Giving away our personal information online has become the norm. Whether you’re streaming music, booking flights, checking your bank account, or simply sending an email, it’s impossible to use the web without exchanging some kind of personal data.
This is why SSL is so important. SSL is the technology that powers HTTPS and has become an essential technology for protecting the transmission of online data, so much so that Google is enforcing HTTPS for Chrome users from July 2018.
In this post, we’ll take a look at what SSL is, why you need to make it a priority ASAP (or risk losing visitors after July!), and how to get hold of and install an SSL certificate on your site.
Not sure if your site is secure? Look out for the green padlock.
What is SSL?
Let’s start with the SSL.com definition:
“SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.”
Basically, when a visitor enters their information into a website that doesn’t use HTTPS, whether it’s filling in a contact form or making a purchase with credit card details, the information is sent in plain text. This means it can be easily intercepted by hackers.
This form of hacking is known as “man-in-the-middle” or “eavesdropping” and can happen in any form of online communication, including email, social media, and general web surfing.
I really like this analogy from GlobalSign:
“Imagine being brought back to the days of old when snail mail was rife. Jerry writes a letter to Jackie expressing his love for her after years of hiding his feelings. He sends the letter to the post office and it’s picked up by a nosy mailman. He opened it and, just for the hell of it, he decided to rewrite the letter before delivering the mail to Jackie. This results in Jackie hating Jerry for the rest of her life after “Jerry” called her a fat cow. The moral of the story is the mailman is a jerk, and so are hackers.”
A modern example would be a hacker placing some kind of undetected listening program on the server of a particular website, which then activates when a user enters their information, capturing their login credentials or even financial information.
How SSL Works
SSL works by encrypting information passed between a website’s server and a user’s browser. So instead of data being sent and received as plain text, it’s transformed into a seemingly random string of illegible characters.
In order to create a secure SSL connection for your website, you need to get an SSL certificate from an issuing company, or Certificate Authority. Once issued, your site gets public and private keys.
The public key doesn’t need to be secret and is placed into a Certificate Signing Request (CSR), a data file also containing your details. The private key, however, is secret. Both keys are cryptic strings of characters that fit together like a lock and key.
Once installed, the next time someone visits your website, their browser will form a connection with your web server, look at your SSL certificate, and then create a secure connection that hackers can’t intercept.
What is TLS?
TLS was introduced as the successor to SSL 3.0 in 1999. It was designed to resolve insecurities in the SSL protocol. There’s no difference at all between the technologies other than the different names.
Why You Need SSL ASAP
HTTPS has been a Google search ranking signal for years, but from July it will become a mandatory feature of Chrome. Google is getting ready to release Chrome 68, which will start labeling all websites that aren’t running HTTPS as “not secure” in the address bar.
This is a big deal because Chrome has about 58% market share. So when this update is rolled out, it will immediately impact a significant number of websites across the web.
This means that if you don’t have an SSL certificate installed on your site by July, chances are you’ll see a dramatic drop in traffic.
Installing an SSL Certificate
Getting an SSL certificate for your site involves a few different steps, which vary depending on your web host and where you buy your SSL certificate from.
Generating a CSR (certificate signing request)
First, you need to generate a CSR (certificate signing request). This identifies which server will use your certificate, as well as the domain name you’ll use for your SSL certificate. How you go about generating a CSR will depend on your web host, so check with them for specific instructions.
As an example, here are the instructions for GoDaddy users.
Requesting an SSL certificate
Next, you need to request a certificate. Your first port of call should be your web host. Many managed WordPress hosts like SiteGround and Kinsta provide free Let’s Encrypt SSL certificates and help with installation.
Alternatively, your web host may offer third-party SSL certificates at a cost, which is worth considering if you want to avoid the hassle of manual setup.
If your web host doesn’t offer SSL certificates, or if you want to go down the manual route, you may want to check out these Certificate Authorities:
- Let’s Encrypt – Free, instant and unlimited SSL certificates with automated renewals.
- Comodo – Affordable option with a free 90-day trial for DV (Domain Validation) certificates.
- Symantec – Enterprise-level option with increased security, including daily malware scans and 100% compatibility with browsers.
- Digicert – Mid-range option that provides a comprehensive range of certificates along with free certificate re-issues.
Before getting a certificate, it’s important to determine what kind of SSL certificate you need. There are essentially two types of SSL certificate, which can be grouped based on:
- Validation level, and
- Number of secured domains/subdomains.
This means you need to work out what level of protection you need for your site as well as how many individual websites you want to secure. Key things to consider here include cost, the kind of business you run online (i.e. you may want greater security for an eCommerce site), and how many websites you want to protect in your network.
Installing your SSL certificate
There is no one-size-fits-all set of instructions for installing an SSL certificate – how you go about doing it depends entirely on your web host and server setup. So get in touch with your web host for specific instructions.
To give you an idea of what is involved, here are the instructions for GoDaddy users.
Setting Up WordPress to recognize your new HTTPS status
Once you’ve installed your SSL certificate, the last step is to tell WordPress to use HTTPS.
To do this, log in to your WordPress site and go to Settings > General. Scroll down to the “WordPress Address (URL)” and “Site Address (URL)” fields and replace “http://” with “https://”.
Once you save your changes you’re done! SSL is ready to go on your new website.
However, if you’re setting up SSL for an existing website, there’s one more step:
You need to set up your WordPress site to redirect from HTTP to the more secure HTTPS version of your site. To do this, open the .htaccess file in the root directory of your site using cPanel or FTP and paste in the following code above anything else that might already be in the file:
HTTPS should now be working on your site. If “https://” appears in your URL with a green padlock next to it, your SSL certificate has been correctly installed and your site is now secure.
Configuring SSL and WordPress with Plugins
If you would rather use a plugin than configure your WordPress settings and files manually, there are a few great plugins that can do the heavy lifting for you:
1. Really Simple SSL – This plugin automatically detects your settings and configures your website to run over HTTPS. The premium version enables you to verify there are no warnings on your site.
2. SSL Insecure Content Fixer – If your site has any hard-coded references to “http,” such as image files, this handy plugin can help you find and fix any errors.
3. WordPress HTTPS (SSL) – This all-in-one solution fixes “partially encrypted” errors, forces SSL per page and provides a secure admin panel.
4. WP Force SSL – This plugin helps you redirect HTTP traffic to HTTPS without having to touch any code.
Using WP Rocket and SSL
WP Rocket has been designed with SSL in mind, but there are a few steps you need to follow to ensure it works smoothly.
1. Change your site settings to HTTPS – Make sure the “WordPress Address (URL)” and “Site Address (URL)” fields both include the HTTPS URL for your website.
2. Make sure all assets use HTTPS – After setting up your SSL certificate, there may be some links in your site that still use HTTP. In order to avoid “Mixed Content” warnings and ensure WP Rocket can properly cache your content, WP Rocket recommends using Interconnectit’s Search and Replace script if you’re a developer, or Better Search and Replace or Go Live Update URLS if you’d prefer to use a plugin.
3. Redirect all HTTP traffic to HTTPS – You need to make sure all links pointing to the HTTP version of your site are automatically redirected to the HTTPS version. So update your .htaccess file as in the example code above, or use the Really Simple SSL plugin to enable this for your site.
After you’ve followed the above three steps, don’t forget to enable SSL cache in WP Rocket.
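To find the leftover HTTP assets that step 2 refers to, a page's HTML can be scanned for subresources that are still loaded over http://. The following Python sketch is an added example, not code from the original post or from WP Rocket; the function and class names and the sample page (on the placeholder domain example.com) are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser load (or submit to) another URL.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "link": ("href",), "form": ("action",),
}

# Constructed sample page; example.com is a placeholder domain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://example.com/post/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.com/old-post/">old link</a>
<img src="//cdn.example.com/a.png" srcset="http://example.com/a-2x.png 2x, https://example.com/a-3x.png 3x">
<form action="http://example.com/contact"></form>
</body></html>"""

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as content
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds comma-separated "url descriptor" entries.
            entries = value.split(",") if name == "srcset" else [value]
            for entry in entries:
                url = (entry.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Ordinary `<a href="http://…">` links and the canonical link are deliberately not reported: they do not cause a mixed-content warning, although they still benefit from the HTTP-to-HTTPS redirect.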
Using Cloudflare SSL
With SSL now installed on your WordPress site, you need to make sure that your CDN – if you use one – is also SSL-enabled. Otherwise, you’ll run into problems with CSS and other files not loading because the browser blocks them.
You can check if your CDN has SSL enabled by visiting your CDN URL. If you get a security warning similar to the one below, it means SSL isn’t enabled on your CDN.
The best thing to do is get in touch with your CDN provider and ask them to enable SSL for your account.
If you’re a Cloudflare user, you can choose to set up free Cloudflare Flexible SSL. In the Crypto settings for your site, choose “Flexible” in the drop-down box. It’ll take about 24 hours for the flexible certificate to be issued to you.
Cloudflare’s Flexible SSL isn’t all that WordPress-friendly. So to avoid/resolve redirect loops, install the free Cloudflare Flexible SSL plugin.
Also, for redirecting non-HTTPS traffic, you can use this Cloudflare-specific rewrite rule in your .htaccess file:
Don’t forget to replace https://www.example.com with your own domain name in the second line.
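Why Flexible SSL causes redirect loops, and why a Cloudflare-specific rule avoids them, is easier to see as a small model. The Python sketch below is an added example, not code from the original post or from Cloudflare. It relies on two facts: under Flexible SSL Cloudflare accepts HTTPS from the visitor but connects to your server over plain HTTP, and it reports the visitor's scheme in the `CF-Visitor` request header. The function names are hypothetical, and the generic rule is assumed to be the common "redirect when the request did not arrive over HTTPS" check.

```python
import json


def rule_https_off(origin_saw_tls, headers):
    """Generic rule: redirect whenever the origin itself received plain HTTP."""
    return not origin_saw_tls


def rule_cf_visitor(origin_saw_tls, headers):
    """Cloudflare-aware rule: redirect only when the visitor used HTTP."""
    visitor = json.loads(headers.get("CF-Visitor", "{}"))
    return visitor.get("scheme") == "http"


def browse(rule, visitor_scheme, max_hops=5):
    """Follow redirects through a Flexible SSL edge.

    Returns (schemes requested by the browser, "served" or "redirect loop").
    """
    hops = [visitor_scheme]
    for _ in range(max_hops):
        # The edge reports the visitor's scheme in CF-Visitor, but under
        # Flexible SSL it always contacts the origin over plain HTTP.
        headers = {"CF-Visitor": json.dumps({"scheme": hops[-1]})}
        if not rule(False, headers):
            return hops, "served"
        hops.append("https")  # origin answered with a redirect to https://
    return hops, "redirect loop"


if __name__ == "__main__":
    for rule in (rule_https_off, rule_cf_visitor):
        for scheme in ("http", "https"):
            print(rule.__name__, scheme, browse(rule, scheme))
```

In this model a request that reaches the server without a `CF-Visitor` header, that is, one that bypasses Cloudflare, is not redirected by the Cloudflare-aware rule, and the Cloudflare-to-server leg stays unencrypted either way.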
Google has been pushing us towards an HTTPS future for years and with the upcoming release of Chrome 68 set to enforce it, it’s time to make SSL a priority for your website if you haven’t already.
Whether you run a basic blog, an eCommerce store or even a Multisite network, HTTPS will ensure any information visitors enter into your site is protected from nasty hackers who might attempt to intercept it.
So check with your web host how you can go about getting an SSL certificate and make sure your website displays the “Secure” label by July.