If you collect any important information on your website (including emails and passwords), you need to protect it. One of the best ways to do so is to enable HTTPS with a certificate, also known as an SSL (Secure Sockets Layer) certificate, so that all information going into and out of your server is automatically encrypted. HTTPS prevents attackers from reading your users' confidential information as it travels over the Internet. Visitors will feel secure when they see HTTPS while accessing your site - knowing that it is protected by a security certificate.
Advantages of HTTPS Certificate
The best thing about an SSL certificate for HTTPS is that it's easy to configure, and once that is done, you only need to direct people to use HTTPS instead of HTTP. If you try to access your site by placing https:// in front of your URLs right now, you will receive an HTTPS certificate error message. This is because you have not installed an SSL certificate yet. But don’t worry - we’ll do the setup now!
What is HTTPS?
HTTP or HTTPS is displayed at the beginning of each website URL in a web browser. HTTP stands for Hypertext Transfer Protocol, and the S in HTTPS stands for Secure. In general, this describes the protocol by which data is sent between your browser and the website you are viewing.
An HTTPS certificate ensures that all communication between your browser and the website you are viewing is encrypted. This means that it is safe. Only the sending and receiving computers can see the information during data transfer (others can access it, but cannot read it). On secure sites, the web browser displays a lock icon in the URL area to notify you.
HTTPS should be on any website that collects passwords, payments, medical information or other sensitive data. But what if you can get a free and valid SSL certificate for your domain?
How does website protection work?
To enable HTTPS, you need to install an SSL (Secure Sockets Layer) certificate. It contains the public key, which is necessary to securely start a session. When an HTTPS connection to a web page is requested, the site sends its SSL certificate to your browser. The browser and the site then initiate an “SSL handshake,” which involves sharing “secrets” to establish a secure connection between your browser and the website.
Standard and Extended Validation SSL
If the site uses a standard SSL certificate, you will see a lock icon in the browser URL area. If an Extended Validation (EV) certificate is used, the address bar or URL will be green. EV SSL standards exceed standard SSL requirements. EV SSL provides domain owner identification. Obtaining an EV SSL certificate also requires applicants to go through a rigorous evaluation process to verify their authenticity and ownership.
What happens if I use HTTPS without a certificate?
Even if your website does not accept or transmit sensitive data, there are several reasons why you might want to have a secure website and use a free and valid SSL certificate for your domain.
Performance. SSL can improve the time it takes to load a page.
Search Engine Optimization (SEO). Google’s goal is to keep the internet safe and secure for everyone, not just those using Google Chrome, Gmail, and Drive, for example. The company said that security will be a factor in how they rank sites in search results. So far this is not enough. However, if you have a secure website and your competitors do not, your site may get a higher rank, which may be necessary to increase its popularity from the search results page.
If your site is not secure and it collects passwords or credit cards, then users of Chrome 56 (released in January 2017) will see a warning that the site is unsafe. Visitors who are not familiar with the technology (most website users) may be alarmed to see the “HTTPS certificate error” window and leave your site simply because they don’t understand what it means. On the other hand, if your site is protected, this can make visitors more at ease, which will increase the likelihood that they will fill out a registration form or leave a comment on your site. Google has a long-term plan to show all HTTP sites as insecure in Chrome.
Where can I get a free HTTPS certificate?
You get an SSL certificate from a certification authority. Such certificates are valid for 90 days, but renewing them every 60 days is recommended. Some reliable free sources:
- Cloudflare: free for personal sites and blogs.
- FreeSSL: free for non-profit organizations and startups at the moment; you cannot be a client of Symantec, Thawte, GeoTrust, or RapidSSL.
- StartSSL: certificates are valid for 1 to 3 years.
- GoDaddy: certificates for open source projects, valid for 1 year.
The type of certificate and its validity depend on the source. Most authorities offer standard SSL certificates for free and charge a fee for EV SSL certificates if they provide them. Cloudflare offers free and paid plans and various additional options.
What to consider when obtaining an SSL certificate?
Google recommends a certificate with a 2048-bit key. If you already have a weaker 1024-bit certificate, it recommends updating it.
You will need to decide whether you need a single-domain, multi-domain or wildcard certificate:
- A single certificate is used for one domain (for example, www.example.com).
- A multi-domain certificate is used for several well-known domains (for example, www.example.com, cdn.example.com, example.co.uk).
- A wildcard certificate is used for a secure domain with many dynamic subdomains (e.g. a.example.com, b.example.com).
How to install SSL certificate?
Your web host can install the certificate for free or for a fee. Some hosts offer the option of installing Let's Encrypt from their cPanel account, which simplifies the work. Ask your current host or find one that offers direct support for Let's Encrypt. If the host does not provide this service, your website service company or developer can install a certificate for you. Be prepared to renew the certificate very often. Check the certificate's validity period.
What else needs to be done?
After receiving and installing the SSL certificate, you need to force the use of SSL on the site. Again, you can ask your web host, service company or developer to complete this action. However, if you prefer to do it yourself, and your site is powered by WordPress, you can do this by downloading, installing, and using a plugin. With the latter option, be sure to check compatibility with your version of WordPress.
Two popular plugins for forcing the use of SSL: Simple SSL and WP Force SSL. Be sure to back up your site and be very careful when doing this. If you configure something incorrectly, this can have dire consequences: visitors will not be able to see your site, images will not be displayed, and scripts will not load, which will affect how some things on your site function; for example, typography and colors will not be displayed properly.
You need to redirect users and search engines to HTTPS pages using 301 redirects in the .htaccess file in the root folder on the server. The .htaccess file is a hidden file, so make sure your FTP program is set up to show hidden files. In FileZilla, for example, go to Server > Force showing hidden files. Before adding redirects, it is a good idea to back up the .htaccess file. On the server, rename the file temporarily, deleting the period (which is what makes it hidden in the first place), download the file (which will now be visible on your computer as a result of deleting the period), then add the period back to the file name on the server.
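The backup-then-redirect step described above can also be scripted. The following is an added example, not code from the original article: it assumes Apache with mod_rewrite enabled and shell (SSH) access to the web root, and the function name `add_https_redirect` and the marker comment are illustrative.

```sh
#!/bin/sh
# Added example: back up .htaccess, then prepend an HTTP->HTTPS 301 redirect.
# Assumes Apache with mod_rewrite and shell access to the web root.
MARKER='# BEGIN force-https (added example)'

add_https_redirect() {
    docroot=$1
    htaccess="$docroot/.htaccess"
    # Keep the leading dot: Apache's default config refuses to serve ".ht*"
    # files, so the backup is not downloadable from the web root.
    backup="$docroot/.htaccess.bak.$(date +%Y%m%d%H%M%S)"

    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 2; }
    [ -f "$htaccess" ] || : > "$htaccess"

    # Idempotent: a second run must not add the block (or a backup) again.
    if grep -qF "$MARKER" "$htaccess"; then return 0; fi

    cp -p "$htaccess" "$backup" || return 1
    # Prepend, so the redirect is evaluated before any existing [L] rules
    # (for example a WordPress block). Writing in place keeps the file mode.
    {
        cat <<'EOF'
# BEGIN force-https (added example)
<IfModule mod_rewrite.c>
RewriteEngine On
# With TLS terminated by Apache itself, HTTPS is "on" for secure requests.
# Behind a TLS-terminating proxy or CDN the origin sees plain HTTP, so the
# X-Forwarded-Proto check avoids a redirect loop. Rely on that header only
# if the server is reachable solely through the proxy.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END force-https
EOF
        cat "$backup"
    } > "$htaccess"
}

# Usage: sh force-https.sh /path/to/webroot
if [ "$#" -gt 0 ]; then add_https_redirect "$1"; fi
```

To undo the change, copy the `.htaccess.bak.*` file back over `.htaccess`.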
Change Analytics Settings
After completing these steps, you need to change the preferred URL in your Analytics account to the HTTPS version of your domain. Otherwise, your traffic statistics will be off, because the HTTP version of the URL is treated as a completely different site from the HTTPS version. The Google Search Console treats HTTP and HTTPS as separate domains as well, so add the HTTPS domain to your account there. Remember, when you switch from HTTP to HTTPS, if your site has special access buttons, the counter will be reset.