1. What Is HTTPS?
“HTTP” or “HTTPS” appears at the beginning of every website URL in a web browser. HTTP stands for Hyper Text Transfer Protocol, and the S in HTTPS stands for Secure. In general, this describes the protocol over which data is sent between your browser and the website you are viewing.
HTTPS ensures that all communication between your browser and the website you are viewing is encrypted. That means it’s secure. Only the receiving and sending computers can see information in the transfer of data (others could potentially access it but would not be able to read it). On secure sites, the web browser shows a padlock icon in the URL area to notify you.
HTTPS should be on any website that collects passwords, payments, medical information or other sensitive data. But what if you could get a free and valid SSL certificate for your domain?
2. How Does Website Security Work?
You need to install an SSL (Secure Socket Layer) certificate in order to enable HTTPS. The certificate contains a public key, which is needed to begin the session securely. When an HTTPS connection to a web page is requested, the website will send the SSL certificate to your web browser. Your browser and the site then initiate the “SSL handshake,” which involves the sharing of “secrets” to establish a secure connection between your browser and the website.
Standard vs Extended SSL
If the website is using a standard SSL certificate, you will see a padlock icon in the URL area of the browser (see screenshot). If it’s using an extended validation (EV) SSL certificate, the address bar or the URL will be green. EV SSL standards surpass those of SSL. EV SSL provides identity assurance of the owner of the domain. Obtaining an EV SSL certificate also requires applicants to go through a rigorous evaluation process to confirm their authenticity and ownership.
3. Why Should I Get an SSL Certificate?
Even if your website does not take in and transmit sensitive data, there are a few reasons you might want to have a secure website and pursue a free and valid SSL certificate for your domain.
- Performance. SSL may improve the time it takes to load a page.
- Search engine optimization (SEO). Google’s intention is for the internet to be a secure and safe experience for everyone—not just those who use Google Chrome, Gmail and Drive, for example. The company has stated that security will be a factor in how they rank sites in search results. For now, it’s a small one. However, if you have a secure website and your competitors don’t, your website could rank higher, which may be the edge needed to get that click from the search results page.
- Trust. If your website is not secure and it collects passwords or credit cards, then users of Chrome version 56 (released in January 2017) will see a warning that the site is not secure (see screenshot below). Non–tech-savvy visitors (the majority of website users) may become alarmed upon seeing this and leave your site, simply because they don’t understand what it means. On the other hand, if your site is secure, this could put visitors at ease, making it more likely that they will fill out a registration form or leave a comment on your site. Google has a long-term plan to show all HTTP sites as non-secure in Chrome.
4. Where Do I Get a Free SSL Certificate?
You obtain an SSL certificate from a certificate authority. Some reliable free sources are:
- Let’s Encrypt: certificates valid for 90 days, recommended renewal at 60 days
- Cloudflare: free for personal websites and blogs
- FreeSSL: free for nonprofits and startups at the moment; cannot be a Symantec, Thawte, GeoTrust or RapidSSL customer
- StartSSL: certificates valid for 1 to 3 years
- GoDaddy: certificates free for open-source projects, valid for 1 year
Type of certificate and length of validity vary by authority. Most authorities offer standard SSL certificates free and charge for EV SSL certificates, if they provide those. Cloudflare offers free and paid plans and various add-on options.
5. What Do I Need to Consider When Getting an SSL Certificate?
Google recommends a certificate with a 2048-bit key. If you already have a 1024-bit certificate, which is weaker, they recommend upgrading it.
You will need to decide if you need a single, multi-domain or wildcard certificate:
- A single certificate would be for a single domain (e.g., www.example.com).
- A multi-domain certificate would be for multiple well-known domains (e.g., www.example.com, cdn.example.com, example.co.uk).
- A wildcard certificate would be for a secure domain with many dynamic subdomains (e.g., a.example.com, b.example.com).
6. How Do I Install an SSL Certificate?
Your web host may install the certificate free of charge or for a fee. Some hosts actually have a Let’s Encrypt installation option in their cPanel dashboard, making it easy to do yourself. Ask your current host or find one that offers direct support for Let’s Encrypt. If your host doesn’t provide this service, your website maintenance company or developer could install the certificate for you.
You should expect to have to renew the certificate every so often. Check the timeframe with the certificate authority.
7. What Else Do I Need to Do?
After obtaining and installing the SSL certificate, you need to force SSL on the site. Again, you can ask your web host, maintenance company or developer to do this. However, if you prefer to do it yourself and your website is in WordPress, you can do this by downloading, installing and using a plugin.
When using a plugin, be sure to check its compatibility with your version of WordPress, the reviews and installation instructions. Two popular plugins for forcing SSL are:
Be sure to back up your site first and be very careful when executing this. If you misconfigure something, it could have dire consequences:
- visitors not being able to see your website,
- images not displaying,
- scripts not loading, which would affect how some things on your site function,
- typography and colors not appearing properly.
Set up server-side 301 redirects
You need to redirect users and search engines to the HTTPS pages via 301 redirects in the .htaccess file in the root folder on the server. The .htaccess file is an invisible file, so be sure your FTP program is set to display hidden files. In FileZilla, for example, go to Server > Force showing hidden files (see screenshot).
Before you add the redirects, it would be a good idea to back up your .htaccess file. On the server, temporarily rename the file by removing period (which is what makes it invisible in the first place), download the file (which will be visible on your computer now as a result of removing the period), then add the period back in to the one on the server.
Change Analytics Settings
After taking these steps, you will need to change the preferred URL in your Google Analytics account to show the HTTPS version of your domain. Otherwise, your traffic stats will be off because the HTTP version of the URL is seen as a completely different website from the HTTPS version.
Google Search Console treats HTTP and HTTPS as separate domains too, so add the HTTPS domain in that account.
Keep in mind when you switch from HTTP to HTTPS, if you have social sharing buttons enabled on your site, the number of shares will reset.
And that’s how you go about installing a free and valid SSL certificate for your domain and encrypting your data to keep it safe. SSL certificates are part of the future of WordPress security, so get yours or get left in the stone age.