How to get HTTPS: Setting up SSL on your website
If you are collecting ANY sensitive information on your website (including email and password), then you need to be secure. One of the best ways to do that is to enable HTTPS, also known as SSL (Secure Sockets Layer), so that any information going to and from your server is automatically encrypted. This prevents hackers from sniffing out your visitors' sensitive information as it passes through the internet.
Your visitors will feel safer on your site when they see the lock while accessing your website, knowing it's protected by a security certificate.
The best thing about SSL is that it's simple to set up, and once it's done all you have to do is route people to use HTTPS instead of HTTP. If you try to access your site by putting https:// in front of your URLs right now, you'll get an error. That's because you haven't installed an SSL certificate. But don't worry, we'll walk you through setting one up right now!
Setting up HTTPS on your website is very easy; just follow these 5 simple steps:
- Host with a dedicated IP address
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
Step 1: Host with a dedicated IP address
In order to provide the best security, SSL certificates require your website to have its own dedicated IP address. Lots of smaller web hosting plans put you on a shared IP where multiple other websites are using the same location. With a dedicated IP, you ensure that the traffic going to that IP address is only going to your website and no one else's.
An affordable host I recommend for a dedicated IP is StableHost. At this time it's under $6/month, but you can get it cheaper if you order for a full year. They're my host and I've been blown away with their support and performance. Oh, and here's a coupon for 40% off: expert40
If you don't have a plan with a dedicated IP, you can ask your current web host to upgrade your account to have a dedicated IP address. There will probably be a charge for it; it could be a one-time or monthly fee.
Step 2: Buy a Certificate
Next you'll need something that proves your website is your website, kind of like an ID card for your site. This is accomplished by creating an SSL certificate. A certificate is simply a paragraph of letters and numbers that only your site knows, like a really long password. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is and it encrypts everything flowing to and from it.
Technically this is something you can create yourself (called a "self-signed cert"), but all popular browsers check with Certificate Authorities (CAs), which also have a copy of that long password and can vouch for you. In order to be recognized by these authorities, you must purchase a certificate through them.
NameCheap is where I buy my certificates. They have a few options, but the one that I find best is the GeoTrust QuickSSL. At this time it's $46 per year, and it comes with a site seal that you can place on your pages to show you're secure, which is good for getting your customers to trust you. You'll simply buy it now, and then set it up by activating and installing it in the next steps.
Step 3: Activate the certificate
Note: Your web host may do this step for you; check with them before proceeding. This can get complicated, and if you can wait 1-2 days it may be best to let them do it.
If you're activating the certificate yourself, the next step is to generate a CSR. It's easiest to do this within your web hosting control panel, such as WHM or cPanel. Go to the SSL/TLS admin area and choose "Generate an SSL Certificate and Signing Request". Fill out the fields in the screen below:
"Host to make cert for" is your domain name, and the contact email can be blank. When you've filled it out, you'll see a screen like this:
Step 4: Install the certificate
Note: Your web host may also do this step for you; check with them before proceeding. This can get complicated, and if you can wait 1-2 days it may be best to let them do it.
If you're installing the certificate yourself, this is the easiest step you'll ever do. You have the certificate in hand; all you need to do is paste it into your web host control panel. If you're using WHM/cPanel, click "Install an SSL Certificate" under the SSL/TLS menu.
Paste it into the first box and hit submit. That's it! Now try to access your site via https://www.domain.com; you should be secure!
Step 5: Update your site to use HTTPS
At this point, if you go to https://yoursite.com you should see it load! Congrats, you've successfully installed SSL and enabled the HTTPS protocol! But your visitors aren't protected just yet; you need to make sure they're accessing your site through HTTPS!
Keep in mind that you typically only need to protect a few pages, such as your login or cart checkout. If you enable HTTPS on pages where the user isn't submitting sensitive data, it's just wasting encryption processing and slowing down the experience. Identify the target pages and perform one of the two methods below.
You can update all links to the target pages to use the HTTPS links. In other words, if there's a link to your cart on your home page, update that link to use the secure link. Do this for all links on all pages pointing to the sensitive URLs.
However, if you want to ensure that people can only use specific pages securely no matter what links they come from, it's best to use a server-side approach to redirect the user if it's not HTTPS. You can do that with a code snippet inserted on top of your secure page. Here's one in PHP:
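As an added example (not the original post's snippet), here is one way to write that redirect in PHP. The domain `www.example.com`, the constant `CANONICAL_HOST` and both function names are placeholders chosen for this example; the target is built from that fixed name rather than from the client-supplied `Host` header, so a forged header cannot steer the redirect to another site.

```php
<?php
// Added example: place at the very top of a page that must only be served
// over HTTPS, before any output is sent.
// CANONICAL_HOST is a placeholder (assumption); set it to your own domain.
const CANONICAL_HOST = 'www.example.com';

// True when the current request already arrived over HTTPS.
function request_is_https(array $server): bool
{
    // Apache/PHP set HTTPS to a non-empty value; some servers use "off" for HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback: the connection came in on the standard HTTPS port.
    // Caveat: behind a TLS-terminating proxy neither value may be set; only
    // trust a forwarded-protocol header if your own proxy is what sets it.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Returns the HTTPS URL to redirect to, or null if no redirect is needed.
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Keep only a local path, and strip CR/LF so nothing can be injected
    // into the Location header.
    $uri = str_replace(["\r", "\n"], '', $uri);
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    // Use the fixed host name, never $_SERVER['HTTP_HOST'] (client-controlled).
    return 'https://' . CANONICAL_HOST . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    // 301 tells browsers and crawlers the HTTPS URL is the permanent one.
    header('Location: ' . $target, true, 301);
    exit; // stop here so the page body is never sent over plain HTTP
}
```

Note that the first plain-HTTP request still crosses the network unencrypted, so the form itself should be served from, and submit to, the HTTPS URL.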
Another server-side approach is to use mod_rewrite. This won't require you to change any of your website files, but you will need to modify your Apache configuration. Here's a nice mod_rewrite cheat sheet, or just use this example:
This will ensure that if anyone accesses a page via HTTP they will automatically be redirected to HTTPS.
- Understand that HTTPS doesn't mean information on your server is secure; it only protects the TRANSFER of data from your visitor's computer to yours, and the other way too. Once the sensitive data is on your server, it's up to you to keep that data safe (encrypt in database, etc.).
- Some people just look for a lock on the page, not on the browser. After you've installed SSL, you might want to try adding a lock icon on your pages just to let them know it's secure if they don't look in the URL bar.
What makes a website secure? A properly installed security certificate.
Congratulations! You've successfully protected your website by installing an SSL cert and made your visitors less prone to attacks. You can breathe easy knowing that any information they submit on your website will be encrypted and safer from packet-sniffing hackers.
God of The internet says:
An SSL cert means nothing these days. It's a false sense of security. Anything you do online is open to public attacks and eyes. This includes bank logins and transactions. The SSL cert is just a way for these companies to grab your money. As a security expert, I can tell you this from first hand. I can sit anywhere in a public place where people use their wireless device and steal any info they send across the airwaves, including Bluetooth.
This appears to be the internet equivalent of saying "we are all going to die". Yes, but in the meantime we all have to live, so comments like this are extremely unhelpful without giving a solution. So thanks for increasing the sense of vulnerability, and maybe you can give your solution? If SSL is useless then what do you suggest?
Hadi Altaha says:
No excuse any more for not having EVERYTHING SSL on the internet. It is too easy (thank you for this still relevant article) AND now always FREE thanks to Let's Encrypt (https://letsencrypt.org/). I use Dreamhost, and the combination is truly a "fix it and forget it" solution. Just apply for the certificate, follow the rules on this article and you are done. It automatically renews.
NO MORE EXCUSES!
Thanks for your information. Today, I read about HTTPS. Google says it's a ranking signal. So, I am going to buy an SSL certificate. Can you please tell me which SSL provider is best?