Lately, we’ve been getting more requests from our clients to set up an SSL certificate on their website. An SSL (Secure Sockets Layer) cert is used to encrypt the web traffic between the web server where your website is hosted and your visitors’ browsers.

Why is this important?

When you visit a website, if the web address starts with http://, all the information that your browser sends to the web server and receives is in open text. So for instance, if you log into your WordPress admin panel, your user id and password are transmitted across the internet in clear text that anyone could read. So it’s entirely possible that someone who is watching the web traffic to your website could grab your user id and password as it was sent.

But if you have set up an SSL cert correctly on your web server, the URL becomes https:// (the “s” for “secure”), and all data transmitted back and forth is encrypted. This is especially important if you’re collecting any private data on your website like credit card information. You don’t want someone snagging your client’s credit card information.

I actually just visited someone’s website the other day that was not secure, and it was asking for a credit card to subscribe. Yikes. I backed out and went somewhere else.

Current PCI banking standards require that all credit card transactions are done on a secure website.

But I Don’t Take Credit Cards on My Website

Many websites are informational and don’t actually sell things online. So why would you want to set up an SSL certificate? There is a little bit of effort to get it set up, and it can cost you a couple hundred dollars for the cert plus your web support person’s time if you don’t do it yourself. You probably have a few compelling reasons to go ahead and get it set up anyway.

Security

As mentioned before, it’s remotely possible that someone could sniff your user id and password and gain access to your content management system. If you haven’t changed the login alias, it’s actually pretty easy to find your login id on WordPress. So if I have that information, now all I’d need is your password (if I were a hacker looking to break in).

SEO

Secondly, Google is telling us that setting up SSL on your website is important, and it’s actually a ranking factor. They’ve backed away from all the “usual” SEO factors like links, and so on. But they are telling us we need three things:

  • A mobile-responsive site
  • A fast website (small graphics)
  • A secure website

They want peoples’ experiences to be secure.

Trust

Finally, I personally believe that people are looking for the green padlock in the web browser. It’s a small, subtle sign of trust. This seems to ring true for some of my clients who are getting pushback from their clients because they don’t want to schedule online appointments or interact on the website without it. This is smart. So we’re getting more requests to set it up for our clients.

green ssl padlock example

This is what your clients want to see if your SSL is working.

How Do I Set Up an SSL Certificate?

There’s a little bit of a process to get your website set up with an SSL cert. You don’t just change the web address to https:// and you’re done. In a nutshell, these are the steps you need to take:

  1. Generate a CSR (Certificate Signing Request) from your web host which identifies your web domain and your company information. That gets uploaded to the certificate generating authority.
  2. Obtain a trusted certificate from your domain registrar (like GoDaddy) which will cost you about $200 for 3 years (or more). I prefer to buy the certificate for as long as I can so you don’t have to reinstall the new cert each year when it expires. You can often find a coupon on RetailMeNot to save a few bucks.
  3. Generate and download the certificate files, then upload them to your web host. Some hosting companies let you install them yourself, others like WPEngine takes tech support to get it installed. I did one for a client just this weekend, and within four minutes of the request being sent to WPEngine, they had it done. So it was very fast.
  4. Test all pages on your website for a green padlock. If the https:// version of your web address is working, but you’re not getting a green padlock, you’ve got some more work to do. ALL graphics, files, JavaScript and so on have to load with https:// and not http://. It takes some work to ferret out all the offending code. Why No Padlock is a very useful tool for figuring out what isn’t configured correctly. Here’s an example of one that’s not working correctly (not my client):
ssl certificate not working

This SSL certificate isn’t fully functional (no green padlock), so the browser will block some content.

  1. Redirect all old http:// URLs to https://. This is important because you don’t want a mix of both http:// and https:// URLs getting indexed. They should all be 301-redirected so Google picks up the new addresses, and you preserve your links from other sites.
  2. Finally, make sure you re-validate your new domain with Google Search Console. It won’t affect your Google Analytics, but you have to create a new entry in Search Console and revalidate it. Your data in Search Console will start with that date, so it takes time for Search Console to catch back up again.

Depending on your setup, it can be a bit more complicated than this, but these are the basic steps you have to take. It’s definitely not for the faint of heart or technically challenged to get this done, but it’s not terribly difficult either.

We’ve definitely seen an increase in website traffic since we switched our site. I’m not sure if I can directly attribute it to the SSL cert, but maybe it is. It’s interesting to me that most of my competitors have not set theirs up yet.

Shhh. Don’t tell them, OK?