In the video at bottom, I explain how if you don’t have an SSL certificate on your website, you’ll likely be at a disadvantage when competing against other websites. This is because most of the websites that rank on Google now have SSL certificates on their website. Another extremely important note is that any traffic that tries to access your website – if even 1 or 2 percent are getting a message about how your site is not secured by SSL, they could potentially be leaving your website. You need to always ensure that you can view your site over HTTP and HTTPS both, without getting any kind of error in that first critical site-load.
The title basically says it all. So, why must you use an SSL certificate on your website? It’s no longer a choice – it’s mandatory now. The first reason is when a site visitor hits your website, if you don’t have an SSL certificate, what your site visitor will see is a “not secure” message at the top left of your site. No SSL certificate means no traffic served over HTTPS. Site visitors will see “not secure” at the top left, and they may also get a message saying “this site is not secure” in their browser. Some users who are smarter will know to click around the error and still be able to visit the site. However, most do not know how to do this.
The first thing about this is right away you’re losing some of your site traffic. It can be so difficult to get that site traffic, especially in the early days. The last thing you want or need is driving a line right through your traffic as soon as you start, wondering who will be able to actually hit the site and who will click away from the site. When you lose site traffic in this way in many respects it can be lost forever. Some of those site visitors will never return.
When this happens, the next thing you need to immediately accept is Google likely won’t rank you very well. Google loves HTTPS. SSL certificates grant trust. Google begins to “trust” your website. You’ll rank better then other websites that don’t have an SSL certificate.
How much should I pay for a SSL certificate?
Be careful about schemes and scams from Go Daddy or other hosting providers where they charge you close to $100 or more. You don’t need a wildcard certificate unless you also use sub-domains. Generally, you can buy a DV certificate for around $20 per year. Even this can start to cost some overhead on multiple domains, so you can also use CloudFlare to skip purchasing an SSL certificate. CloudFlare acts as a proxy for your website, filtering traffic and attempting to speed it up before depositing it to your site. As such, you have to change your name servers (DNS management) to point to Cloudflare.
Cloudflare is a CDN (content delivery network) so they will attempt to cache pages for site visitors, speeding up the time that it takes to load a page. Cloudflare has lots of tools you can use to see how long it takes for your pages to load, and how much CloudFlare speeds it up is reporting that is helpful.
So, in summary, you can pay anywhere from $20 per year to hundreds of dollars a year depending on the certificate you buy. However for just starting out with a few WordPress sites, CheapSSLsecurity.com is one website I could recommend for getting simple Domain Validation (DV) certs for cheap.
Note: I’m no proponent for CloudFlare – I’m not going to sit here and say whether it’s good or bad, or tell people they have to use it. When looking online I recently did find a website that has done some pretty deep analysis of CloudFlare and how they encrypt traffic. That analysis (called Crime Flare) is located here. The article goes on to talk about how traffic really isn’t fully encrypted when using CloudFlare. I get it, and this may be something to keep in mind if you’re worried about MITM (man in the middle) issues or attacks. For small sites like mine, that aren’t extremely business critical – I haven’t had any particular issues that I can actually trace back to using CloudFlare’s DNS & SSL certificate services.
Personally, I’ve had good success with Cloud Flare because it’s saved me a lot of money in terms of having to setup SSL certificates. I find the process pretty quick and easy. I recommend generating a CSR from your Cpanel, then put that CSR into Cloud Flare’s SSL certificate generation (login, then look for the SSL / TLS tab). Generate the certificate and then install it in Cpanel, using the SSL / TLS button in Cpanel.
When generating the certificate on CloudFlare, you can choose to have it expire in 15 years. Yes, 15 years. Which means you may only need to setup the certificate once. Saves a lot of time, money and overhead. The one thing to keep in mind, as I mentioned above is that CloudFlare is not really encrypting all traffic. The connection between the user and Cloud Flare is encrypted, and Cloud Flare talks to your website instead of the site visitor. This essentially is called a Man in the Middle strategy. The actual connection on the other side – between your web host and CloudFlare, is not encrypted. If you’re at all concerned about security, it may be worth to read up on this more.
For it to work with web hosting like GoDaddy or a GoDaddy reseller, you need to install the Cloudflare origin certificate onto your site. Changing DNS to Cloudflare and installing their certificate can take 20 minutes or so for it to be recognized. When I setup their certificate, I initially had troubles and my site would not show the locked icon with a CloudFlare certificate. I eventually found the additional step mentioned of having to install the Origin Cloudflare certificate in Cpanel.
Cloudflare has many statistical analysis tools. In terms of its usefulness, CloudFlare has a graph that shows you how long your site takes to load with and without CloudFlare. If their claims are true that the first page load is sped up, and the graph is correct, then yes CloudFlare is a useful system. There are some online that would say that Google does not like Cloudflare sites but that is not true at all. There are far more positive reviews of webmasters using CloudFlare with their website then there is negative ones.
Using CloudFlare is in essence, you are turning all your traffic over to their servers first before it hits your site. You can review and see how much of that traffic is then secured down to your website using TLS 1.3, 1.2, 1.1 and etc. There is still an unsecured amount of traffic filtered down to your website as well, which you can review the stats. The theoretical concept at play is that when this traffic is filtered, once it hits your website it’s safer traffic. All of this should be helpful for your website and make it “healthier” if anything.
With all of this being said, when websites load faster in a more optimized fashion due to CDN usage, it should also lead to the servers hosting the site(s) to be less taxed and serve more requests in a shorter time period.
This is all of “how it should work.” It’s high level theory and it’s difficult to actually pin down if all of this is really happening or not. If you notice that after you setup CloudFlare, your site does seem to load faster – good. That’s what you want. All of this so far is free, so we can’t complain on CloudFlare too much, right? I really like the free SSL certificate, to me it looks like my sites are loading faster also, so I prefer using their services thus far.
If you have a different experience with CloudFlare and your WordPress website (or other), please do leave us a comment and let us know. We’ d like to hear about it.