The importance of website security has skyrocketed in the last couple of years. Experienced hackers are getting into websites all around the world, and Google is finally putting its foot down and saying no to insecure websites.
Every website, whether it be small or large, young or old, simple or complex must be secure. Google says so!
Security is quite an involved topic when it comes to websites, especially WordPress, so in this post I will cover what SSL/HTTPS is, why it’s important and how to set it up.
This page contains affiliate links which means I may earn a commission if you use them. I only recommend tools that I use and trust.
WHAT IS HTTP/S?
HTTP stands for Hypertext Transfer Protocol. It is the way information is transferred between the browser and the server your website is hosted on.
HTTPS is exactly the same, except that the ‘S’ stands for Secure: it adds a level of security by encrypting the data. This protocol is a must-have if you are asking visitors for private and sensitive information such as credit card or personal details, so that the data is encrypted and safe from hackers/scammers!
Instead of sensitive data being transferred between the server and browser as plain text, the encryption scrambles the letters and numbers into a long string of unreadable characters.
Websites everywhere are moving towards HTTPS after Google confirmed its importance. In 2016 they announced that there would be a slight ranking boost for websites using the HTTPS protocol.
WHAT HAPPENS WHEN SWITCHING TO HTTPS?
Nothing visibly changes on your website itself when you switch to HTTPS. What DOES change is the address bar, especially in Chrome.
In January 2017, Google Chrome launched a feature that displays ‘Not Secure’ in bright red on any website still using HTTP. This is still a new feature; however, people are noticing the warning more and more and considering ‘Secure’ websites more professional and trustworthy.
HOW TO SWITCH TO HTTPS
To switch over to HTTPS, you require an SSL (Secure Sockets Layer) certificate. The certificate provides important information about your business and comes with two keys – a ‘Private Key’ and a ‘Public Key’.
These keys are literally the ‘key’ to having a secure website. Your certificate is then uploaded to your host’s server, which communicates with your visitor’s browser and ensures an encrypted link is in place.
LET’S ENCRYPT VS. PREMIUM CA (CERTIFICATE AUTHORITY)
The new Let’s Encrypt service has been advertised heavily recently, as it provides a free way to add SSL to your website.
Obviously, as a developer I was curious as to why a company can all of a sudden provide this security for free when we have always had to purchase it in the past.
So I did my research…
LET’S ENCRYPT SSL
Let’s Encrypt is a free, automated and open Certificate Authority (CA). They support the movement to HTTPS and want to make it easy and affordable for all websites to do.
Even though the ‘free’ aspect is what is most appealing about Let’s Encrypt, there are a few limitations I would like to address before you make your decision.
There are multiple types of SSL certificates that one can purchase for a website, and they all mean and do different things.
Currently the only SSL certificate available through Let’s Encrypt is DCV, which stands for Domain Control Validation. This means that the only check carried out before the certificate is issued is whether the requester has control of the domain, which is proven either by adding a ‘.txt’ file to the root folder of the domain or by adding a DNS record.
The concern here is that malicious organisations can easily replicate your website, as they have the ability to obtain an SSL certificate without any personal information about your business being required, making the ‘stolen’ site look reputable.
Let’s Encrypt currently doesn’t provide wildcard certificates. This means that if you have subdomains, you will need a certificate for each individual subdomain you want to secure.
You can request up to 20 certificates per domain in a 7-day period, so if you have more than 20 subdomains under one domain you will need to space the requests out according to their rules.
Premium certificates come with two stronger validation levels – Organisation Validation (OV) and Extended Validation (EV). For these types of certificates, owners are required to prove they are the legitimate owner of the website by showing proof of incorporation. EV takes it even further by carrying out manual checks to ensure that the information provided by the certificate requester matches everything in the public records.
WHICH ONE SHOULD I CHOOSE?
This depends on the type of business you own. If you consistently ask for private information such as credit card details through your website, I would recommend purchasing a premium SSL certificate to ensure you have the best level of security.
If your website is purely a simple blog that doesn’t ask for personal information, then Let’s Encrypt will do the job. And because of its price tag, it is the perfect way to go if you are on a tight budget.
Having said that, premium SSL certificates are a lot more affordable nowadays. Here are a few examples:
Comodo SSL Certificate (DV): $57.33/year
GeoTrust QuickSSL Premium: $81.90/year
HOW TO SET UP YOUR SSL CERTIFICATE
SETTING UP LET’S ENCRYPT
The simplest way is to use a host that has a built-in Let’s Encrypt integration. My recommended host is SiteGround, a highly popular hosting company that offers amazing value for money. This blog is hosted by SiteGround and uses the Let’s Encrypt feature, as I don’t ever ask for highly sensitive information, and it took me all of 2 minutes to set it up.
To set up Let’s Encrypt through SiteGround, begin by going to cPanel and scrolling down to the ‘Security’ section. There you will see the ‘Let’s Encrypt’ logo; select it and it will bring up the Let’s Encrypt interface.
Once there, you will find a section that lists all of the certificates installed on your server. If your domain is listed, all that is required is to switch the ‘Enforce HTTPS’ toggle to ‘On’.
If a certificate is not installed for your domain, you can add one yourself. Further down the page is a section to install a new Let’s Encrypt certificate. All you need to do is choose the domain you want to install the certificate on, enter the best email address for that domain and click ‘Install’. You will be shown a ‘Success’ message when it’s complete.
Once it is installed, go back to the step above and switch ‘Enforce HTTPS’ to ‘On’.
How do I renew my certificates?
Another great thing about Let’s Encrypt on SiteGround is that the certificate is renewed automatically every 90 days, so once it’s installed you never have to worry about it again.
How do I cancel a certificate?
If you wish to cancel a certificate for your domain, you can do this by going to the ‘Let’s Encrypt’ interface, finding your domain in the list of installed certificates and clicking ‘Cancel’.
MANUALLY INSTALLING A PREMIUM SSL CERTIFICATE
This process is slightly different depending on where you purchase your premium SSL certificate from. For this tutorial, I will run through the process of downloading and installing a premium certificate from RapidSSL.
First things first: once you’ve purchased your certificate, you will need to download the ZIP folder RapidSSL gives you.
- Go to the Symantec Trust Center account
- Enter the Username and Password
- Click Sign In
- From the list, select the corresponding certificate to download
- Under the Available Actions section in the bottom of the page, click Pick up your certificate
- Confirm the certificate details, then click the Get Started button
- Select the Server platform and Server version that the certificate will be installed to from the drop-down menus
- Click the Download button
- A prompt window will appear to save a .zip file which will contain all necessary certificates and additional documents and/or information for installation
- Select the server platform as cPanel > Versions 10-11 when downloading the certificate.
Next you need to upload the ZIP folder onto your server where your website is hosted and unzip the folder.
Once you’ve done this, go to your cPanel interface and scroll down to the ‘Logs’ or ‘Security’ section and click on the SSL/TLS Manager icon.
The SSL/TLS Manager interface will appear. Under ‘Certificates’ click on the ‘Generate, view, upload, or delete SSL certificates’ link.
From here, you can either copy and paste the contents of the .crt file you downloaded into the text area provided, or upload the .crt file directly. Once you’ve done one of these, click ‘Save’ or ‘Upload’.
Activating Your Certificate:
Now that you’ve installed your premium SSL certificate, you need to activate it on your website. So go back to the ‘SSL/TLS Manager’ interface and under ‘Install and Manage SSL for your site (HTTPS)’ click on the ‘Manage SSL Sites’ link.
Next you will need to choose your domain name from the dropdown and select ‘Autofill By Domain’. This will fill in the certificate’s information automatically.
This step is optional, but I do recommend completing it. In the ‘Certificate Authority Bundle: (CABUNDLE)’ section, paste the contents of the Intermediate CA file downloaded from your Symantec Trust Center account.
Click on ‘Install Certificate’ and you’re done!
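Before pasting the certificate, key and CA bundle into cPanel, it is worth confirming offline that the three files actually belong together, since a mismatched key or a wrong intermediate is the usual cause of a browser error after ‘Install Certificate’. The script below is an added example, not from the original post, RapidSSL or cPanel: the file names site.crt, site.key and ca-bundle.crt are assumptions, and because real files can’t be shipped here it first generates a throwaway CA and leaf certificate for example.com to run the checks against.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks to run on a purchased
# certificate (site.crt), its private key (site.key) and the CA bundle
# (ca-bundle.crt) before uploading them. The file names are assumptions.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed test material: a self-signed test "CA" and a leaf certificate for
# example.com signed by it, standing in for the files a real CA would provide.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca-bundle.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout site.key -out site.csr 2>/dev/null
  printf 'subjectAltName=DNS:example.com,DNS:www.example.com\n' > san.cnf
  openssl x509 -req -in site.csr -CA ca-bundle.crt -CAkey ca.key -CAcreateserial \
    -days 2 -extfile san.cnf -out site.crt 2>/dev/null
}

# 1. Does the certificate chain up to the bundle you are about to paste as CABUNDLE?
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 2. Does the private key belong to this certificate? Compare the public key
#    embedded in the certificate with the one derived from the private key.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 3. Is the hostname listed as a Subject Alternative Name? Browsers match the
#    SAN list, not the Common Name, so the www and bare domain must both appear.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# 4. Will the certificate still be valid in 24 hours?
not_expiring() { openssl x509 -in "$1" -noout -checkend 86400 >/dev/null; }

report() {
  for t in "chain_ok site.crt ca-bundle.crt" "key_matches_cert site.crt site.key" \
           "cert_covers_domain site.crt www.example.com" "not_expiring site.crt"; do
    if $t; then echo "PASS: $t"; else echo "FAIL: $t"; fi
  done
}

make_fixture
report
```

Run it against your own files by replacing the three names and removing make_fixture; a FAIL on check 2 means the key on the server is not the one the CSR was generated from, and a FAIL on check 1 means the wrong intermediate was downloaded.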
A lot of information was covered in the post so I’ll do a quick recap. If your website is going to be asking for highly sensitive data such as credit card information, I definitely recommend investing in a premium SSL certificate. If your site is along the lines of a simple blog, then by all means utilise the free Let’s Encrypt option.
Just make sure you switch to HTTPS so you aren’t left behind on Google!