Google & SSL, What You Need to Know

You may or may not be familiar with SSL certificates, but you’ve definitely seen them in action. They’re what’s required to turn an HTTP URL into an HTTPS URL.

If you’re using Chrome 56 (or above), you might have noticed that some HTTP pages are marked as non-secure. This was introduced in January 2017, but only for pages that collect passwords or credit card data. It’s part of Google’s plan to move to a more secure web. Eventually, they want to label all HTTP pages as “non-secure” and change the HTTP security indicator to the red triangle that is used for broken HTTPS connections.

Google also announced that they started using SSL as a ranking factor at the 2014 Google I/O conference. However, it should be noted that this ranking factor affects “fewer than 1% of global queries” and it carries “less weight than other signals such as high-quality content.”

HTTPS stands for HyperText Transfer Protocol Secure. The most obvious difference with HTTP is the “secure” part. The connection is encrypted, which prevents data from being read if it’s intercepted.

For this secure connection to work, both the sender and the receiver use a key to encrypt or decrypt the message. This process is set up with an SSL certificate.

What is SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and intact. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

At the moment there are three types of SSL certificates:

  • Domain Validation SSL
  • Organization Validation SSL
  • Extended Validation SSL

A Domain Validation SSL is the most basic version. It checks whether the SSL-holder has the right to use a specific domain. It’s relatively easy to use and doesn’t require extensive paperwork.

The Organization Validation SSL is based on the Domain Validation SSL, with the addition of some vetting of the organization. This information is shown when a user clicks the padlock in the address bar of their browser.

An Extended Validation SSL provides the highest security. The checks for this type of SSL certificate are very thorough (based on the strict EV Guidelines), and include:

  • Verification of the legal, physical and operational existence of the entity.
  • Verification of whether the identity of the entity matches official records.
  • Verification of whether the entity has exclusive right to use the domain specified in the EV SSL Certificate.

How do you get an SSL certificate?

There are two main ways to obtain an SSL certificate:

  • Your host.
  • An SSL certificate provider, commonly known as a “certificate authority.”

Here’s a quick list of WordPress hosts that include SSL certificates in some of their plans:

  • SiteGround (official WordPress hosting partner)
    • SSL certificates included in all plans.
  • WP Engine
    • SSL certificates included in all plans.
  • Kinsta
    • SSL certificates included in all plans.
  • Flywheel (official WordPress hosting partner)
    • SSL certificates included in all plans.
  • InMotion Hosting
    • SSL certificates included in all WordPress hosting plans.
  • DreamHost (official WordPress hosting partner)
    • SSL certificates included in all WordPress hosting plans.
    • SSL certificates included in all shared hosting plans.
    • SSL certificates included in all VPS hosting plans.
  • Bluehost (official WordPress hosting partner)
    • SSL certificates included in all WordPress hosting plans.
    • SSL certificate included in the highest tier of shared hosting.
    • SSL certificate included in the highest tier of cloud hosting.

So, if your host doesn’t offer SSL certificates or one isn’t included in the plan you have, you need to obtain one from a third party. Here’s a list of services that sell SSL certificates:

You can also receive a free certificate from open-source CA Let’s Encrypt. You must have shell access (SSH) to use a certificate from Let’s Encrypt, and you must install your certificate manually if your host doesn’t do so for you. You can learn more about how to do that with this Certbot guide.

Fortunately, many web hosts, including a few of the ones mentioned above, are offering free SSL certificates via Let’s Encrypt as a standard feature in their hosting packages, negating the need for you to install a Let’s Encrypt certificate manually.

Here’s a short list of them:

  • SiteGround
  • WP Engine
  • Kinsta
  • Flywheel
  • DreamHost

SSL certificates can be bought from several vendors (called “Certificate Authorities”), such as GoDaddy. They cost anywhere from $150 per year to more than $1,000 per year, based on the type of certificate and warranties.

But there’s good news: you can get a free SSL certificate from Let’s Encrypt.

Do you need an SSL certificate?

Google would obviously love to see the day when every site is encrypted with SSL, but do you actually need one? Eventually, yes!

Some sites would not benefit much from an SSL certificate. These include blogs and sites with static content that do not require users to log in or provide personal and payment information.

If either of those describes your site, you don’t need to make acquiring an SSL certificate a priority, but you should look into it. Google is only going to move forward in its drive to use SSL as a ranking factor, so if your host provides one free of charge or you have the funds to purchase a basic DV certificate, consider getting one for your site.

If you have some type of membership site where users sign in but don’t necessarily buy anything, such as a forum, you should strongly consider installing an SSL certificate on your site. This will ensure their account information and any private information they’ve shared with the site are encrypted. DV and OV certificates are fine for this.

If you will be accepting payments on your site or processing similar types of personal information, you must install an SSL certificate, preferably an EV certificate. This will help keep your customers safe and encourage them to trust your site.

In short, everyone should be adding SSL certificates to their website, regardless of the type of business they run.

To learn more about why Google is so adamant about securing the internet, watch Google Webmaster’s “HTTPS everywhere” video.