Author’s Note: Install The SSL Certificate is the second chapter of my free ebook, “Create Your Business Website With WordPress.” Each day I will release a chapter from the book onto my site.
The second step in creating a business website with WordPress is to install the proper Secure Sockets Layer (SSL) certificate onto the website. This step can be completed without the website being fully functional yet.
If the reader doesn’t know what an SSL certificate is, or how to find the proper one for a business website, that’s fine, because I will explain the process in this chapter. Depending on the needs of the website, individuals can use free SSL certificates or will have to purchase one.
I’ve met some business owners who think they do not need to secure their entire website, but only the login page or the cart/checkout page. That line of thinking is wrong. The entire website needs protection.
A Secure Sockets Layer (SSL) certificate lets a website encrypt its traffic, moving it from HTTP (unsecured) to HTTPS (secured). That encryption protects sensitive information (like credit card numbers or protected health information) from bad actors like hackers while it travels between the visitor’s browser and the website.
This certificate protects websites from bad actors through Public-key cryptography. Think of this protection as house addresses. These are public information and anyone can come to those houses. That is the public key in Public-key cryptography. However, there are locks on those houses’ doors, which keeps strangers from entering those houses. Only those individuals with the proper key can enter. That’s the private key used in Public-key cryptography.
When a person obtains an SSL certificate, there is a public and private key with it. A web browser receives the public key upon connecting with the website, which allows it to create an encrypted connection. If the browser isn’t able to receive the correct public key then the encrypted connection won’t occur.
Finally, an SSL certificate proves the domain name actually belongs to the website. This is done through domain validation, which I will discuss later in this chapter.
This is a quick overview about SSL certificates. To learn more I suggest reading this knowledge article from Cloudflare. It explains the technology in more detail, and it’s easy to understand.
The entire business website needs an SSL certificate because not having one affects the following:
- Search Engine Optimization (SEO) ranking.
- Visitors’ trust.
Google, Bing, DuckDuckGo, and other search engines take web security seriously. They don’t want to provide their customers search results that lead them to dangerous sites that may install malware on their computer or steal their data. Thus, search engines give websites with better security higher rankings in their searches over insecure websites. Neil Patel did an extensive write-up on his website showing the data proving Google favors websites employing entire website security. If a business owner only secures parts of their website instead, that will hurt the site’s SEO rankings. In turn, that will hurt the business’ profits because it’s not going to reach as many customers.
Finally, having an SSL certificate installed for the entire website puts visitors’ minds at ease. If someone visits a website and sees the homepage isn’t secure, that visitor may leave the site immediately. Or that visitor could stick around but choose not to purchase any product or service from the site.
There are three types of SSL certificates:
- Domain Validated (DV)
- Organization Validated (OV)
- Extended Validation (EV)
While each certificate provides the same type of encryption, they differ in how the Certificate Authority (CA) verifies the website’s owner before it issues the certificate. The CA is the company generating and granting SSL certificates.
DV certificates have the fewest checks, as the CA only checks whether the owner has the right to use a specific domain name. This is usually done by having the owner add a specific record to the Domain Name System (DNS) settings at their web hosting company. The CA doesn’t check to make sure the owner is the actual owner, or check the owner’s identity.
Websites use DV certificates because they are inexpensive, good for simple websites (like personal blogs), and have quick delivery.
The CA does more checks on OV certificates, verifying the owner has the right to use the domain name. In addition, the CA verifies some of the information about the organization or business. Visitors can view that information by viewing the security icon in their browser.
Unlike DV certificates, OV certificates have a longer delivery time due to the checks the CA has to perform. These certificates are great for Ecommerce sites, or any website accepting sensitive customer data like credit cards.
As for EV certificates, the CA performs an extensive verification process for the website’s owner. They check the legal, physical, and operational existence of the business. Then the CA verifies the identity the owner provides against what is on official records. Finally, the CA checks that the owner or organization initiated the certificate issuance. Like OV certificates, EV certificates are great for Ecommerce sites, or a website accepting sensitive customer data.
Just like domain names, SSL certificates do expire after a set period of time. Usually that period of time is one year after electing or purchasing the certificate. Also like domain names, users will get several notifications from their web hosting company regarding the upcoming expiration date. If the user doesn’t renew the SSL certificate in time the website will show as insecure. Also, the site will show a message in the browser before loading that the SSL certificate is either expired or doesn’t match what’s on file with the CA.
Customers can purchase multi-year SSL certificates. However, the certificates still usually expire each year, but a new certificate may install automatically until the multi-year duration ends. It depends on the web hosting company, and if the reader has any questions about that procedure I suggest reaching out to technical support for assistance.
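To make the certificate types and the expiration rule concrete, here is an added Python example (not part of the original chapter) that guesses a certificate’s validation level from its subject fields and reports whether it needs renewing. The sample certificates, the `shop.example` name, the function names, and the 30-day warning window are assumptions made for illustration, and the subject-field check is a heuristic rather than an official test.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for illustration.
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}
SAMPLE_OV = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Store LLC"),),
        (("commonName", "shop.example"),),
    ),
    "notAfter": "Dec 31 00:00:00 2024 GMT",
}

def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: DV subjects name no organization; EV subjects add businessCategory."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if "businessCategory" in fields else "OV"

def days_remaining(cert, now):
    """Whole days until notAfter; a negative value means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days

def renewal_status(cert, now, warn_days=30):
    """Return 'expired', 'renew now' (inside the warning window) or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew now" if left <= warn_days else "ok"

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live site's verified certificate (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Passing the result of `fetch_cert("your-domain")` to `renewal_status` with the current UTC time gives the same check for a live website.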
Many web hosting companies offer free SSL certificates when customers sign up for a web hosting plan. Depending on the company, the free SSL could be for the life of the plan, or only for the first year. Yet, there is a CA offering forever free SSL certificates: Let’s Encrypt.
According to its homepage, Let’s Encrypt is a nonprofit CA providing SSL certificates to 300 million websites. The organization receives its funds from major technology companies, which is why it is able to provide forever free SSL certificates. The group’s mission is to secure the Web and provide more privacy to the Web’s users.
Here’s how this service works:
- If the user’s web hosting company already has Let’s Encrypt enabled on the hosting plan then the user has to opt into the service.
- One can check the web hosting companies using Let’s Encrypt here.
- The software installs an SSL certificate onto the website and it’s valid for 90 days.
- Every 90 days the software renews the certificate automatically.
Now, if the user’s web hosting company doesn’t have Let’s Encrypt enabled on the hosting plan the user may be able to install it if the user has root access on the server. If that’s not the case then that person can’t use Let’s Encrypt.
This service is good for personal blogs or simple websites as this CA can only issue DV certificates. And the service has no plans to offer OV or EV certificates.
The reader can purchase SSL certificates from their web hosting company, but they can also purchase them directly from the CA. Which option is best? I suggest purchasing the certificate from the web hosting company if possible for the following reasons:
- Easier installation procedure.
- Certificate Authority certificates are more expensive.
ComodoCA is the largest Certificate Authority in the world, as 36% of Fortune 1000 companies purchase their SSL certificates from it. The CA sells all three types of certificates and provides the following:
- 24/7 customer service.
- 30-day money back guarantee.
- $1,000,000 warranty.
- Trusted seal to put on the website.
With all these benefits comes a hefty price tag. An OV SSL certificate for a single domain costs $179 per year. Yet, on Namecheap (the web hosting company I personally use) I can purchase a similar certificate for $79 per year. The only difference is the warranty, which is $250,000 instead of $1,000,000.
Once the individual has the proper SSL certificate for their site, the next move is to install it. The procedure for this action depends on whether the user bought the certificate from their web hosting company or from an outside CA.
If it’s the former then the person should follow the instructions from their web hosting company. Those instructions are usually available on the hosting company’s Help Page or their Knowledge Base. Sometimes those instructions also come via email. Finally, some web hosting companies will automatically install the SSL certificate so the user doesn’t have to do anything.
If the person bought the certificate from an outside CA, usually the CA will provide some basic instructions on how to install it. However, it’s best to check with the web hosting company for the proper installation procedure.