How to Choose the SSL Certificate for Your WordPress Website
The jury’s been in a while back, and the verdict is well-known to most people who use the internet, and certainly, all who even aspire to build a website – safety should be a top priority. While websites can and often do a lot to make sure their visitors and the data that they share are safe, adding an SSL certificate to a website has become the very least anyone could do.
There are plenty of ways to do it, too, if you have a WordPress website. You can install a free SSL certificate in WordPress with a little help from our guide. You might solve two problems with one solution and add both HTTPS and SSL while you’re at it – again, with the help from our guide. Finally, you can install one of the many WordPress SSL plugins and take care of the problem that way.
Even though it all seems straightforward, you’ll still have to make an important choice in the process – what type of SSL certificate do you want for your WordPress website?
We’re here to help. We’ll cover:
SSL, short for Secure Sockets Layer, was a protocol for encrypting information for network communication. We say that it was a protocol because it’s now deprecated – its successor is called Transport Layer Security, or TLS, and it serves the same purpose. Because the SSL acronym stuck, we still use it today to refer to TLS. You can also say SSL/TLS.
An SSL certificate is a file that resides on your server and contains all sorts of useful information. If you were to read it, you’d find out which domain name it was issued for and by whom, when was it issued, when will it expire, as well as something called the public key – a cryptographic key used to encrypt data. There’s also a hidden, private key there, that’s used for decryption.
SSL certificates allow websites to communicate with the browser via encrypted connections. They also help in domain authentication.
The role of SSL certificates is important for at least two reasons. The first one is that you never know who’s listening. There are all kinds of people on the internet trying to get other people’s passwords, personal information, or credit card numbers. Websites that don’t have an SSL certificate make their job easier because snooping on an unsecured connection might get them some useful, unencrypted information.
The second reason is that there’s a strong push towards SSL certification being a part of the standard kit if you have a website. To that effect, search engines have made it a point to let their users know that a website has an SSL certificate and is, therefore, safe(r), or that it doesn’t, and is therefore unsafe. Users can still visit both, but they’ll surely prefer the one that doesn’t let a hacker get a hold of their personal information. That’s the kind of website you should run.
Because an SSL certificate contains some type of information about your website and its owner, the entity issuing that certificate needs to verify that information and sign it, putting their weight as a Certificate Authority behind the info that’s there. You can also sign your SSL certificates and still enjoy some benefits of having them, but that practice is generally frowned upon.
So, when a Certificate Authority decides to vet your website, they can do that with a varying degree of vigor. That’s why SSL certificates come in three different validation levels.
Domain Validation (DV) Certificates
Domain Validation certificates require the most superficial check before they’re issued. To get one, all you have to do is prove that you are entitled to use a domain name – that’s all. The information will still get encrypted, and you can get one with little fuss, almost no paperwork, and at a lower cost. On the other hand, this type of certificate won’t show who is behind the website, which isn’t that great for building trust.
Organization Validation (OV) Certificates
Organization Validation certificates require a bit more than domain validation certificates before they’re issued. Besides proving that you have the right to use a domain name, you’ll also have to provide the name and address of your organization. All that information will be available to people visiting the website, greatly enhancing the trust levels.
Extended Validation (EV) Certificates
Are you the kind of person who loves lengthy checks that cost a lot of money and involve tons of paperwork? If you are, then acquiring an Extended Validation certificate might be just the thing for you. To issue this type of certificate, the Certificate Authority will rummage through all sorts of records to make sure your company is legally registered, that it’s present on the address where it’s registered and that all the information you provided matches those of the official records. Although time- and money-consuming, the process will yield the most trustworthy of certificates.
Single Domain Certificates
A single-domain SSL certificate will be valid for exactly one domain. It won’t cover any subdomain, but it will cover all the subdirectories. So if your website is www.example.com, and you have a single-domain SSL certificate for it, that certificate will also cover www.example.com/about_us, but it won’t cover blog.example.com.
If you have a domain that has subdomains and you want a certificate to cover them all, you should opt for a wildcard SSL certificate. It’s still valid on one domain, but you can use it on subdomains, too. So your blog.example.com subdomain will be covered, as will the root www.example.com, and support.example.com.
For the most flexibility, you can opt for a multi-domain certificate which pretty much lets you list multiple domains on one certificate, covering them as well as their subdomains. So both blog.example.com and www.example.com will be covered, but so will www.anotherexample.com and anotherblog.anotherexample.com.
Between the three types of certificates and the three-level of validations, you have eight possible SSL certificate combinations – you can’t have an Extended Validation Wildcard Certificate. So when choosing, the two questions you want to ask yourself are the following:
How much trustworthiness do I need to demonstrate to people who visit my website?
What’s the structure of my website/network?
When it comes to levels of validation, the Domain Validation certificate is mostly good for websites such as blogs or portfolios. Their website doesn’t require users to leave important information and they don’t have to project the same level of trust as, for example, a bank does.
If, on the other hand, you operate an online business, an e-commerce store, or even a website of a large multinational company, you should look into Organization Validation, and probably even Extended Validation. Trust signals are very important, and an EV SSL certificate is the best we have.
As for the structure, the type you should choose is pretty obvious. A simple website with subdirectories and no plans to add subdomains could stick to a single domain certificate. If you want to add subdomains and don’t plan to get an Extended Validation certificate, you can opt for a wildcard one. If you have a network of websites or want to use subdomains and get an Extended Validation certificate, choose a multi-domain certificate.