Skip to content

What Is SSL? Like, Really… Plus Why Your WordPress Site Needs It and How to Get It Installed for Free

What is SSL is a question that you probably kind of know the answer to. Most people dealing with websites do. Or, at least, they pretend they do. 🤔

It’s okay. These things have a level of complexity to them, and all these three-letter abbreviations do require some time getting used to.

So here’s an all-you-need-to-know guide to SSLs and all things related. We also tell you how to enable SSL on WordPress step by step.

What Is SSL - WordPress

What is SSL? Like, really…

Okay, so you know what SSL stands for. That would be, “Secure Sockets Layer.”

In simple terms, what is SSL can be answered by saying that it is a way to encrypt the connection between a website and its visitor. When this encryption takes place, it means that only that specific website and that specific visitor can read the information they’re sending back and forth.

Without the SSL in place, virtually anyone can eavesdrop on the data transfer. And I do mean anyone!

The traditional way in which HTTP communication is handled on the web is by sending plain packets that can be read by third parties while on their way between the source and the destination. This is not such a problem when you’re just browsing 9gag, but it can be a serious threat when you’re trying to buy something online and have just input your credit card number.

In other words, here’s what happens when you visit a website that does not use SSL:

no ssl

The guy in the middle can read the entire communication purely because it’s all happening in the open with no encryption whatsoever.

Imagine talking to someone in a busy cafe. It’s kind of like that.

Now with SSL running:

with ssl

The communication is encrypted. While people can still intercept it as it’s traveling through the interwebs, decrypting it is near impossible.

Imagine sitting in the same busy cafe, but now you’re speaking Klingon, backwards.

How does SSL work?

It’s all quite simple when we get to the mechanics:

Again, SSL encrypts all data being transferred between the visitor and the website.

For a website to use SSL, they need to obtain an SSL certificate. That certificate is a proof that the website is a legit one and that the SSL encryption they’re using is correct, plus the certificate also holds the information about the public key used for encryption (more on that later).

Here’s what’s going on step by step when a person visits an SSL-powered website:

Phase 1: 🧐

The visitor’s browser checks if the SSL certificate of the website is valid.

This is done to make sure that the certificate is not fake and that the website is what it claims to be.

The browser checks the certificate to make sure it’s not an imposter site. However, the browser doesn’t do this on its own but instead checks with a certificate authority – a third party company that issues certificates.

If the validation goes well, the browser lets you know by showing this familiar padlock:

padlock

Phase 2: 🔑

The browser uses the certificate when communicating with the website.

This is done by taking the public key that’s part of the certificate and using it to encrypt all data sent to the website.

That data is then transmitted to the website in its encrypted form.

Phase 3: 🔐

The website uses its own private key to decrypt the message and then processes it.

That private key is known only to the website, and it’s also the only key that can decrypt the message correctly. This means that only the website can read the information that the user is sending.

This becomes crucially important when the data being sent is stuff like credit card numbers.

Phase 4: 🔏

The website sends a response to the visitor and adds a unique signature to it using the private key.

The signature can be verified on the user’s end by using the public key of the website. In other words, only the website itself could produce that specific signature since only it has the private key.

At this stage, we’ve come full circle, from establishing a secure connection to sending data to the website and then receiving a response. This is how communicating through SSL is done.

The public-private key pair is a simple concept, but it’s all that’s required to establish a secure channel of communication and to make sure that the party you’re communicating with is what they claim to be.

💡 In simple terms, you can think of the public key as the padlock and the private key as the actual secret combination that can be used to open the padlock.

What’s the difference between SSL and TLS

In a word, there’s no difference.

Okay, to be more specific, there is. But a simple one for all we need to know. TLS (Transport Layer Security) is an updated version of SSL. It’s more secure, and it’s actually what all of us use these days instead of SSL.

Yes, you read that right, whenever you get a – what you think is – an SSL certificate for your website, you’re actually getting a TLS certificate. So when you ask what is SSL, you’re in effect asking what is TLS.

We still refer to it as SSL because it’s a more commonly used and understood term.

What’s HTTPS?

HTTP is a protocol used for communicating over the internet. It’s using this protocol how a website sends you its contents/data and how you can interact with it and send data back.

HTTPS is a secure version of the protocol. That’s what the “S” at the end stands for.

With HTTPS, the communication itself is done pretty similarly with the only difference being that it’s encrypted using an SSL certificate, making it secure.

Types of SSL/TLS certificates

Not all SSL certificates are created equal. Based on what type of certificate you get for your website and how you configure it, your visitors will see different notifications in their browsers.

Most commonly, certificates are grouped based on two things:

  • (a) what the validation level of the certificate is
  • (b) how many domains can be secured using a single certificate

Under the first group (a), we have:

  • certificates validating just the domain name itself – the certificate authority simply validates that the company has control of their domain name
  • certificates validating the organization owning the domain – this one validates not only the domain name but also the information included in the certificate about the organization, such as name and address
  • certificates offering extended validation – this is the highest level of a certificate where the certificate authority verifies the ownership of the domain, the information about the organization, their physical location, and even legal existence of the company

In order to make your site correctly integrated with SSL, you need to opt for either standard domain validation or organization validation. The third level is usually something only the big players opt for, such as PayPal, Airbnb, etc.

You can see the level of SSL certificate in the browser window.

 

Domain and organization validated certificates appear as:

padlock
 
 

While extended certificates have an additional bar around the padlock and the company name:

What is SSL - SSL extended
 

In the second group (b), we have:

  • single-domain certificates
  • wildcard certificates
  • multi-domain certificates

These are all pretty straightforward. Single-domain certificates allow you to validate one website under one domain name.

For example, if your main site runs on YOURSITE.com and your blog runs on YOURSITE.com/blog then you can have those under one single-domain certificate.

However, if your site is on YOURSITE.com but your blog runs on blog.YOURSITE.com then you’ll need a wildcard SSL.

With the wildcard certificate, you can basically validate a single domain name plus an unlimited number of subdomains under that main domain. Basically, there’s a wildcard character in the certificate – *.YOURSITE.com, hence the name.

The last type of certificate, multi-domain certificate allows you to protect up to 100 domain names under the same certificate. This is not something that a casual website owner or even a developer needs to trouble themselves with.

👉 Here’s your cut-out-‘n-keep summary of which SSL certificate you should choose:

  • Need to validate a single domain name? Get a single-domain certificate of either domain-level or organization-level validation.
  • Need to validate a website with one or more subdomains? Get a wildcard certificate of either domain-level or organization-level validation.

Why having SSL on your site is important

SSLs used to be really expensive back in the day. Not that long ago, if you wanted to add an SSL to your site, you had basically only two options – VeriSign or Comodo. Both of them were quite expensive (around $100 / year). So most people simply didn’t bother. Having an SSL on your site seemed like an unnecessary and costly luxury.

But times have changed, and that is mainly thanks to one organization – Let’s Encrypt. You’ve probably heard of them by now. In short, Let’s Encrypt provides entirely free, genuine SSL certificates to any website that wants one.

The “free” component of their offering is what really got the “SSL for the masses” concept off the ground.

But there was also another player on the field that made a lot of difference – Google.

Google was always quite open when it came to encouraging website owners to integrate SSL certificates. However, it wasn’t until Google actually made encryption a ranking signal that everybody started taking them seriously.

Read: if you want your website to rank better, you need SSL!

So, with Google’s and Let’s Encrypt’s efforts combined, the number of SSL-powered websites has been on a huge rise, with more than 150 million websites using Let’s Encrypt at the time of writing.

letsencrypt stats

What’s even more impressive, there are around one million certificates issued a day.

What is SSL - one million certificates a day

Let’s Encrypt’s initiative is also supported by the other giant of the web – Facebook. The company has been with Let’s Encrypt from the very beginning and is now even converting all outbound links that users share on Facebook to HTTPS versions where possible.

As per Facebook’s own data:

“As we {Facebook} automatically crawl web content on Facebook, about 38% of HTTPS domains we observe use Let’s Encrypt, making it the top certificate authority. Over 19% of outbound clicks from Facebook to HTTPS-enabled websites go to sites that use certificates from Let’s Encrypt. Overall, more than 72% of outbound clicks from Facebook are now destined for HTTPS-enabled websites.”

This level of adoption is truly incredible! But Let’s Encrypt didn’t achieve this all on their own. Yes, Google’s efforts had its effect and Facebook’s for sure, but apart from that, Let’s Encrypt also has a lot of supporters in other web- and tech-savvy companies.

Actually, since we believe in what Let’s Encrypt is doing wholeheartedly, we’ve decided to sponsor Let’s Encrypt as well. As you’re reading this, CodeinWP has already gone through the steps of getting on board! 🍾✨

We’re really proud to join the ranks of companies like Mozilla, Cisco, Shopify, Sucuri, SiteGround and others who have sponsored Let’s Encrypt over the years! Since Let’s Encrypt is a non-profit, they are always looking for supporters of their work. You can join us in funding this effort!

How to get SSL on WordPress

Even though SSLs seem like a fairly tech-intensive thing to add to a website, in practice, integrating one with WordPress is quite straightforward.

Practically speaking, there’s only one sensible way of adding SSL to WordPress, and that is via your current web host.

A couple of reasons for this:

  • You don’t have to obtain the certificate manually from Let’s Encrypt. The host handles that for you.
  • You also don’t need to import that certificate to the server on your own. Again, your host’s job.
  • Lastly, you also don’t have to worry about renewing your certificate when it expires (happens every couple of months or so). Again, your host.

💡 If your host doesn’t give you access to Let’s Encrypt certificates or if you want to enable yours manually for other reasons, you still can. Let’s Encrypt explains how to do that on their site.

Here’s the easiest way of getting an SSL certificate on a WordPress site:

Step 1. Enable SSL via your host

Most of the top-tier WordPress hosts these days offer a free SSL certificate from Let’s Encrypt as part of their standard hosting packages with no additional fees involved.

Here are just some of the hosts that offer those free SSLs:

If you’re hosting your site with any of these, you’re in luck, and you can get an SSL certificate in a couple of clicks.

Here are some examples of how to take the first step:

Installing SSL on SiteGround:

Log in to your SiteGround user profile and go to My Accounts → Extra Services.

SiteGround SSL

By default, you might already have SSL activated on your primary domain. You’ll see that in the panel. You can click on the Manage button in the Let’s Encrypt SSL box to set everything up.

If you want to, you can also enable a wildcard SSL there.

SiteGround wildcard

Installing SSL on Bluehost:

Log in to your Bluehost user panel and go to My Sites → Security. You can enable the SSL there.

Bluehost SSL

Installing SSL on Flywheel:

Log in to your Flywheel user panel. You can add an SSL by clicking on the three dots icon next to your domain name.

flywheel add SSL

To complete the setup, you also have to provide Flywheel with some details about your organization. It’s just a simple form.

flywheel form

Installing SSL on any cPanel host:

If your host runs on cPanel (most hosts do) then you can also enable a Let’s Encrypt SSL certificate through there.

Log in to your cPanel and click on Let’s Encrypt in the SECURITY section.

cpanle lets encrypt

Click on the New SSL Certificate button.

cpanel new

Pick a domain name from the drop-down list – it contains all the domain names you have on that hosting setup – and activate the SSL.

Step 2. Enable SSL on your WordPress site

The next step you have to take is enable the SSL on your WordPress website’s end. Enabling the SSL via your host’s interface is only half the job.

To take care of this, get an all-in-one plugin called Really Simple SSL.

Right after activating the plugin, you’ll see this notice:

What is SSL and what it looks like when you activate the really simple SSL plugin

To finalize the setup, click on the Go ahead button.

You’ll see a confirmation, and you’ll get logged out of your WordPress dashboard. This is quite standard behavior so don’t worry and just log back in.

You now have enabled SSL on your WordPress website!

In case of any errors, go to Settings → SSL, the Settings tab, and fine-tune some of the options available there.

Really Simple SSL has some neat helpers next to each option to explain what they do.

What is SSL and what are some really simple SSL settings

With that done, you should see that good-looking padlock next to your site’s address bar.

What is SSL and what it looks like when it's enabled

See the 'Your connection to this site is not secure' notice in web browser?

One common error with SSLs is the one that Chrome labels, “Your connection to this site is not secure.” Here’s what it looks like:

What is SSL and what it looks like when Chrome shows you don't have it

This is a result of some of your website content – most likely some of the images – being fetched via the standard HTTP protocol instead of HTTPS. You can fix that by doing a quick search and replace.

First, check if that’s indeed the problem in your case. Fire up Chrome dev tools, switch to Console and look for something like this:

mixed content

If you see anything similar, you can proceed.

Get the Better Search Replace plugin. Activate it and then go to Tools → Better Search Replace.

  • In the Search for field put your own domain name with HTTP.
  • In the Replace with field put your domain but this time with HTTPS.
  • Select all tables.

search replace

Search and replace actions are somewhat scary to do so you can start with the Run as dry run box checked. This will just show you the preview of what’s going to be done in the live run. This can take a while, and especially when processing the wp_options table, which tends to be sizable.

If you’re satisfied with the preview, you can rerun the plugin but this time with the box unchecked.

search replace success

Let’s make the web better!

As you can see, enabling SSL on your site or the sites of your clients isn’t difficult at all. In most cases, you can get the whole thing done in less than 10 minutes – at least that’s what it took me even with the additional time needed to handle the “mixed content” error.

If your website still doesn’t use SSL, you’re on the wrong side of history. Upgrade now and make the experience more secure for your visitors and also better for you SEO-wise.

And let’s not forget that SSL is required for PCI compliance – meaning that you have to have SSL if you want to run an e-commerce store (on WooCommerce included).

For other security tips, please check these simple WordPress security tricks to keep your website safe.

So, is your site SSL-enabled? If not, what are you waiting for?!

Don’t forget to join our crash course on speeding up your WordPress site. Learn more below:

 
Yay! 🎉 You made it to the end of the article!
Karol K
Share:

0 Comments
Inline Feedbacks
View all comments

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!