Disclosure: This post contains affiliate links. I may receive compensation when you click on links to products in this post. For an explanation of my Advertising Policy, visit this page. Thanks for reading!
What is an SSL certificate and how does it work?
Basically, an SSL certificate is what enables a private, secure handshake between the client side, or "website", and the "device" that comes to it. An SSL certificate creates an encrypted connection so that any information transferred between the website and the visitor is secured, which prevents hackers from stealing sensitive information such as credit card and banking details, passwords, etc.
Why should you have an SSL certificate?
Millions of users transfer data over the internet every day, much of it confidential, and they want to be assured that the website they visit is secure.
I mean would you transfer your credit card details, banking details, passwords and confidential files to a site that you weren’t sure about?
Having an SSL certificate is just the bare minimum for assuring visitors that your site is not only safe and secure but, more importantly, trusted.
Many websites throughout the web do not have an SSL certificate, and it's quite easy to tell which ones do: their addresses begin with the prefix HTTPS before the colon (:). Those that don't begin with HTTP before the colon (:).
Maybe you have a simple blog or website where no transactions occur.
Perhaps you have a website where visitors aren’t required to give their passwords and you’re not offering any type of PDF or other downloads. In those cases you may be able to get away with not having an SSL certificate.
However, if you run an ecommerce site where you expect, or just hope, that your visitors will engage in some kind of transaction, whether signing up to your email list, downloading your free PDF or videos, or making a purchase that involves financial information like credit card and banking details, then having an SSL certificate is a must.
In addition, merchants who accept credit card information on their website must pass certain audits which demonstrate that they are complying with the PCI or Payment Card Industry standards.
Acquiring an SSL certificate is one of the requirements.
Who issues SSL certificates and why is that important?
There are two types of SSL certificates. The first type and the most important type is the SSL certificate that has been digitally signed by a Certificate Authority or CA.
Most browsers have a pre-installed list of trusted CAs, otherwise known as a trusted root CA store.
If you use any of the major web browsers like Chrome, these lists are kept up to date with the latest list of trusted CA root stores.
To become a Certificate Authority company you must be in compliance with the security standards established by web browsers.
In addition, these companies are audited to ensure compliance on a regular basis.
The other kind of SSL certificate, which many people are not aware of, is what's called a self-signed certificate.
These certificates are not used for authentication because they have not been certified by a Certificate Authority.
Self-signed certificates are normally used by web developers as a cheap option for setting up web servers for SSL-enabled testing.
Interestingly, the connection is still encrypted with these certificates. They're quite easy to recognize when you come across a website that has a self-signed certificate.
One of those nasty red triangles with an exclamation point in the middle appears, along with big red letters saying "Your connection is not private".
Below is a screenshot of one:
When you see this sign pop up on your screen you have a chance to back out.
Most people do because they think that they’ve come across some kind of hacking site used to steal information. This may be true, but this may also be a website that is still being developed by its developers.
Nonetheless, it’s always best to back out anyway. Better safe than sorry.
Comodo SSL (now Sectigo)
If you want to skip the middleman and not have to deal with web hosts, you can go to the Big Daddy themselves, and that's Comodo.
However, Comodo is now Sectigo, and the combination of the two companies makes Sectigo the world's largest Certificate Authority.
In fact, they are so confident in their services that they offer a 90 day free SSL certificate with all the features of their lowest paid SSL plan.
Installation is quick, and the 90 day free plan is usually recommended for those who need an SSL certificate up and running fast on a brand new website.
Many times, if you go through your web host or a third-party vendor, it can take a little while for your SSL certificate to be visible on your website, costing you valuable time and possibly money.
In fact, many web hosts are actually resellers for Comodo SSL certificates themselves, so bear that in mind.
Most web hosts will sell you an SSL certificate when you register a domain with them. SSL certificates are portable. So you can take them with you when you decide to change hosts.
You can even buy your SSL certificate when you buy your domain from one vendor and transfer it to a hosting plan on another vendor. That's one of the beauties of WordPress: its flexibility.
However, most hosts will now include a free SSL certificate when you host your website(s) with them.
You should though read the terms of the hosting agreement since they may limit you not only in the quantity of SSL certificates per plan, but in the quality of the SSL certificate itself.
Getting an SSL certificate should be a no-brainer. It should be like adding a Whois to your domain name when you buy it. But it’s not.
Getting it up and running on your website can be a bit of a hassle if you've never done it before.
This is yet another reason choosing your web host is so important. If they have top-notch support, it can save you hours.
The advantages of getting an SSL certificate far outweigh the disadvantages. That being said, SSL certificates are not the be all end all in website protection.
They are usually just the first line of defense, but just the first line.
As a website owner or webmaster you should also be aware of the vulnerabilities of SSL certificates, despite their certification credentials.
This isn't meant to scare you, of course; however, by knowing the SSL certificate vulnerabilities, you will be better equipped to deal with potential hacking, malware and virus risks to your site, should they happen.
Don't forget to check the certificate if you are buying a website or a website theme and the developer offers to host it for you, or to sell you the whole website and theme complete with the SSL certificate.
Don't buy one that is still self-signed, though. Get yourself a CA-verified SSL certificate.
SSL Vulnerabilities
Getting an SSL certificate is just the first step to protecting any valuable information that is exchanged between you and your website’s visitors.
Buying an SSL certificate is not the end of it. Although, an SSL certificate does provide a level of security, it can be a false one at times since even SSL certificates are vulnerable to various attacks.
Here is a list of just some of the vulnerabilities SSL certificates have.
Self-signed or “Wildcard” certificates
As discussed earlier in the article, many times web developers will assign themselves a self-signed certificate, otherwise known as a Wildcard certificate, using free OpenSSL tooling.
However, just because you see the "HTTPS:" prefix in front of a website's address in your browser doesn't mean that site is secure.
These self-signed certificates are false friends, since no CA has verified them.
Advanced persistent malware
Sophisticated hackers can design malware to steal SSL keys as well as certificates, and then extract vital data and information from the website.
Forged certificate authorities
As we talked about above, Certificate Authority (CA) verification is the underpinning of every SSL certificate.
It is the single trust factor that separates the self-signed or Wildcard certificate from a verified SSL certificate. So, as an unsuspecting webmaster or website owner, you should buy your SSL certificate from a reputable web host and verify that your SSL certificate is CA-verified.
It shouldn’t be a problem if you host your WordPress website with a well-known reputable web host.
Man-In-The-Middle (MITM) attacks
MITM attacks, otherwise known as Man-In-The-Middle attacks, are basically attacks in which a third party impersonates a trusted website and then eavesdrops on secured conversations.
The most common forms of entry for these types of attacks are usually unsecured or lightly protected Wi-Fi hotspots.
Expired SSL certificates
Expired SSL certificates not only open the door for hackers to attack by entering your network; they can cause system outages too.
You should make sure that your SSL certificate hasn’t expired. If your website is through a reseller you should also make sure that you don’t accept any expired SSL certificates for your domain.
Finally, you should be aware that an expired SSL certificate opens you to Man-In-The-Middle attacks as well.
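The checks described in the self-signed and expired-certificate sections above can be scripted. The following is an added example, not code from the original post; it uses only the Python standard library, and all of the function names (`hardened_client_context`, `fetch_cert`, `inspect_cert`, `dns_name_matches`), the `example.test` hostnames and the two sample certificates are constructed for this illustration. `fetch_cert` connects with the same trusted root store the post describes for browsers, so a self-signed, expired or wrong-hostname certificate fails the handshake the way a browser shows its red warning page; `inspect_cert` then reports what is wrong with a certificate that has been obtained. Note that a wildcard name is a property of the certificate's subject and can appear on a CA-issued certificate as well as a self-signed one, so the code reports the two separately.

```python
"""Certificate checks for a site owner: expiry, self-signed, hostname.

Added example, not code from the original post. Standard library only.
All function names, the sample certificates and the *.example.test
hostnames are constructed for this illustration.
"""
import socket
import ssl
import time


def hardened_client_context():
    """Client context that mirrors what a browser enforces.

    create_default_context() loads the OS trusted root store (the
    pre-installed list of CAs the post mentions) and requires a valid,
    hostname-matching certificate; the minimum_version line refuses the
    SSL 3.0 / early TLS protocols that POODLE-style attacks rely on.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect to a live server and return its leaf certificate as a dict.

    A self-signed, expired or wrong-hostname certificate fails the
    handshake here with ssl.SSLCertVerificationError, which is the
    programmatic equivalent of the browser's red warning page.
    """
    ctx = hardened_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _name_to_dict(rdns):
    """Flatten getpeercert()'s nested ((('commonName', 'x'),),) tuples."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    return (hostname.endswith(pattern[1:])            # ".example.test"
            and hostname.count(".") == pattern.count("."))


def inspect_cert(cert, hostname, now=None):
    """Report the problems the post lists, from one getpeercert() dict.

    self_signed: issuer identical to subject, so no CA vouches for it.
    wildcard_names: SAN entries like *.example.test, reported separately
    because a wildcard can appear on CA-issued certificates too.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])
    sans = [name for (kind, name) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "days_left": int((not_after - now) // 86400),
        "self_signed": subject == issuer,
        "wildcard_names": [n for n in sans if n.startswith("*.")],
        "hostname_match": any(dns_name_matches(n, hostname) for n in sans),
        "issuer": issuer.get("organizationName", issuer.get("commonName")),
    }


# Constructed sample certificates in getpeercert() format (not real sites).
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "*.example.test"),),),
    "issuer": ((("commonName", "*.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
}
SAMPLE_CA_ISSUED = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Inc"),),
               (("commonName", "Example CA R3"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.test"),),
}
# Fixed "current time" so the expiry arithmetic is reproducible.
NOW_FOR_TESTS = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")

if __name__ == "__main__":
    print("self-signed:", inspect_cert(SAMPLE_SELF_SIGNED, "www.example.test", NOW_FOR_TESTS))
    print("CA-issued:  ", inspect_cert(SAMPLE_CA_ISSUED, "shop.example.test", NOW_FOR_TESTS))
```

Run as-is it evaluates the two constructed certificates; to look at a real site, call `fetch_cert("your-domain")` and pass the result to `inspect_cert`. Because `fetch_cert` keeps verification on, a handshake error is itself the finding: it means the certificate would also trip the browser warning the post shows. The `days_left` value is the one to put on a calendar or a monitoring check so an expiry never becomes an outage.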
These are just the most common forms of SSL vulnerabilities. If you would like to read in further detail about how these attacks occur, I highly recommend checking out these two links:
SSL 3.0 Protocol Vulnerability and POODLE Attack by US-CERT
SSL Vulnerabilities by Santa Clara University’s Information Services Department
Mixed content
What is mixed content? According to this Google article, "Mixed content occurs when initial HTML is loaded over a secure https connection, but other resources such as images, videos, stylesheets and scripts are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page and the initial request was over a secure https."
WordPress and Mixed Content
Why fix any mixed content issues?
Because if you have any mixed content on your webpage, even if you have HTTPS and an SSL certificate, your visitors can still receive a warning like this one (again!) when they visit your webpage:
WordPress SEO and Mixed Content
How does mixed content affect the SEO on your WordPress site? Well, while Google doesn't directly penalize websites that use HTTP, it does now mark them as not secure in the browser.
However, even if you do have an SSL certificate and the HTTPS: before your domain name in the address bar, that pesky little sign above stating that "Your content is not secure" will still appear.
Although this won't affect your SEO rankings right away, it may make your content unshareable on social media, for one, and visitors will bounce right off your website.
This increases your bounce rate, which does affect your Google page rankings.
So you will need to get that fixed.
So how do you fix mixed content issues in WordPress?
Well, Google makes it easy for you. Here is a link to the Google Developers Web Guide page, which will take you through the steps.
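To see what the fix actually involves, here is a small scanner for the mixed content defined above. It is an added example, not code from the original post or from Google's guide, and uses only the Python standard library; the sample page, the `example.test` hosts and the names `find_mixed_content`, `upgrade_own_origin` and `MixedContentParser` are constructed for this illustration. It enumerates the resources a page loads the way a browser does, flags any fetched over plain `http://`, separates active content (scripts, iframes, stylesheets, which browsers block) from passive content (images and media, which only produce a warning), and then applies the usual WordPress remedy of rewriting the site's own `http://` links to `https://`, leaving third-party links for manual review.

```python
"""Mixed-content scanner for an HTTPS page, plus the usual WordPress fix.

Added example, not code from the original post or from Google's guide.
Standard library only; the sample page, the example.test hosts and the
function names are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute triggers a subresource fetch. Browsers block
# "active" mixed content (it can run code or restyle the page) outright and
# merely warn about "passive" content such as images.
ACTIVE = {"script": "src", "iframe": "src", "link": "href",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
            # Only a stylesheet <link> is fetched as a page resource; icon
            # and canonical links are not mixed content.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        url = attrs.get(attr)
        if not url:
            return
        # Relative and protocol-relative (//host/...) URLs inherit the page
        # scheme, so only an explicit http:// reference is mixed content.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every http:// resource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                   # mixed content only exists on HTTPS pages
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_own_origin(html, page_url):
    """Rewrite http:// links to the site's own host to https://.

    This is the search-and-replace most WordPress mixed-content fixes boil
    down to: you know your own host serves HTTPS, so those links are safe to
    upgrade. Third-party http:// resources are left alone for manual review,
    because the other host may not serve the file over HTTPS at all.
    """
    host = urlsplit(page_url).netloc
    return html.replace(f"http://{host}/", f"https://{host}/")


# Constructed sample page: a checkout page served over HTTPS that still
# references some resources by absolute http:// URL.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://shop.example.test/wp-content/themes/x/style.css">
<link rel="icon" href="http://shop.example.test/favicon.ico">
<script src="https://cdn.example.test/jquery.js"></script>
<script src="http://cdn-legacy.example.test/tracker.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://shop.example.test/wp-content/uploads/hero.jpg">
<img src="//images.example.test/banner.png">
<iframe src="https://pay.example.test/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("before fix:", finding)
    fixed = upgrade_own_origin(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for finding in find_mixed_content(fixed, SAMPLE_PAGE_URL):
        print("still open:", finding)
```

On the sample page the scan reports three problems (the theme stylesheet, the legacy tracker script and the hero image); after the own-origin rewrite only the third-party tracker script remains, which is exactly the kind of resource you have to replace or drop by hand. Feeding the scanner the saved HTML of your own pages gives you the same list the browser console shows, without opening each page.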
What are the main differences between Free SSL Certificates and Paid SSL Certificates and does it matter?
Well, as I said at the beginning of the article, most reputable web hosts nowadays offer a free SSL certificate with the domain on some of their hosting plans.
However, there are some very important differences between free SSL certificates and paid SSL certificates.
You should know these before going in because it also can affect your monetization risks and liability, if you run an e-commerce website.
Here are some overviews of typical SSL free versus paid packages from some web hosts online today.
Here’s a snapshot of SiteGround’s SSL Certificate Plans.
As you can see, there are some differences between the free SSL certificate and the paid SSL certificate plans.
The first main difference is that SiteGround offers the "Free Let's Encrypt" plan.
You’ll find that many web hosts now offer their free SSL plans when you purchase one of their hosting plans.
But these free plans are usually with the Let’s Encrypt SSL certificate.
There is nothing wrong with the Let's Encrypt SSL certificate per se, since most reputable web hosts use it now; it is simply what you'll see many web hosts offer nowadays.
The second difference is the Dynamic Site Seal, which is that nice green lettering the HTTPS usually has in the browser; it is not included in the Free SSL.
Extended validation is also not included, and there is no underwritten warranty.
Now let's move on to their paid SSL certificate plans.
The first is the Premium Wildcard. As you can see, it includes all the features of the Free Plan, but there are two main differences.
The first difference is that the Premium Wildcard includes the Dynamic Site Seal i.e. the seal that is nice and green with the green lock in the prefix of the browser before the HTTPS.
The second difference is that the Premium Wildcard includes an underwritten warranty of $10,000. Warranties are good and the amount depends on how many transactions your site has.
You, as the site owner, may become liable to any damages caused by products or services your site offers. Keep that in mind.
The last SSL plan that SiteGround offers is called the Premium SSL.
This plan also offers all the features of the Let's Encrypt SSL except multiple subdomains. Now why does the most expensive SSL plan not cover all your subdomains?
The reason is simple: the Premium SSL certificate, like most top SSL certificates, only secures one domain. This is of course due to liability issues.
The premium SSL certificate also includes the Dynamic Site Seal, and the extended validation.
Finally, last but not least, an Underwritten Warranty of $1.5 million.
That’s why it’s the most expensive. It’s basically an SSL certificate insurance policy on your website.
Hostinger also offers their own SSL certificate although I couldn’t find whether or not it was a “Let’s Encrypt” SSL certificate or one they issue themselves.
Here's a snapshot of Hostinger's Paid SSL Plans:
Although the comparisons between the plans weren't as clear as SiteGround's, they still give you a glimpse of the differences between two of their paid plans.
One is the SSL Certificate Standard, which they give you for a lifetime for $11.95. The other is a Comodo Positive SSL certificate, which they give you at $7.49 a year.
The main difference is the warranty: they offer $10,000 on the Comodo Positive SSL certificate.
So what's the main difference between the Free SSL certificates available out there and Paid SSL certificates?
- With Free SSL certificates you have to purchase the hosting company’s hosting plan.
- They are not transferable. If you decide to switch your hosting company, you will need to apply for a new SSL certificate, either with your new hosting company or you will have to purchase an SSL certificate through an SSL security certificate provider. However, you should also note that whenever you transfer an SSL certificate that you’ve purchased onto a hosting plan, some hosting plans may charge you a fee for putting it on its server. This is usually true for most shared hosting plans. Usually with Dedicated Server plans you generally don’t have to pay this cost, since it is your own server and you are responsible for its security and normally the SSL installation.
- Free SSL certificates don't give you the nice green https lettering or green lock.
- Levels of warranty. With paid SSL certificates you are normally given a level of warranty should any losses occur due to a breach of security protocol. With free SSL certificates, no warranty is given.
There you have it. Those are the main differences between Free and Paid SSL certificates. So the question remains. Does it matter?
The answer depends on your needs and your budget. If you have a simple website where you are not selling a product or service and collecting payments, then a Free SSL certificate is normally just enough.
However, if you sell any products or services where payment transactions are being performed through your website, it might be best for you to purchase a Paid SSL certificate.
One with some kind of warranty attached depending on the level of liability your product or service may have.
Any way you look at it, with the introduction of HTTPS and Google's embrace of this security protocol now being mainstream, you really need to get one put on your site if you haven't already.
David Peluchette is a Premium Ghostwriter/WordPress, SaaS, Tech and Travel Enthusiast. When David isn’t writing he enjoys traveling, learning new languages, fitness, hiking and going on long walks (did the 550 mile Camino de Santiago, not once but twice!), cooking, eating, reading, SEO Voodoo and building niche websites with WordPress.