When to and when not to use SSL around your WordPress site

[Hawker]

Having an SSL certificate is useful for installing trust in your users because their sensitive private information is encrypted.

But really, unless someone has access to that persons router, or has hacked the site, nobody can sniff and steal your site users data anyway so SSL in some cases is just overkill.

Really SSL, is just for the really paranoid people and also, it's heavily marketed like YOU NEED IT, YOU MUST HAVE SSL or face DOOM!

No. That's just a marketing ploy used by SSL providers/resellers into making you think that you-must-have-it.

But having an SSL certificate doesn't just mean that your users information is encrypted and giving them some level of peace of mind.

While it can offer some level of protection, remember, like anything, it's never truly 100% reliable and the ONLY thing you might need to do to prevent packet data theft taking place anyway.

There are actually some caveats to having and using SSL on your WordPress site.

Pros and Cons to Using SSL with WordPress

Pros

• Trust factor - When your buyers can see that you've made the site secure for them to use with the little green padlock icon in the address bar this installs trust in your sites users/buyers.
• Transparency - By having an SSL certificate, your sites buyers know you are who you say you are and they are buying from a site who has a legally binding contract with the SSL provider.
• Data protection - Your sites users/buyers are "guaranteed" by the SSL provider that their data isn't going to be intercepted and used illegally.
• SEO - We all read the announcement Google made about how they're using HTTPS and SSL as a ranking factor in the SERP's.

Cons

• Usability - Can be difficult for newbies to understand and set up on their site without the help of a professional. However these days it's much easier and doesn't have to be complicated.
• Cost - While no more expensive than a lunch, and renewal costs no more either. There is still some cost to it from the start unless you go with free option but that's never recommended for serious sites.
• Warning messages - If your SSL isn't set up right, sometimes your visitors may see a warning page telling them their data isn't protected which can scare some people away who don't understand from using your site.
• Caching - Encrypted content isn't cached and this can be a problem if you're using some complex caching method that can cause conflicts and problems with using the site.
• Resources - While properly setup SSL certificates these days aren't as resource hogging as they were 10 years ago, if you don't have big resources but a lot of request, your site might feel the strain and become slow.

Sorry if I'm not telling you anything you don't already know. I'll be honest and say I've set up my first SSL certificate recently and at first found the whole process probably one of the most confusing and complicated things I've had to do in a long while but was a learning curve I'm glad for. Fortunately despite 3 retries, resigns and start again's, after much reading of all the install guides, somehow on a wing and prayer, I managed to get it all working and setup properly. So far so good. So this post was really for my own benefit as well as your own if this is something that you ever come across for the first time in your online ventures.

Some questions I still have about it all which you may have.

When and where on your site is a good time to use SSL?
Should you only use SSL when it's needed or should you use it all over your site at all times?
Example; registration/login pages, checkout/cart pages, customer accounts, WP backend etc.
If the answer to them is yes, what are some effective ways of managing that? Is it done with htaccess, wp-config, some plugin or other method?
If it can be done with a plugin, which plugin is recommended for it?
If its recommended to use SSL all over your site all the time, then your main URL is https so should you use some redirect method to redirect all http traffic to https?
An off-page question. Which URL should you use when building links? The http or https URL?

Well thanks for reading and thanks for your answers and insight into this.

Hopefully we can all learn a thing or two from it. :smart:

 

[savidge4]

There are 3 instances that i can think of that you would use SSL.

#1 for show - we see it all the time. Landing page that is SSL, for an email address. Sure it develops the trust factor, but the reality is it does not a damn thing other than that. It is playing on the misconception of security.

#2 Running Commerce - This one breaks down into 2 parts.
a) there are sites that actually use a "Merchant Account" of one type or another and SSL is a requirement for such services. The transaction is actually taking place on / from your server - the credit card information is actually filed away somewhere, in this instance SSL is obviously not a bad thing
b) again for show - A site that uses PayPal or Amazon, or Google wallet or a host of other 3rd party transaction vendors... THEY ( being the 3rd party transaction vendors ) provide the SSL ( as required when making the transaction as stated above ) but because designers think it develops trust and whatever else reason, they get the SSL. I personally prefer a statement that says what I have said here. something to the effect of "Your payment information is our greatest concern. We have chosen to use a payment provider that provides a greater amount of security than we can. None of your payment information other than delivery information is maintained on our computers etc..."

#3 The higher end of security..bank websites etc..its just expected.

As a developer.. if I am going to use SSL anywhere on my site..I will encompass the whole thing from the get go. Its not harder to do that than just segments of your site - if anything it is overly easier. IF I am including SSL there is a reason somewhere other than just developing trust. Sure at thatpoint I will use it to my advantage... but i would never use SSL if all I had was a landing page and sending people off to affiliate offers!

 

[RDO Servers]

RDO Servers

Let me add another important point to this statement.

If you are using a 3rd party processor and redirecting your visitors to a webpage on the processors website (i.e. PayPal.com), then you don't have to worry about anything.

However, if the customer fills in their credit card info on your website (i.e. myDomain.com/checkout) then not only do you need a SSL, but you also have to be PCI compliant. Even if you are not processing or storing the info, you have to be compliant if Credit card info is ever entered on or transmitted by your server.

All too often I hear people think that don't have to be compliant if their not storing the info. This is not correct and a SSL does not make you compliant.

~David

 

[Ron Killian]

I might be lazy on this, but I just pay for the SSL and let my hosting install and set it up for me. Your right it can be confusing, I've tried doing it myself a long time back and think I broke stuff. Like that was the first time

If my host does it, then I know it's set up properly. Most of my hosts have done it for free. Only one that changed me was hostgator and that was $15. Still worth it to me.

Only use it on my store. But I've gone back and further on using it or not. All the payments go through Pay pal, so there really is no need for me to have it. The most hackers "could" get is a person's name or email. Since all the financial stuff is on PP, there is not much to get.

But, the reason I've kept it up is for one, supposedly google liked it. Though that seems like just another rumor, or another one of those, "We've going to tell every one they should have it. Because we are the kings and people do what we say if they "hope" to get our traffic".

The other reason, and I might be off on this, if people have to log into, say into their account, do they not get a warning? Unsecured connection? Even though there is nothing to lose, will the warning scare some of the off? That's my one big concern.

How many people even see, notice or look for that green padlock these days? Curious to know that myself. Don't think I do.

Plus, I've had my SSL with Godaddy for years and it seems the price goes up every year. That or I should just look for another source.

 

[Mike001]

I read through every one of these posts closely because this is a big topic at the University level for the Computer Science majors and how it impacts site perception and the actual security of the site.

The one thing that I did not see mentioned and I was very surprised by it was that SSL is one of the very few areas over the last couple of years where Google has actually mentioned and printed articles on the topic that having a secure SSL connection will actually give you a ranking boost on your page rankings. As much time as we all spend with rankings and optimizing our SEO, this is a gift from Google that requires nothing but the certificate and a few bucks. Well worth the money spent in my opinion.

One thing to think about as this discussion progresses down the road. In late 2014 Google made the decision to give the boost to sites that were https. Shortly after that they began to push for all site to become HTTPS. If they really begin to push this, it will probably happen, they have led the way in many changes to the web over the last 10 years. When you are the big dog on the block, and have the biggest bark, you get the biggest bone. They tend to get what they want.

Besides, there are many more advantages to HTTPS then merely site data security. That is a big advantage but many of us, using third party merchants accounts, like PayPal really do not event use that feature.

I want to stay ahead of the curve, I will pay the few bucks.