This post contains an affiliate link for my favorite hosting company, SiteGround.com. If you choose to purchase website hosting through SiteGround, I may receive a small commission. Thanks for checking them out!
Attackers might be trying to steal your information! Your private information may be transmitted in plain text! This website is misconfigured! All of these and more represent common warnings you might get when visiting an insecure website. Website security often begins with a site proving that its name (such as example.com) matches its address (something like 192.168.1.1) through something known as an SSL (Secure Sockets Layer) certificate, which often shows up as a padlock in your browser’s address bar.
A website with no padlock, an “unlocked” padlock, or the words “Not Secure” is considered unsafe, and you don’t want to type any sensitive information, such as passwords, credit card numbers, or personal messages on them. Modern browsers and even search engines discourage people from visiting such sites altogether. But it’s easier than you might think to ensure your website’s security and that traffic keeps flowing: it starts when you first register your domain and set it up with your host. Before you register, re-design, or migrate a site, though, it might help to know that there are different kinds of SSL certificates that help make your website secure.
Types of SSL certificates
There are three main kinds of SSL certificate “validation” levels, from lowest to highest:
- Domain (DV)
- Organization (OV)
- Extended (EV)
Additionally, you can get a certificate for a single domain (example.com), or multiple domains using a wildcard, where the certificate can apply to an unlimited number of subdomains (like mail.example.com, shop.example.com, and so on). When you have multiple separate websites, like example.com and mysite.com, it might be easier to have one certificate to cover both domains and any subdomains they have, using what’s called a unified SSL certificate. This is also sometimes known as a multi-domain or subject alternative name (SAN) certificate.
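Before choosing between a wildcard and a multi-domain certificate, it helps to check which of your hostnames each one would actually cover. The following is an added example, not code from any certificate provider: a simplified version of the name matching browsers apply, in which a wildcard stands for exactly one label, so it covers neither the bare domain nor a subdomain of a subdomain. The function names and the site and certificate lists are constructed for illustration.

```python
def name_matches(cert_name, hostname):
    """True if one name from a certificate covers the hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        # A wildcard stands for exactly one label, so the label counts must agree.
        return False
    if cert_labels[0] == "*":
        # Only the left-most label may be a wildcard; "*.com"-style names are refused.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def coverage_report(cert_names, hostnames):
    """Map each hostname to the certificate names covering it (empty = not covered)."""
    return {
        host: [name for name in cert_names if name_matches(name, host)]
        for host in hostnames
    }


def uncovered(cert_names, hostnames):
    """Hostnames that would still show a certificate warning."""
    report = coverage_report(cert_names, hostnames)
    return [host for host, names in report.items() if not names]


# Constructed inventory of sites, using the example names from the text above.
SITES = ["example.com", "mail.example.com", "shop.example.com",
         "beta.shop.example.com", "mysite.com", "www.mysite.com"]

# Constructed certificate name lists (not read from real certificates).
WILDCARD_CERT = ["*.example.com"]
MULTI_DOMAIN_CERT = ["example.com", "*.example.com", "mysite.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT),
                         ("multi-domain", MULTI_DOMAIN_CERT)):
        print(label, "certificate leaves uncovered:", uncovered(names, SITES))
```
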
Where to get your SSL certificate(s)
The higher the level of validation, and the more domains secured, the more expensive the certificate will be. There is no reason why you should have to pay for a basic DV-level certificate for a single domain. If your domain registrar or host wants to charge you for this, find a new registrar or host; I recommend NameCheap.com or SiteGround.com as inexpensive options for registration and hosting, respectively.
It’s worth noting that if you do purchase a domain and hosting from the same place, installing an SSL certificate is seamless, and adds the benefit of “end-to-end” encryption. However, many registrars don’t make for great hosts, and vice-versa; you will often save money and get better service from separate providers that specialize in one thing (for example, NameCheap.com is primarily a registrar, and that is all I use them for; I don’t use them as a web host at all). What combination of registrar and host you use is up to you, but bear in mind that it does impact your overall website security, because every layer that a visitor has to pass through to send or receive information from you is one more potential place where their information can get lost or stolen.
Website security is so important these days that plenty of web hosts offer SSL certificates for free, and try to make it as easy as possible to activate and install them. My preferred hosting provider, SiteGround, has a handy SSL Manager in its Site Tools > Security section that lets me install new certificates with just two clicks. Once it’s installed on my host, all I need to do is go into my WordPress admin area and change my site’s URL to include https (for secure). This process might differ if you use a different website platform, but it should be relatively easy to set up and find; security is important for any modern website, whether it’s a personal blog you someday hope to monetize or an eCommerce site to accompany a brick-and-mortar store.
Troubleshooting SSL certificate issues
Sometimes your site will show up as “Not Secure” even though you’ve installed and activated a certificate. In that case, you can use a resource called Why No Padlock to find out, well, why you don’t have a padlock in your browser’s address bar. Most of the time, it’s because your website security is good, but not great: some of your website is secure, but other components, such as images, scripts, and stylesheets, don’t have https:// in the code that displays them.
Once you know which elements aren’t secure, you can return to your website and re-upload whatever wasn’t secured. For example, if an image on a blog post isn’t secure, you can edit that blog post, select the image, and verify the image’s URL: it should start with https://. If it doesn’t, the easiest solution is to delete the image in your Media Library and re-upload it. Alternatively, if you’re able to edit the File URL of the image on your website, add the https:// there.
Remember, website security goes beyond just installing an SSL certificate; you also need to activate it. In the case of WordPress websites, you need to go to Settings > General and change the Site Address (URL) to include https:// instead of http://. If you run a WordPress Multisite (Network), then this setting will be in the Network Admin > Sites and in the Settings tab for an individual site. Note that you won’t be able to edit the setting for the Main Site from the backend; you’ll have to edit your wp-config.php file for that.
The importance of website security
Website security ultimately comes down to trust: should your site’s visitors—be they blog readers, would-be clients or customers, or partner businesses—trust you? You can forge that trust not only by having a well-designed online presence, but one that reassures visitors that they can safely comment, share, or shop from your website without their information being compromised. Start by installing and activating a free SSL certificate, and annually renewing it in just a few clicks. You’ll be glad you did!
I would be remiss in concluding this post on website security without mentioning that there’s far more to it than simply having a registrar and a host you trust, or an SSL certificate suitable for your website’s situation. You also need to take into account things like backups, software auto-updates, add-ons (like plugins/widgets/extensions/apps or themes), and regular scans of your website’s content, including user accounts and comments. Having an SSL certificate is a good first step when it comes to website security, but it’s far from the last.
Your Solution for Website Security
If any of that stuff sounded intimidating, I get it! As a research and information professional, it’s my business to look into the nuts and bolts of how and why things “need” to be done a certain way online. That means scouring knowledge bases, wikis, and forums; testing, re-testing, and confirming fixes; and documenting what works—and what doesn’t. I only share solutions that are tried-and-true; I would never tell someone to “just Google it.” If just thinking about all that makes your head spin, then let Indigo Ink Solutions point you in the right direction!
I’ve set up, designed and maintained over 40 WordPress sites on a Multisite network, plus several other individual sites for small business owners around the web. If you’re looking to upgrade your current website’s setup, then contact me for more information on how I can help save you time and money.