Do we REALLY need an SSL certificate for my VERY small business website?

So after all this EU GDPR stuff (you have been paying attention, we hope), we have again been asked about this SSL certificate thingy. While SSL certificates are not as exciting as designing your first small business website, they are enormously important nowadays.

You’ve probably heard of SSL certificates (we certainly hope so), and even if you don’t know exactly what they are and what they do, we want to make sure you know what’s what.

In this article, we’ll explore whether your small business needs an SSL certificate, and explain how you can go about getting one for your website.

What exactly is this SSL certificate thing?

“SSL” stands for “Secure Sockets Layer”, but on its own that doesn’t shed much light on what an SSL certificate is and what it does.

Put simply, an SSL certificate ensures that any data transmitted between a website visitor and the website they’re visiting is secure.

It does this through encryption, and the best thing is once a WordPress website owner has properly configured their SSL it all happens in the background, no further work needed, providing a seamless process for website visitors.

That’s probably as much as the average small business owner needs to know about how an SSL certificate functions, but if you’re REALLY hungry for more knowledge (and have a touch of insomnia), you can read this Wikipedia article on the history and function of SSL, and its transformation into TLS.

Do I honestly REALLY need an SSL certificate for my small business WordPress website?

Truth is that the chances are you’re asking your site visitors to send you at least one form of sensitive personal information via your website in one way or another.

This personal information includes names (first & second), postal or actual addresses, email addresses and, if you are lucky 🙂, payment details. If you have a “logged in” or “members” area on your website, then this escalates it all, as this will include all sorts of sensitive personal information that needs to be protected.

Put simply, if your WordPress website has a contact form (and whose doesn’t?), or you accept payments via your website (if you are lucky!), then you need to ensure that all this information is secure going to and from the user’s browser to your website server, and having an SSL certificate is an excellent way to do that.

And now we have Google Chrome and SSL to deal with

Another reason that you may wish to strongly consider getting an SSL certificate is an upcoming change to Google Chrome.

When July 2018 rolls around, new versions of Google Chrome will stop marking secure sites as “SECURE” in green, and will start marking websites without SSL as “NOT SECURE” in red.

So your website visitors who are using an up to date version of Google Chrome will see a warning, which may put them off.

This is all part of Google’s ongoing efforts to make the web more secure, and it’s a useful reminder to you to make sure that your visitors’ data is always protected.

SSL and EU GDPR

Unless you’ve been under a rock (and a heavy one), you’ll have already heard about the ‘new’ EU GDPR and how it may affect your small business. (Check out our guide to GDPR.)

As a quick reminder, EU GDPR is all about data protection and data access. As you probably already know, this data includes all those things we’ve already talked about above: all that juicy payment information, names and addresses, and email addresses.

While having an SSL certificate isn’t a specific requirement under EU GDPR, the regulation does require you to keep data transmitted via your website secure. Therefore, using an SSL certificate is a great start to ensure your website complies with this aspect of EU GDPR.

So how do I get an SSL for my small business website?

There are now a good number of ways to get yourself an SSL certificate for your website. Some are simple plug and play (which you tend to pay for), and others need a little bit of tech to install and get working. It must be said that SSL installation is not just some plugin install in WordPress, and needs a bit more tech knowledge.

The 3 ways we are recommending and covering here are:

  1. Buy an SSL Certificate from your host and have them install it
  2. Use Cloudflare’s Flexible SSL service (and get some bonuses)
  3. Use Let’s Encrypt free wildcard SSL Certificate

1. Buy an SSL Certificate from your host and have them install it

The easiest way to get an SSL certificate for your small business website is to simply purchase one from your host. You can buy SSL certificates from GoDaddy, and our product page will help you decide which kind of SSL is most suitable for your website.

Once you’ve chosen and purchased an SSL Certificate, you need to install it on your website.

If your website has been created in another way, you can follow this guide to install an SSL certificate.

Installing an SSL is a technical process, so if you’ve used a web designer to build your site, you may wish to ask them to install it for you.

2. Use Cloudflare service’s Flexible SSL

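We have used Cloudflare to enable SSL on many websites. If you are not collecting payment or credit card info, this is the system we use. Keep in mind that Flexible SSL encrypts only the connection between the visitor and Cloudflare; the connection from Cloudflare to your own server still travels over plain HTTP.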

Simply follow this list:

  1. Sign up to Cloudflare
  2. Select the free plan
  3. Follow the steps for adding your domain name
  4. When you have registered and set up your domain name, click on your domain
  5. At the top there will be a row of icons; click on Crypto
  6. The first option will be SSL, select flexible SSL

You have now requested a Flexible SSL Certificate from Cloudflare, and it will normally take around 15 minutes to be issued. Cloudflare will tell you your Flexible SSL is active by displaying a green “active” box below.

IMPORTANT – In your WordPress backend leave your WordPress Address (URL) and Site Address (URL) as HTTP. Leave them alone!

Next, you will have to install these plugins:

Activate them both and follow instructions in regards to signing up and authorising.

Instruct Cloudflare to deliver our content via HTTPS

  1. Next go back to Cloudflare and set some page rules.
  2. Go back to Cloudflare
  3. Select your domain
  4. In the row of icons at the top select Page Rules
  5. Add a rule with URL *yourdomain.com/*
  6. Turn “Always Use HTTPS” on
  7. Click add rule and activate
  8. Go back to your WordPress website and turn on SSL using Really Simple SSL (which will prompt you)

Check your Cloudflare Flexible SSL is working

That should be you set up with your new free Cloudflare Flexible SSL Certificate. Just visit your website in a browser and check to see if the green lock is showing on the top left of your address bar.
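The lock can still go missing on individual pages that load http:// assets, and it does not show whether plain-HTTP requests are being redirected. The Python sketch below is an added example, not part of the original article or of Cloudflare's tooling: it scans a page's HTML for mixed content and checks a redirect response. The sample HTML and the example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute through which a page loads a sub-resource or posts data.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "source": "src", "link": "href", "form": "action"}

class MixedContentFinder(HTMLParser):
    """Collects sub-resources an HTTPS page would still fetch over HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # <link rel="canonical"> is only a hint; stylesheets are fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        absolute = urljoin(self.page_url, value)  # resolves "//host/x" and "/x"
        if urlparse(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

def redirects_to_https(status, location):
    """True if a plain-HTTP request was answered with a redirect to HTTPS."""
    return status in (301, 302, 307, 308) and urlparse(location or "").scheme == "https"

# Constructed sample: a WordPress-style page whose theme still emits http:// URLs.
SAMPLE_HTML = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="//example.com/wp-includes/js/jquery.js"></script>
<img src="/wp-content/uploads/logo.png">
<img src="http://example.com/wp-content/uploads/banner.jpg">
<form action="http://example.com/contact" method="post"></form>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://example.com/", SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
    print(redirects_to_https(301, "https://example.com/"))
```

Protocol-relative (`//host/...`) and site-relative (`/...`) URLs inherit the page's HTTPS scheme, so only the three hard-coded http:// references are reported.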

3. Use Let’s Encrypt free wildcard SSL Certificate

To enable HTTPS on your website using the Let’s Encrypt system, you need to get a certificate (a type of file) from Let’s Encrypt, which is a Certificate Authority (CA). In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

To figure out what method will work best for you, you will need to know whether you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there’s a good chance you don’t have shell access. You can ask your hosting provider to be sure.

With Shell Access

We recommend that most people with shell access use the Certbot ACME client. It can automate certificate issuance and installation with no downtime. It also has expert modes for people who don’t want autoconfiguration. It’s easy to use, works on many operating systems, and has great documentation. Visit the Certbot site to get customized instructions for your operating system and web server.

If Certbot does not meet your needs, or you’d like to try something else, there are many more ACME clients to choose from. Once you’ve chosen ACME client software, see the documentation for that client to proceed.

If you’re experimenting with different ACME clients, use the Let’s Encrypt staging environment to avoid hitting rate limits.

Without Shell Access

The best way to use Let’s Encrypt without shell access is by using built-in support from your hosting provider. If your hosting provider offers Let’s Encrypt support, they can request a free certificate on your behalf, install it, and keep it up-to-date automatically. For some hosting providers, this is a configuration setting you need to turn on. Other providers automatically request and install certificates for all their customers.

Check the Let’s Encrypt list of hosting providers to see if yours is on it. If so, follow their documentation to set up your Let’s Encrypt certificate.

If your hosting provider does not support Let’s Encrypt, you can contact them to request support. Let’s Encrypt does its best to make it very easy to add support, and providers are often happy to hear suggestions from customers!

If your hosting provider doesn’t want to integrate Let’s Encrypt, but does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a certificate that you can upload to your hosting provider. We don’t recommend this option because it is time-consuming and you will need to repeat it several times per year as your certificate expires. For most people it is better to request Let’s Encrypt support from your hosting provider, or switch providers if they do not plan to implement it.
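To see when the manual renewal described above is due, and whether a wildcard certificate covers every hostname you serve, you can audit the certificate your site presents. This Python sketch is an added example, not code from Let's Encrypt or Certbot; the 30-day threshold, the sample certificate and the example.com names are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption: treat fewer than 30 days left as "renew now"

def days_remaining(not_after, now=None):
    """Whole days until the certificate's notAfter timestamp."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def name_covers(pattern, hostname):
    """A wildcard stands for exactly one left-most label, never the bare domain."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def audit_cert(cert, hostnames, now=None):
    """cert is a dict in the shape returned by SSLSocket.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    days = days_remaining(cert["notAfter"], now)
    if days < 0:
        status = "expired"
    else:
        status = "renew now" if days < RENEW_BEFORE_DAYS else "ok"
    uncovered = [h for h in hostnames if not any(name_covers(s, h) for s in sans)]
    return {"days_left": days, "status": status, "uncovered": uncovered}

def fetch_cert(host, port=443, timeout=10):
    """Fetch the certificate the live site presents (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a wildcard-only certificate with 20 days of validity left.
SAMPLE_CERT = {"notAfter": "Mar 21 12:00:00 2030 GMT",
               "subjectAltName": (("DNS", "*.example.com"),)}
SAMPLE_NOW = datetime(2030, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, ["example.com", "www.example.com"], SAMPLE_NOW))
```

Against a live site, pass `fetch_cert("your-hostname")` to `audit_cert` together with the list of names you expect the certificate to cover.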

In summary

In reality this SSL certificate is a crucial and vital part of running a secure website, and the chances are that your small business will need one to ensure your customers are protected.

Remember, if you have any questions about buying and installing an SSL, we are here to help.
