Do I Need SSL for WordPress?

Not sure whether you need an SSL for certificate for WordPress? The answer is likely a resounding “yes”

If you have found this post, it is likely that you searched for “do I need SSL for WordPress” or “do I need SSL certificate for WordPress” on a search engine and you are one of millions of business professionals using the platform as your content management software (CMS). According to W3Techs, WordPress (WP) controls 61% of the global CMS market. As an open source CMS with a lot of capabilities, the platform appeals to users of virtually any technical proficiency. However, because it is an open source platform, it means that it is also potentially easier to victimize with less effort than other CMS platforms. This is where using SSL/TLS certificates can help.

What is an SSL certificate and do I need one?

An SSL certificate, which stands for secure sockets layer, is a security file on your web server that enables your website to use an HTTPS network protocol transmit secure, encrypted data via the internet, instead of the non-secure HTTP protocol. It is important to note that HTTPS protects data in transit but does not encrypt data at rest.

This means that the data transmitted between your web browser and the server(s) of the website you connect to is encrypted, but once it reaches its end destination (your computer, an cloud storage server, etc.) and becomes “data at rest,” it no longer falls within the realm of SSL/TLS encryption. It is at this point that the data would need to be protected through other means, such as data-at-rest encryption solutions. WordPress has encryption in place to protect your password, so when you add an SSL certificate, you’ll have at-rest and in-transit data encryption in place!

In a nutshell, SSL is an essential security measure for businesses to help increase the security of their websites. To summarize the purpose of SSL for WordPress, it is used to:

• Authenticate your website, organization, subdomains, and/or alternate domains (depending on the type of SSL/TLS certificate you have)
• Encrypt the communications and transactions between your clients and web server.
• Demonstrate that you care about data integrity and are dedicated to protecting your data and users’ data through encryption. This will help to keep vital info from the prying eyes of eavesdroppers and man-in-the-middle (MitM) attackers who are determined to steal WP admin login details and user information.

This is particularly important considering the findings of a 2018 SailPoint survey: 75% of employees reuse their passwords across multiple accounts, and 56% use the same password for both personal and work accounts. Imagine the publicity nightmare your company would face if hackers used your unsecure website to gain access to your users’ passwords. Hackers could then use those passwords to gain access to those users’ personal and/or business email accounts, bank accounts, and more.

Google Warnings of “Not Secure” Websites Can Turn Off Users

One of the most significant ways that SSL for WordPress helps your site is that it moves your web pages from an HTTP site to an HTTPS site. This means that Google’s Chrome browser won’t identify your pages as “not secure.” As Google increases its dedication to creating a safer web by requiring websites to embrace SSL/TLS technology, being identified as “not secure” is (or should be) a concern for every website using HTTP.

The Chromium Projects, an open source project that helped generate the source code used by Google’s Chrome browser, outlines how Chrome rolled out multiple security upgrade phases to move toward creating a more secure virtual world:

• January 2017 — Chrome 56 marked HTTP web pages containing a password field or a credit card field that users could interact with as “not secure” in the browser’s omnibox (the location address bar).
• October 2017 — The Chrome 62 browser began warning users browsing HTTP websites in incognito mode or HTTP sites that contained forms (password fields or input fields with which users could interact) that the sites were “not sure.”
• July 2018 —Chrome 68 marked all HTTP pages as “not secure” in the omnibox.
• September 2018 — Chrome implemented new security indicators that marked HTTPS pages in neutral terms rather than affirmatively secure. This means that sites would no longer display “secure” in users’ browser omniboxes.
• October 2018 — The most recent update reverted to marking HTTP pages as “not secure” when users interacted with any input fields on a page. However, this time, it would mark the messaging in intimidating red text with a red exclamation point icon to emphasize this security concern. 

Considering that Google will automatically flag any website that uses HTTP instead of HTTPS, there is no reason why anyone should hold off on implementing SSL/TLS certificates on their web server(s).

Still haven’t quite answered your question “Do I need SSL for WordPress?” We have put together a list of the top questions we receive about SSL for WordPress for your reference and our responses to them.

Answering Top Questions Relating to “Do I Need SSL for WordPress?”

This section will address some of the most commonly frequently asked questions (FAQs) about WordPress SSL:

1. How does using a WordPress SSL certificate benefit my site and business?

Although we have already covered some of the security-related benefits of adding SSL to WordPress, let’s go a little more in depth about some of the additional benefits of using SSL/TLS for your website.

• Improved SEO — When you use a WordPress SSL certificate on your website, it can help to boost your website’s rankings on Google by as much as 5% through enhanced search engine optimization (SEO) ranking signals. While this may not seem like a lot, keep in mind that it could be the difference between showing up on Google’s first search engine results page (SERP) instead of page two. 
• Increased trust —A survey by The Harris Poll for IBM indicated that data security is a primary concern for global consumers: “75 percent will not buy a product from a company – no matter how great the products are – if they don’t trust the company to protect their data.” SSL/TLS certificates offer security indicators that help to establish trust with consumers. 
• Increased website security — By adding SSL to WordPress, you are strengthening your site’s security and providing greater protection from hackers.
• Increased financial security — Another benefit is that many SSL certificates come with warranties that help to protect your organization should the SSL certificates fail to encrypt data.   

2. Do I need an SSL certificate for my blog?

In one word? Yes. No matter whether you are using the WordPress platform to run an ecommerce website or you are using WP to operate a blog on cooking tips, your website can benefit from the use of SSL for WordPress. As we mentioned earlier, having an SSL certificate installed on your web server(s) helps to encrypt any information that your website transmits between the client and the server. Having WordPress HTTPS web pages also helps you site avoid triggering Google Chrome’s “not secure” warning messages.

3. Does SSL/TLS enable WordPress sites to use the HTTP/2 & HTTP/3 network protocols?

Yes, it will — TLS will be a requirement of HTTP/3, the third (and most recent) major revision of the HTTP network protocol that is used to exchange binary data on the web. This follows in the footprints of its predecessor, HTTP/2, which also requires the use of HTTPS/SSL encryption. HTTP/3, once approved, will be a faster and more secure protocol than both HTTP/2 and HTTP. This will enable a faster and more secure connection with lower latency — and isn’t that what everyone hopes for on their WordPress websites?

HTTP/3 was formerly known as HTTP-over-QUIC (Quick User Diagram Protocol [UDP] Internet Connection). According to Kinsta, QUIC has been used by companies like Google and Facebook to increase the speed of their websites. W3Techs reports that as of April 22, 2019:

• HTTPS is used by 50.6% of all websites.
• HTTP/2 is used by 36% of all websites.
• QUIC is used by 3% of all websites.

4. Is an SSL certificate only necessary for eCommerce websites?

No — website security isn’t just for ecommerce businesses. The idea that SSL certificates are reserved for use by only websites conducting online transactions is an outdated notion that is no longer accepted in the IT security community. Now, any website that doesn’t use an SSL/TLS encryption is viewed as unsecure and unsafe by web browsers such as Google Chrome, Mozilla Firefox, and Apple Safari. As we mentioned earlier, Chrome will even go as far as to label your WordPress website as “not secure,” throwing up major warning flags that warn visitors to stay away, which could impact your brand image and reputation.

No matter whether your organization is a healthcare, retail, financial or educational institution — or even if your site is “just” a personal blog — we have WordPress SSL solutions to meet your security needs. 

5. How can I get WordPress HTTPs for my website?

There are two ways to get SSL/TLS for your WordPress website: You can use free SSL/TLS certificates or purchase one from a reputable vendor. Hands down, the safest way to update your site to an HTTPs protocol is to purchase an SSL/TLS certificate from an industry trusted provider such as RapidSSL® Online. Our certificates are supported on 99.9% of web browsers, iPhones, and other mobile devices.

6. How difficult is adding SSL to WordPress?

After you’ve purchased an SSL certificate from RapidSSL® Online, there is an installation process you must follow to get SSL up on your web server(s). The process of adding SSL to WordPress can be a bit tedious if you don’t know what you’re doing. If you are an IT professional who is comfortable with the process, you can manually install the SSL/TLS certificate yourself. However, not everyone is comfortable or equipped to handle the process — and many IT pros simply don’t have the time to install security certificates themselves. It is for these reasons that we offer SSL installation services at RapidSSL® Online.

When you opt to use our SSL installation services, our team of SSL installation experts will handle the hassle, frustration, and stress that can result from trying to install an SSL certificate on your web server(s). We’ll even help with your CSR (certificate signing request) generation, too, at no additional cost.

7. How many WordPress SSL certificates do I need for my site?

Depending on what you want to accomplish, you may just need one type of SSL/TLS certificate. This is one of the best things about SSL/TLS — you don’t need to get certificates for individual pages. One certificate can secure all of the website pages on your main domain. We offer multiple options depending on your needs:

• Domain validated (DV) SSL certificates are ideal for many small WordPress site owners whose pages don’t involve personal information.
• For larger WordPress sites that need to protect subdomains wildcard SSL certificates are the best option.
• If you need to secure multiple domains and/or their accompanying subdomains you may need a multi-domain/SAN SSL certificates.
• You also can establish the highest levels of trust and security on your WordPress business website with extended validation certificates (EV SSL certificates). This offers full business validation so visitors and customers alike can trust that you are who you say you are.  Whatever your need, our team is here to help.  

At RapidSSL® Online, we are SSL pioneers who have helped more than 400,000 site owners. As a top Symantec Specialist Partner, we offer a variety of certificates from Symantec™ and other industry-recognized certificate authorities including GeoTrust® and Thawte®.