What Is An SSL Certificate? And How Does It Benefit Your Website?
Confused by what an SSL certificate is and why you need one for your website?
In 2021 and beyond, every single website needs an SSL certificate because it plays a huge role in securing your site and boosting confidence with your visitors.
Because SSL certificates are so important, it’s useful to understand how they work, what they do, and how you can start using one on your website, including configuring your WordPress site to run over HTTPS (which is what an SSL certificate allows you to do – more on this in a second).
That’s why we wrote this article – to answer all those questions and help you get up and running with a more secure website.
Ready to learn about SSL? Let’s dig in…
What Is an SSL Certificate?
An SSL certificate, short for Secure Sockets Layer certificate, lets you encrypt the traffic that passes between your site’s visitors’ web browsers and your site’s server (this includes your own traffic when you visit your site). By encrypting the data, you make your site more secure because malicious actors won’t be able to eavesdrop on the data moving between a visitor’s web browser and your website’s server.
It also plays a key role in helping you get the green padlock in browsers such as Chrome, Firefox, Safari, etc.
In more technical terms, the SSL certificate connects a cryptographic key to your domain name or your organization. This cryptographic key plays an essential role in encrypting traffic.
It’s kind of like a passport that verifies that the connection comes from your website and not some man in the middle who’s trying to hijack the connection.
While most people call them “SSL certificates”, this is actually a bit of a misnomer because SSL is an older technology that has since been replaced by the newer TLS technology.
Don’t worry, though, everything you see called an “SSL certificate” is really an “SSL/TLS certificate”, so you’ll still be able to use the newest technologies just by installing an “SSL certificate”.
You’ll see a few people market them as “SSL/TLS certificates”, as well. But again, an “SSL/TLS certificate” is exactly the same as an “SSL certificate”.
How Does an SSL Certificate Work?
In a basic sense, an SSL certificate lets you use HTTPS, which is what gets you the green padlock in web browsers. You install the SSL certificate on your web server. Then, you can configure your website to run on HTTPS.
In a more technical sense, here’s how the actual encryption process works:
When a visitor lands on your site, their browser requests that your web server identify itself. To do that, your web server responds with its SSL certificate (this is why we said it’s like a passport).
The visitor’s web browser then checks to see if it trusts the SSL certificate and, if it does, it sends back its own digitally signed acknowledgment to launch an encrypted session over HTTPS.
Once this encrypted session is set up, all of the data that moves between the browser and the web server is encrypted, which means that malicious actors can’t see the actual data.
Why Is An SSL Certificate Important for Your Website?
The biggest benefit of an SSL certificate is security. Installing an SSL certificate on your site lets you use HTTPS, which lets you encrypt all the data that passes between a visitor’s browser and your site’s server.
For example, let’s say you’re logging into the WordPress admin dashboard. With an SSL certificate and HTTPS, you can be confident that your password is properly encrypted and no one else can get their hands on it.
But without an SSL certificate, you would be opening yourself up to something called a “man in the middle” attack, where a malicious actor can sit in between your computer and your site’s server and intercept the data. If the data isn’t encrypted, that means they would have your actual username and password and could use that to access your site.
This is especially problematic if you’re browsing the Internet on public networks, such as the public Wifi at a coffee shop or airport. Without an SSL certificate and HTTPS, a malicious actor could just sit on that network and spy on everything that passes between your web browser and your website’s server.
Using an SSL certificate is also important for trust. Big organizations like Google have really been pushing SSL usage, so users know to look for the green padlock in their browsers. If they don’t see the padlock on your site, they won’t feel as secure (especially if they’re entering any type of information in a form or making a payment).
Finally, there’s a small SEO benefit to using an SSL certificate. Because Google is pushing so hard to increase HTTPS adoption on the web, Google has even made HTTPS usage a small ranking factor in its SEO results.
Now, it definitely won’t shoot your site up the ranks by itself, but every little bit counts when it comes to optimizing your site for the search engines.
How to Tell If Your Site Has an SSL Certificate
One simple way to check if your site has an SSL certificate is to look at your browser address bar. If you see the green padlock on your site, that means your site already has an SSL certificate and is using HTTPS.
If you want to see more information about the SSL certificate, you can click on that green padlock. If you have a working SSL certificate, you should see something like “Certificate (Valid)”. And if you click on the Certificate option, it will show you the details about your site’s SSL certificate:
You can also use an SSL certificate checker tool. You can find plenty by Googling, but GoDaddy has a pretty simple one. You just plug in your site’s address and it will share a bunch of information about your SSL certificate (if it exists).
These terms are pretty technical, so don’t worry if you don’t know what they mean. You’re mainly just looking for green checkmarks on most of the terms (it’s ok if a couple of terms have a yellow icon, as you can see in the screenshot below):
How Can You Get an SSL Certificate for Your Site?
Before we show you how to get an SSL certificate, we first need to run through the different types of SSL certificates.
In total, there are three types of SSL certificates:
- Domain Validation (DV SSL) – this is the approach that free SSL certificates use. It verifies that you have control of your domain name, but it doesn’t verify who you are.
- Extended Validation (EV SSL) – you need to pay for these. These verify both that the organization controls the domain name and also that the organization really is who it says it is (example below).
- Organization Validation (OV SSL) – you also need to pay for these. They’re very similar to an EV SSL but with some additional vetting on the organization.
The difference between a DV and EV SSL certificate is basically this:
- A DV SSL guarantees that the data that moves between you and a website is secure but it doesn’t verify that the person/group behind the website is who they say they are.
- An EV SSL certificate guarantees that the data that moves between you and a website is secure and that the website is controlled by who you think it is.
Because of this, EV certificates are common in sensitive areas, such as banking. For example, if you view the certificate details for the American Express website, you can see not just that the certificate is valid, but also that it was issued to American Express:
This gives you confidence not just that the data you transmit is secure, but also that it will go straight to American Express’s servers.
It’s important to note that free SSL certificates offer 100% of the security benefits of premium SSL certificates. From a security perspective, there is no meaningful difference between a free certificate and a paid SSL certificate.
However, there are some more marketing and trust-based reasons to consider a premium SSL certificate if you’re in a security-conscious niche.
Most WordPress sites only need a free DV certificate. Even if you’re processing payments, you still just need a DV certificate because a DV certificate already gets you all of the security benefits.
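The certificate details described above (who it was issued to, who issued it, when it expires) can also be read programmatically. This is an added example, not code from the original article: it summarizes the dictionary that Python's `ssl` module returns for a verified connection and reports whether the subject names an organization. The sample certificates and the `yoursite.com` hostname are constructed.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Connect with browser-style verification and return the parsed certificate."""
    ctx = ssl.create_default_context()  # checks the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _names(rdns):
    """Flatten the nested tuples ssl uses for subject/issuer into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def summarize_cert(cert, now=None):
    """Report who the certificate names, who issued it, and the days left."""
    now = time.time() if now is None else now
    subject = _names(cert.get("subject", ()))
    issuer = _names(cert.get("issuer", ()))
    org = subject.get("organizationName")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostnames": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issued_to_org": org,
        # DV certificates carry no organization in the subject; OV and EV do.
        "validation": "OV or EV (organization named)" if org else "DV (domain only)",
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "days_left": int((expires - now) // 86400),
    }

# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_DV = {
    "subject": ((("commonName", "yoursite.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Aug 30 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "yoursite.com"), ("DNS", "www.yoursite.com")),
}
SAMPLE_OV = dict(
    SAMPLE_DV,
    subject=((("organizationName", "Example Bank Ltd"),), (("commonName", "yoursite.com"),)),
    issuer=((("organizationName", "Example CA"),),),
)

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_DV))
    # For a live site: print(summarize_cert(fetch_cert("yoursite.com")))
```

Telling OV from EV needs the certificate's policy identifiers, which this dictionary does not expose, so the summary reports them together.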
How to Get Free DV SSL Certificates
Nowadays, most web hosts offer built-in free SSL certificates via a service called Let’s Encrypt.
These SSL certificates might be enabled by default when you use the host’s WordPress autoinstaller (as is the case at SiteGround). Or, you might need to manually enable them by ticking a box somewhere in your hosting dashboard.
If you’re not sure how to do this, I recommend consulting your host’s documentation or reaching out to their support.
How to Get Premium EV or OV SSL Certificates
If your host doesn’t offer free SSL certificates or if you want a different type of SSL certificate, you can also purchase premium SSL certificates from various services. Popular options include:
- IONOS – When choosing the right provider, make sure that you are offered the most recent service. The SSL certificate from IONOS includes the latest TLS technology (transport layer security).
- Namecheap
- Comodo
- DigiCert
- GoDaddy
Once you purchase your SSL certificate, you need to install it on your server. Unfortunately, how this process works depends on your hosting.
Most web hosts will give you a tool to install the SSL certificate – typically you just need to copy and paste some information from your SSL provider into your host’s tool.
If you’re not sure how to do this, we recommend consulting your host’s support docs or reaching out to their support for help so that you can get information specific to your situation.
How to Configure Your Website to Use SSL/HTTPS
Once you install your SSL certificate (either via your host’s free tool or by purchasing a premium SSL certificate), your site has the ability to use HTTPS. However, in order to actually benefit from your SSL certificate and secure your site’s data, you need to configure your site to run entirely over HTTPS, which is a little tricky if you’re adding an SSL certificate to an existing website.
There are two routes you can follow to do this for WordPress:
- Use a plugin. This is the simplest option, but you’ll need to keep the plugin active forever.
- Manually update your site to use HTTPS. This is a little technical, but it eliminates the need to use a plugin.
We’ll show you how both approaches work.
1. Plugin Method – Use Really Simple SSL
If you want to go the plugin route, you can use the free Really Simple SSL plugin.
True to the name, the plugin is really simple. All you need to do is install and activate the plugin. Then, go to Settings → SSL and click the Go ahead, Activate SSL! button:
And that’s it! Your site will now start properly using SSL/HTTPS. Because of the change, you might need to log in to your WordPress dashboard again. But once you do that, your site should function just as it did before – the only difference is that it will now be using your certificate.
2. Manual Method – Three Steps to Follow
If you want to go the manual route, you’ll need to do three things:
- Change your WordPress site URL to use HTTPS.
- Run a search/replace on your site’s database to update all HTTP URLs to use HTTPS.
- Set up a redirect to force all of your site’s visitors to use the HTTPS version of your site.
Let’s go through how to handle each step…
Update Your Site URL
To kick things off, go to Settings → General in your WordPress dashboard and change your WordPress Address (URL) and Site Address (URL) from HTTP to HTTPS.
Here’s how it should look at first:
And then here’s how it should look once you add the “s” to the URL:
Once you save your changes, WordPress will probably log you out and you’ll need to log in again using your credentials. This is totally normal – don’t worry!
Run a Search/Replace On Your WordPress Site’s Database
Next, you need to run a search and replace on your site to change all of your existing URLs to use HTTPS instead of HTTP. For example, if you have an image in an already-published blog post, that image is still going to be embedded using HTTP for now, which will cause issues on your site.
To do this, you can use a simple plugin. However, this search/replace process can break things if you do it wrong, so I highly recommend backing up your site before moving forward and/or working on a staging site.
Once you have a recent backup of your site, you can install the free Better Search Replace plugin. Then, go to Tools → Better Search Replace.
In the Search for box, enter the HTTP version of your domain name. For example:
http://yoursite.com
In the Replace with box, enter the HTTPS version of your domain name. For example:
https://yoursite.com
Then, select all the tables and make sure the Run as dry run? box is checked (this will run a test run before actually making any changes). Then, click Run Search/Replace:
You should see a summary of the changes the plugin would make if it weren’t a dry run. Ideally, you should see something like “X cells were found that need to be updated”:
If you see that, all you need to do is uncheck the Run as dry run? box and then click Run Search/Replace again to make the changes for real.
Then, all of your site’s existing images and internal links will now use HTTPS.
Set Up a Redirect to Force HTTPS Usage
At this point, your site should be entirely running on HTTPS powered by your SSL certificate. The last step is to set up a redirect so that anyone who accidentally tries to visit the HTTP version of your content gets automatically redirected to the HTTPS version of that content (this includes search engines like Google).
To set this up, you need to connect to your server via FTP and edit your site’s .htaccess file. Then, you need to add this code snippet:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Add this code either above the # BEGIN WordPress line or below the # END WordPress line (but never in between those two lines). The Header line only works if Apache’s mod_headers module is enabled on your server.
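To confirm the redirect rule behaves as intended, request a deep HTTP URL without following redirects and inspect the answer. This is an added example, not code from the original article: it checks that the response is a 301 to the same host and the same path over HTTPS. The `yoursite.com` host and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

def fetch_plain_http(host, path="/", timeout=5):
    """Request the HTTP URL without following redirects; return (status, headers)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def check_redirect(host, path, status, headers):
    """Return a list of problems with the HTTP -> HTTPS redirect (empty = OK)."""
    problems = []
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if target.scheme != "https":
        problems.append("Location is not an https:// URL")
    if target.hostname != host.lower():
        problems.append(f"redirects to a different host: {target.hostname}")
    # The rule should keep the requested path and query string intact.
    got_path = target.path + ("?" + target.query if target.query else "")
    if got_path != path:
        problems.append(f"path changed: {path} -> {got_path}")
    return problems

# Constructed responses: the rule from the snippet, and a common misconfiguration
# (temporary redirect that sends every URL to the homepage).
GOOD = (301, {"location": "https://yoursite.com/blog/?p=1"})
BAD = (302, {"location": "https://yoursite.com/"})

if __name__ == "__main__":
    print(check_redirect("yoursite.com", "/blog/?p=1", *GOOD))
    print(check_redirect("yoursite.com", "/blog/?p=1", *BAD))
    # Live check: status, headers = fetch_plain_http("yoursite.com", "/blog/?p=1")
```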
And that’s it! You’ve properly configured your WordPress site to use your SSL certificate and run all of its traffic over HTTPS.
Start Using an SSL Certificate Today
By allowing you to use HTTPS and get the green padlock, an SSL certificate plays an essential role in securing your site, building trust with your users, and even giving your site a small bump in the SEO rankings.
Thanks to organizations like Let’s Encrypt, it’s now possible to get a free SSL certificate, so there’s no reason not to start using it. What’s more, all quality WordPress hosts now offer free SSL certificates – all you need to do is enable them and start using HTTPS on your site.
If you’re installing an SSL certificate on an existing site and moving it to HTTPS, you might run into something called a mixed content warning, which is when some of your content loads over SSL/HTTPS and some content loads over a regular connection.
In cases of mixed content, your site won’t get the green padlock even though it’s using HTTPS and SSL. To learn how to fix this problem, you can check out our full guide to fixing the mixed content warning on WordPress.
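Mixed content can be located before visitors see the warning by scanning a page's HTML for subresources that still use `http://`. This is an added example, not code from the original article: it lists insecure scripts, frames, stylesheets and media, and notes whether the `upgrade-insecure-requests` policy from the .htaccess snippet is present. The sample page and its URLs are constructed.

```python
from html.parser import HTMLParser

# Loads that browsers block outright when insecure ("active" mixed content).
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
# Media loads ("passive" mixed content).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not subresource loads
        for attr in ("src", "href"):
            url = (a.get(attr) or "").strip()
            if (tag, attr) in ACTIVE | PASSIVE and url.lower().startswith("http://"):
                kind = "active" if (tag, attr) in ACTIVE else "passive"
                self.findings.append((kind, tag, url))

def find_mixed_content(html, csp_header=""):
    """Return insecure subresources and whether the browser is told to upgrade them."""
    finder = MixedContentFinder()
    finder.feed(html)
    upgraded = "upgrade-insecure-requests" in csp_header.lower()
    return {"findings": finder.findings, "browser_will_upgrade": upgraded}

# Constructed page: an old post with an HTTP image and script; ordinary links
# (<a href>) and the canonical <link> are not subresources and are ignored.
SAMPLE_HTML = """
<link rel="canonical" href="http://yoursite.com/old-post/">
<link rel="stylesheet" href="https://yoursite.com/style.css">
<img src="http://yoursite.com/wp-content/uploads/photo.jpg" />
<script src="http://cdn.example/lib.js"></script>
<a href="http://yoursite.com/about/">About</a>
"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML, "upgrade-insecure-requests;"))
```

With the policy present the browser rewrites these requests to HTTPS, but a resource whose host has no HTTPS version then fails to load, so the stored URLs are still worth fixing.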
Do you still have any questions about what an SSL certificate is or how it works? Let us know in the comments!
Thanks for the insight, Ahmad. The task to move to SSL sounds very daunting and you can read a lot of bad user experiences online. But after just moving two of my sites to https I found it super easy. The really simple SSL plugin does everything for you. I didn’t even see any drop in traffic.
This is a great walk-through of the subject of SSL! I was wondering if for an eCommerce site I should buy an SSL or use the free SSL like Let’s Encrypt that comes with a Siteground hosting account? Is there any difference?
Hi Bob, I’m glad you like it. We will be using it for WPLift as well ;-)
For eCommerce-> I would always buy an SSL from Siteground. But that’s more my gut feeling…