What Are SSL Certificates and How Do They Work?
Website security has become more important than ever over the past few years. In fact, sites that do not provide proper security can often be penalized. Consequently, website security may be something you’ve been concerned about, especially if you’re thinking about taking online payments.
Fortunately, there is a solution for bringing your website up to snuff in terms of security. Secure Sockets Layer (SSL) is a protocol that enables your browser to establish a safe connection between itself and a particular website or server. If a website has an SSL certificate, that means it has been validated by a Certificate Authority. Many managed WordPress hosting providers (including WP Engine) offer SSL certificates as part of their services.
In this article, we’ll cover the ins and outs of website security certificates. We’ll also go over several different kinds and how they are validated. Then we’ll explain how to install a certificate on your own site. Let’s get started!
How SSL Certificates Work
You may have considered enabling Hypertext Transfer Protocol Secure (HTTPS) for your website, but you might not be sure how the entire process works. Therefore, let’s start from the beginning.
The first step is to find a Certificate Authority (CA), which is a body that awards an SSL certificate after verifying the identity of a website. Depending on which type of SSL certificate you opt for, the CA may verify the ownership of the domain that is requesting it. For other, more advanced SSL certificates, the CA may go as far as to verify that the business requesting it is actually registered. We’ll go over these options in detail later.
Once you’ve been issued an SSL certificate, you’ll need to install it through your web hosting provider. Then you will need to enable the HTTPS protocol for either your entire site (which is often the simplest approach), or just those pages that deal with sensitive information.
If you enable HTTPS before installing a certificate, your visitors will receive a warning when they attempt to access your website. The warning itself varies depending on the browser they use, but generally, it will inform them they’re trying to access a website that doesn’t hold a valid certificate.
This can also occur once your certificate expires – how long each one lasts will depend on the CA you use to process it. As a rule of thumb, SSL certificates last around three years at the most, and then you’ll need to renew them.
This process may sound complex if you’re not familiar with online security practices, but rest assured that it’s quite easy to implement. In fact, we’ll discuss how to install SSL for WordPress shortly. Before that, let’s go over some more details about the different components of SSL.
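The expiry warning described above can be caught before visitors see it. The following is an added example, not code from WP Engine or the original article: it classifies a certificate by the days left before its `notAfter` date. The 30-day threshold, the function names and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal threshold, not a value from the article


def days_remaining(cert, now=None):
    """Whole days until the notAfter date of a getpeercert()-style dict."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def expiry_status(cert, now=None, warn_days=WARN_DAYS):
    """Return 'expired', 'renew-soon' or 'ok' for a certificate dict."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew-soon"
    return "ok"


def check_host(host, port=443, timeout=5):
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise invalid certificate fails the handshake,
        # the same condition that produces the browser warning.
        return "invalid: " + exc.verify_message


# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    print(days_remaining(SAMPLE_CERT, SAMPLE_NOW),
          expiry_status(SAMPLE_CERT, SAMPLE_NOW))
```

Running `check_host` on a schedule against your own domain gives you a renewal reminder that does not depend on the CA's emails.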
What Does HTTPS Mean? What Does SSL Mean?
Hypertext Transfer Protocol (HTTP) is the foundation upon which the modern internet is built. It represents a set of rules for transferring data and multimedia files, and every website uses it, including this one! HTTPS, as we mentioned previously, is a more secure version of HTTP.
We introduced SSL earlier as the acronym for Secure Sockets Layer. These two protocols go hand in hand, since SSL is what makes HTTPS ‘secure’. Let’s take a few minutes to discuss how that process works.
HTTPS vs. HTTP
If a website address begins with HTTPS instead of HTTP, it indicates that all the data you send to and receive from that website is encrypted. Even if the data were to be intercepted by an unauthorized third party, they wouldn’t be able to decipher it.
To put it simply, if you’re concerned about data security, it’s always good news when the website you’re visiting uses HTTPS instead of HTTP. Next, we’ll go over some of the benefits of using the protocol in case you’re still on the fence about enabling it on your own site.
Why Your WordPress Site Needs SSL
Using SSL with WordPress is similar to any other platform. However, this particular Content Management System (CMS) is making a concerted push to encourage site owners to make the switch. As part of this initiative, its developers are looking to require all web hosts to offer HTTPS.
WordPress powers everything from blogs to eCommerce sites, which means it’s a perfect example of a platform that can benefit from additional security. In short, if you’re a WordPress user, you should certainly consider getting an SSL certificate. It won’t take long to configure the platform to work through HTTPS, and you’ll get plenty of benefits in exchange.
The advantages of using SSL include:
- Enhanced security. SSL certificates secure your visitors’ data by encrypting information as it travels from their web browsers to your server. This ensures that the information shared by your users is safe as it transfers.
- Increased customer trust. Since they can see that your website is secure, thanks to the ‘lock’ icon and the site’s URL, you’re giving both visitors and yourself peace of mind. This encourages more trust when compared to an unsecured website, which may lead to increased conversions.
- PCI compliance. SSL also enables you to maintain Payment Card Industry (PCI) compliance and accept online payments. In fact, an SSL certificate is not just recommended but required in order to meet PCI regulations.
- Improved SEO. The benefits of obtaining an SSL certificate don’t stop with security. In fact, search engines such as Google have made it their mission to incentivize website owners to enable HTTPS whenever possible. To that end, sites with HTTPS connections can receive a boost in rankings on Search Engine Results Pages (SERPs).
- Easy setup. The good news is that some web hosts will set up SSL for you. Here at WP Engine, we’re particularly mindful about user security, which is one of the reasons we make obtaining SSL certificates simple. If you’re not sure whether or not you have an SSL certificate for your website, you can easily check by looking for the ‘lock’ icon before your site’s URL in the browser address bar.
Now that you know more about how SSL certificates work to secure your website, and the benefits to be had from purchasing one, let’s take a look at the different varieties you can choose from.
Types of SSL Certificates
To fully understand SSL certificates and how best to use them on your website, you’ll want to know about the different kinds that are available. Certificates are classified based on both their validation levels and the number of domains they can secure.
First, let’s take a look at the types that are available based on the number of domains secured:
- Single. This type of certificate will apply only to a single domain or hostname.
- Wildcard. A wildcard certificate can secure any number of subdomains for a given domain name.
- Multi-domain. These are sometimes referred to as Subject Alternative Names (SAN) or Unified certificates, and they can cover up to 100 domains. Multi-domain certificates were designed specifically to save money and time when there’s a need to secure multiple domains on a single server.
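To check which of these three kinds a certificate is and whether it actually covers a given hostname, you can inspect its Subject Alternative Name list. This is an added example, not code from the original article; the sample certificates, the function names and the single/wildcard/multi-domain heuristic are assumptions constructed for illustration. It also shows a detail the list above does not: a wildcard matches exactly one subdomain label, so `*.example.com` covers `shop.example.com` but neither `a.b.example.com` nor `example.com` itself.

```python
def san_dns_names(cert):
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(cert, hostname):
    """True if any SAN entry on the certificate matches the hostname."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))


def coverage_type(cert):
    """Heuristic label based only on the SAN list (an assumption of this example)."""
    names = san_dns_names(cert)
    if not names:
        return "none"
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    return "single" if len(names) == 1 else "multi-domain"


# Constructed sample certificates in getpeercert() shape
SINGLE_CERT = {"subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
MULTI_CERT = {"subjectAltName": (("DNS", "example.com"),
                                 ("DNS", "example.org"),
                                 ("DNS", "shop.example.net"))}

if __name__ == "__main__":
    for cert in (SINGLE_CERT, WILDCARD_CERT, MULTI_CERT):
        print(coverage_type(cert), covers(cert, "shop.example.com"))
```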
Now, let’s take a look at the different levels of validation and what they mean. Validation is how the issuing CA verifies the ownership and legitimacy of the entity requesting the certificate, and there are three types:
- Domain Validation (DV). This is the lowest form of validation provided by CAs. It’s typically achieved via email verification in a couple of hours. In general, all you have to do is demonstrate that you have control over the domain you want to secure.
- Organizational Validation (OV). As a moderate level of validation, this option can take a couple of days to complete. It involves the CA verifying ownership of the domain in question. The authority will contact the organization via the information provided in the certificate.
- Extended Validation (EV). As the strictest level of validation, extended validation goes the furthest to verify ownership of the domain. The CA will go to lengths to contact the organization and make sure the owners of the domain know that an SSL certificate was purchased for it. They will also verify that the organization or company is legitimate.
While all levels of validation take some effort to acquire, EV can take a couple of weeks and is the most expensive, as it requires time and human resources. However, the higher levels of validation also provide you with a more secure certificate.
When choosing the right type of SSL certificate for your site, you’ll need to evaluate your needs based on the level of trust and security you require. Also, you’ll want to take into consideration the number of domains you will want the certificate to cover.
How to Install SSL on a WordPress Site
Depending on your hosting provider, setting up an SSL certificate can take minutes or hours. Most reputable web hosts provide you with the option to obtain a certificate through cPanel, but even then, they still require you to enable HTTPS for WordPress manually. This can take some time, depending on your level of comfort with the platform.
Here at WP Engine, we provide you with two certificate options right out of the gate: one free and one premium. Furthermore, we handle all the technical elements for you. This means that once your certificate is ready to go, we’ll enable HTTPS throughout your entire WordPress website without you having to lift a finger.
All you need to do is log into the WP Engine User Portal, choose the WordPress installation you want to certify, select the SSL option, and click on Add Certificates. Then you’ll be able to choose from our existing options. Once you’ve picked the certificate you want (and paid for it, if it’s a premium certificate), we’ll take care of the rest for you.
Secure Your Site With WP Engine
Depending on your choice, SSL certificates can be quite expensive. Here at WP Engine, however, we provide you with two accessible choices. All of our users have access to free Let’s Encrypt certificates – which are recommended for most sites – along with premium alternatives from RapidSSL (starting at $199 per year).
Furthermore, our excellent support team can guide you through the process of setting up your certificate. All you need to do is find the right plan for your needs, and sign up to get a secure site today!