The Ultimate Guide to Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
If there’s one thing we will never stop talking about, it’s website security. We go on about it so much because it’s quite possibly the most important aspect of running a website. However, it’s equally critical that your users understand how secure your site is.
One way of ensuring that your users know to trust you is by offering them a secure connection through Hypertext Transfer Protocol Secure (HTTPS). This is a safer way of passing encrypted data between visitors’ browsers and your site’s server. To use HTTPS, you will need to purchase a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate, which proves that your site is safe.
In this guide, we’ll teach you all about HTTPS and explain why you need to use it on your site. We’ll also cover the different types of SSL/TLS, and show you how to purchase a certificate and set it up. Finally, we’ll talk about how this is all made easier with DreamHost. Let’s go!
Intro to Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
The phrases Secure Sockets Layer (SSL) and Transport Layer Security (TLS) might not mean much if you’re unfamiliar with the concepts involved. Without getting too technical, these are certificates you can add to your site that create encrypted connections between browsers and web servers. When you visit a site that uses a connection certified with SSL or TLS, only that particular site can access any data you send.
Before we go any further, let’s clear up some terminology.
SSL is actually the predecessor to TLS and is now considered outdated and unsafe. However, the acronym ‘SSL’ is often used interchangeably when referring to either type of certificate. As such, in this article we’ll be referring to both as simply ‘SSL/TLS’.
To set up SSL/TLS, you’ll need to install a certificate on your site. This will ensure that connecting to your site is safe. In practice, this means it will use the Hypertext Transfer Protocol Secure (HTTPS) protocol for establishing connections. You may recognize this as the secure version of the standard HTTP that many websites still use.
We realize that this may already sound a little complex, so let’s summarize the basics. SSL/TLS enables you to deliver your site using HTTPS, which ensures a secure, private connection between your site and your users. If a site’s URL uses http://, it is not secured with SSL/TLS, but it is if it uses https:// — and you need an SSL/TLS certificate to make that happen.
Be awesome on the internet. Join our monthly newsletter to get tips for making the most out of your online presence.
Why It’s Important to Get an SSL/TLS Certificate for Your Site
As we mentioned above, SSL/TLS is used to create a secure, encrypted connection to a website. This means that all data between the visitor’s browser and the site’s server can only be decrypted by the target site.
In other words, nobody can intercept or access the transferred data. This protects against so-called man-in-the-middle attacks. Attacks of this variety use unsecured connections to access data during the transfer process and then try to steal or change that data along the way.
Thankfully, using the HTTPS protocol ensures that these kinds of attacks are less likely. For that reason, not using HTTPS and lacking an SSL/TLS certificate can make your site appear unsecured. In fact, starting in July 2018, Google Chrome began listing sites that only use HTTP as not secure.
The end results of this include a loss of trust from Google itself, which can lead to a decrease in your search rankings. Plus, new and old visitors alike will become more wary of your site. If their browsers inform them your site is potentially unsafe, you’re likely to see a loss in traffic. Using HTTPS is, therefore, a primary concern.
How to Tell if Your Website Is Already Using SSL/TLS
Before we proceed, let’s see if your site already has a valid SSL/TLS certificate installed. Thankfully, this is a pretty simple process, which you can start by opening your website in any browser. We’ll be using Google Chrome, so if you’re using a different browser things will look a little different than they do in our examples.
Start by checking the address bar at the top of your browser to see if your site uses http:// or https://. You may also see a colored padlock next to the URL. If the color is red, then your site does not use SSL/TLS. However, if your site is secured with SSL/TLS, you may see a green padlock.
However, not all SSL/TLS-certified sites show this icon, as its presence depends on the type of validation used (more on this later). For example, some SSL/TLS certificates will cause a simple grey icon to appear instead.
This essentially means that the site may not be secure, but the browser can’t determine for sure either way.
If your site does not appear to be secured with SSL/TLS, you might still have a certificate. However, it has most likely expired, which you can check by clicking the warning icon next to the URL.
Here, you can click on the Certificate link to see more information. For example, we can see that this site does have an SSL/TLS certificate, but it has expired.
Finally, it is also possible that you do have a valid, up-to-date SSL/TLS certificate, but your site does not default to using it. In that case, you’ll need to force your site to redirect to HTTPS.
The Different Types of SSL/TLS Certificates
If you’ve determined that your site doesn’t have an SSL/TLS certificate yet, it’s time to fix that by purchasing one. Before you do that, however, you need to know what kind of certificate you’re looking for.
SSL/TLS certificates come in many forms, all of which have their unique pros and cons. To acquire one, your site will need to be verified by a Certificate Authority (CA). Depending on the type of SSL/TLS certificate you decide to buy, your site will need to be checked for different information.
The kind of certificate you should get depends largely on your requirements and budget. Let’s run through the different categories now to help you find the option that works best for you:
- Domain Validation (DV). This type of certificate requires you to prove that you have the right to use a specific domain. This makes it the least secure option. It’s also the cheapest type of SSL/TLS certificate, however, and you might even be able to acquire one for free. You can also usually get one approved very quickly — even within minutes. This is recommended for smaller sites that don’t handle sensitive data, such as blogs or portfolios.
- Organization Validation (OV). This is a more secure option, which requires a more thorough check of your website. The CA will vet your organization to ensure that you are legitimate and trustworthy. As such, this is also slightly more expensive and will take a little longer to acquire. However, this type of certificate is recommended for larger sites that handle user data and purchasing.
- Extended Validation (EV). This is the most secure option but also the most costly and time-consuming. Acquiring extended validation requires a thorough vetting process and is usually considerably more expensive than the previous option. This also means that it takes the longest time to be approved. This type of certificate is geared towards very large, high-traffic sites, such as e-commerce businesses and official government sites.
As we pointed out earlier, the type of SSL/TLS certificate you need is entirely dependent on your site’s purpose and requirements. We recommend that you read more on the different certificate levels to be sure you’re picking the right option.
Where to Get an SSL/TLS Certificate for Your Website
So at this point, you know that you need an SSL/TLS certificate. What’s more, you have an idea of what type your site requires. All that’s left is to actually make a purchase.
If you like, you can get an SSL/TLS certificate straight from many CAs, such as GlobalSign. In addition, some hosting providers also offer them, either as free ‘extras’ or bundled in with their paid plans.
At DreamHost, SSL/TLS certificates can be easily added to your site, right from your control panel! Let’s take a look at each one:
- Comodo-verified SSL/TLS. This is a DV certificate that costs $15 per year. It will ensure that your site appears in browsers as fully secured. That makes this the best option for commercial sites, or sites that handle sensitive data.
- Let’s Encrypt SSL/TLS. This is yet another free DV certificate, but one that is more secure than the previous option. In fact, the Let’s Encrypt certificate is almost as secure as Comodo. As such, it’s ideal for smaller sites that don’t handle much personal data, such as blogs.
If you already have a DreamHost account, you can acquire one of these certificates by navigating to Panel > Domains > SSL/TLS Certificates in your control panel. Here you’ll see all your domains and the available SSL/TLS options.
Click the Add button next to your domain name, and then you’ll be taken to a screen to where you’ll be able to choose between a free Let’s Encrypt SSL Certificate or a paid Comodo DV Certificate. When you’ve decided which option is best for your site, click Select this Certificate.
Your DreamHost site will now be protected by SSL/TLS (please allow 15 minutes for the changes to be pushed to the server).
However, what if you want to use an SSL/TLS certificate you’ve already purchased elsewhere? Before we wrap up this article, let’s look at how that process works.
How to Install an SSL/TLS Certificate on Your WordPress Website (2 Options)
If you’ve bought an SSL/TLS certificate from an external CA, you’ll need to connect it to your site and install it. The process for doing this can vary depending on your site, your web host and the specific certificate you’ve chosen.
However, there are two basic methods for installing an SSL/TLS certificate — using a plugin and through your hosting provider. Let’s look at how each technique works in turn.
Option 1: Install the Really Simple SSL Plugin
Really Simple SSL is a plugin that lives up to its name. It will perform the entire installation and activation process for you. All you need is an SSL/TLS certificate, and this plugin handles pretty much everything else.
Start by installing and activating Really Simple SSL on your WordPress site. When you’ve done that, a message will appear in your dashboard, with some additional information about what you need to do before activating SSL/TLS. Make sure you complete all of these steps before you proceed.
If your site already has a connected SSL/TLS certificate, you will see the option Go ahead, activate SSL! If you click on that button, the plugin will install and activate your certificate.
However, if you have not added SSL/TLS via your web host, you’ll see a message informing you of that fact.
You will need to return to your host’s dashboard or control panel, and follow their specific guidelines for adding your certificate. Once you’ve done that, you can return to your WordPress dashboard and activate your SSL/TLS certificate as described above.
Option 2: Use the DreamHost Control Panel
We’ve already shown you how DreamHost makes it easy to purchase and activate an SSL/TLS certificate straight from your control panel. You can actually use a similar process to add a third-party certificate as well. To do this, you’ll need to log in to your account and navigate to Panel > Domains > SSL/TLS Certificates.
Select the Import a Certificate tab. On this screen, you’ll be able to install a third-party SSL/TLS certificate on your site. Make sure you have that certificate ready, then select that option.
You will need to add the SSL/TLS certificate itself, along with your private key and the certificate signing request. If you have an intermediate certificate, you will also need to add that information here. It’s important that these all come from the same CA and were purchased simultaneously, otherwise, they will not be compatible.
Also, make sure that you include everything when you add in this information. For example, when you paste in your certificate, you should also include the lines —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– at the beginning and end respectively.
When you have added all the necessary details, click on Save changes. If the SSL/TLS certificate is valid and you’ve entered everything correctly, it will now be active on your site.
You can test to make sure that the process worked correctly, by using the method we showed you earlier. Simply access your site in a browser and ensure that it uses https:// and has a green padlock next to the URL (if relevant). If it does, you’ve successfully added SSL/TLS to your WordPress website!
Your Site’s Got Layers
Keeping your website secure is an ever-present consideration, and it’s equally important to ensure that your users know they can trust you. By adding an SSL/TLS certificate to your site and forcing secure connections through HTTPS, you protect yourself and your users, while making sure everybody knows your site is safe to use.
Fortunately, there are several different types of SSL/TLS certificates available from many different CAs. Finding a certificate that matches your requirements shouldn’t be difficult, once you know what you need. You may even be able to get one through your web host. What’s more, installing an SSL/TLS certificate is also a breeze, thanks to WordPress and DreamHost.
Do you have any questions about how to add SSL/TLS to your WordPress site? Let us know!