Imagine a customer lands on your website to make a purchase but is greeted with a safety warning instead. Not having an SSL certificate can not only result in a serious loss of traffic, but it can also affect your website's rankings.
However, an SSL certificate costs anywhere from $5/year to $1000/year and can add to the cost of running your small blogs. Luckily, there are several ways to obtain an SSL certificate for your website for free. In this article, we will go over some of the best methods to get an SSL certificate for your WordPress website.
What is an SSL certificate?
When you add a product to the cart or post a comment on a blog that has no SSL certificate, your data are sent to the server unprotected. This means that anyone with the right tools can sniff the network and read the information you sent across, including your name, address, credit card details, etc.
A Secure Sockets Layer (SSL) certificate ensures that all your data are encrypted before they are sent over to the server. This prevents your data from being readable by anyone else, making it more difficult for hackers to intercept and steal your data.
How Do SSL Certificates Work?
An SSL certificate acts as a digital passport that authenticates a website and insulates the data flow between the website and browsers.
Here's how it works:
- When you attempt to connect to a website with an SSL certificate, your browser requests the web server to identify itself.
- The server generates a copy of the SSL certificate/public key issued to the website and sends it to your browser.
- Your browser checks the validity of the key and creates an encrypted key to send back to the server.
- The website's server decrypts the key and delivers the encrypted content to the client along with the key.
- Finally, your browser decrypts the content again, thereby finishing the SSL handshake process.
Why Do You Need An SSL Certificate For Your Website?
Even though it is not mandatory to have an SSL certificate on your website, a majority of people who use the Internet prefer browsing safely on "HTTPS" websites.
Anyone can easily identify websites that use an SSL certificate, as they have a padlock icon next to the URL. Websites without an SSL certificate display a warning sign instead.
Apart from public preference, there are many significant advantages of having an SSL certificate for your website:
- Strong encryption safeguards users' data from phishing scams and attacks.
- An SSL certificate provides a positive influence on the browser's evaluation of websites.
- Increases visitors' trust.
- Having an SSL certificate increases SEO rankings.
- Finally, an SSL certificate can help improve your website's loading speed.
Types of SSL Certificates
There are primarily three types of SSL certificates. Based on the type of your website, you can choose any of the following:
- Domain Validated (DV) Certificates: Suitable for small websites that don't have a ton of traffic and also don't exchange any personal information like email addresses or bank details.
- Organization Validated (OV) Certificates: Suitable for business-oriented websites that have forms and lead capturing capabilities but don't store bank details or other sensitive information.
- Extended Validated (EV) Certificates: These certificates are for top-level security and are designed to handle sensitive information like credit card details and other financial information.
Get a Free SSL Certificate For Your WordPress Site
Let's look at how to get a free SSL certificate for your WordPress website. Here are a few viable methods:
Generally, most CDN services include a free SSL certificate in their package. So if you are planning to subscribe to a CDN service, you can consider the options listed below to get a free SSL certificate too.
However, these services themselves can charge anywhere from $5 to $1000 depending on your use case and the data your website consumes on their servers.
If you are just starting out your blog or website, you can use a free CDN service like Cloudflare which also offers you a free SSL certificate. They have a very easy-to-use interface designed for creating internationally scalable apps and provide a free SSL certificate for WordPress websites.
- Go to Cloudflare and create an account.
- On your account homepage, click on "Add Site."
- Enter your website's URL without the HTTP prefix and click on "Add Site."
- After adding a website, choose a free plan from the list of alternatives.
- Cloudflare will scan the DNS records of your website.
- After the scan is complete, you will be asked to verify the current domain name server records for your website. Click on continue.
- Cloudflare will assign you the name servers for their own server. You need to replace the current name servers of your website with the new ones. After you've copied your nameservers over to your domain name registrar, click "Done, check nameservers" to be taken to the domain's settings.
- Click on "Get started".
- Toggle on the "Automatic HTTPS Rewrite" and click on save. This will force all web traffic to the HTTPS version of your website.
- Turn on "Always Use HTTPS" and click on save to redirect all traffic from the HTTP version of your website to HTTPS.
- Optionally, you can enable the "Auto Minify" feature to optimize the delivery of the web content.
- You can also speed up your website's loading speeds by toggling on the Brotli feature.
- After you've set everything up, click on Finish. Now, your website will be switched to HTTPS automatically in a few hours. It can take up to 24 hours for this process to complete based on how long your domain registrar takes to update the name servers of your website.
ZeroSSL offers free SSL certificates that last for up to 90 days, after which you need to manually regenerate another one. You can get up to three free SSL certificates, after which ZeroSSL charges $10 per month for the basic security coverage.
- Go to the ZeroSSL website. Enter your website's domain name in the input field and click on "Next Step."
- Enter your email address and choose a password for your account. Then click on "Next Step."
- On the next screen, you'll be greeted by a customization area where you can set up your SSL certificate. Here, verify your domain name and click on "Next Step."
- Choose a 90-day certificate and click on "Next Step."
- Toggle on the "Auto-Generate CSR" feature and click on "Next Step."
- The next step is to verify your domain ownership. ZeroSSL offers three verification methods that you can follow. The easiest option is to go with email verification. Simply enter the email address associated with the domain and click on "Next Step."
- Click on "Verify Domain," and you will receive a standard verification email with a verification code.
- You'll also find a link in the email where you need to go and enter the verification code you've received.
- Enter the verification code and click on Next.
- ZeroSSL will verify the code, generate the certificate and mail it to you.
- If, for some reason, you can't access the email for domain verification, you can also opt to add a CNAME record in your domain's DNS settings.
Or, you can upload an HTTP file to your website's root directory.
3. Really Simple SSL
Really Simple SSL is a widely popular plugin for WordPress, which provides a free-of-cost SSL certificate, and as the name suggests, it's extremely simple to set up as it does not require any domain verification.
- To set up Really Simple SSL, open your WordPress dashboard, navigate to the Plugins tab, and install and activate the Really Simple SSL plugin.
- Open the plugin settings and click on the "Activate SSL" button.
- Go to the settings area and enable the "Enable 301" feature to set up a 301 redirection of your HTTP web pages to the HTTPS version.
- That's it. Refresh your website, and you will land on its HTTPS version.
4. Using Web Host With Free SSL
Some web hosting companies offer free SSL certificates with their hosting plans. So if you want to keep things simple, you can set up your website on a hosting platform that offers a free SSL certificate.
Generally, most web hosting companies that provide free SSL certificates source them from a third-party SSL provider known as Let's Encrypt. It is the largest free SSL provider and has already issued SSL certificates to over 260 million websites.
You can also get a free SSL certificate directly from Let's Encrypt, but bear in mind that it's a pretty complicated process and also requires you to have shell access to your server and a little server management knowledge. So the easier way to get a Let's Encrypt SSL certificate would be to host your website on a hosting platform that provides you a free SSL certificate.
Here are a few things to keep in mind when you're looking for a web host with a free SSL certificate:
- Make sure the host offers a "FREE" SSL certificate. Some hosting providers advertise giving out free SSL certificates but secretly add additional costs for it in the final bill.
- Check if the type of SSL certificate being offered is suitable for your website. For example, if you're running an eCommerce site, you'll need an SSL certificate that supports online transactions.
- Try to purchase a hosting plan with a platform that also offers support for the free SSL certificates they offer. Some hosts may require you to install and configure the SSL certificate yourself, which can be a very hectic task.
Here are a few hosting companies that provide free SSL certificates:
Problems Associated With SSL Certificates
1. Certificates That Have Passed Their Expiration Date
When an SSL certificate expires, visitors trying to access your website will be greeted by an error with the code NET::ERR_CERT_DATE_INVALID. This is because each certificate has an expiration date, and the web browser will reject certificates that are no longer valid.
Since September 1st, 2020, major web browsers refuse connections to websites whose SSL certificates have a validity period longer than 398 days.
So if you neglect to renew certificates when they expire, or if you install an SSL certificate with a validity period of over 398 days, your website will end up throwing this error to all the visitors. To fix the problem, you'll need to replace the SSL certificate on your web server with a new one.
2. A Certificate That Has Been Revoked
Just like some cheap padlock manufacturers assign the same key for the locks they make in a batch, some SSL certificates also carry identical encryption keys. Whenever there is a data leak, these keys are recorded by the authority that assigned you the SSL certificate, which then revokes all the SSL certificates with the same encryption key.
So if your SSL certificate has been revoked, your website will display an error message – "NET::ERR_CERT_REVOKED." In such situations, you can either contact your SSL certificate provider or replace the revoked certificate with a new one to resolve the problem.
3. The Hostname Is Not Found
If your website shows the error message – "NET::ERR_CERT_COMMON_NAME_INVALID," it means that the hostname in your SSL certificate does not match your site's domain name. To establish a secured connection from the web browser to a website, the SSL protocol initiates the first handshake to confirm the legitimacy of the SSL certificate.
Now, the most basic need for this handshake to be successful is that the URL of the website should match the URL mentioned on the SSL certificate. Again, this verification does not stay limited to the domain name but extends to the exact URL. For example, if a user tries to connect with your website using www.example.com as the URL, but the SSL certificate only lists example.com, it will fail to connect with the secured version of your website.
To solve this issue, you need to either add the non-www version of your website's URL in the certificate or 301 redirect from www to the non-www version.
4. A Certificate Authority That Isn't Trusted
If a chain of trust cannot be established between your website and the visitor's web browser, your website will throw an error saying – "NET::ERR_CERT_INVALID." This can happen for one of two reasons. Either you are using an SSL certificate from an untrusted certificate issuing authority, or you are using a self-signed certificate.
In the first case, the only option is to either replace your certificate with a trusted one, or you can contact your SSL certificate provider to seek help. If you are using a self-signed SSL certificate for local HTTPS development, you need to manually add your certificate to the browser's trust store. However, keep in mind that your self-signed certificate will only work on your local network.
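Problems 1 and 3 above (an expired or over-long validity period, and a hostname the certificate does not list) can be checked before visitors run into them. The following is an added example, not part of the original article: it assumes the certificate fields arrive in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, it runs on a constructed sample certificate, and the names `check_cert` and `name_matches` are illustrative.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398  # browser limit cited in the article

# Constructed sample (not a real certificate), shaped like getpeercert() output:
# a 90-day certificate for the bare domain plus one wildcard entry.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.shop.example.com")),
}

def _ts(cert_time):
    """Convert the certificate's 'Mon DD HH:MM:SS YYYY GMT' string to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def name_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly one leftmost label.

    Simplified matching: enough to show why example.com does not cover
    www.example.com, and why *.shop.example.com does not cover a.b.shop.example.com.
    """
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def check_cert(cert, host, now):
    """Return the list of problems this certificate has for `host` at time `now`."""
    problems = []
    start, end = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    if now < start or now > end:
        problems.append("expired-or-not-yet-valid")   # NET::ERR_CERT_DATE_INVALID
    if (end - start).days > MAX_VALIDITY_DAYS:
        problems.append("validity-too-long")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("hostname-mismatch")          # NET::ERR_CERT_COMMON_NAME_INVALID
    return problems

if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for host in ("example.com", "www.example.com", "a.shop.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now) or "ok")
```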
Frequently Asked Questions
What is an SSL VPN?
The concept of SSL VPNs is very similar to the working of SSL certificates on the Internet. Except, instead of the browser and a web host, you can set up a local machine that connects with localhost using an SSL certificate for authentication.
This way, an SSL VPN gives individual users access to an organization's network, client-server applications, and internal network utilities and directories without the requirement for specialized software. It allows safe, secure communication for all types of devices over an encrypted connection, regardless of whether the network is accessed via the public Internet or another protected network.
Is it possible to use a single SSL certificate for multiple domains?
Yes, a single SSL certificate can be used on the same server for numerous domains. If your domain has an SSL certificate, its security will automatically extend to all its subdomains. However, if you want to cover multiple unique domains under one SSL certificate, you need to use a Multi-Domain SSL certificate that comes with additional SAN fields, which you can use to list additional domains that you want to extend the security to.
Image credit: Mirsad Sarajlic