With a market share north of 28%, WordPress is a popular tool powering up lots of business websites. Yet, its popularity makes it an ever-more interesting target for hackers and malicious attacks, both of which can erode consumer confidence and leave you stuck with no traffic and falling sales.
Security should never be taken for granted, no matter how "big" or "famous" your website is. Actually, there are several ways and best practices to improve the security level of your website.
When people talk about security, they usually bring on the table another term that unfortunately has very little to do with a website's level of security: I'm talking about SSL certificates. The misconception relies on a wrong idea on how these SSL certificates actually work and relate with security.
In this post, and thanks to an experienced security expert, I'll explain the nitty gritty important details around SSL certificates, leaving out all the technicalities and "obscure" lingo that usually comes when talking about this topic.
SSL certificates vs security: do they even relate?
An SSL (Secure Sockets Layer) certificate is an easy and cost-effective way to protect sensitive data shared among websites from being intercepted by hackers. An important thing that I want to stress right from the beginning is that an SSL certificate doesn't protect your website from attackers. SSL certificates are all about keeping your visitor’s information secure in transit.
In other words, having just an SSL certificate isn't enough to improve your website security. For that, there are tactics, tools, and things to perform regularly that go perfectly along with having an SSL certificate installed.
What is an SSL certificate?
WordPress developer and Codeable expert Liam Bailey says:
An SSL certificate is like the gas board man's ID badge.
Residents are careful to check IDs before letting utility workers or service people into their homes. Liam likens the SSL certificate to the privacy chain across a doorway. The chain allows the door to open slightly so the person inside can evaluate what's on the other side.
The certificate itself is a public digital document. When users type in your website URL, your SSL certificate tells them the site is owned by a legitimate company. As Liam points out:
An SSL certificate is a hard and fast way to make sure that the website you're being served is the website you're trying to use.
Because hackers can hijack your URL and divert traffic to malicious sites that steal your customer's money, identity, and information. An SSL certificate lets visitors know that your website, and their information, are all safe.
How does an SSL Certificate increase your users' security?
SSL improves WordPress your visitors and users' security level in two ways. On one hand, as an SSL certificate prevents connection to malicious websites, your users will be reassured nothing suspicious is happening. On the other, it protects sensitive data transfer via encryption, which is a way to encode data in a way that's understandable by the two only parts involved in the transfer: your user's browser and your website.
Specifically, an SSL certificate secures data as it travels between computers in three steps:
- Users enter your URL into a browser. The browser asks the requested server to identify itself before a connection is granted.
- The requested server sends the SSL certificate to the browser.
- The browser verifies the certificate is authentic and up-to-date. A connection is approved.
For example: when you buy something on Amazon, your credit card information is sent through a secure and encrypted connection to Amazon's servers. If by any chance, a hacker managed to intercept that data, they would not be able to "read" it (understand it) without the unique key used to encode your sensitive data and immediately created and handled without you even noticing.
Have you ever stumbled upon an alert message like this one?
Well, this type of alerts happens when your browser comes across a suspicious or expired certificate. When this occurs, users are cautioned not to enter personal information on unauthenticated sites to lower risk of identity or data theft. Here's how to check if a site's connection is secure for Chrome.
Do you need an SSL certificate?
As of 2017, SSL certificates are becoming more and more adopted by website owners because they provide several benefits with a low price tag, one of which is showing a commitment to customer safety. As Liam recommends:
I personally think everyone should have SSL for many reasons. In fact, as SSL use becomes more and more widespread, and it becomes the norm, then not having one could even come to be seen like you're not trying to protect your users.
Top 3 benefits that an SSL certificate brings you
- It's a simple way to protect your customers.
- Google uses SSL certification in SEO rankings.
- An active SSL certificate shows your users they can trust you and your website.
How do you get an SSL certificate?
There are several ways to get an SSL certificate but for many business websites, Liam suggests using LetsEncrypt, an SSL certificate provider that releases free-to-use certificates. Liam recommends it also because he believes the service offers a high level of data safety.
The majority of hosting provider supports LetsEncrypt as part of their in-house services, so you can ask them for help. If your hosting provider doesn't offer this support or you have a more complex website, such as a membership area or an eCommerce store, you should think of hiring a security expert to get it set up correctly and then forget about it.
Liam believes an SSL certificate is always worth the minimal investment you need to make for a proper configuration:
It's really not going to be over-the-top expensive.
SSL certificates are an effective way to increase customer trust and should be part of your broad security strategy. They keep hackers from diverting your traffic to fake sites and keeps customer data out of the wrong hands. In addition, Google has started labeling websites without SSL certificates as "not secure", welcoming their users with warning messages. On top of that, the investment required to have an SSL certificate in place is pretty low, if not 0 for those who are able to take care of it themselves.
Now, hold on for a second and question yourself: when I tell my visitors and customers I do care about their data and privacy being secure, am I also doing anything I can to prove it to them?
Liam Bailey is the developer behind Webby Scots with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites including also working in-house at Codeable before returning to freelance and help more clients from all over the world.