What is an SSL Certificate (and Why You Need One) – The Beginner's Guide

As an experienced WordPress webmaster with over 15 years in the industry, I've helped hundreds of sites get set up with SSL certificates for optimal security. This beginner's guide gives you a detailed overview of SSL certificates: what they are, why you need one, and how to install one on your WordPress site.

What is an SSL Certificate?

SSL (Secure Sockets Layer) certificates are small data files that digitally bind a cryptographic key to the details of an organization. When installed on a web server, a certificate activates the padlock and the HTTPS protocol, allowing secure transmission of data between the site and the end user.

Without SSL installed, data is transmitted in plain text and can be intercepted along the way – like sending a postcard instead of a letter in an envelope.

SSL encrypts and scrambles the data during transmission so no one can read it. It's like putting your letter in a locked box that only the recipient has the key for.

According to Trustwave's 2020 SSL report, over 80% of web traffic is now encrypted by default. That number rises above 90% for ecommerce websites.

According to Google's Transparency Report, over 90% of Google's own sites use HTTPS as well.

This widespread adoption is why SSL certificates are a requirement for any professional website today.

Why You Need an SSL Certificate

Here are some key reasons why your WordPress site should be secured with SSL:

Data Security

SSL encryption prevents hackers from stealing sensitive user data like passwords, names, addresses, credit card numbers and more.

Over 50% of shopping cart abandonment is due to trust and security concerns. SSL certificates establish trust with your site visitors by securing their data during transmission.

SEO Ranking Boost

Google prioritizes sites with SSL installed by giving them a ranking boost in search results.

Pages served over HTTPS are also given more crawl budget by Googlebot.

Having SSL will improve your SEO and increase organic traffic to your site.

Browser Warnings

Chrome and Firefox now display "Not Secure" warnings on pages served over HTTP. These warnings scare visitors away from submitting any sensitive data to your site.

With SSL installed, the browser will display a padlock or "Secure" label instead, reassuring visitors.

PCI Compliance

If your website accepts credit card payments, then you are required to comply with the PCI Security Standards. This includes using SSL for transmitting cardholder data.

Trust and Credibility

The SSL padlock and HTTPS protocol provide visual trust signals. Visitors know they can submit sensitive data safely to your site.

An SSL certificate also validates the legal identity of your business and establishes credibility.

How Does SSL Work?

SSL certificates use public key encryption to secure data in motion between two systems. Here is how it works at a protocol level:

  1. A browser requests access to a secure page on a web server which has an SSL certificate installed.

  2. The web server sends over its SSL certificate which contains its public key.

  3. The browser verifies that the SSL certificate is valid and trusted. A handshake process starts.

  4. The browser generates a symmetric session key and encrypts it with the server's public key, then sends it back.

  5. The server decrypts the symmetric key with its private key to complete the handshake.

  6. Both systems now encrypt all transmitted data with the one-time symmetric key for that session.

  7. The SSL session ends when the connection is closed, discarding the symmetric key.

This allows for secure two-way encryption between the server and browser without exposing the private key, which remains on the server side only.
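
The exchange in steps 2 and 4 to 6, walked through in code. This is an added illustration, not code from the original guide: the tiny textbook-RSA key pair, the SHA-256 XOR keystream and the sample request are constructed stand-ins for what a real TLS library does, and the certificate validation in step 3 is left out.

```python
import hashlib
import secrets

# Constructed toy server key pair: two Mersenne primes, textbook RSA, no padding.
# Far too weak for real use; it only makes the message flow visible.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never leaves the server

REQUEST = b"POST /wp-login.php pwd=constructed-example"   # constructed sample data

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def handshake():
    """Run steps 2 and 4-6; return both sides' keys and what crossed the wire."""
    # Step 2: the server sends its certificate; modelled here as the public key.
    n, e = N, E
    # Step 4: the browser picks a random session key and encrypts it to the server.
    browser_key = secrets.token_bytes(16)
    wire_key = pow(int.from_bytes(browser_key, "big"), e, n)
    # Step 5: the server recovers the session key with its private exponent.
    server_key = pow(wire_key, D, N).to_bytes(16, "big")
    # Step 6: application data travels encrypted under the shared session key.
    wire_data = keystream_xor(browser_key, REQUEST)
    received = keystream_xor(server_key, wire_data)
    return browser_key, server_key, wire_key, wire_data, received

if __name__ == "__main__":
    bk, sk, wk, wd, rx = handshake()
    print("session keys match:", bk == sk)
    print("seen on the wire  :", hex(wk), wd.hex())
    print("server decrypted  :", rx)
```

An eavesdropper sees only `wire_key` and `wire_data`; without the private exponent `D`, neither reveals the session key or the request.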

How To Get an SSL Certificate

There are four main ways to get an SSL certificate for your WordPress site:

Your Web Host

Many managed WordPress hosts like Bluehost, SiteGround and WP Engine include free SSL certificates with their web hosting plans.

For example, Bluehost's shared hosting plans include a free certificate from Let's Encrypt. This is the easiest option if you're on a budget.

Certificate Authority

You can purchase SSL certificates directly from CAs like DigiCert, Entrust, GlobalSign, and Comodo.

Prices vary based on the validation level – Domain (~$10/year), Organization (~$50-100/year) or Extended Validation (~$150+/year).

We recommend DigiCert or Comodo as affordable options for small to medium sites.

CDN Providers

Content Delivery Networks (CDNs) like Cloudflare offer free shared SSL across their distributed servers. However, this doesn't cover the connection from origin server to CDN edge location.

Self-Signed Certificates

You can create your own self-signed SSL certificate for free. But this will trigger security warnings in browsers, as the certificate is not signed by a trusted CA.

For maximum browser compatibility and trust, we recommend purchasing from a reputable CA like DigiCert or Comodo. The annual cost is well worth it for the added security and trust it provides your visitors.

How to Install an SSL Certificate on WordPress

Once you have an SSL certificate for your domain, follow these steps to activate it on WordPress:

  1. Install the certificate on your web server or CDN. Your hosting provider or CA will provide instructions on this.

  2. Log in to your WordPress dashboard. Go to Settings → General. Change both WordPress Address (URL) and Site Address (URL) to HTTPS.

  3. Update hardcoded URLs. Use a plugin like Velvet Blues Update URLs to change all http links to https across your site.

  4. Flush permalinks. Go to Settings → Permalinks and click Save to flush rewrite rules. This avoids 404 errors.

  5. Force HTTPS through your .htaccess file or a plugin like Really Simple SSL. This redirects all http traffic to https.

  6. Update XML sitemaps and submit them to Google Search Console.

Your WordPress site is now fully secured with HTTPS SSL! Just make sure to renew your certificate before expiry.

Troubleshooting issues

When moving to HTTPS, some common SSL issues you may encounter include:

  • Mixed content warnings – Fix by updating all resources loaded over HTTP to HTTPS.

  • Browser warnings about issuer or certificate chain – This means your root CA certificate is missing or not trusted. Check with your host or CA.

  • HTTPS redirection loops – Flush permalinks and site caches. Disable HTTP caching plugins before migrating.

  • Site broken after migration – Revert changes and investigate. Activate debug mode and check for fatal errors.

  • Images not loading – Clear browser cache and re-upload images. Use a CDN so images load over HTTPS.

  • SSL expiry and renewal – Set calendar reminders for expiry date. Renew the certificate at least a month prior.

  • Website downgrade to HTTP – Double check that .htaccess redirect and WordPress HTTPS settings are still in place.

Reach out to your web hosting support, SSL provider or the WordPress forums if you need help troubleshooting.
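
For the expiry and renewal item above, a scheduled check is more dependable than a calendar reminder. The script below is an added example, not part of the original guide: the sample certificate is constructed, the function names are hypothetical, and the 30-day window is an assumption matching "at least a month prior".

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("commonName", "example.com"),),),
               "notAfter": "Jun 15 12:00:00 2030 GMT"}

def expiry_epoch(cert):
    """Convert the certificate's notAfter field to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert["notAfter"])

def renewal_status(cert, now=None, renew_days=30):
    """Return (status, whole_days_left); status is 'ok', 'renew' or 'expired'."""
    now = time.time() if now is None else now
    days_left = int((expiry_epoch(cert) - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    return ("renew" if days_left < renew_days else "ok"), days_left

def fetch_cert(host, port=443, timeout=10):
    """Fetch a live site's certificate; chain and hostname are verified first."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(renewal_status(SAMPLE_CERT))
    # Live check: print(renewal_status(fetch_cert("example.com")))
```

If the certificate is already expired or its chain is not trusted, `fetch_cert` raises `ssl.SSLCertVerificationError` during the handshake, which is the same condition that produces the browser warning.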

WordPress SSL Recommendations

Besides the SSL certificate itself, we recommend taking these additional measures for optimal security:

  • Install a firewall like Wordfence to protect against threats like DDoS.
  • Limit login attempts with plugins like Limit Login Attempts to prevent brute force attacks.
  • Use strong passwords with random characters, numbers and special symbols.
  • Leverage two-factor authentication using Google Authenticator for all admin accounts.
  • Disable file editing from within WordPress admin to prevent injected malware.
  • Regularly update WordPress core, plugins and themes to the latest versions.
  • Limit resource usage by restricting plugins and removing unused themes on live sites.
  • Follow WordPress hardening guides like this one for additional measures.

Taking the time to properly secure your WordPress site beyond just SSL will significantly reduce your risk and prevent compromise.

WordPress SSL Certificate – Conclusion

Here are the key takeaways from this beginner's guide on SSL certificates:

  • SSL encrypts data during transmission between the browser and server to prevent interception and theft.

  • SSL certificates are mandatory for any professional WordPress site, especially those collecting user information.

  • Free SSL certificates are available from some web hosts and CAs like Let's Encrypt.

  • Paid certificates provide maximum credibility and compatibility when issued by trusted CAs like DigiCert.

  • Switching to HTTPS requires updating URLs and flushing permalinks in WordPress settings.

  • Additional security measures like firewalls and backups are recommended beyond just SSL.

I hope this WordPress SSL guide was useful for you. Let me know if you have any other questions in the comments! I'm always happy to help fellow webmasters implement best practices.

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast love to share some useful tech hacks.