’ll need to take in order to encrypt your data permanently. The first and most important is to purchase a suitable SSL certificate.
Depending on your hosting provider, setting up an SSL certificate can take minutes or hours. Most reputable web hosts provide you with the option to obtain a certificate through cPanel, but even then, they still require you to enable HTTPS for WordPress manually. This can take some time, depending on your level of comfort with the platform.
Here at WP Engine, we provide you with two certificate options right out of the gate: one free and one premium. Furthermore, we handle all the technical elements for you. This means that once your certificate is ready to go, we’ll enable HTTPS throughout your entire WordPress website without you having to lift a finger.
All you need to do is log into the WP Engine User Portal, choose the WordPress installation you want to certify, select the SSL option, and click on Add Certificates. Then you’ll be able to choose from our existing options. Once you’ve picked the certificate you want (and paid for it, if it’s a premium certificate), we’ll take care of the rest for you.
Migrating From HTTP to HTTPS
If you’re not on WP Engine, you’ll have to take care of the technical implementation. Once you’ve purchased an SSL certificate, you’ll need to swap out the http:// for https:// in your site’s URL. WordPress users can do this easily, as the option can be found within Settings > General in the admin dashboard.
Just change the relevant parts of the URLs under both the WordPress Address and Site Address fields.
Next, you’ll want to ensure that visitors are correctly directed to the new, secure version of your site. In our opinion, the best way to do this is with a WordPress plugin, such as Really Simple SSL.
This plugin does much of the work for you when it comes to implementing SSL and HTTPS, and will also resolve some potential WordPress-specific issues, such as the ‘mixed content’ error. At this point, it’s also a good idea to check and make sure that all your internal links are still working correctly.
Finally, you’ll want to update your settings in Google Analytics and Search Console if you use those tools. Neglecting this step could negatively impact your search rankings.
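One way to verify the migration steps above by hand, as an added example that is not part of the original article or of any plugin it mentions: a scanner that reads a page's HTML and reports the `http://` subresources behind the ‘mixed content’ error, plus internal links that still point at the old scheme. The site name `example.com` and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> URL attribute. Browsers block active mixed content on HTTPS pages;
# passive content is upgraded or shown with a degraded security indicator.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._flag("active", tag, a.get(ACTIVE[tag]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._flag("active", tag, a.get("href"))
        elif tag in PASSIVE:
            self._flag("passive", tag, a.get(PASSIVE[tag]))
        elif tag == "a":  # navigation is not mixed content, but should be updated
            url = a.get("href") or ""
            if urlparse(url.strip()).hostname == self.site_host:
                self._flag("internal-link", tag, url)

    def _flag(self, kind, tag, url):
        if url and urlparse(url.strip()).scheme == "http":
            self.findings.append((kind, tag, url.strip()))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page for the hypothetical site example.com.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.com/about/">About</a>
<a href="http://other.example.net/">Partner</a>
<script src="//cdn.example.net/lib.js"></script>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "example.com"):
        print(*finding)
```

Protocol-relative URLs (`//host/path`) are not flagged because they inherit the page's scheme, and links to other sites are left alone because only the linked site can move them to HTTPS.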
As you can see, there are a number of things to consider when transferring your WordPress site to HTTPS. Let’s take a look at a few other important aspects of making the switch.
Secure Your Site With WP Engine
Depending on your choice, SSL certificates can be quite expensive. Here at WP Engine, however, we provide you with two accessible choices. As part of our secure WordPress hosting platform, all of our users have access to free Let’s Encrypt certificates—which are recommended for most sites.
Furthermore, our excellent support team can guide you through the process of setting up your certificate. All you need to do is find the right plan for your needs, and sign up to get a secure site today!