What Is SSL? A Beginner’s Guide To SSL Certificates And WordPress

You may or may not be familiar with SSL certificates, but you’ve definitely seen them in action. They’re what’s required to turn an HTTP URL into an HTTPS URL.

They’ve become a necessary security measure for certain sites, specifically sites that transfer and/or store personal data, such as ecommerce sites. HTTPS has become a vital component in the machine that keeps the Internet secure, so much so that Google announced they started using it as a ranking factor at the 2014 Google I/O conference.

However, it should be noted that this ranking factor affects “fewer than 1% of global queries” and it carries “less weight than other signals such as high-quality content.”

They did conclude by saying:

But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

As far as WordPress goes with SSL and HTTPS, Matt Mullenweg published a blog post on December 1, 2016 stating this:

We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available. Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face.

According to Matt, WordPress’ future with SSL begins by only partnering with web hosts that offer SSL certificates as defaults for their WordPress hosting services. The team will also assess which features “would benefit the most from SSL and make them only enabled when SSL is there.” Matt uses API authentication as an example.

As you can see, influencers are pushing this security protocol, but what exactly is it, and how do you use it with WordPress? Let’s talk about that.

What is an SSL certificate?

First things first, you need to understand what SSL is before you can begin to understand what an SSL certificate is. SSL stands for “secure sockets layer,” but that’s not what you need to know. Here’s the official definition from SSL.com, if you’re curious:

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

You can think of an SSL connection on the checkout page of an ecommerce site as driving from the store to your home during a nasty storm. Your body represents the personal data (your shipping and payment information) you’re sending to the website. The store represents your browser, your home represents the site’s server, and the rain, hail, and flying debris represent hackers.

Your car, however, represents the SSL connection. It’s protecting you from all that rain, hail, and flying debris just as an SSL connection protects your personal data from hackers.

An SSL certificate is what’s required to form this connection. Without this protection, a hacker could potentially steal or “intercept” your data before it makes it to the server. This is why SSL and HTTPS are a must for any website that processes any type of personal data from users, such as ecommerce sites that accept payments from customers.

As a user, you can tell if the page you’re visiting is encrypted with SSL by seeing if the URL in the address bar begins with “https.” We’ll talk more about the different types of certificates in the next section, but there’s a specific type of certificate that gives you the green text and padlock. You can click on this padlock to see where the certificate came from.

You can even click on Certificate Information to see when it expires.

A site that is not encrypted with SSL will have a simple paper icon next to it in Chrome. This area will be blank in Firefox. If you click the paper or “i” icon in either of these browsers, you’ll find a message telling you your connection to the site is not secure.

If a page the browser feels should be encrypted is not encrypted, Firefox will display a yellow warning icon or a red diagonal line in front of the lock symbol.

This may mislead ill-informed Internet users into thinking your website has been hacked or contains spam/malicious data intended to steal their personal details.

Note: In July 2018, a new version of Chrome was launched and now displays the ‘Not Secure’ label for any website that does not use SSL. This is regardless of whether they take payments or have any forms.

From a conversion optimization standpoint, this is a serious ‘negative trust’ factor. So, whether you’re trying to grow your email list with opt-in forms, sell products on any of your pages, or just launch a basic website – SSL is well-worth having.

Here’s the good news: most web hosts now offer free SSL via Let’s Encrypt and it’s easier than ever to install.

How do you get an SSL certificate?

There are two main ways to obtain an SSL certificate:

  • Your host.
  • An SSL certificate provider, commonly known as a “certificate authority.”

Here’s a quick list of web hosts that include SSL certificates in their hosting plans:

  • WPX Hosting
  • Cloudways
  • SiteGround (official WordPress hosting partner)
  • WP Engine
  • Kinsta
  • Flywheel (official WordPress hosting partner)
  • InMotion Hosting
  • DreamHost (official WordPress hosting partner)
  • Bluehost (official WordPress hosting partner)

This is not an exhaustive list by any means. The good news is that you’ll likely find free SSL certificates offered on even the cheapest of shared hosts.

However, if your host doesn’t offer SSL certificates or one isn’t included in the plan you have, you need to obtain one from a third party. Here’s a list of services that sell SSL certificates:

You can also receive a free certificate from open-source CA Let’s Encrypt. You must have shell access (SSH) to use a certificate from Let’s Encrypt, and you must install your certificate manually if your host doesn’t do so for you. You can learn more about how to do that with this Certbot guide.

Fortunately, many web hosts, including a few of the ones mentioned above, are offering free SSL certificates via Let’s Encrypt as a standard feature in their hosting packages, negating the need for you to install a Let’s Encrypt certificate manually.

Here’s a short list of them:

  • SiteGround
  • Cloudways
  • WP Engine
  • Kinsta
  • WPX Hosting
  • Flywheel
  • DreamHost

No matter where you get your SSL certificate from, prices vary greatly based on the type of certificate you purchase and the level of protection that certificate offers. Prices range from free to $800+.

What are the different types of SSL certificates?

When you visit these sites or try to install an SSL certificate from your host, you’ll see a lot of different names pop up. There are “DV certificates,” “EV certificates,” “wildcard certificates,” and more.

Here’s a quick rundown of the different types of SSL certificates that exist.

Domain Validation (DV)

This is the cheapest type of SSL certificate. It’s ideal for blogs and websites that do not process any form of personal information from users as it only offers basic encryption. It requires you to validate domain ownership, but the validation process only takes a few hours at most.

Organization Validation (OV)

OV certificates are a little more premium than DV certificates. They’re the minimum level of protection required by ecommerce sites and any type of website that processes personal data from users.

DV certificates are validated by yourself. OV certificates, on the other hand, are validated by what we already explained are “certificate authorities.” DigiCert is an example of a certificate authority. Validation also typically takes longer than the validation process associated with DV certificates.

Extended Validation (EV)

This is the type of SSL certificate that gives you the green text and padlock icon, as stated before. It’s a more premium certificate than either DV or OV. It’s also the most popular certificate out there, especially among ecommerce sites.

Following the trend with the previous two types of certificates, the process for validating an EV certificate is a lot more strict than the process for validating DV or OV certificates.

SAN

SAN certificates allow you to encrypt multiple domains with a single certificate. They’re typically a lot more expensive than single-domain DV, OV or EV certificates.

Wildcard

Wildcard certificates allow you to encrypt an unlimited number of subdomains under a single domain.

Do you need an SSL certificate?

This may seem like something that you need only if you’re taking payments but it’s much more than that…

As we discussed towards the beginning of this post, SSL is a way of securing data sent between your website and a user’s device.

This doesn’t make your website more secure exactly, but it’s still important from a security standpoint.

For example, if a user is browsing the internet using public Wi-Fi or a hijacked router, SSL is designed to stop information being intercepted. It’s an important step in protecting our users and it improves trust.

Then there’s technology that improves website performance and depends on HTTPS (HTTP/2 and Brotli compression, for example). We all want faster websites, right?!

And now Chrome will label all websites without SSL as “not secure.”

So, with how easy and cheap it is to get an SSL certificate these days (thanks Let’s Encrypt!), there’s no good reason to avoid switching over to HTTPS.

That said, if you can get a better SSL certificate than Let’s Encrypt – it’s well worth doing.

Installing an SSL certificate

This is where things get a little complicated, and maybe even a little vague. The process for obtaining and installing an SSL certificate on your server varies between hosts. For example, a host like SiteGround allows you to install an SSL certificate on your site through cPanel. All you need to do is enter your cPanel dashboard, scroll to the security section, select Let’s Encrypt, and install it.

Read through all of the tutorials and knowledgebase articles your host has published about getting, installing, and configuring an SSL certificate. Ask them directly if you can’t find the information.

How to use SSL certificates with WordPress

Alright, so you’ve determined you need an SSL certificate, you’ve purchased one and you’ve installed it on your server. There’s only one problem. Your site hasn’t switched over to HTTPS.

Unfortunately, a few more steps are required to properly enable SSL on a WordPress site. Let’s go through them.

If the site is new

Your job is really easy if the site is new. All you need to do is go to Settings → General, and enter the HTTPS URL for your site in the WordPress Address (URL) and Site Address (URL) boxes. Click Save Changes once you’re done.

If that fails or your site isn’t new

We’ll get to how to enable SSL on a WordPress site with code in a minute, but let’s go over a simpler way first. That way is a plugin called Really Simple SSL. After you install an SSL certificate on your server, all you need to do is install and activate this plugin to properly configure SSL on your site.

If it doesn’t take effect, go to Settings → SSL to see if the plugin detects and enables SSL on your site. Enable it, if not.

What does this plugin do exactly? Here’s a rundown:

  • Changes your Site URL and Home URL to HTTPS for you.
  • Redirects incoming requests to HTTPS via .htaccess or JavaScript.
  • Fixes insecure content and changes it to HTTPS.
  • Configures server issues that may occur when you first enable SSL on a WordPress site.

If you want to go the manual route

If you don’t want to use a plugin and are adding SSL to an existing site, add this bit of code to your .htaccess file:

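# Send every plain-HTTP request to the HTTPS version of the same URL.
<IfModule mod_rewrite.c>
RewriteEngine On
# Match only requests that arrived on port 80 (plain HTTP).
RewriteCond %{SERVER_PORT} 80
# R=301 makes the redirect permanent; a bare R sends a temporary 302.
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>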

Replace “example.com” with your URL. Also, remove the “www” if your URL doesn’t use it.
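One way to check the redirect once the rule is live, as an added example that is not part of the original article: request a deep link over plain HTTP and confirm the answer is a permanent redirect to the same path on the HTTPS host. The function names are hypothetical, `www.example.com` is the article's placeholder, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

def fetch_redirect(url, timeout=10):
    """Request url over plain HTTP without following redirects.
    Returns (status code, Location header or None)."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirect(requested, status, location, canonical_host):
    """List the problems with one response to a plain-HTTP request."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: not a permanent redirect")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(requested), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"Location scheme is {dst.scheme!r}, not 'https'")
    if dst.hostname != canonical_host:
        problems.append(f"Location host is {dst.hostname!r}, not {canonical_host!r}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved")
    return problems

# Constructed responses for one deep link (not captured from a real server);
# on a live site pass the result of fetch_redirect(REQUESTED) instead.
REQUESTED = "http://example.com/shop/cart?item=3"
SAMPLES = [
    (301, "https://www.example.com/shop/cart?item=3"),  # what the rule should send
    (302, "https://www.example.com/shop/cart?item=3"),  # temporary redirect
    (301, "https://www.example.com/"),                  # deep link lost
    (200, None),                                        # no redirect at all
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, audit_redirect(REQUESTED, status, location, "www.example.com"))
```

Testing a deep link with a query string matters because a redirect that sends every request to the home page still looks correct when only the front page is checked.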

If you want to encrypt multisite admin pages

If you have a multisite network and want to encrypt the admin area and login pages with SSL, add this bit of code to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

If you’re using WooCommerce

You still need to use Really Simple SSL or add that snippet of code to your .htaccess file, but there’s one additional step to take if you’re running a WooCommerce site.

Go to WooCommerce → Settings → Checkout, select Force Secure Checkout, and save your changes. Refer to this page if you run into any issues after this.

If you’re using Easy Digital Downloads

Similar to WooCommerce, you still need to use Really Simple SSL or add that code to your .htaccess file if you use EDD. However, there’s still one final step to take.

Go to Downloads → Settings → Misc → Checkout Settings, select Enforce SSL on Checkout, and save your changes.

Additional steps to take to secure SEO rankings

Using a plugin like Really Simple SSL helps immensely, but there’s often a lot more that needs to be done to migrate from HTTP to HTTPS without having a negative impact on your site’s Google rankings.

Here are a few additional steps you can take to prevent your site’s SEO rankings from dropping too much:

  • Update hard-coded links – Hard-coded URLs may not redirect properly. Use a plugin like Better Search Replace to search for “http://yourdomain.com” and replace it with “https://yourdomain.com”.
  • Migrate CDN from HTTP to HTTPS – If you are serving some of your content with a CDN, you’ll want to migrate it from HTTP to HTTPS. You’ll need to refer to your CDN’s documentation to do this. Once you do, open the settings area of the WordPress plugin you’re using for your CDN integration, and switch the CDN URL to HTTPS.
  • Fix mixed/not secure content – Some content from your site may send mixed content or not secure content warnings to browsers, which your users will see. Use a tool like SSL Check to scan your site for mixed content.
  • Update Google Search Console – Create a new profile in Google Search Console for the HTTPS version of your site, and use it to re-submit your sitemap. Make sure you download the HTTP version of any disavow files you have from a penalty and submit them under the HTTPS profile.
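A small scanner for the hard-coded link and mixed content items in the list above, as an added example rather than code from the article or from any plugin it names. It reads a page's HTML and reports `http://` subresources and internal links; it only inspects static HTML attributes, so URLs inside CSS or injected by JavaScript are out of scope. The class and function names are hypothetical, and `yourdomain.com` and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that load a subresource. On an HTTPS page browsers
# block "active" loads over HTTP; "passive" ones are warned about or upgraded.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class InsecureReferenceScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue
            # <link> fetches a resource only for some rel values; treat
            # stylesheets as loads and skip the rest (canonical, etc.).
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) == ("a", "href") and urlsplit(url).hostname == self.site_host:
                kind = "hard-coded link"  # internal link that relies on the redirect
            else:
                continue
            self.findings.append((kind, tag, url))

def scan(html, site_host):
    scanner = InsecureReferenceScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup for a page served from https://yourdomain.com/
SAMPLE = """
<link rel="canonical" href="http://yourdomain.com/post/">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="https://yourdomain.com/app.js"></script>
<script src="http://cdn.example.net/slider.js"></script>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<a href="http://yourdomain.com/about/">About</a>
<a href="http://other.example.org/">External</a>
"""
```

Calling `scan(SAMPLE, "yourdomain.com")` returns the stylesheet and script as active mixed content, the image as passive, and the About link as a hard-coded internal link.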

Keep an eye on your rankings. You will likely see a slight drop when you first migrate from HTTP to HTTPS, but they should eventually improve. Go a little deeper to see if there’s anything you may have missed if your rankings never improve.

Final thoughts

That concludes our write-up on SSL certificates and WordPress. Enabling this security protocol on your site can be difficult, but we hope we simplified the process for you.

Here’s a quick wrap-up of everything you need to know about SSL certificates and WordPress:

  • Understand what SSL encryption is and the importance of it for certain sites, such as ecommerce sites.
  • Learn the differences between the different types of SSL certificates, and determine which SSL certificate is right for you.
  • Find out if your host provides SSL certificates, or look for a Certificate Authority if they don’t.
  • Install your SSL certificate on your server.
  • Configure SSL in WordPress via a plugin or manual code.
  • Configure your ecommerce platform if you’re using one for WordPress.

Now it’s up to you. Good luck!
