“What is SSL?” is a question that you probably kind of know the answer to. Most people dealing with websites do. Or, at least, they pretend they do. 🤔
It’s okay. These things have a level of complexity to them, and all these three-letter abbreviations do require some time getting used to.
So here’s an all-you-need-to-know guide to SSLs and all things related. We also tell you how to enable SSL on WordPress step by step.
What is SSL? Like, really…
Okay, so you know what SSL stands for. That would be, “Secure Sockets Layer.”
In simple terms, SSL is used to encrypt the connection between a website and its visitor. When this encryption takes place, it means that only that specific website and that specific visitor can read the information they’re sending back and forth.
Without the SSL in place, virtually anyone can eavesdrop on the data transfer. And I do mean anyone!
The traditional way in which HTTP communication is handled on the web is by sending plain packets that can be read by third parties while on their way between the source and the destination. This is not such a problem when you’re just browsing 9gag, but it can be a serious threat when you’re trying to buy something online and have just input your credit card number.
In other words, here’s what happens when you visit a website that does not use SSL:
The guy in the middle can read the entire communication purely because it’s all happening in the open with no encryption whatsoever.
Imagine talking to someone in a busy cafe. It’s kind of like that.
Now with SSL running:
The communication is encrypted. While people can still intercept it as it’s traveling through the interwebs, decrypting it is near impossible.
Imagine sitting in the same busy cafe, but now you’re speaking Klingon, backwards.
How does SSL work?
It’s all quite simple when we get to the mechanics:
Again, SSL encrypts all data being transferred between the visitor and the website.
For a website to use SSL, it needs to obtain an SSL certificate. That certificate is proof that the website is a legit one and that the SSL encryption it’s using is correct. The certificate also holds the information about the public key used for encryption (more on that later).
Here’s what’s going on step by step when a person visits an SSL-powered website:
At this stage, we’ve come full circle, from establishing a secure connection to sending data to the website and then receiving a response. This is how communicating through SSL is done.
The public-private key pair is a simple concept, but it’s all that’s required to establish a secure channel of communication and to make sure that the party you’re communicating with is what they claim to be.
💡 In simple terms, you can think of the public key as the padlock and the private key as the actual secret combination that can be used to open the padlock.
What’s the difference between SSL and TLS
In a word, there’s no difference.
Okay, to be more specific, there is one, but it’s simple enough for our purposes. TLS (Transport Layer Security) is an updated version of SSL. It’s more secure, and it’s actually what all of us use these days instead of SSL.
Yes, you read that right: whenever you get what you think is an SSL certificate for your website, you’re actually getting a TLS certificate.
We still refer to it as SSL because it’s a more commonly used and understood term.
HTTP is a protocol used for communicating over the internet. It’s through this protocol that a website sends you its contents/data and that you can interact with it and send data back.
HTTPS is a secure version of the protocol. That’s what the “S” at the end stands for.
With HTTPS, the communication itself is done pretty similarly with the only difference being that it’s encrypted using an SSL certificate, making it secure.
Types of SSL/TLS certificates
Not all SSL certificates are created equal. Based on what type of certificate you get for your website and how you configure it, your visitors will see different notifications in their browsers.
Most commonly, certificates are grouped based on two things:
- (a) what the validation level of the certificate is
- (b) how many domains can be secured using a single certificate
Under the first group (a), we have:
- certificates validating just the domain name itself – the certificate authority simply validates that the company has control of their domain name
- certificates validating the organization owning the domain – this one validates not only the domain name but also the information included in the certificate about the organization, such as name and address
- certificates offering extended validation – this is the highest level of a certificate where the certificate authority verifies the ownership of the domain, the information about the organization, their physical location, and even legal existence of the company
In order to make your site correctly integrated with SSL, you need to opt for either standard domain validation or organization validation. The third level is usually something only the big players opt for, such as PayPal, Airbnb, etc.
You can see the level of SSL certificate in the browser window.
Domain and organization validated certificates appear as:
While extended certificates have an additional bar around the padlock and the company name:
In the second group (b), we have:
- single-domain certificates
- wildcard certificates
- multi-domain certificates
These are all pretty straightforward. Single-domain certificates allow you to validate one website under one domain name.
For example, if your main site runs on YOURSITE.com and your blog runs on YOURSITE.com/blog, then you can have those under one single-domain certificate.
However, if your site is on YOURSITE.com but your blog runs on blog.YOURSITE.com, then you’ll need a wildcard SSL.
With the wildcard certificate, you can basically validate a single domain name plus an unlimited number of subdomains under that main domain. Basically, there’s a wildcard character in the certificate – *.YOURSITE.com, hence the name.
The last type of certificate, the multi-domain certificate, allows you to protect up to 100 domain names under the same certificate. This is not something that a casual website owner or even a developer needs to trouble themselves with.
👉 Here’s your cut-out-‘n-keep summary of which SSL certificate you should choose:
- Need to validate a single domain name? Get a single-domain certificate of either domain-level or organization-level validation.
- Need to validate a website with one or more subdomains? Get a wildcard certificate of either domain-level or organization-level validation.
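To see which addresses each kind of certificate actually covers, here is an added example (not from the original article) that applies the standard wildcard matching rule to the YOURSITE.com cases above. It goes one step further than the text: the wildcard stands for exactly one label, so a deeper subdomain or the bare domain is covered only if the certificate lists it. The name lists are constructed for illustration.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Certificates cover hostnames only; the URL path plays no part."""
    return urlsplit(url).hostname


def name_matches(cert_name, hostname):
    """Match one certificate name against a hostname, wildcard-aware."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # "*" stands for exactly one label, never several
    if c[0] == "*":
        # Wildcard is honoured only as the whole leftmost label, and this
        # example (conservatively) requires two fixed labels after it.
        return len(c) > 2 and c[1:] == h[1:]
    return c == h


def covered(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists for the cases discussed above.
SINGLE = ["yoursite.com"]
WILDCARD_ONLY = ["*.yoursite.com"]
WILDCARD = ["*.yoursite.com", "yoursite.com"]  # wildcard plus the bare domain

URLS = [
    "https://YOURSITE.com/",
    "https://YOURSITE.com/blog",
    "https://blog.YOURSITE.com/",
    "https://shop.blog.YOURSITE.com/",
]


def report(cert_names):
    """Map each sample URL to whether the certificate covers its hostname."""
    return {u: covered(cert_names, host_of(u)) for u in URLS}


if __name__ == "__main__":
    for label, names in (("single-domain", SINGLE),
                         ("wildcard only", WILDCARD_ONLY),
                         ("wildcard + bare domain", WILDCARD)):
        print(label, report(names))
```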
Why having SSL on your site is important
SSLs used to be really expensive back in the day. Not that long ago, if you wanted to add an SSL to your site, you had basically only two options – VeriSign or Comodo. Both of them were quite expensive (around $100 / year). So most people simply didn’t bother. Having an SSL on your site seemed like an unnecessary and costly luxury.
But times have changed, and that is mainly thanks to one organization – Let’s Encrypt. You’ve probably heard of them by now. In short, Let’s Encrypt provides entirely free, genuine SSL certificates to any website that wants one.
The “free” component of their offering is what really got the “SSL for the masses” concept off the ground.
But there was also another player on the field that made a lot of difference – Google.
Google was always quite open when it came to encouraging website owners to integrate SSL certificates. However, it wasn’t until Google actually made encryption a ranking signal that everybody started taking them seriously.
Read: if you want your website to rank better, you need SSL!
So, with Google’s and Let’s Encrypt’s efforts combined, the number of SSL-powered websites has been on a huge rise, with more than 150 million websites using Let’s Encrypt at the time of writing.
What’s even more impressive, there are around one million certificates issued a day.
Let’s Encrypt’s initiative is also supported by the other giant of the web – Facebook. The company has been with Let’s Encrypt from the very beginning and is now even converting all outbound links that users share on Facebook to HTTPS versions where possible.
As per Facebook’s own data:
This level of adoption is truly incredible! But Let’s Encrypt didn’t achieve this all on their own. Yes, Google’s efforts had their effect and Facebook’s for sure, but apart from that, Let’s Encrypt also has a lot of supporters in other web- and tech-savvy companies.
Actually, since we believe in what Let’s Encrypt is doing wholeheartedly, we’ve decided to sponsor Let’s Encrypt as well. As you’re reading this, CodeinWP has already gone through the steps of getting on board! 🍾✨
We’re really proud to join the ranks of companies like Mozilla, Cisco, Shopify, Sucuri, SiteGround and others who have sponsored Let’s Encrypt over the years! Since Let’s Encrypt is a non-profit, they are always looking for supporters of their work. You can join us in funding this effort!
How to get SSL on WordPress
Even though SSLs seem like a fairly tech-intensive thing to add to a website, in practice, integrating one with WordPress is quite straightforward.
Practically speaking, there’s only one sensible way of adding SSL to WordPress, and that is via your current web host.
A couple of reasons for this:
- You don’t have to obtain the certificate manually from Let’s Encrypt. The host handles that for you.
- You also don’t need to import that certificate to the server on your own. Again, your host’s job.
- Lastly, you also don’t have to worry about renewing your certificate when it expires (happens every couple of months or so). Again, your host.
💡 If your host doesn’t give you access to Let’s Encrypt certificates or if you want to enable yours manually for other reasons, you still can. Let’s Encrypt explains how to do that on their site.
Here’s the easiest way of getting an SSL certificate on a WordPress site:
Step 1. Enable SSL via your host
Most of the top-tier WordPress hosts these days offer a free SSL certificate from Let’s Encrypt as part of their standard hosting packages with no additional fees involved.
Here are just some of the hosts that offer those free SSLs:
If you’re hosting your site with any of these, you’re in luck, and you can get an SSL certificate in a couple of clicks.
Here are some examples of how to take the first step:
Step 2. Enable SSL on your WordPress site
The next step you have to take is to enable SSL on your WordPress website’s end. Enabling the SSL via your host’s interface is only half the job.
To take care of this, get an all-in-one plugin called Really Simple SSL.
Right after activating the plugin, you’ll see this notice:
To finalize the setup, click on the Go ahead button.
You’ll see a confirmation, and you’ll get logged out of your WordPress dashboard. This is quite standard behavior so don’t worry and just log back in.
You now have enabled SSL on your WordPress website!
In case of any errors, go to Settings → SSL, the Settings tab, and fine-tune some of the options available there.
Really Simple SSL has some neat helpers next to each option to explain what they do.
With that done, you should see that good-looking padlock next to your site’s address bar.
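To check from outside what that padlock reflects, the following added example (not part of Really Simple SSL or any host's tooling) connects with normal certificate verification and reports the issuer, the covered names and the days left before expiry. The 30-day renewal threshold and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time


def fetch_cert(hostname, port=443, timeout=10):
    """Connect with full verification; raises if the chain or name is bad."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.version()


def summarize(cert, now=None, renew_within_days=30):
    """Summarize a dict shaped like SSLSocket.getpeercert() output."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": days_left,
        "status": ("expired" if days_left < 0
                   else "renew soon" if days_left < renew_within_days
                   else "ok"),
    }


# Constructed sample in getpeercert() format, so the summary runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "yoursite.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Mar 21 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "yoursite.com"), ("DNS", "www.yoursite.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        cert, proto = fetch_cert(sys.argv[1])  # live check of a real host
    else:
        cert, proto = SAMPLE_CERT, "n/a (sample)"
    print(proto, summarize(cert))
```

Run it with your own domain as the argument once the host has issued the certificate; a verification error here means visitors' browsers will complain too.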
Let’s make the web better!
As you can see, enabling SSL on your site or the sites of your clients isn’t difficult at all. In most cases, you can get the whole thing done in less than 10 minutes – at least that’s what it took me even with the additional time needed to handle the “mixed content” error.
If your website still doesn’t use SSL, you’re on the wrong side of history. Upgrade now and make the experience more secure for your visitors and also better for you SEO-wise.
For other security tips, please check Simple WordPress Security Tricks to Keep Your Website Safe
So, is your site SSL-enabled? If not, what are you waiting for?!