When to and when not to use SSL around your WordPress site

Hawker

Well-known member
Registered
Joined
Dec 22, 2015
Messages
287
Points
0
Having an SSL certificate is useful for installing trust in your users because their sensitive private information is encrypted.

But really, unless someone has access to that persons router, or has hacked the site, nobody can sniff and steal your site users data anyway so SSL in some cases is just overkill.

Really SSL, is just for the really paranoid people and also, it's heavily marketed like YOU NEED IT, YOU MUST HAVE SSL or face DOOM!

No. That's just a marketing ploy used by SSL providers/resellers into making you think that you-must-have-it.

But having an SSL certificate doesn't just mean that your users information is encrypted and giving them some level of peace of mind.

While it can offer some level of protection, remember, like anything, it's never truly 100% reliable and the ONLY thing you might need to do to prevent packet data theft taking place anyway.

There are actually some caveats to having and using SSL on your WordPress site.

Pros and Cons to Using SSL with WordPress

Pros

  • Trust factor - When your buyers can see that you've made the site secure for them to use with the little green padlock icon in the address bar this installs trust in your sites users/buyers.
  • Transparency - By having an SSL certificate, your sites buyers know you are who you say you are and they are buying from a site who has a legally binding contract with the SSL provider.
  • Data protection - Your sites users/buyers are "guaranteed" by the SSL provider that their data isn't going to be intercepted and used illegally.
  • SEO - We all read the announcement Google made about how they're using HTTPS and SSL as a ranking factor in the SERP's.
Cons

  • Usability - Can be difficult for newbies to understand and set up on their site without the help of a professional. However these days it's much easier and doesn't have to be complicated.
  • Cost - While no more expensive than a lunch, and renewal costs no more either. There is still some cost to it from the start unless you go with free option but that's never recommended for serious sites.
  • Warning messages - If your SSL isn't set up right, sometimes your visitors may see a warning page telling them their data isn't protected which can scare some people away who don't understand from using your site.
  • Caching - Encrypted content isn't cached and this can be a problem if you're using some complex caching method that can cause conflicts and problems with using the site.
  • Resources - While properly setup SSL certificates these days aren't as resource hogging as they were 10 years ago, if you don't have big resources but a lot of request, your site might feel the strain and become slow.
Sorry if I'm not telling you anything you don't already know. I'll be honest and say I've set up my first SSL certificate recently and at first found the whole process probably one of the most confusing and complicated things I've had to do in a long while but was a learning curve I'm glad for. Fortunately despite 3 retries, resigns and start again's, after much reading of all the install guides, somehow on a wing and prayer, I managed to get it all working and setup properly. So far so good. So this post was really for my own benefit as well as your own if this is something that you ever come across for the first time in your online ventures.

Some questions I still have about it all which you may have.

When and where on your site is a good time to use SSL?
Should you only use SSL when it's needed or should you use it all over your site at all times?
Example; registration/login pages, checkout/cart pages, customer accounts, WP backend etc.
If the answer to them is yes, what are some effective ways of managing that? Is it done with htaccess, wp-config, some plugin or other method?
If it can be done with a plugin, which plugin is recommended for it?
If its recommended to use SSL all over your site all the time, then your main URL is https so should you use some redirect method to redirect all http traffic to https?
An off-page question. Which URL should you use when building links? The http or https URL?

Well thanks for reading and thanks for your answers and insight into this.

Hopefully we can all learn a thing or two from it. :smart:
 

savidge4

Well-known member
Registered
Joined
Jan 6, 2016
Messages
108
Points
0
There are 3 instances that i can think of that you would use SSL.

#1 for show - we see it all the time. Landing page that is SSL, for an email address. Sure it develops the trust factor, but the reality is it does not a damn thing other than that. It is playing on the misconception of security.

#2 Running Commerce - This one breaks down into 2 parts.
a) there are sites that actually use a "Merchant Account" of one type or another and SSL is a requirement for such services. The transaction is actually taking place on / from your server - the credit card information is actually filed away somewhere, in this instance SSL is obviously not a bad thing
b) again for show - A site that uses PayPal or Amazon, or Google wallet or a host of other 3rd party transaction vendors... THEY ( being the 3rd party transaction vendors ) provide the SSL ( as required when making the transaction as stated above ) but because designers think it develops trust and whatever else reason, they get the SSL. I personally prefer a statement that says what I have said here. something to the effect of "Your payment information is our greatest concern. We have chosen to use a payment provider that provides a greater amount of security than we can. None of your payment information other than delivery information is maintained on our computers etc..."

#3 The higher end of security..bank websites etc..its just expected.

As a developer.. if I am going to use SSL anywhere on my site..I will encompass the whole thing from the get go. Its not harder to do that than just segments of your site - if anything it is overly easier. IF I am including SSL there is a reason somewhere other than just developing trust. Sure at thatpoint I will use it to my advantage... but i would never use SSL if all I had was a landing page and sending people off to affiliate offers!
 

RDO Servers

Well-known member
Registered
Joined
Apr 3, 2015
Messages
1,027
Points
83
RDO Servers
Let me add another important point to this statement.

If you are using a 3rd party processor and redirecting your visitors to a webpage on the processors website (i.e. PayPal.com), then you don't have to worry about anything.

However, if the customer fills in their credit card info on your website (i.e. myDomain.com/checkout) then not only do you need a SSL, but you also have to be PCI compliant. Even if you are not processing or storing the info, you have to be compliant if Credit card info is ever entered on or transmitted by your server.

All too often I hear people think that don't have to be compliant if their not storing the info. This is not correct and a SSL does not make you compliant.

~David
 

Ron Killian

Well-known member
Registered
Joined
Dec 3, 2015
Messages
363
Points
0
I might be lazy on this, but I just pay for the SSL and let my hosting install and set it up for me. Your right it can be confusing, I've tried doing it myself a long time back and think I broke stuff. Like that was the first time :)

If my host does it, then I know it's set up properly. Most of my hosts have done it for free. Only one that changed me was hostgator and that was $15. Still worth it to me.

Only use it on my store. But I've gone back and further on using it or not. All the payments go through Pay pal, so there really is no need for me to have it. The most hackers "could" get is a person's name or email. Since all the financial stuff is on PP, there is not much to get.

But, the reason I've kept it up is for one, supposedly google liked it. Though that seems like just another rumor, or another one of those, "We've going to tell every one they should have it. Because we are the kings and people do what we say if they "hope" to get our traffic".

The other reason, and I might be off on this, if people have to log into, say into their account, do they not get a warning? Unsecured connection? Even though there is nothing to lose, will the warning scare some of the off? That's my one big concern.

How many people even see, notice or look for that green padlock these days? Curious to know that myself. Don't think I do.

Plus, I've had my SSL with Godaddy for years and it seems the price goes up every year. That or I should just look for another source.
 

Fusion Arc Hosting

Well-known member
Hosting Provider
Registered
Joined
Oct 25, 2017
Messages
136
Points
18
If your website will contain users submitting sensitive information like credit card information then you should use SSL to protect them from there information being stolen.
 
Older Threads
Replies
8
Views
3,231
Replies
8
Views
3,040
Replies
1
Views
1,830
Replies
10
Views
4,433

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top