Does Your WordPress Site Need SSL?

Should your WordPress site have an SSL certificate? The short answer is that while it is not always required, you should. You don’t have to have one unless you are accepting payments or are subject to privacy laws, but you really should.

Using the secure HTTPS transfer protocol for your site is one important step in keeping your site secure and respecting the integrity of your data and your users’ data. It also gives you an SEO boost and helps prevent the mass surveillance of the web, which are both nice bonuses.

SSL vs HTTPS

We tend to talk about two related technologies as if they were the same. An SSL certificate is what makes the secure HTTPS transport possible. The “S” in HTTPS stands for secure, same with the “S” in SFTP.

SSL provides the encryption key that makes the encrypted HTTPS protocol possible.

When we say a “site is using SSL” we mean that it has a properly configured SSL certificate and has been configured to only accept connections over HTTPS. These are two very different things.

HTTPS Is A Must For eCommerce

If your site accepts payments in any form, an SSL certificate should always be used. Most payment processors require this. Some, like PayPal Express, which works by redirecting to another site, do not require SSL. But since the original form is not secure, you are putting customer data at risk during the form submission.

Not only is an SSL certificate good for security, it’s also good for appearances. People are more and more worried about online security, and the public is becoming increasingly aware of what HTTPS is. Non-technical folks are more likely than ever to look for that green lock in the browser bar.

The Other Thing An SSL Certificate Does

When you buy an SSL certificate, it comes with a warranty. Read this warranty. The more expensive the certificate, the bigger the guarantee, in terms of the dollars the issuer will pay if the encryption provided somehow fails and leads to monetary loss.

If your site is accepting payments and somehow leads to your customers’ credit card numbers being used fraudulently, you may be liable. Having an SSL certificate with a warranty in excess of the largest possible charge for your site is an easy way to protect against this liability.

What If My Site Has No Forms?

You may be reading this and thinking about a site with no forms. You might think that site doesn’t need HTTPS. First off, add a contact form to your site with Caldera Forms; it is simple and free.

Also, every WordPress site has forms. They have login forms, which lead to a huge collection of forms we call the WordPress admin. There are a lot of security measures in place in the WordPress admin, but they are based around nonces and cookies. Without HTTPS you are transmitting those insecurely with every post edit or plugin settings change.

Don’t Forget About The Other Direction

We tend to think of HTTPS in terms of securing data sent to a site, like form submissions, but it is also important to consider the integrity of data sent from your site. Without HTTPS, the page with your form could be intercepted and modified en route. The URL that the form was submitted against, or the fields in the form, could be changed.

This kind of “man in the middle attack” could allow your site to act as part of a phishing or identity theft scam without you knowing it. Hopefully when it happens Google will alert you that your site has been flagged as insecure. Your SEO and your reputation will have taken a hit, but at least you will know.

Buzzfeed recently migrated their whole site to HTTPS for this exact reason. They were worried about readers being tracked by repressive governments and their content being changed. HTTPS solved this for them.

What To Keep In Mind When Migrating To HTTPS

Unfortunately, moving an insecure WordPress site to HTTPS has a few pitfalls. This isn’t a tutorial, but I do want to point out a few things to look out for.

Just setting up your SSL certificate and changing your site URL to use https:// is not enough. You need to make sure that your server is configured to redirect any requests over HTTP to the HTTPS equivalent URL. I use WPEngine for many reasons, one is that they make doing this very easy.
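
One way to verify that redirect, as an added example that is not from the original post: given the status code and `Location` header your server returns for a plain-HTTP request, the function lists what is wrong with the redirect. The function name, the sample URLs, and the choice to flag temporary redirects and host changes are assumptions of this example.

```python
from urllib.parse import urlsplit, urljoin

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

def check_redirect(http_url, status, location):
    """Return a list of findings about the response to a plain-HTTP request.

    An empty list means the request was permanently redirected to the
    HTTPS equivalent of the same URL (same host, path and query).
    """
    if status not in PERMANENT | TEMPORARY:
        return [f"status {status}: page served over HTTP, no redirect"]
    if not location:
        return ["redirect without a Location header"]
    findings = []
    if status in TEMPORARY:
        # Assumption of this example: a migration should use a permanent redirect.
        findings.append(f"status {status} is temporary; use 301 or 308")
    src = urlsplit(http_url)
    dst = urlsplit(urljoin(http_url, location))  # Location may be relative
    if dst.scheme != "https":
        findings.append(f"target scheme is {dst.scheme!r}, not https")
    if dst.hostname != src.hostname:
        findings.append(f"host changed: {src.hostname} -> {dst.hostname} "
                        "(confirm this is intended)")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        findings.append("path or query not preserved")
    return findings

if __name__ == "__main__":
    # Constructed responses for a hypothetical site at example.com.
    samples = [
        ("http://example.com/shop/?item=7", 301, "https://example.com/shop/?item=7"),
        ("http://example.com/shop/?item=7", 302, "https://example.com/"),
        ("http://example.com/wp-login.php", 200, None),
    ]
    for url, status, location in samples:
        print(url, "->", check_redirect(url, status, location) or "OK")
```

The status and `Location` values come from a request made without following redirects, for example the first response printed by `curl -sI` against an `http://` URL on your site. Check a deep URL with a query string as well as the home page.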

Many browsers will not allow images, CSS and JavaScript files to be served via HTTP on a page using HTTPS. When migrating, you need to make sure that all of the images in your posts that are coming from your site are updated to use the new secure URL.
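
A sketch of that clean-up, added here as an example and not part of the original post: it parses a post's HTML, lists the images, scripts and stylesheets still loaded over `http://`, and rewrites only the ones hosted on your own site. The host `example.com`, the sample markup and the function names are constructed for illustration; the host comparison is an exact match, and `srcset` and URLs inside CSS are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("source", "src"), ("video", "src"), ("audio", "src")}

# Constructed sample post content; example.com stands in for your own site.
SAMPLE_POST = """<p><img src="http://example.com/wp-content/uploads/acorn.png">
<img src="https://example.com/wp-content/uploads/ok.png">
<script src="http://cdn.example.net/widget.js"></script>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<a href="http://example.com/about/">About</a></p>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.own, self.third_party = [], []

    def handle_starttag(self, tag, attrs):
        urls = [v for k, v in attrs if (tag, k) in SUBRESOURCE_ATTRS and v]
        attr = dict(attrs)
        # <link rel="stylesheet"> loads CSS; plain <a href> links are not subresources.
        if tag == "link" and "stylesheet" in (attr.get("rel") or "").lower().split():
            urls.append(attr.get("href") or "")
        for url in urls:
            parts = urlsplit(url.strip())
            if parts.scheme != "http":  # urlsplit lowercases the scheme
                continue
            same_site = (parts.hostname or "") == self.site_host
            (self.own if same_site else self.third_party).append(url.strip())

def find_mixed_content(html, site_host):
    """Return (own_urls, third_party_urls) that are loaded over plain HTTP."""
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.own, finder.third_party

def upgrade_own_urls(html, own_urls):
    """Rewrite only the site's own http:// subresource URLs to https://."""
    for url in set(own_urls):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html

if __name__ == "__main__":
    own, third = find_mixed_content(SAMPLE_POST, "example.com")
    print("own:", own, "third-party:", third)
```

Third-party URLs are reported but left alone, because the other host may not serve that file over HTTPS; check each one before changing it.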

Just Do It!

It has never been easier to get an SSL certificate. Many hosts provide a simple way to use the free Let’s Encrypt service to set up a FREE SSL certificate. Let’s Encrypt is perfect for a blog, but you will want an SSL certificate with a warranty for a business site. For less than $10 you can get plenty of coverage.

Seriously, with risks this serious and the rewards of using HTTPS being what they are, you really should just do it.