HTTPS & SSL: The Definitive Guide To Securing Your Website
In this definitive how-to SSL guide, we’re going to explore the topic in detail and provide some great resources, so you can secure your website with confidence and ease.
Your site is a valuable asset that you’ve poured time, thought, and energy into. Protecting it is vital.
The best way to accomplish this? Hands down, with the presence and power of HTTPS.
Continue reading, or jump ahead using these links:
- Domain Security Value
- HTTP vs HTTPS
- How does HTTPS actually work?
- What is SSL?
- What is an SSL Certificate?
- Types of SSL Certificates
- What Type of SSL Certificate is Best?
- How to Make a Website HTTPS
- Don’t SSLeep on This
There’s a fair amount of ground to cover here, so let’s get started.
You have probably noticed the shift of many website URLs going from HTTP to HTTPS over the past decade, in particular, the last half-dozen years. There’s an interesting wiki article on the timeline if you’re keen on more specifics.
So what is it that makes HTTPS so good?
A WordPress HTTPS site makes your online business more trustworthy to visitors. From the moment your site loads in their browser, they see a visual cue that their personal information will be highly guarded in your corner of the world (wide web).
You’ll also get an SEO boost, as search engines favor HTTPS websites. According to Google Webmaster Trends Analysts, SSL is part of Google’s search ranking algorithm.
Being rewarded with improved page load times is another awesome part of the package. Who doesn’t want performance gains?
HTTPS, aka end-to-end encryption, can help prevent all types of online attacks, including the big baddies known as APTs and MitM attacks. Here’s a quick rundown on these:
- APTs (Advanced Persistent Threats) are attack campaigns in which intruders use continuous, clandestine, and sophisticated techniques to gain access to a system, and remain inside for a prolonged period of time. These have potentially destructive consequences.
- MitM (Man in the Middle) attacks are when a cybercriminal gains access to an unsecured or poorly secured Wi-Fi network to intercept and read transmitted data, capturing login credentials, banking information, and other personal information. The attacker might also impersonate the person or entity you think you’re talking to, in order to steal information.
Sadly, these cyber attacks don’t seem to be slowing down.
While not completely fool-proof, having HTTPS on your website will greatly improve your defenses against APTs, MitM attacks, malware, direct hacker attacks, and a host of other vulnerabilities.
Next, let’s look at how encryption actually works.
HTTP (Hypertext Transfer Protocol) allows communication between different systems―like your browser and a web server―so you can view web pages or transfer data. HTTP moves data in plain text, so it is unsecured and readily available for anyone to read.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP with an added layer of security. It uses SSL (Secure Sockets Layer) certificates to encrypt the information flowing between your browser and the server, protecting sensitive information from being stolen.
When a website is secured, HTTPS appears in the URL through an SSL certificate. This is indicated by a lock symbol in the browser bar.
You can click on that little lock to see the certificate information, which provides more details, including who the cert is issued to (website owner), who it’s issued by (the certificate authority), and the valid from/to dates.
The extra layer of security in HTTPS comes from the TLS (Transport Layer Security) protocol. TLS is simply an updated, more secure version of SSL. Nine times out of ten you will hear security certificates referred to as SSL, mostly because it’s the term people are used to.
In a nutshell, a browser reaches out to a server and a “handshake” takes place. During the handshake, the server sends the client its SSL certificate, which contains the public half of an asymmetric key pair; the matching private key stays on the web server. The keys agreed in this way are what ensure that all data in the stream is encrypted.
HTTPS uses two types of end-to-end encryption, which we’ll now examine in finer detail.
Asymmetric encryption is known as public-key cryptography. A public key is used to encrypt the data, while a private key is being used to decrypt the data. The two keys are connected and are actually very large numbers with certain mathematical properties. If you encode a message using a person’s public key, they can decode it using their matching private key.
Symmetric encryption is when only one key is being used to encrypt and decrypt the data. The entities will share the same key during communication for encrypting and decrypting the data.
Both TLS and SSL use an asymmetric PKI system. Data encrypted with a public key can only be decrypted with the matching private key, and vice versa.
Private keys should be kept very securely and never distributed or made accessible to anyone other than the website owner.
Public keys can be distributed to anyone who needs to decrypt information that was encrypted with the private key.
The client creates a session key using a key-generation algorithm, encrypts that session key with the server’s public key, and sends it to the server.
The server will use the asymmetric private key to decrypt the encrypted session key and will get the session key. The browser will use the session key for encrypting and decrypting the data for the session.
Now the data is secured as the session key will be known by the client and server. Once the session has expired, the process will be repeated again, since the session key will no longer be valid.
Today we use the AES encryption algorithm, which was adopted and published as the federal standard by The National Institute of Standards and Technology (NIST).
Advanced Encryption Standard (AES) uses a single key as part of the encryption process. The key can be 128 bits (16 bytes), 192 bits (24 bytes), or 256 bits (32 bytes) in length. Given that even the fastest computer would take billions of years to try every permutation of a 256-bit key, and that a session key is only valid for a short time, hijacking the session key is extremely difficult. That’s why AES is considered an extremely secure encryption standard.
SSL stands for Secure Sockets Layer, and is the standard technology for keeping an internet connection secure. It safeguards any sensitive data that is being sent between two systems, thus preventing data in the stream from being intercepted by unintended recipients who may have criminal intent.
This is done by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it’s sent over the connection.
This includes anything sensitive or personal, such as names and addresses, logins, emails, credit card numbers, and other financial information. And it extends over FTP, web apps, cloud-based computers, hosting panels (e.g., cPanel), VPNs, intranets, extranets, and DB connections.
To quickly clarify a point: Although the terminology is used interchangeably, and they are intrinsically connected, HTTPS is not SSL. HTTPS is a combination of HTTP and either SSL or TLS. So more accurately, HTTPS is one common instance of SSL.
With that said, let’s move on to SSL certificates.
An SSL certificate encrypts the information that users supply to a site, which basically translates the data into complex code. Even if someone managed to steal the data being communicated between the client and the server, it would be a mess of gibberish impossible to decipher.
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. Once one is installed on a web server, the HTTPS protocol (over port 443) allows secure connections between that web server and a browser.
SSL Certificates bind together:
- a domain name, server name, or hostname
- an organizational identity (i.e., company name) and location
An organization needs to install the SSL Certificate onto its web server to initiate secure sessions with browsers. Depending on the type of SSL Certificate applied for, the organization will be vetted at the appropriate level.
Once HTTPS is installed, all traffic and communication between the web server and the web browser will be encrypted and secure.
SSL certificates are used for encryption and validation.
Encryption ensures that traffic cannot be tampered with by eavesdroppers and enhances the confidentiality and integrity of the information in any transaction. Validation ensures that the two communicating parties are actually who they say they are.
SSL certificates are categorized by the level of validation provided, and the number of domains or subdomains under the certificate.
Certificates are processed by a Certificate Authority (CA), using software specifically designed for running and granting these certificates.
The encryption levels are the same for each type of certificate, meaning, none are less secure than the others. The difference between them is in the vetting and verification processes needed to obtain them, the assurance value that comes with that, and the type and number of domains that are included.
SSL certificates fall into two categorical areas:
- Validation Level
- Number of Domains
The SSL Certificate Validation Levels are:
- Domain Validated (DV)
- Organization Validated (OV)
- Extended Validated (EV)
The SSL Certificates by Number of Domains are:
- Single-name
- Multi-domain (SAN/UCC)
- Wildcard
We’re going to get into a more detailed description of each of these certificates, along with some basic suggestions on who they’re best for, as well as a broad idea of associated costs. (Pricing is ballpark, as it varies not only by type, but by the vendor it’s purchased from.)
Domain validation SSL certificates are the lowest level of validation. The Certificate Authority simply verifies that the organization has control over the domain concerned. Verification is usually done via email, by making a change to a DNS record, or by uploading a file supplied by the CA to the domain. The whole process usually takes a few minutes to a few hours.
DVs are often used by blogs or informational websites that primarily entertain or inform.
Cost is free to minimal. DV certificates are one of the least expensive to get.
OVs provide a medium level of validation. This certificate’s primary purpose is to encrypt sensitive information during transactions, and to validate business credibility with a high-level of assurance. The Certificate Authority validates the ownership of the domain along with organization information (like name, city, and country), which usually takes a few days.
OVs are often required for commercial and public-facing websites that collect and store their customers’ information. Ideal if you sell merchandise or provide paid services online.
Cost is mid range. OV certificates fall between DVs and EVs in price.
EVs are the highest-ranking SSL certificate type. For these, the CA validates the ownership, organization information, physical location, and legal existence of the company. It also checks that the organization is aware of the SSL certificate request before approving it. Documents are required to certify the company identity along with many checks. This usually takes a few weeks.
Web security experts recommend EVs for sectors like e-commerce, banking, social media, healthcare, government, and insurance businesses. Basically, any entities that handle user payment details or large quantities of sensitive information should get an EV cert.
Cost: Expensive. EVs are the priciest to get.
An SSL certificate may be associated with one or more domains (aka, hostnames). Once it has been issued, it’s not possible to change its name type (e.g., switch from a single-name to a wildcard name).
Just like it sounds, this SSL certificate protects a single domain/hostname. The single name certificate is only valid for the domain specified with the certificate.
However, if you secure a single-name certificate for www.myspecialsite.com, most certificate authorities will issue the signed certificate with an entry in the field for myspecialsite.com as well. Browsers will then trust the certificate with or without preceding www.
Multi-domain SSL Certificates have changed a lot over the years. Originally created to support new-at-that-time Microsoft platforms, they are also known as Subject Alternative Name (SAN) certificates and Unified Communication Certificates (UCCs).
A multi-domain SSL certificate allows adding, editing, and deleting the domains covered by the current certificate. They are available for DV, OV, and EV types.
Wildcard SSLs ensure that if you buy a certificate for one domain, you can use that same certificate for subdomains. Thus, you secure a base or primary domain along with unlimited subdomains.
Because wildcards cast a larger net than traditional single-name certificates, their benefit is three-fold:
- It reduces the work for the certificate owner to cover the number of subdomains associated with their domain.
- It allows much greater flexibility in adding new subdomains to existing sites than alternative options.
- It tends to be cheaper than if you had purchased a separate certificate for each subdomain.
Wildcard SSL certificates only secure subdomains at one level of the URL. Things get more complicated as you get to the second and third levels of the URL. If you want to secure multiple levels, you’ll either need to use multiple wildcards or a multi-domain wildcard certificate, which can also function as a multi-level wildcard.
The wildcard certificates use an asterisk symbol to indicate the subdomain.
If you purchase a wildcard certificate for *.myspecialsite.com, you can use it for any first-level subdomain, that is, a single label placed directly in front of myspecialsite.com.
However, you can’t use it for subdomains nested a further level down (a label placed in front of one of those first-level subdomains).
Any attempt to serve multiple, grouped subdomains with the certificate will result in a security warning in most browsers.
The cost for wildcard certificates is commensurate with OV or DV prices, depending on which one is opted for. EVs are not available for wildcard SSL certificates.
You can associate multiple domains to an SSL certificate using two different attributes:
- the Common Name (CN)
- the Subject Alternative Name (SAN)
The Common Name allows specifying a single entry (either a wildcard or single-name), while the SAN extension supports multiple entries.
In theory, every certificate issued today is effectively a SAN certificate, as the CA requires adding the content of the common name to the SAN as well. Even if the certificate covers a single name, it will still use the SAN extension and include that single name.
In practice, the terms “SAN certificates” and “multi-domain certificates” are synonymous, and generally indicate a certificate product where issuers can associate more than one domain by specifying the content of the SAN (directly or indirectly).
Any number of different domain names can be included in the SAN field of the certificate, enabling it to work on any of the included domain names.
Unlike a wildcard, a UCC can cover a relatively high volume of domains. A wildcard certificate can only cover one domain, which will include a given number of subdomains for the portion of the domain name represented by the wildcard asterisk in the certificate.
Some providers can include wildcards in the SAN field, or issue an EV, multi-domain certificate. This allows protection for up to 100 domains with the help of the same certificate.
This can provide significant cost savings in many situations.
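A way to see the wildcard and SAN rules from the preceding sections in working code, added here and not taken from the article: NameMatches implements the one-label wildcard rule for *.myspecialsite.com, CertCovers walks every listed name the way a browser walks the SAN extension, and StdlibAgrees cross-checks each decision against Go’s own crypto/x509 hostname verifier. The name list and the hostnames are constructed for the example; no real certificate is parsed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// NameMatches applies the rule browsers use for one name on a certificate:
// an exact, case-insensitive match, or a wildcard whose "*" is the whole
// leftmost label and stands in for exactly one label of the hostname.
func NameMatches(certName, host string) bool {
	certName = strings.ToLower(strings.TrimSuffix(certName, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(certName, "*.") {
		return certName == host
	}
	suffix := certName[1:] // "*.myspecialsite.com" -> ".myspecialsite.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	covered := strings.TrimSuffix(host, suffix) // what the "*" would have to cover
	// Exactly one non-empty label: a dot means a deeper level (sub.blog.*),
	// and an empty string means the bare domain, which a wildcard never matches.
	return covered != "" && !strings.Contains(covered, ".")
}

// CertCovers asks whether any name on the certificate (the SAN entries, into
// which CAs also copy the Common Name) matches the hostname the visitor typed.
func CertCovers(names []string, host string) bool {
	for _, n := range names {
		if NameMatches(n, host) {
			return true
		}
	}
	return false
}

// StdlibAgrees cross-checks the same decision with Go's crypto/x509 verifier,
// using a bare certificate that carries only the SAN DNS names.
func StdlibAgrees(names []string, host string) bool {
	cert := &x509.Certificate{DNSNames: names}
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Constructed example: a wildcard certificate that also lists the bare domain.
	names := []string{"*.myspecialsite.com", "myspecialsite.com"}
	for _, host := range []string{
		"blog.myspecialsite.com",     // first-level subdomain: covered
		"www.myspecialsite.com",      // first-level subdomain: covered
		"myspecialsite.com",          // bare domain: covered only because it is listed
		"sub.blog.myspecialsite.com", // second level: not covered, browser warning
		"notmyspecialsite.com",       // different domain that merely ends the same way
	} {
		fmt.Printf("%-28s ours=%-5v x509=%v\n", host, CertCovers(names, host), StdlibAgrees(names, host))
	}
}
```

Two details worth noticing: the wildcard alone does not cover the bare domain, which is why issuers add it as a separate SAN entry, and a name that merely ends in the same characters (notmyspecialsite.com) is rejected because the match is on whole labels, not on a string suffix.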
SSL Certificates are always a good investment, however, it’s important to think about which one will best suit your business needs.
Here are a few items to ponder when deciding which type of SSL certificate to get:
- Number of domains
- Level of assurance required for your business & clientele
- Budget considerations
- Issuance time
A standard SSL certificate will usually suffice for the majority of individuals and businesses. If you’re in the finance or insurance sector (regulated industries), or require PCI compliance, prioritized email support, or enterprise-grade security/performance, you’ll likely need an OV or EV.
There are also different kinds of encryption that you may come across when searching through Certificate Authorities:
- Rivest-Shamir-Adleman (RSA) – Named for the surnames of its creators, it’s the most common form of encryption and comes in 128-bit, 256-bit, and 2048-bit encryption.
- Digital Signature Algorithm (DSA) – Government standard of encryption necessary for sites which are required to meet this criterion.
- Elliptic Curve Cryptography (ECC) – The most powerful form of encryption of the ones that are most commonly used.
The larger the key size, the better the security. ECC is stronger than RSA bit for bit, though, so an ECC 256-bit certificate is stronger than an RSA 2048-bit certificate.
The difference between RSA and DSA is that RSA is faster at validating signatures (the encrypted keys used in the process of issuing an SSL certificate) but slower at creating them. DSA is the opposite: faster at creating signatures, but slower at validating them.
The validity period of a certificate is also a key consideration. Most purchased, standard SSL certificates are available for one to two years by default. You can get a more advanced type with extended time periods, if you feel the need.
The cost of purchasing SSL certificates varies, but you can get DVs for free, or pay per month to obtain a custom certificate.
For more recommendations on the kind of certificate you need, check out this article.
That concludes our in-depth coverage of domain security terminology and types. Next up is the all-important topic of how to make a website HTTPS.
So we know what HTTPS & SSL are, and understand their utmost importance. Let’s look into what’s involved in procuring and implementing them.
SSL certificates are also obtainable at no cost. There are currently several free SSL certificate providers online, such as ZeroSSL and SSL for Free. Our personal recommendation goes to the highly trusted and very popular, Let’s Encrypt.
Let’s Encrypt is a Certificate Authority that offers free SSL certificates. They offer the DV type only, and these expire every 90 days, so you will need to keep up with regular renewals. To do this, you could use the Certbot ACME client, which automates this process with relative ease, and provides instructions on how to do so. You should also use a service such as WP Force SSL that’ll monitor your SSL certificate in real time and email you if it’s not renewed on time.
Many top hosting providers have partnered with Let’s Encrypt to make installing SSL certificates a painless process for website owners. (Hey! WPMU DEV is one of them.😃) If your hosting provider offers Let’s Encrypt support, they can provision a certificate on your behalf, install it, and keep it up-to-date.
While the Let’s Encrypt SSL certificates are free, hosting providers are absorbing the administrative and management costs to provide those certificates (obtaining them, implementing them, and keeping them valid through regular renewals). However, that should be part of what they offer you in hosting value, not something for which they charge additional fees.
Case in point: Let’s Encrypt currently recommends that you don’t get their SSL certs through GoDaddy hosting. This is because GoDaddy offers automated renewal with their own certificates only―as an added-cost feature. (At WPMU DEV hosting, we will never tack on fees for SSL cert renewals.)
If your hosting provider doesn’t integrate Let’s Encrypt, but does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. Check out Certbot’s documentation for more on how to do this. Or, see this helpful tutorial from The SSL Store on cPanel installation.
To give you an idea how easy installing an SSL certificate through a hosting provider is, we’ll do a quick walk through of one now.
The specifics on this will of course depend on who you host with, as the finer points of SSL certificate provisioning are unique to each company.
I’ll share how WPMU DEV’s process works since I’m hosting with them.
Any time a new site is created with a temporary tempurl.host domain, or a custom domain added to any existing site, WPMU DEV automatically provisions and installs a regular SSL certificate for it.
For most sites, this happens in a matter of minutes, but can take up to a couple of hours. The wait time is based on how quickly your DNS settings take to propagate around the world.
As soon as the certificate is added to a site, WPMU DEV forces all traffic over HTTPS only.
For a single site certificate, that’s it! You’d be all done.
If you want to get free wildcard SSL certificates for both subdomain and subdirectory multisite networks as well through WPMU DEV, you absolutely can. Even if you have a subdirectory multisite, you can map subdomains to subsites in it, and have them all covered by the same wildcard certificate.
A subdomain multisite can be developed without a wildcard certificate, but make sure you take the network live, or your subdomains will show a security error when visitors attempt to access them.
To generate a free wildcard certificate, you only need to add a single record to your primary domain’s DNS, then recertify the SSL.
Locate the row of your custom added domain that you want to use as primary, and hover your cursor over the 3-dots menu icon; you’ll see a regular certificate has been automatically provisioned. There is a prompt there to remind you that if you want to use a wildcard certificate instead, you need to add the required CNAME to the DNS records of your domain.
Once the required CNAME has been added, hover again over the 3-dots menu icon, and click on the Recheck ACME option from the dropdown. The system will automatically verify the DNS, and generate the wildcard certificate for that domain.
To get the info you need to add to your domain’s DNS, scroll down to the bottom of the screen to find the site’s DNS records. Locate the CNAME record (needed only if you want a wildcard SSL certificate), which has two parts: a hostname of _acme-challenge, followed by the actual record value.
The hostname and the record must be copied to your domain name system. If your DNS is connected to the Hub 2.0 DNS Manager, follow the guide to quickly update it.
If your DNS is managed elsewhere, such as your domain registrar, refer to our Registrar Guides documentation, which covers a selection of popular providers.
That’s it! Domain security → activated. 💪
If your hosting provider handled the switch, chances are that nothing will be amiss.
If you did your own installation, or your host didn’t quite seal the deal, it’s possible to encounter some issues.
We’ll take a look at the most common one, and how to find and fix it.
Mixed content warnings happen when your site has incorrectly assessed images and/or content as insecure. Basically, both HTTP and HTTPS content are being loaded to display the same page, while the initial request was secure over HTTPS.
Should this happen, your first clue will be visual. Images and content that had appeared normally will now seem to be non-existent or broken. It will also prevent the padlock (indicating your site is secure) from showing in a visitor’s browser.
There are two types of mixed content:
- Passive – these are resources whose impact on the page’s overall behavior is more minimal, such as images, audio, and video. Browsers will load passive mixed content, but will likely change the HTTPS indicator.
- Active – these are resources that can change the page’s behavior or read its contents, such as scripts, stylesheets, iframes, and fetch/XHR requests. Browsers block active mixed content outright rather than loading it.
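As an added example (not from the article or from the plugin it goes on to recommend), here is a small Go scanner that does the first pass a browser console does: it pulls src/href/action/data attributes out of a page’s HTML, reports the ones still pointing at http://, and labels each as active or passive using the two categories above. The HTML in samplePage is constructed and every hostname in it is a placeholder; the regular expression is deliberately simple and does not see inline CSS url() values or URLs a script builds at runtime, which is exactly where the browser console still wins.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one resource that an HTTPS page still requests over plain HTTP.
type Finding struct {
	Tag, Attr, URL string
	Active         bool
}

// activeTags lists elements whose insecure resource can run code, restyle the
// page or carry user input elsewhere; browsers block these. Anything else the
// scanner finds (img, audio, video, source) is passive: loaded, but the page
// loses its padlock.
var activeTags = map[string]bool{
	"script": true, "link": true, "iframe": true, "object": true, "embed": true, "form": true,
}

// tagRe captures an element name and the value of its src/href/action/data attribute.
var tagRe = regexp.MustCompile(`(?i)<([a-z0-9]+)\b[^>]*?\s(src|href|action|data)\s*=\s*["']?([^"'\s>]+)`)

// FindMixedContent returns every http:// resource reference in the page.
// Plain navigation links (<a>, <area>) are skipped: following a link is not
// mixed content. Protocol-relative "//host/..." URLs inherit https and are fine.
func FindMixedContent(html string) []Finding {
	var out []Finding
	for _, m := range tagRe.FindAllStringSubmatch(html, -1) {
		tag, attr, url := strings.ToLower(m[1]), strings.ToLower(m[2]), m[3]
		if tag == "a" || tag == "area" || !strings.HasPrefix(strings.ToLower(url), "http://") {
			continue
		}
		out = append(out, Finding{Tag: tag, Attr: attr, URL: url, Active: activeTags[tag]})
	}
	return out
}

// Summarize counts how many findings the browser would block (active) versus
// merely flag (passive).
func Summarize(findings []Finding) (active, passive int) {
	for _, f := range findings {
		if f.Active {
			active++
		} else {
			passive++
		}
	}
	return active, passive
}

// samplePage is a constructed page; every hostname in it is a placeholder.
const samplePage = `<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="https://cdn.example.test/app.js"></script>
<script type="text/javascript" src="http://cdn.example.test/old-tracker.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png" alt="logo">
<img src="//cdn.example.test/hero.png" alt="hero">
<a href="http://example.test/about">About us</a>
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>`

func main() {
	findings := FindMixedContent(samplePage)
	for _, f := range findings {
		kind := "passive"
		if f.Active {
			kind = "active"
		}
		fmt.Printf("%-7s <%s %s=...> %s\n", kind, f.Tag, f.Attr, f.URL)
	}
	active, passive := Summarize(findings)
	fmt.Printf("%d active (blocked), %d passive (loaded but flagged)\n", active, passive)
}
```

On the sample page the stylesheet, the old tracker script and the iframe come out as active (the browser refuses them, so the page looks broken), while the logo image is passive (it loads, but the padlock is gone); the https:// script, the protocol-relative image and the ordinary link are correctly left alone.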
To fix this, you need to make sure WordPress SSL is set to display mixed content.
SSL Insecure Content Fixer is a highly used, highly rated WordPress plugin, designed for this specific purpose.
Using the SSL Insecure Content Fixer plugin will solve most insecure content warnings with little to no effort. The remainder can be diagnosed with a few simple tools.
Upon installation, SSL Insecure Content Fixer’s default settings will automatically perform some basic fixes on your website, using their Simple fix level. You can select more comprehensive fix levels as needed by your website.
You’ll get a network settings page if you use WordPress Multisite. Through this you can change settings for all sites within a network, if you have requirements differing from the network defaults.
WebAware has a fantastic walk-through resource on their site, which is basically the below bullet points, expanded on in great detail. Here are the top-level steps:
- Install & activate the plugin on your website
- Run the test tool (to verify that WordPress can detect HTTPS)
- Select the appropriate fixer settings for your content
- Test your website (with a browser tool or online test)
- Clean up your HTTPS insecure content warnings
If you prefer, you can investigate what’s causing insecure mixed content warnings by checking your web browser’s error console. See the following:
- Firefox has the Web Console
- Internet Explorer has the F12 Tools Console
- Safari has the Error Console
Make sure to refresh your page after opening your browser’s console, so it loads the insecure content again and logs any warnings to the error console.
There are two other free tools that will report problems with your website. They can be more detailed than the browser consoles, and provide suggestions for resolving found issues.
These testing websites are both great for diagnosing certificate problems, and producing clean, clear reports.
Whynopadlock.com looked for insecure mixed content as well, which is just what we wanted here.
SSLlabs.com, in particular, had tons of material, just not for mixed content. Potentially valuable though, so worthy of a look-see sometime.
If you’ve gone with a reputable host for implementing SSL on your sites, you shouldn’t have to worry about any issues. Either they won’t exist to begin with, or the support team will quickly resolve any that crop up. (WPMU DEV excels in support, and we’re available 24/7/365. If you’re looking, try us with a no-risk free trial.)
A more thorough understanding of what SSL does definitely gives a deeper appreciation of the multi-level impact it makes.
Considering all of the pluses it offers, putting HTTPS into place across all of your sites is a no-brainer. Businesses who want to become or remain successful can’t afford to be without the digital force field that SSL provides.
As you’ve seen in this article, there are some great options for getting SSL protection. The fastest and easiest is to align with a solid host who takes care of this for you. There’s also the option of tinkering in your own WordPress files, if you enjoy that sort of thing.
However you get your HTTPS on, do it, and do it now. You’ll sleep better knowing your customers’ data (and your business reputation) is safe and sound. Then you can catch ZZZ’s instead of hackers’ fees. Or count what you’ve reaped instead of sheep.