If you want to keep your users from seeing a warning that your site isn’t secure, you need to have an SSL certificate installed.
In an effort to make using the web more secure for everyone, Google has rolled out an update for its Chrome users that will alert them that the site they’re on isn’t secure. This goes for sites that use opt-in forms of various types, login forms, contact forms, or any other forms into which a user will be submitting info.
SSL certificates are used to ensure that any data transmitted by your site is encrypted. SSL stands for Secure Sockets Layer, and when your site is secured using an SSL certificate, the information is encrypted in transit so that it’s a secure exchange between the user and your web server.
You can tell a site is using an SSL certificate because its URL will be prefaced with HTTPS and there will be a green padlock showing in the address bar of your browser.
SSL was once something only e-commerce merchants needed to worry about. Now, any site that collects and transmits user data via a web form of basically any type needs to be protected by an SSL certificate in order to avoid that warning being displayed to visitors who are using Google Chrome.
Securing your site with a properly installed SSL certificate is a way to give your visitors peace of mind about their security on your website. Google also started giving preference to sites using HTTPS in its search rankings a while back, so there is definitely an SEO and marketing consideration here as well.
So, if you’re not already using an SSL certificate, and you’ve got any kind of form on your site, you need to get an SSL certificate and get it in place.
So how to fix this? You’ve got three choices.
First option is to buy an SSL certificate
Buy an SSL certificate from a trusted provider, like Comodo or GoDaddy. I use GoDaddy SSL certificates all the time – not only for my own sites but also for client sites. They’re reasonably priced, pretty easy to work with and their certificates will solve your issue entirely.
Getting going with a traditional SSL certificate means you’ll need to work with your hosting company to get it installed properly. Different hosts may have different ways of getting your SSL certificate installed. The good news is once you’ve got your SSL certificate installed and properly configured you’re basically done.
The challenge with a traditional SSL certificate comes in getting it implemented. It can be really challenging if your site has been long established and you’ve got a lot of URLs that need to be updated.
But it’s not just the URLs for your pages and posts you have to worry about.
It’s also any linked assets like PDF files and images that have to be updated too, lest you run the risk of getting the partially secured warning in the browser. That means any absolute links on your site need to be updated to the HTTPS version too, so it can take a bit of work for bigger, older sites to get this fully implemented.
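As an added example (not part of the original article), this Python script scans a page's HTML for absolute `http://` references of the kind described above, separating assets the page loads from links and form targets. The tag tables, the `find_insecure_refs` name and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute loads a subresource (a rel=canonical <link> is reported too).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}
# Tags that navigate or submit data; these need the HTTPS URL as well.
NAVIGATION_ATTRS = {"a": "href", "form": "action"}


class InsecureRefFinder(HTMLParser):
    """Collect absolute http:// references from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("subresource", SUBRESOURCE_ATTRS),
                            ("navigation", NAVIGATION_ATTRS)):
            attr = table.get(tag)
            url = (attrs.get(attr) or "").strip() if attr else ""
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://www.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="/images/relative.png">
<a href="http://www.example.com/files/guide.pdf">Guide</a>
<form action="http://www.example.com/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: {kind:<11} <{tag}> {url}")
```

Relative URLs and references that already use `https://` are left alone, so the output is the list of absolute links that still need updating.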
However, challenges aside, getting the right traditional SSL certificate will solve a lot of your headaches. You can easily purchase a wildcard certificate to cover multiple subdomains, get extended validation certificates for deeper, more thorough background checks and higher trust levels, protect multiple domains, and more.
But when purchasing your traditional SSL certificate, be aware that Google is NOT trusting SSL certificates issued by Symantec. Google’s reasoning is that Symantec’s certificate authorities, which include “Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements,” so certificates issued by them will not be trusted.
Make sure you’re picking your SSL certificate from a company that’s not on that list and you’ll be fine.
Your second option is to use CloudFlare
I use CloudFlare on virtually all sites I build. There are enough great features in their free version that it’s really a no-brainer to use CloudFlare for your site.
The great news is that CloudFlare is super easy to use and get in place. All you need to do is get your DNS pointed to your CloudFlare account and get CloudFlare set up the way you want your features set up.
One of the great features is the ability to use an SSL certificate through CloudFlare. Depending on what CMS you’re using, setup may differ a bit, but for WordPress, there is an available plugin to help you get configured and set up.
You can (and depending on your particular hosting situation, should) use CloudFlare’s page rules to direct all your traffic to use HTTPS, and then you’ve got a secure connection in place.
The challenge with CloudFlare’s basic free certificate is that it only encrypts traffic from the user to CloudFlare. It does not encrypt traffic from CloudFlare to your hosting service.
To remedy this, you can install an SSL certificate on your hosting server and use the “strict” setting in your CloudFlare control panel, but this setup may take a little more tinkering to get all the pieces set just right.
However, if you want a great free solution that provides a wealth of other benefits for your site (like site caching and CDN capabilities) this is a perfect solution for you.
Use Let’s Encrypt for a free SSL
Let’s Encrypt, a nonprofit organization backed by heavy internet hitters like Mozilla, Automattic, Akamai, Facebook, and more, offers free SSL certificates for use on your website.
This can be a fantastic solution to your SSL issue. Let’s Encrypt is now a viable option on more hosting platforms than ever, and solves your SSL certificate issue entirely. Many hosts offer the ability to use a Let’s Encrypt SSL certificate right through your hosting control panel. Others let you install and deploy it from the command line, for those who are more comfortable with those kinds of tools.
The challenge with Let’s Encrypt is renewal. Unlike a traditional SSL, where you can register your certificate for a year or more when you make the purchase, Let’s Encrypt SSL certificates have to be renewed every three months.
If you don’t have a problem with that – great! Then this can be a perfect solution for you. If you’d rather not be bothered with this kind of upkeep, then one of the other options mentioned will be a better path for you.
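To keep a three-month renewal from slipping, the expiry date can be checked automatically. The following Python script is an added example (not from the original article); the 30-day renewal threshold and the function names are assumptions made for illustration.

```python
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumed policy: renew during the last 30 days


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate a live server presents."""
    context = ssl.create_default_context()  # also verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def renewal_status(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """Classify a certificate as 'ok', 'renew' or 'expired'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    return "renew" if left <= threshold else "ok"


if __name__ == "__main__":
    import sys
    # Usage: python check_expiry.py yourdomain.example otherdomain.example
    for host in sys.argv[1:]:
        expiry = fetch_not_after(host)
        print(f"{host}: expires {expiry} -> {renewal_status(expiry)}")
```

Run from a daily scheduled job, this flags a certificate well before visitors would see an expiry error; a failed handshake in `fetch_not_after` raises an exception, which is itself a signal that the certificate is already invalid.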
Let’s Encrypt doesn’t currently issue wildcard SSLs, extended validation or other more robust certificates, so that could be a challenge if you run a bigger operation with multiple sites, and/or multiple domains and subdomains.
However, it does provide complete security for your website, and it’s pretty easy to use, so it could be a great option to use in conjunction with a CloudFlare SSL certificate to make sure your entire connection is secured.
Security is standard these days, and we’re all better off for it. Google is putting the right kind of pressure on website owners to make the overall experience better for everyone. A secured site will rank better in search engines too, so don’t forget that. Make sure you have a plan in place to get your site secured if you don’t have it done already.