A long time ago, SSL/TLS was only for ecommerce sites. Now, everyone is expected to use HTTPS. But, how do you get that configured?
In order to get HTTPS to work, your website needs an SSL certificate that is issued for your domain and verified by a certificate authority. There are many types of SSL certificates, but you’ll probably want a wildcard certificate. A wildcard certificate generally covers two names: “example.com” and “*.example.com”. The * in the second name means that the same SSL certificate will cover every subdomain of your site. This makes setup easier, and significantly lowers maintenance time because you only have one certificate to renew.
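As an added example (not code from the original post), here is how a browser decides whether a wildcard certificate covers a given hostname, following the usual rule from RFC 6125 that the * matches exactly one DNS label. It goes slightly beyond the post in one respect worth knowing before you rely on a wildcard for mail or other hosts: “*.example.com” covers “mail.example.com” but not “a.b.example.com”, which is why the post's certificate lists “example.com” separately. The SAN list and hostnames below are constructed for the demonstration, and partial-label wildcards such as “w*.example.com” are deliberately rejected.

```python
# Added example: wildcard certificate name matching as browsers apply it
# (RFC 6125 section 6.4.3): "*" stands for exactly one DNS label.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare "*" matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Assumptions: comparison is case-insensitive and ignores a trailing dot;
    a wildcard is only honoured as the entire left-most label; the wildcard
    never spans a dot, so "*.example.com" covers neither "a.b.example.com"
    nor the bare "example.com"; "*.com"-style names are rejected.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        if (cert_labels[0] != "*"
                or any("*" in label for label in cert_labels[1:])
                or len(cert_labels) < 3):
            return False
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))


def covered_by(cert_names, hostname):
    """Return the first certificate name (SAN entry) covering hostname, or None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed SAN list for the kind of wildcard certificate the post describes
WILDCARD_CERT_SANS = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "mail.example.com",
                 "a.b.example.com", "example.org"]:
        print(f"{host:20} -> {covered_by(WILDCARD_CERT_SANS, host)}")
```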
There are many ways of getting an SSL certificate, but my two favorites are the free ways: Let’s Encrypt, and Cloudflare.
Let’s Encrypt is the first free CA, or Certificate Authority: the organization that issues and verifies your certificate. They are a non-profit, funded by many big corporations, including Google and Mozilla. The certificates they provide are valid for 90 days, but should renew automatically. Many WordPress hosting providers offer an option for this in cPanel, while others don’t have the option quite yet.
Unfortunately, the host I chose for this site, Namecheap, does not offer native Let’s Encrypt support. This isn’t much of a problem for the website itself, as I currently use Cloudflare (which I’ll get to shortly), but for IMAP and POP3 I need a valid SSL certificate. cPanel does offer a way to paste the SSL certificate in manually, which is completely free. This usually means you need another server to run acme.sh on, but Namecheap offers Jailed SSH Access, which acme.sh should work on. Then you only need to update the certificate once every two months or so, which is a small price to pay for a free SSL certificate.
Also, Let’s Encrypt does not offer extended validation certificates, because the validation process for them can’t be automated. This means that while sites using Let’s Encrypt will get the secure icon in browsers, there’s no way to get your organization’s name shown there (as Cloudflare does). Overall, this is a good option if available, and will give you all the SEO benefits of HTTPS for free.
Cloudflare also offers a free SSL certificate, which doesn’t require manually copying and pasting keys if Let’s Encrypt is not supported by your web host. Another reason to use Cloudflare is that you don’t have to worry about renewing the certificate, as they will do that for you. Cloudflare acts as a proxy and CDN for your website, making your site faster, while also protecting you against DDoS attacks. On top of that, they also offer two viable ways to get HTTPS for free: “Flexible SSL” and “Full SSL”.
Please keep in mind that using Cloudflare means that you can’t see the visitor’s real IP address without installing their plugin. It’s also worth noting that using Cloudflare will require you to change your DNS records to point at them, and not all hosts have the Cloudflare cPanel addon. Without the cPanel addon, you will have to log in to Cloudflare each time you want to make DNS changes, instead of making your changes in cPanel.
Flexible SSL is the easier to set up, but also the less secure of the two options. According to the Cloudflare documentation, Flexible SSL is:
A Secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don’t need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.
Basically, the connection between Cloudflare and your visitor is encrypted with TLS, but the connection between Cloudflare and your server is over plain HTTP. This is extremely easy to set up, and doesn’t require any changes on your host. However, there are some problems:
This option is not recommended if you have any sensitive information on your website. This setting will only work for port 443->80, not for the other ports we support… It should only be used as a last resort if you are not able to setup SSL on your own web server.
In other words: DO NOT use this if you process personal information such as payment details. However, for most WordPress sites, this should work fine because the most personal information you process is email addresses.
There is also the risk of redirect loops, so only configure HTTP-to-HTTPS redirects in Cloudflare, not on your web server. The problem with redirecting to HTTPS on your web server is that Cloudflare connects to your site with “http://” even when the visitor is on “https://”. Your web server redirects to “https://”, which the visitor is already on, but Cloudflare still connects over “http://”, so the redirect fires again and you get an infinite loop.
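The redirect loop described above, as an added example (not code from the original post) that models the two hops in Flexible SSL: the visitor talks to Cloudflare over HTTPS, and Cloudflare always talks to the origin over plain HTTP. An origin-side “http → https” rule therefore never stops firing, while a redirect done in Cloudflare (modelled here as a plain 301 issued before the origin is contacted, an assumption about how the edge behaves) resolves after one hop. The hostname and the 20-hop browser limit are constructed values.

```python
# Added example: simulation of the Flexible SSL redirect loop.
# Cloudflare always reaches the origin over plain http in Flexible mode, so a
# redirect rule on the origin keeps firing no matter what the visitor used.
MAX_REDIRECTS = 20  # constructed: roughly where a browser gives up


def origin_redirects_http(scheme: str, path: str):
    """Origin web server with an http -> https redirect rule (the bad setup)."""
    if scheme == "http":
        return 301, f"https://example.com{path}"
    return 200, "page body"


def origin_serves_everything(scheme: str, path: str):
    """Origin web server with no redirect rule (what the post recommends)."""
    return 200, "page body"


def cloudflare_flexible(visitor_scheme: str, path: str, origin, edge_redirect: bool):
    """One visitor request through Cloudflare in Flexible SSL mode.

    edge_redirect: whether the http -> https redirect is done in Cloudflare
    (assumption: modelled as a 301 before the origin is contacted).
    Returns (status, location_or_body).
    """
    if edge_redirect and visitor_scheme == "http":
        return 301, f"https://example.com{path}"
    # Flexible SSL: the hop to the origin is always plain http, regardless of
    # the scheme the visitor used.
    return origin("http", path)


def visit(url: str, origin, edge_redirect: bool):
    """Follow redirects like a browser; return (final_status, redirect_hops)."""
    hops = 0
    while True:
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        status, target = cloudflare_flexible(scheme, path, origin, edge_redirect)
        if status != 301:
            return status, hops
        hops += 1
        if hops >= MAX_REDIRECTS:
            return "ERR_TOO_MANY_REDIRECTS", hops
        url = target


if __name__ == "__main__":
    print("origin redirect:", visit("https://example.com/", origin_redirects_http, False))
    print("edge redirect:  ", visit("http://example.com/", origin_serves_everything, True))
```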
The more secure, and nearly as easy, option is Cloudflare’s Full SSL. Full SSL is:
A secure connection between your visitor and Cloudflare, plus a secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with at least a self-signed certificate. The authenticity of the certificate is not verified
Basically, the connection between Cloudflare and your visitor is TLS encrypted, and the connection between Cloudflare and your server is also TLS encrypted, but your server’s certificate is not verified. This means you need HTTPS working on your server with any SSL certificate, valid or not. Even with an invalid certificate, your visitors will only see the valid Cloudflare-generated one.
There is also Full SSL (Strict), but this doesn’t help in getting HTTPS, as it requires your server to already have HTTPS with a valid SSL certificate.
Always try the options going from most secure to least secure until your website works:
- Full SSL (Strict)
- Full SSL
- Flexible SSL
Let’s Encrypt or Cloudflare?
If you can change your DNS settings, using Cloudflare can be easier in the long term. However, you will lose the ability to edit DNS settings via cPanel in some cases, so it may not be worth it. If you can’t change your DNS settings, or don’t want all traffic to go through Cloudflare, stick with Let’s Encrypt. If integrated properly, it requires very little work and maintenance to secure your site.
Let me know any other options I may have missed in the comments.