As we have seen in a previous blog post, it is possible to generate a self-signed certificate for your Apache web server for free within minutes rather than buying a commercial SSL certificate. So why do businesses who own WordPress blogs and websites still spend money on an SSL certificate from a trusted certificate authority? In this blog post we explain when you can use a self-signed web server SSL certificate and when you should buy an SSL web server certificate from a trusted certification authority.
SSL Certificate Verification Process
When you start browsing a website over HTTPS (encrypted HTTP), the web server hosting the website sends a copy of its SSL web server certificate to the browser to be verified, as explained in the section How Website SSL and HTTPS Work in Website SSL and HTTPS explained. One of the checks the browser performs is whether the certificate was issued by a certificate authority it trusts, that is, whether the certificate chains up to a root certificate in the browser's (or operating system's) trust store. If it does, the browser proceeds with the other checks, such as whether the name in the certificate matches the hostname in the URL and whether the certificate is within its validity period. If the certificate was not issued by a trusted certificate authority, the browser raises an alert to the user.
When to use a Self-Signed SSL Certificate?
A self-signed SSL web server certificate should only be used in testing environments and to encrypt the HTTP traffic of private sections of your WordPress blog or website which only you and perhaps a few other contributors access, such as the wp-admin directory (the WordPress admin pages). It should not be used for publicly accessible sections of your WordPress blog or website, such as a payment form. Since the certificate is self-signed, the browser still raises an alert to the user, as seen in the screenshot below, even though the certificate is within its validity period and was issued for the correct hostname.
You definitely do not want any of your visitors seeing such an alert when accessing your website, especially if you are asking them to submit payment details such as a credit card number. The alert is raised because anyone can generate a self-signed SSL web server certificate for any hostname and use it to impersonate a legitimate company: the browser has no way to tell your self-signed certificate from an attacker's, therefore such certificates are not trusted.
Check the Self-Signed SSL Certificate Each Time
When using a self-signed certificate to protect the WordPress wp-admin section (WordPress dashboard) or any other section which is not meant for the general public, check the certificate details each time you access it and confirm that the certificate is the one you issued, for example by comparing its SHA-256 fingerprint with the one you recorded when you generated it. A malicious hacker might take advantage of the fact that users expect an error to pop up when accessing such a section: by intercepting the connection and presenting his or her own self-signed certificate, the attacker can capture, decrypt and analyse the traffic, including your WordPress credentials, while you click through the familiar warning. A more robust alternative is to import your self-signed certificate into your browser's trust store, so that the warning disappears for your certificate and reappears only if a different certificate is presented.
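As an added example (not from the original post), the following shell script shows the two checks discussed so far using the openssl command-line tool: whether a certificate chains to a trusted authority, the check from the section SSL Certificate Verification Process that a self-signed certificate fails, and a fingerprint comparison you can use instead of eyeballing the certificate dialog each time you open wp-admin. The hostname blog.example, the file and pin paths in the usage comments and the throwaway certificates are made up for the demonstration; the script assumes the openssl binary is installed.

```shell
#!/bin/sh
# Added example: pin the SHA-256 fingerprint of a self-signed certificate and
# compare it with what the server actually presents. Assumes the openssl CLI.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate file as lowercase hex
# without colons, so that pins can be compared as plain strings.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate a TLS server presents for a hostname and save it
# as PEM. $1 = host, $2 = port, $3 = output file. (Needs network access.)
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Exit 0 if the certificate in $1 matches the pinned fingerprint $2, else 1.
# The pin may be given in OpenSSL's AB:CD:... form or as bare hex.
check_pin() {
    actual=$(cert_fingerprint "$1")
    pinned=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ "$actual" = "$pinned" ]
}

# The browser's question: does certificate $2 chain to a CA in the bundle $1?
# Pass "-" as $1 to use the system trust store. A self-signed certificate fails
# against the system store; that failure is the alert described in the text.
# Passing the self-signed certificate itself as the bundle is the command-line
# equivalent of importing it into your own browser.
chains_to_trusted_ca() {
    if [ "$1" = "-" ]; then
        openssl verify "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Constructed helper for the demo: a throwaway self-signed certificate.
# $1 = common name, $2 = key file, $3 = certificate file.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Self-contained demo (constructed data): two self-signed certificates for the
# same hostname, one "yours" and one an attacker's. Run with: sh pin_check.sh demo
run_demo() {
    dir=$(mktemp -d)
    make_demo_cert blog.example "$dir/wp_admin.key" "$dir/wp_admin.pem"
    make_demo_cert blog.example "$dir/attacker.key" "$dir/attacker.pem"
    pin=$(cert_fingerprint "$dir/wp_admin.pem")
    echo "pinned fingerprint: $pin"

    if chains_to_trusted_ca - "$dir/wp_admin.pem"; then
        echo "trusted by the system store (unexpected for a self-signed cert)"
    else
        echo "NOT trusted by the system store: this is the browser alert"
    fi
    chains_to_trusted_ca "$dir/wp_admin.pem" "$dir/wp_admin.pem" \
        && echo "trusted once the certificate itself is imported"

    check_pin "$dir/wp_admin.pem" "$pin" && echo "wp_admin.pem matches the pin"
    check_pin "$dir/attacker.pem" "$pin" \
        || echo "attacker.pem does NOT match the pin (same CN, different key)"
    rm -rf "$dir"
}

# Real-world usage (paths are examples):
#   once, when you generate the certificate:
#     cert_fingerprint /etc/apache2/ssl/wp_admin.pem > ~/.wp_admin.pin
#   each time, before logging in:
#     fetch_server_cert blog.example 443 /tmp/served.pem
#     check_pin /tmp/served.pem "$(cat ~/.wp_admin.pin)" \
#         && echo "same certificate" || echo "DIFFERENT certificate: do not log in"
if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

The pin is compared as a normalised string so that a value copied from the browser's certificate dialog (colon-separated, uppercase) and one produced by openssl compare equal. Only the fingerprint check answers the question that matters for wp-admin, namely whether this is the exact certificate you generated; the trust-store check only tells you what the browser already told you with its alert.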
Why and When to use a Commercial SSL Certificate
If you own a WordPress blog or website and your visitors need to submit sensitive information through a form, such as payment details, WordPress usernames and passwords or hosting account credentials, you have to run it over HTTPS using a commercial SSL web server certificate from a trusted certification authority, such as Thawte or Verisign.
There are several benefits to using a commercial SSL web server certificate. Apart from encrypting the HTTP traffic between the website and the browser, it also serves as verification, or better, as proof that the website the user is visiting really is the website it claims to be and not a scam or phishing website, and that it is owned by a legitimate business. To get an organisation-validated or extended-validation web server certificate from a trusted certificate authority you have to submit several legal documents, which are thoroughly checked to confirm that your request is legitimate, that the business really exists and that it owns the website in question (a cheaper domain-validated certificate only proves control of the domain name, not who is behind it). Once your business is verified and you install the commercial SSL web server certificate, your business name shows up in the browser URL bar, as in the screenshot below. Note that current versions of the major browsers no longer display the business name in the URL bar for extended-validation certificates; the details are only visible when the user clicks the padlock icon.
When should you use SSL Web Server Certificates for your WordPress Blogs and Websites?
As a rule of thumb, always use SSL web server certificates (HTTPS) when sensitive data such as payment details, WordPress credentials or hosting provider account details is being submitted through a form on your WordPress blog or website.
Use a free self-signed SSL certificate for areas which are not publicly accessible, such as your WordPress dashboard, and verify the certificate details each time before submitting your credentials.
Use a commercial SSL web server certificate issued by a trusted certificate authority such as Thawte if you ask your visitors to submit sensitive information through a publicly accessible section of the website, such as contact or payment forms.