I want to share my story so that no one makes the same mistake I did with my WordPress SSL enabled website.
If you ask any startup company entrepreneur what their nightmare scenario would be, top of the list would be a down website just before a big launch. My story is about how SSL almost cost me my second launch. My career-making launch as it were.
A week before my second launch, everything was more or less ready to go. A few tweaks here and there and that was it. My team and I were raring to go, but then I got a message from pingdom. We had been using it to measure website performance, and it offers a nifty feature that alerts you when your website is down.
Then things went wrong.
When I receive the alert, my heart skipped a beat. Everything had been checked beforehand… everything that is, except for the SSL certificate. At the time, I was using a free SSL certificate that had quite a few limitations. One of them was time, which we had factored into the launch. The other limitation was how many people could request the certificate before it needed renewal.
A small mistake when creating the certificate led to a situation where the number of allowed visitors was far too low. It expired because we had a lot of people testing our product and going to our WordPress SSL enabled site.
That was when we all realized that nothing but a proper, paid-for SSL certificate would work. We couldn't risk anything happening during the initial phases of the launch. This was at a time when we were still new to internet technologies. Our website going down due to SSL was a big thing. The launch proceeded without too many hiccups, but it could all have gone very wrong.
Modern WordPress SSL Plugins to the rescue!
These days it's even more critical that you enable WordPress SSL on your website - because Google says so. It has been close to a year and a half since Google started aggressively punishing sites that do not use SSL. In that time, there have been several services that have sprung up to fill this niche.
One such service is Let's Encrypt - a certificate authority-lite that is free, automated and open. It is brought to you by the Internet Security Research Group, a non-profit that focuses on making the internet a safer place for everyone.
In this day and age where having a WordPress SSL website is a must, they are a life-saver. I wish they were around when I was starting. The certificates are valid for 90 days at no charge. More importantly, they do not have a cap on how many people can access the website using their certificate. Those days are, thankfully, long gone.
How Do You Solve Your WordPress SSL woes?
Proper Planning Prevents Poor Performance.
When you are starting your website, having SSL baked into your design from the beginning can help. A lot. Doing things ad hoc can have negative consequences down the line. This is why you should always opt to have WordPress force SSL whenever you can and make sure that your certificate is always up to date.
It also helps if your server is set up to be SSL enabled from the very beginning. This way, you do not need to make changes later, and Google will give you a better rating from the start.
WordPress SSL Certificate cost - how much is too much?
The primary reason many new internet marketers opt out of getting an SSL certificate is primarily down to cost. Early implementations of SSL were costly, and the free options weren't exactly user-friendly.
The options available today, however, are entirely different. While WordPress SSL certificates can still cost thousands of dollars, it is only large companies with excellent infrastructure that will need them.
The vast majority of websites, however, will never need to fork out that kind of money. There are many free options out there that are fine for small, niche specific websites. Websites that do not collect too much information (think of super-niche stores and the like).
Advantages in paying for SSL
Paying for a WordPress SSL certificate does come with an advantage. The certificate authority will check that you do indeed own the domain in real life. Free certificate authorities cannot do this due to the costs involved. They usually rely on DNS records and the regular due diligence done on the side of the domain registrar.
Paid certificates carry a lot more weight than any free certificate ever could for this simple reason. This, in turn, gives your site more authenticity. Which means your customers will never get any pop-ups saying you are not trustworthy.
After a certain level, it makes sense to buy one from a reputable dealer. Comodo is a favourite for many as they have some of the best pricing in the market. If you are looking to get your toes wet in the paid SSL arena, then there is no better company.
Once you are comfortable with paying and know how to change your certificate easily - Thawte is always a good option. Thawte was one of the first companies to offer SSL certificates and have been a pioneer in the field since the first internet boom. These two are my go-to companies, but there are many more.
Options when installing SSL on your site
Manually adding in SSL
There are a variety of ways that you can do this - and some are easier than others. If you decided to go with cPanel, then there are various options. cPanel offers documentation, but their website leaves a lot to be desired when it comes to easy reading. Most hosting companies have a page on how to manage SSL within cPanel, and my favourite is NameCheap. Their tutorial has lots of pictures and is written in a simple, elegant style.
Another method you could try is with AutoSSL - again with cPanel or WHM. It is a fantastic method for those who are slightly more tech-savvy to generate automatic SSL certificates through a free certificate authority such as Let's Encrypt. Once you set up AutoSSL, any domain you add through WHM will have SSL enabled by default, allowing you to focus on bringing in more business and leave the SSL worrying to cPanel.
You can also use AutoSSL with Comodo. The world's most significant certificate authority and the world's largest control panel joined forces in 2016 to give everyone easy access to automated SSL. They foresaw the massive adoption that followed Google's 2018 announcement two years early. AutoSSL and Comodo is your best bet with regards to flexibility and price.
What if I don't use Comodo or cPanel?
Well, then there are also options for you. Not everyone uses COmodo, and not everyone should. There are many competing certificate authorities that offer everything under the sun. If you've gone with a competitor to the big boys, then you're in luck. There are numerous ways you make WordPress force SSL on your website and your domain.
One is to use a WordPress SSL plugin such as Really Simple SSL. It is a lightweight plugin that forces your entire website to run on SSL from within Wordpress. It is easy to use and does not take up much in the way of resources.
One of the up and coming ways to implement SSL is on the cloud. Cloudflare is one of the biggest cloud computing services companies in the world. You might have seen their name when going into a website - and they are best known for DDoS protection.
They offer cloud-based SSL that is in some ways more secure than the usual method used above. It is a method that can quickly work with any website, at any time. You can go through their website or use your Cloudflare account and control it all from WPBlazer. This way, you needn't use your resources to implement SSL, and Cloudflare's pricing means you can have as much, or as little SSL, as you like. It can be their free option or the paid option. Cloud services thrive on flexibility, and that is doubly true with SSL options.
Using WPBlazer, you can add in SSL with 1click and no fuss. No messing about with options, and with the pricing flexibility on offer from Cloudflare, it is merely the easiest system to use.
Never stop securing your website.
All that is fine - but you need to remember one crucial aspect of my earlier story. We can forget, we can overlook things, and when something bad happens, it's usually at the worst time.
That is why you need a website monitoring service, and there are many out there. I used pingdom for my websites, but there are competitors. Site24x7, Dotcom-Monitor and others are all great alternatives. Set up an alarm on your phone to remind you to update from your certificate authority or renew with Cloudflare. Always make sure that you are kept aware of your website's status. You don't want your heart to skip a beat as mine did.
It all comes down to the time you're willing to spend on setting up your SSL. It is no longer a question of "Do I need SSL or not?". You do. Google says that SSL is mandatory and what they say goes. Are you going to spend time setting up within cPanel or WHM? Are you going to go with the free route or the paid one? Will you join the cloud-based SSL revolution that is quietly happening, where 1-click is all that's needed?
Everyone is different, but in my experience, the least number of steps needed is the best. I have started moving everything to 1-click WordPress SSL coverage, and it is freeing up a lot of my time. That makes 1-click installs from WPBlazer worth it for me personally. I spent my time adding in certificates manually, and I know my way around a server. Cloudflare and WPBlazer give me more free time, and that is fine by me.