What Is An SSL Certificate & Why Does Your WordPress Website Need One?
Google punishes websites without SSL certificates and an HTTPS connection. Here’s what you need to know to avoid having your website publicly shamed.
Oops! We could not locate your form.
Google punishes websites without SSL certificates and an HTTPS connection. Here’s what you need to know to avoid having your website publicly shamed.
Update – Originally written in 2017 but updated in October 2022 to ensure accuracy.
SSL (Secure Sockets Layer) is a standard security technology that protects data being transferred between a website server and a browser. The SSL encrypts data passed between the servers and browsers to ensure that sensitive data remains private and out of the hands of criminals.
You’ll have noticed either a green or locked padlock symbol appearing next to most websites in the URL bar. This indicates that the website is protected by SSL. If you see a red padlock or a warning icon, you’ve guessed it, the site doesn’t have an SSL certificate in place.
Clicking on this padlock symbol will reveal the SSL certificate information. In the Chrome browser, it also allows you to see the cookies a website uses, edit your browser settings for that particular website, and control whether the website can send you notifications. In some cases, it will even display information about the website pulled from the web (much like the knowledge panel in search).
HTTPS (Hyper Text Transfer Protocol Secure) is a secured version of HTTP, which is a protocol and syntax for transferring data requests and responses online. It is secured by SSL, which encrypts all data being transferred.
HTTPS appears in a website’s URL if a website is secured by an SSL certificate, along with the padlock symbol representing that the site is secured.
In past years SSL certificates weren’t required for every business. It was predominately only e-commerce websites and those taking payments that needed one. You’d often see SSL-protected logos on their website at the checkout page, to reassure their users that the website was secure and their payment details safe.
You may be familiar with some of these logos.
However, with online security and data protection becoming more important in recent years, it’s not only websites that process payments that now require SSL certificates. Web users are savvier now and demand that their data be protected and their browsing experience secure. A website without SSL protection will prompt many to leave and go elsewhere, to a website that shows more regard for their security.
From late October 2017, Google began penalising websites without an SSL certificate by making visitors aware if they lack one. This is achieved by displaying messages to users in the browser, to warn them if the website they’re about to view is not secure. The red padlocks or warning symbols that we mentioned previously.
Google rightfully consider websites with HTTPS pages/SSL encryption as more trustworthy than their HTTP counterparts. So this became a ranking factor meaning that websites with a properly implemented SSL Certificate and no mixed content will likely rank better than those without.
This makes having a valid SSL certificate and ensuring you don’t have mixed content on your website an important SEO factor.
It is Google’s way of looking after its customers, setting a precedent that all websites should offer a secure and encrypted connection.
An SSL certificate provides browsers and users with a website’s security information. Allowing them to view:
i) The name of the certificate holder
ii) A serial number and expiry date
iii) A copy of the certificate holder’s public key
iv) The issuer or who has verified the SSL certificate
The diagram below shows how the web server and the user’s browser communicate several times before providing a secure connection for the website’s data transfer.
As well as having important SEO repercussions, having SSL protection is a requirement to meet certain standards, and also provides important trust-building. It lets your visitors know that you take security seriously.
In order to accept credit card information on your website, you must pass certain audits that show that you are complying with the Payment Card Industry (PCI) standards. One of the requirements is properly using an SSL Certificate.
SSL protection reassures visitors that browsing your website is safe, and secure. That you are providing them with another wall of protection against cybercriminals.
Anyone visiting your website will clearly see a secured padlock.
Now, this may not seem that important, but for anyone considering sharing sensitive data (card details, usernames, passwords etc) or personal information on your website it could be the deciding factor.
The browser flagging your website as untrustworthy if you lack an SSL certificate could lose you that hard-earned prospect or brand credibility.
If you are unsure whether you have SSL on your WordPress website, simply type your URL into a browser and look for the padlock.
Green or Locked Padlock & HTTPS = Good
Red Padlock or Warning Symbol & HTTP = Bad
SSL certificates can be purchased online and you can find loads with a quick Google search.
A few providers are listed below to save your fingers the trouble.
GoDaddy
Digicert
GlobalSign
Comodo
Let’s Encrypt
Thawte
If you’re a technical wizard then you may be able to implement this yourself. If you’re not that comfortable making these kinds of changes then your IT department, your website host or your website agency will be able to do this for you.
In our Unlimited WordPress Support plans the implementation of an SSL is included – food for thought.
As with everything, there are both free and paid options.
You can visit a website called Let’s Encrypt. They have issued 100 Million certificates worldwide, and although free still provides the level of security you need to protect most websites.
If you are taking payments online or have a membership/subscription website that stores personal data, a paid SSL might serve you better.
Paid SSL certificates carry further liability protection compared to their free counterparts. Paid variants also provide options for Organisation Validation (OV) and Extended Validation (EV). OV validates the actual company behind the website. whilst EV allows the company’s name to appear next to the padlock icon in the address bar.
A paid SSL is charged and renewed yearly, and you should be looking to pay between £100-500. Depending on the provider and level of the certificate (i.e. Wildcard). Some may appear cheaper, however, please check the renewal fees. As some companies run discounts on the first year and then hike the price at the renewal stage.
Another benefit of a paid SSL is the Wildcard option.
Basically, www.impactmedia.co.uk would be protected under a standard SSL. But if a user types blog.impactmedia.co.uk or impactmedia.co.uk this wouldn’t be secured under a single SSL certificate.
A wildcard SSL would basically provide multiple certificates, to cover all subdomains, sites, and IP addresses under a single hostname.
Generally, wildcard certificates are not available for free, although Let’s Encrypt may be offering them, as this was their plan back in 2018.
To achieve the same effect as a wildcard certificate with most free options, you’d need to implement an individual certificate for each variant mentioned above. Quite a bit of legwork.
Although the SSL will encrypt data whilst in transit, it won’t protect your website from being hacked. Adding additional security including a solid DNS level firewall to your website will help prevent your website from being compromised. Whilst also providing constant monitoring for and reporting.
If you’re looking for additional protection, an SSL, and ongoing support and maintenance for your WordPress or WooCommerce website, consider our Unlimited Support plans.
You can download our Support Brochure to see our current plans, inclusive features and pricing.
Hopefully, this post has helped to answer any questions you had regarding SSL certificates and why it is so important to have one. If you need help implementing an SSL certificate on your website then please feel free to get in touch.
If you’re capable of implementing it yourself, check out the list we provided above of paid and free SSL certificate options again. If you do get stuck or want to ask any questions drop us a message and we’ll be happy to help.