Does My WordPress Website Need an SSL Certificate?

What is SSL?

SSL stands for “Secure Sockets Layer”, a fancy way of saying that data is safely being transmitted to and from your website. Specifically, it means that there is a secure transmission of data between a web server and a browser. Therefore, pretty much any website needs an SSL certificate if it collects any sort of data, whether it’s credit card information or just an e-mail address. And yes, that means that your WordPress website needs an SSL certificate.

Any website served over the https protocol (the URL begins with “https”) has an SSL certificate installed. However, this doesn’t necessarily mean that all the content within is served over https. Sometimes there can be images or JavaScript files that are still served over unsecured http.

An SSL certificate is quickly becoming an expected standard. Google’s Chrome browser began displaying a “Not Secure” message as of January 2017 on websites without secure connections (Update: December 25, 2017: and Firefox is expected to follow suit soon). The next version of Chrome will reportedly flag websites containing any kind of form and no SSL certificate as “Not Secure”. If that isn’t enough to convince you to hop on the SSL bandwagon, consider recent research by HubSpot showing “up to 85% of people will not continue browsing if a site is not secure.”

Here we will explain what SSL certificates do and how to use one, both as a website owner and a consumer.

What SSL Certificates Do and What Does That Really Mean?

An SSL certificate ensures that information you send over the internet is both encrypted, meaning turned into code that can only be deciphered by a certified party, and verified to be going to the intended recipient. This is particularly important for e-commerce sites handling sensitive data like credit card information and addresses. But any website that collects data should consider an SSL certificate in order to protect it.

By encrypting data, it ensures that no one intercepts the transaction to snag sensitive data. By verifying the recipient, it ensures that no one is posing as a credit card company, for example, and collecting information not intended for them.

But it’s not just about your users. An SSL certificate also protects your username and password every time you or another user logs in to write a blog post or to make an update.

Want to learn more about how it all works? GlobalSign has a pretty clear basic explainer video that explores how SSL works:

WordPress Websites and SSL Certificates?

Basically any website owner should get an SSL certificate, especially since basic SSL certificates are now available for free from services like Let’s Encrypt or to Cloudflare CDN account holders. Any website collecting data must install one or face the penalty of being passed over for being susceptible.

Therefore, if you own a WordPress website, you need an SSL certificate. All WordPress sites have some password-protected content. Your administrator login page is, after all, locked by a username and password.

Implications Beyond Security

For a few years already, Google has been giving higher search result rankings to sites with an SSL certificate. Google cares about trust. That’s why, for instance, .gov domains will typically rank high in search results. Government websites are considered to be trustworthy. SSL certificates build up that trust that this is a legit website and that it’s safe to pass information through it.

Types of SSL Certificates

The different levels of SSL Certificates are based on levels of verification and therefore trust.

A website user should check that the website they are browsing is secure before sending information through it by looking for “https” at the beginning of the URL and a lock icon.

If you click the lock icon at the top of your browser window, you’ll see further information about the verification of this address. The idea is to assure users that you are who you say you are.

Domain Validated (DV) SSLs are the most basic kind and therefore the cheapest. They can be issued and installed in a matter of minutes, as they only verify domain ownership.

Organization Validated (OV) SSLs validate an organization’s name in addition to their ownership of a given domain. This assures users that they are in fact visiting the official business or organization website they think they are. These usually take a couple of days to issue.

An Extended Validation (EV) SSL is the strongest type of SSL certificate and verifies domain ownership and business details more thoroughly. It displays green in the address bar and takes a few days to vet. These are the types of certificates used by financial institutions, for example. These more extensive certificates ensure that the website owner passes a thorough and globally standardized identity verification.

[Image: Example of an Extended Validation SSL Certificate]

A Wildcard SSL certificate covers the domain and subdomains (e.g. https://www.yoursite.com, https://en.yoursite.com, https://blog.yoursite.com).
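
As an added illustration (not code from the original article), the sketch below shows how a wildcard name is matched against a hostname. It goes beyond the text: under the standard matching rules the "*" stands for exactly one leftmost label, so "*.yoursite.com" covers www, en and blog but not deeper names, and the bare domain is covered only when the certificate also lists it. The function names and name lists are hypothetical, and the "at least two literal labels" rule is a simplification made for this sketch.

```python
def name_matches(cert_name, hostname):
    """Return True if one DNS name from a certificate covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "" in host or len(pattern) != len(host):
        return False  # "*" stands for exactly one label, never several
    if pattern[0] == "*":
        # Require at least two literal labels after the wildcard, so a
        # name such as "*.com" never matches anything (sketch simplification).
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if any("*" in label for label in pattern):
        return False  # wildcard accepted only as the whole leftmost label
    return pattern == host


def covered(cert_names, hostname):
    """Check a hostname against all DNS names listed in the certificate."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists for the article's yoursite.com example.
WILDCARD_ONLY = ["*.yoursite.com"]
WILDCARD_AND_APEX = ["*.yoursite.com", "yoursite.com"]

for host in ["www.yoursite.com", "en.yoursite.com", "blog.yoursite.com",
             "yoursite.com", "shop.en.yoursite.com"]:
    print(f"{host:22} wildcard only: {covered(WILDCARD_ONLY, host)!s:5} "
          f"with apex listed: {covered(WILDCARD_AND_APEX, host)}")
```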

How to Get an SSL Certificate

You can purchase an SSL certificate from third-party providers such as Symantec, Comodo and GlobalSign. Some hosting providers such as Go Daddy also offer their own (and may not let you install certificates from third parties). The cost can range anywhere from $9 to $700 per year, depending on the level of security offered.

Website owners looking for just a minimal level of security can also get started for free with a certificate from the non-profit Internet Security Research Group at Let’s Encrypt.

Why Isn’t My SSL Certificate Working?

Depending on how you got yours, there may or may not be an installation process. Or the page may be calling insecure images. Debug your SSL certificate at Why No Padlock?
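
The insecure images mentioned here, and the http-served images and JavaScript files mentioned near the top of the article, can be found by scanning a page's HTML for resources that still resolve to plain http. The scanner below is an added example, not code from the original article or from Why No Padlock?; the function names, the sample markup and its URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not loaded as subresources
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                kind = "active"    # scripts, frames, stylesheets
            elif (tag, name) in PASSIVE:
                kind = "passive"   # images and media
            elif (tag, name) == ("form", "action"):
                kind = "form"      # form data would be submitted unencrypted
            else:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            resolved = urljoin(self.page_url, (value or "").strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from a real site.
SAMPLE_HTML = """
<link rel="canonical" href="http://www.yoursite.com/post/">
<link rel="stylesheet" href="http://www.yoursite.com/wp-content/themes/demo/style.css">
<script src="//cdn.example.com/lib.js"></script>
<img src="http://www.yoursite.com/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/logo.png">
<form action="http://www.yoursite.com/subscribe" method="post"></form>
"""
for kind, tag, url in find_mixed_content("https://www.yoursite.com/post/", SAMPLE_HTML):
    print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit https from the page and are not reported; only references that hard-code http:// are, which is why old absolute URLs in posts and themes are the usual cause.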

If you don’t have the resources to take care of this yourself, we can work with your hosting provider to take care of this for you. Seeing “this website is not secure” is scaring customers away, so don’t delay!
