In our previous post WordPress HTTPS, SSL and TLS – a guide for website administrators, we explained what HTTPS and all the other technical terms are, and how it works. In this article, we discuss HTTPS certificates, the different ways you may acquire one for your WordPress website, and why you should or shouldn’t pay for one. Let’s dive right in.
What is an HTTPS certificate?
Before we can discuss the hows and whys of HTTPS certificates, we need to discuss what a certificate is in the first place. A certificate ties your website's public key to its domain name(s), and a browser uses it to:
- set up encrypted traffic between the web server and the web browser (the encryption itself is done by TLS; the certificate tells the browser which public key belongs to the server, so that only that server can read the connection),
- verify that the web server it is connected to is actually who it claims to be (a means of identification).
An HTTPS certificate (TLS certificate) contains the website's public key, the domain names it is valid for, a validity period, and a digital signature from an entity the browser trusts. That signature is cryptographic proof that the entity vouches for the website's identity. The entity is called a Certificate Authority (CA), and CAs play a crucial role when it comes to HTTPS certificates.
You can think of a Certificate Authority as similar to a “passport office” which independently verifies your identity and provides you with a “passport” (certificate) to prove your identity to others. However, in order for someone (a web browser) to validate your “passport”, they need to trust the “passport office” (Certificate Authority) that issued the “passport” (certificate). Similar to a passport, a certificate has built-in security features that make it difficult to forge: its contents are covered by the CA's digital signature, so they cannot be altered without the CA's private key.
In other words, to serve your website over HTTPS you need a Certificate Authority to issue you a certificate that proves your WordPress website's identity (that you are who you say you are). Your web server presents that certificate to every visitor's browser, which checks the signature against the CAs it trusts and checks the names in the certificate against the address the visitor typed.
Different types of HTTPS certificates
Whilst it may not be immediately obvious, there are 3 different types of certificates you can obtain:
- Domain Validation (DV)
- Organisation Validation (OV)
- Extended Validation (EV).
DV certificates are by far the most common. To issue one, the CA only checks that you control the domain name, typically by having you publish a specific DNS record or serve a specific file from your web server. When your site uses a DV certificate you'll see the usual browser user interface you'd expect. Note that this differs from browser to browser, and even from one browser version to another, but usually you'll see a padlock and sometimes the word “secure”.
OV certificates are harder to obtain than DV certificates because the CA also verifies the legal identity of the organisation requesting one and records it in the certificate's subject. However, they are rarely used: the organisation name is only visible to someone who opens the certificate details, so to the end user they look exactly the same as DV certificates, provide no tangible benefit over them and cost more.
This leaves EV certificates. Extended Validation certificates are supposed to require a thorough verification of the organisation behind the website before one is issued. They're considerably more expensive, and have historically been treated differently by browsers in terms of their UI: the address bar showed the verified organisation's name, often on a green background.
However, in recent versions of Chrome, Firefox and Safari this indicator has been moved to a much less conspicuous place, behind the padlock in the certificate details. This is largely because there is no evidence that EV certificates convey any meaningful level of trust to end users; in some cases EV may actually cause more confusion. So much so that many of the Internet's most popular websites have moved from EV certificates to DV certificates.
What type of certificate do you need for your WordPress website?
So, in short, you want a Domain Validation (DV) certificate for your WordPress website. There is no real reason why you should need an Extended Validation (EV) certificate, especially now that browsers are pretty much removing any advantage of owning one (plus, they’re pretty pricey too).
Obtaining an HTTPS Certificate
Traditionally, obtaining an HTTPS certificate meant paying a Certificate Authority (CA) a yearly fee. The process was manual and pretty annoying for administrators: generate a private key and a certificate signing request, prove you control the domain, download the certificate and install it on the web server, then remember to repeat the whole thing before it expired.
Luckily, back in 2012 engineers from Mozilla, the EFF and the University of Michigan started work on what became known as Let's Encrypt, a non-profit certificate authority run by the Internet Security Research Group (ISRG) that opened to the public in 2015. It provides HTTPS certificates to everyone at no charge, and within about a year of launch it had become one of the largest CAs on the Internet by number of certificates issued.
In addition to simply being a free CA, Let's Encrypt was revolutionary because it was the first CA to use the ACME protocol, which it designed (it was later standardised as RFC 8555). ACME automates proving control of the domain, issuance and renewal, so the whole process can run as a scheduled job with nobody involved. That, in turn, lets Let's Encrypt issue certificates with a short lifetime (90 days), which is more secure: a compromised or mis-issued certificate stays valid for weeks rather than a year or more, and renewal is exercised so often that a broken setup is noticed quickly. Sysadmins don't need to worry about renewing their certificates thanks to ACME clients such as Certbot, which by default renews a certificate once fewer than 30 days of validity remain.
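The differences between the certificate types described above live in the certificate's subject rather than in the padlock, and the 90-day lifetime makes it worth knowing exactly when a certificate expires. The following is an added example written for this article, not code from the original post, Let's Encrypt or Certbot. It uses only Python's standard library to fetch a site's certificate and report who issued it, whether it is DV or OV/EV, which names it covers and how many days remain before Certbot's default renewal point. The two sample certificate dictionaries are constructed to look like `ssl.SSLSocket.getpeercert()` output and are not real certificates; the DV versus OV/EV classification is a heuristic, for the reason given in the comments.

```python
"""Inspect a TLS certificate with the Python standard library only.

Added example; not code from the original article, Let's Encrypt or Certbot.
fetch_cert() needs network access. Every other function works on the dict that
ssl.SSLSocket.getpeercert() returns, so the constructed samples below exercise
them offline. The DV vs OV/EV split is a heuristic (see validation_level).
"""
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_THRESHOLD_DAYS = 30  # Certbot's default: renew when < 30 days remain

def fetch_cert(hostname, port=443, timeout=5.0):
    """TLS handshake with normal chain and hostname checks; returns the leaf
    certificate as getpeercert() parses it. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def _name_to_dict(name):
    """Flatten getpeercert()'s nested ((('countryName', 'US'),), ...) form."""
    return {key: value for rdn in name for key, value in rdn}

def issuer_org(cert):
    """Organisation that issued the certificate, e.g. "Let's Encrypt"."""
    return _name_to_dict(cert.get("issuer", ())).get("organizationName", "")

def validation_level(cert):
    """Heuristic: the CA/Browser Forum Baseline Requirements forbid an
    organizationName in a DV certificate's subject, so its presence means OV or
    EV. getpeercert() does not expose the certificatePolicies extension, which is
    the only thing that tells OV and EV apart, so they are reported together."""
    subject = _name_to_dict(cert.get("subject", ()))
    return "OV/EV" if "organizationName" in subject else "DV"

def dns_names(cert):
    """dNSName entries of the subjectAltName extension (the names a browser checks)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def matches_hostname(cert, hostname):
    """Does the certificate cover hostname? A wildcard spans exactly one label:
    *.example.com covers www.example.com but not example.com or a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                                  # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

def at(iso_date):
    """'YYYY-MM-DD' as midnight UTC, so a reference date can be passed in."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)

def days_until_expiry(cert, now=None):
    """Whole days of validity left; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((not_after - now_ts) // 86400)

def renewal_due(cert, now=None, threshold_days=RENEWAL_THRESHOLD_DAYS):
    """True when an ACME client should already have renewed this certificate."""
    return days_until_expiry(cert, now) < threshold_days

# Constructed samples shaped like getpeercert() output; not real certificates.
SAMPLE_DV_CERT = {                       # typical Let's Encrypt DV: CN only, 90 days
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jun 14 00:00:00 2026 GMT",
    "notAfter": "Sep 12 00:00:00 2026 GMT",  # exactly 90 days after notBefore
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_OV_CERT = {                       # hypothetical commercial OV: organisation in subject
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                (("commonName", "shop.example.org"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Jan 10 00:00:00 2027 GMT",
    "subjectAltName": (("DNS", "shop.example.org"),),
}

if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DV_CERT
    print(validation_level(cert), "certificate from", issuer_org(cert) or "unknown CA",
          "for", ", ".join(dns_names(cert)), "- expires in", days_until_expiry(cert),
          "days", "(renewal due)" if renewal_due(cert) else "")
```

Run it as `python cert_check.py example.com` to inspect a live site, or with no argument to run against the constructed sample. The hostname check mirrors what a browser does when it compares the certificate's names with the address bar, and the wildcard rule (one label only) is the one browsers apply. For a full view of a certificate, including the policy identifiers that distinguish OV from EV, use `openssl x509 -text` or the third-party `cryptography` package; the plain `ssl` module does not expose them.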
Let’s Encrypt HTTPS certificates limitations
While there are thousands of articles online on how to get Let's Encrypt working for your WordPress website, it's important to realise that there are cases where you may not be able to use its certificates. This is especially true if you are paying for an HTTPS certificate as part of your web hosting plan, or you don't have full control of your web server (a shared host where you cannot install software or change the web server configuration, for instance).
In this case, check with your hosting provider's customer support whether you can use a Let's Encrypt certificate before spending money on one. Nowadays the majority of WordPress hosting services support Let's Encrypt certificates, and many install and renew them for you.
If it's not possible to use a Let's Encrypt certificate with your hosting plan, you may either need a commercial HTTPS certificate, or you could use an online WordPress firewall / CDN service in front of your site; most of them offer HTTPS certificates as part of their service. One caveat: in that setup the certificate visitors see belongs to the CDN, and the CDN makes its own connection to your server. Make sure that connection also uses HTTPS with a certificate the CDN verifies, otherwise the traffic between the CDN and your server travels in plaintext.
Setting up your WordPress site for HTTPS
In addition to obtaining an HTTPS certificate and enabling HTTPS on your web server, you'll also want to make sure your WordPress site itself is set up for HTTPS. That means changing the WordPress Address and Site Address settings to https://, serving the admin area over HTTPS only (the FORCE_SSL_ADMIN constant in wp-config.php), redirecting every http:// request to its https:// equivalent at the web server, and fixing hard-coded http:// URLs in posts, theme files and plugin settings so that no page loads images, scripts or stylesheets over plain HTTP (so-called mixed content, which browsers block or flag). While you can do all of this without plugins, it's probably easier for most WordPress admins to use a popular plugin like Really Simple SSL, which takes care of the redirect and rewrites your links so they correctly point to the HTTPS version of your website.
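Whether you use a plugin or not, you should check the rendered pages for leftover http:// sub-resources rather than trust that they are gone. The following is an added example written for this article, not code from the original post or from the Really Simple SSL plugin. It parses a page's HTML with Python's standard library, lists every sub-resource a browser would fetch over plain HTTP, and rewrites the ones that point at your own host names to https://. Third-party URLs are only reported, because you cannot know whether the other site serves HTTPS. `OWN_HOSTS` and `SAMPLE_HTML` are constructed for the example.

```python
"""Find mixed content in a WordPress page and fix URLs that point at your own site.

Added example, not code from the original article or the Really Simple SSL plugin.
Assumes you can save a rendered page's HTML (e.g. with curl) and that you know the
host names your site is served under; OWN_HOSTS and SAMPLE_HTML are constructed.
"""
import re
from html.parser import HTMLParser

# Attributes whose http:// value makes a browser load a sub-resource insecurely.
# <a href> is deliberately absent: a plain link is navigation, not mixed content.
# <link href> also catches canonical/pingback links, which should be https anyway.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "embed": ("src",), "form": ("action",),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every sub-resource fetched over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                for url in _urls_in(name, value):
                    if url.lower().startswith("http://"):
                        self.findings.append((tag, name, url))

def _urls_in(attr, value):
    """srcset holds 'url descriptor, url descriptor'; other attributes hold one URL."""
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]

def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def rewrite_own_urls(html, own_hosts):
    """Rewrite http://<own host> to https:// everywhere in the page. Third-party
    http:// URLs are left alone: only their owner knows whether HTTPS works there,
    so they must be fixed by hand (or the resource dropped)."""
    hosts = "|".join(re.escape(h) for h in own_hosts)
    # Negative lookahead stops 'example.com' matching inside 'example.community'
    # or 'example.com.evil.test'; the next character must not be a hostname character.
    pattern = re.compile(r"http://(" + hosts + r")(?![A-Za-z0-9.-])", re.IGNORECASE)
    return pattern.sub(lambda m: "https://" + m.group(1), html)

OWN_HOSTS = ["example.com", "www.example.com"]   # constructed for the example

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="http://example.com/wp-content/uploads/logo-2x.png 2x">
<iframe src="http://widgets.partner.test/embed"></iframe>
<a href="http://example.com/about/">About</a>
<a href="http://example.community/">Not our host</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url}>")
    print("left after rewrite:", find_mixed_content(rewrite_own_urls(SAMPLE_HTML, OWN_HOSTS)))
```

Feed it the HTML of a few representative pages (home page, a post with images, a page with an embedded video) saved with curl after the switch to HTTPS. Anything still reported after the rewrite is a third-party resource you need to move to an https:// URL or remove; the anchor to example.community in the sample is not reported at all, because a plain link does not load anything into the page.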
It’s also important to note that search engines treat the HTTP and HTTPS versions of a website as different sites. Therefore, unless you have done so already, you should also add the HTTPS version of your site as a property in Google Search Console; the permanent redirect from HTTP to HTTPS tells search engines which version to index.
Are free HTTPS certificates really good?
Many WordPress website owners are still sceptical about using a free HTTPS certificate from Let’s Encrypt. Some are concerned about portraying an image that they do not take security seriously, and so fear losing customers. Others think that free HTTPS certificates are not as good as paid ones. The instinct is understandable: few good products or services are really available for free. However, this is a different case.
Let’s Encrypt is free for you as a user, but it is not a free project. It can issue free HTTPS certificates thanks to sponsors such as Google, Facebook, Microsoft, Cisco and many others. So, in effect, these big corporations are paying for your WordPress website’s HTTPS certificate.
Let’s Encrypt is a fully fledged, publicly trusted certificate authority whose root is in the trust stores of every major browser and operating system. There is no difference in the protection you get: the encryption a visitor’s connection uses is decided by your server’s TLS configuration and private key, not by who signed the certificate, so a free Let’s Encrypt certificate and a paid DV certificate protect traffic identically. Having said that, there is no harm in paying for an HTTPS certificate if you can justify the cost.
Does HTTPS make my site “secure”?
Unfortunately, nothing is 100% secure, and HTTPS is certainly no exception. HTTPS is only one small part of your WordPress website’s security programme. It:
- lets your users connect to your website without anyone on the same network, or anywhere on the path, reading or tampering with their traffic,
- helps with one part of the constant challenge that is website security.
However, it is not a silver bullet. HTTPS protects data in transit; it does nothing about a vulnerable plugin, a weak admin password or malware already on the server. While you should undoubtedly implement and enforce HTTPS, doing so does not mean you’re done securing your WordPress website.
What else can I do to ensure my WordPress website is secure?
There is a lot that you can do to improve the security of your WordPress website. We recommend you start with the below:
- Use a WordPress firewall,
- Enforce strong WordPress password policies,
- Install a file integrity monitoring plugin,
- Keep a log of all changes that happen on WordPress,
- Keep WordPress core, all the plugins, themes and software you use up to date.