The Ultimate Guide to SSL for WordPress

What Bloggers and Online Business Owners Need to Know About SSL

Let’s get in our time machine and go back to 2014, shall we?

I had just started my freelance WordPress design business (called Limepress Development because I was developing fresh designs for my clients – get it???) and was just beginning to discover that my side hustle of trading my time for money was totally not worth it…

(You can read more about how Limepress Development evolved into WP+BFF here.)

The other thing that happened in 2014 is that Google announced that it was going to boost the rankings of sites that have an SSL certificate.

In 2017, people using Chrome or Firefox to surf the web will start seeing warnings when they go to login pages, form pages or payment pages of websites that don’t have SSL certificates.

And now, in 2018, the EU's new GDPR law is making SSL even more important.

For those of you wondering what the hell that means and why you should care, let me break it down for you:

An SSL certificate secures and encrypts the information you send to a website.

SSL Certificate:

No SSL Certificate:


Websites that have an SSL have https:// at the beginning of their web address and little green lock icon in the address bar. Sites that don’t have one installed start with http:// and don’t have a lock icon in the address bar.

When you buy something online, when you log into a website, when you fill out a form to create an account, when you opt in to an email list – you’re sending those usernames, email addresses, passwords and credit card details through the internet to a website.

You definitely want to make sure your information is secured and encrypted so it can’t be intercepted on its way to it’s destination – and that’s a standard practice that’s been happening for a long time on the interwebs.

Do You Need an SSL Certificate?

It used to be that if you weren’t selling anything directly from your website or didn’t have anybody logging in that you really didn’t need an SSL certificate because nobody is sending you private info, right?

But now, you kinda do. And here’s why.

Your users are just clicking around and reading – maybe they enter their email address into your optin form, maybe they leave a comment on your blog, but nothing earth-shattering that an identity thief or hacker would be interested in (so you think).

Reason 1: GDPR

If you have website visitors from the European Union and they are subscribing to your email list, I highly recommend that you have an SSL certificate in place as an extra layer of protection for GDPR.

You can read more about GDPR and how to get your website set up for GDPR here.

REASON 2: SSL does more than just secure passwords.

The little https:// and padlock is a sign that the website you’re connecting to is the real deal and that you’re not being redirected to a fake site that looks just like the real thing designed to get you to enter your credit card info – like when you get an email that your Netflix account is about to be cancelled and you panic, click the link and land on a fake Netflix site, enter your credit card info and a week later you discover someone bought a fence in Utah on your credit card…

It also prevents people from attaching their black market malicious shit to your connection, making your website the unknowing transporter of some nasty malware – like on Locked Up Abroad where some dumb college kid takes a bunch of money to deliver an anonymous package (of drugs) to the US.

REASON 3: WEB BROWSERS ARE STARTING TO WARN WHEN SOMEONE IS ON A SITE WITHOUT SSL

Have you ever seen that big red notice – this site is insecure, it may be unsafe to proceed? You don't want that showing up for people trying to access your site for sure!

Is Google going to penalize you in search results if you don't have an SSL?

Google is not going to penalize you per se, but if you have an SSL and your competition doesn't, your site will show up higher in search results. But it's just one little piece of the overall SEO puzzle.

Google is doing this because it wants to maintain its credibility. They want to make sure you continue to use and trust Google by ensuring search results it shows you are legit and it’s not going to send you down a dark alley to get robbed.

That’s why it’s giving the little bump in rankings for sites that are secured, and warning Chrome users when they’re on a site that’s not secure.

So because you care about your audience and want to protect them (and you’ll take the added SEO benefits and would prefer not to have to wear a scarlet letter), you’re going to get an SSL for your site, right?

But what kind of SSL should you get? Free or paid?

All SSL certificates do the same thing – encrypt the information being sent from your computer to a website.

But there are a three different types of SSL certificates you can get – here’s the breakdown:

Extended Validation (EV SSL)

When you buy this one, you have to go through a kind of rigorous validation process to prove your identity, your exclusive rights to your domain name and the legal operation and actual existence of your business, and prove that you actually authorized the purchase and issuing of the certificate.

The process of getting validated can take up to 2 weeks and they are good for at least a year (you can buy multiple years – which is good because the process of renewing is kindof a pain).When you’re on a site with an EV SSL, the company name shows up in green in the address bar, like this:


They also often come with a warranty – so if something does happen where fraudulent activity is happening on your website, the company that you bought the certificate from will compensate  the people that were affected. The warranty is more to prove you’re legit and it’s safe to do business with you than anything else.

Cost: Prices range from a few hundred dollars a year to over a thousand.

Organization Validation (OV SSL) 

When you buy this one, you also have to go through a validation process to prove your identity and may even have to provide some sort of documentation to prove you own your domain or business – but this only takes a couple of days and less info is required.

Cost: The price is typically around $100 a year (if you’re seeing a higher price, it’s probably because there’s a big warranty that you don’t need) – and you can also get multiple years.

I have an OV SSL  on WP+BFF.

Domain Validated (DV SSL)

You can get a DV SSL for free from Let’s Encrypt https://letsencrypt.org/.The only verification it does is to verify that the domain owner (most likely YOU) approves the certificate request – either by sending you an email confirmation OR by having you upload a verification file to your website.

It’s free because there’s no process of actually having to prove who you are and that your business is legit. It’s all automated and it’s based on just believing you are who you say you are and you’re not catfishing them.

It’s pretty much instant setup, but the catch is that they are only good for 90 days, so depending on how you set it up, you may have to renew it every 3 months.

Cost: Free!

If you want to get into the nitty gritty and compare prices for all the companies that sell SSL and all the levels, this website covers it all. https://www.whichssl.com/compare-ssl-certificates.html

Which SSL should you get?

If you’re blogging and building an email list, you care about your community, you don’t want them to get hijacked, you want to look legit and get a bump in SEO, I recommend the free DV SSL – and lucky for you, I’m showing you exactly how to set that up in the next section.

Whether or not you should spend money on an OV or EV SSL is up to you. It doesn’t give you any more security, but for security-savvy online shoppers that check these things, it does show them that you’re verified to be legit, unlike a DV SSL which doesn’t…

The EV SSL gets you your name in green in the address bar, which looks super-legit and if you’re asking people to give you hundreds of dollars for your products, I think it’s like a subliminal sign to them that you’re not going to take the money and run.

But I teach you guys how to build a website and an online business that build the know, like and trust factor before the sale, so I’m really not convinced that you need anything more than the free DV SSL at this point.

However… If you think about how easy it is to get a free SSL and that you don’t have to prove that you’re a legit business owner, that means that shady sham websites designed to get you to enter credit card details and passwords can be set up with little green locks in the corner – and if that’s the only thing you’re looking at to make a decision about whether a site is legit or not, you could be putting yourself at risk. So just be careful about who you do business with online. At least the OV SSL gives you some extra information

If you disagree, feel free to leave a comment on this post!

How to get a FREE SSL

If you built your website with my Free 5 Day Website Challenge and purchased hosting from Bluehost* you’ve got a free SSL certificate just hanging out waiting for you to turn it on. It will automatically renew itself every 3 months. It’s super easy, and here’s the instructions: https://my.bluehost.com/cgi/help/free-ssl

Not with Bluehost? Other webhosts are offering free SSL for WordPress with Let’s Encrypt, others offer it with a certain level of hosting. Check with your hosting provider, otherwise, you can set one up with Let’s Encrypt directly right here: https://www.sslforfree.com/ – it’s a little complex, but they have step-by-step directions right on the page telling you exactly what to do. Read them carefully and take your time – you can totally do it!

After you set it up, there are a few more steps that you need to do in your WordPress site to activate it:

Activate your SSL in WordPress

Regardless of what type of SSL you choose, there are a few things you need to do after you install your SSL:

  1. Change your URL in WordPress Settings
  2. Install this plugin to redirect all old http:// links to new https:// – https://wordpress.org/plugins/https-redirection/
  3. Install the Better Search and Replace plugin and search for your URL with http:// and replace with https:// – for example, if I was changing mine, I would search for https://shannonmattern.com and replace with https://shannonmattern.com. You'll do a dry run first, and then uncheck the dry run box to actually make the changes.
  4. Update Google Analytics Settings to change http:// to https://
  5. Update Google Search Console accounts – Add a Property with your new https:// URL
  6. Upload a new sitemap. You’ve essentially changed your domain name, and because of that you can expect SEO rankings to fluctuate until your site has been reindexing – not a huge deal, but sometimes it freaks people out if they enjoy a high ranking and then they drop for a few days.

WPBeginner has an awesome tutorial on those above steps with screenshots – you can check that out here.

Chris Nesbit over WPLikeaPro has another awesome article on SSL Certificates and sells them too. He can hook you up here.

If you don’t have Google Analytics or Google Search Console set up then sign up for the Free 5 Day Website Challenge because I show you exactly how!

That’s it!! Your website is more safe, secure and legit 🙂

And if you’re new to WordPress, click here to sign up for the Free 5 Day Website Challenge where I teach online business owners how to build the kind of website that builds trust, lists and sales.


Resources:

https://my.bluehost.com/cgi/help/free-ssl

https://my.bluehost.com/cgi/help/473

https://letsencrypt.org/

https://ssl.comodo.com/free-ssl-certificate.php

https://www.sslforfree.com/

https://geekflare.com/free-ssl-tls-certificate/

https://www.elegantthemes.com/blog/tips-tricks/how-to-get-a-free-ssl-certificate-and-why-google-is-forcing-you-to

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

https://support.google.com/webmasters/answer/6073543?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post

https://support.google.com/webmasters/answer/6033049

https://www.theedesign.com/blog/2016/2017-year-ssl-https-websites

https://wordpress.org/news/2016/12/moving-toward-ssl/

https://motherboard.vice.com/en_us/article/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

https://www.godaddy.com/garage/smallbusiness/secure/paid-and-free-ssl-certs-what-you-need-to-know/

https://simonecarletti.com/blog/2016/02/things-about-letsencrypt/#conclusion

https://www.symantec.com/connect/blogs/types-ssl-certificates-choose-right-one

https://www.globalsign.com/en/ssl-information-center/what-is-an-extended-validation-certificate/

http://www.webhostwhat.com/bluehost-announces-free-ssl-https-with-lets-encrypt-for-wordpress/

http://www.wpbeginner.com/wp-tutorials/how-to-add-free-ssl-in-wordpress-with-lets-encrypt/