SSL (Secure Sockets Layer) is a way for your website visitors to communicate securely with your website server. SSL does 2 very important things:
- SSL encrypts the data sent between your website server and your website visitor. This is critical for such information as credit card numbers, passwords, and private user information. For example, if someone maliciously takes control of a Starbucks router where your member is connecting to your website from, even if they capture all the information sent by your member to your website, they cannot decipher what the data actually is because it is encrypted.
- SSL ensures that the data is coming from your website server, and no one can masquerade as your website. Without SSL, someone malicious can inject malicious code into your website, it would allow them to capture information such as credit card numbers, passwords, user information, or even install viruses on your member's computer.
Why do I need SSL?
If you have a membership site, you will need SSL for these reasons:
- Protect credit card information when taking online payments. Without SSL you will be in violation of your credit card processing agreement, and that may make you liable for all fraudulent charges arising from any breach and your credit card processing privileges may be revoked.
- Protect sensitive information, such as passwords, private member data and more. Even if you do not process credit cards on your website, it is still important to secure user passwords and data. You may have noticed that in many high profile data breaches, actual credit card information may not have been released, but the release of other information such as passwords can still be very damaging. This is because many users re-use passwords across websites, a breach on your website may have larger consequences.
- Online security is important enough that Google and other search engines take SSL into consideration for ranking websites. So having SSL will improve your SEO.
How do I get SSL?
There are a few steps to getting SSL working on your website:
- Purchase a SSL certificate from a SSL certificate vendor, such as GoDaddy, Thawte, Digicert, GeoTrust, VeriSign and more. Purchasing the certificate is just the first step to actually obtaining the certificate.
- Request - obtain a Certificate Signing Request (CSR) from your website hosting service, that you will need to submit to the place where you purchased the SSL certificate. The CSR will contain information about the domain you are requesting the SSL certificate from, so make sure the domain is correct - "www.test.com" and "test.com" are different domains. The process for obtaining the CSR will vary depending on your hosting service, so please check with your website host.
- Verification - after you submit the CSR, the SSL certificate vendor will need to verify that you are in fact the owner of the domain. This may involve sending a confirmation email to the domain registrant, or adding a file to your website or adding a record to your domain DNS. If you opted for an "Extended Validation" certificate, it will also involve performing a verification of your company or organization. This process varies depending on the SSL certificate vendor and type of certificate.
- Install - once verification is complete, the vendor will issue your SSL certificate. You can then install the certificate on your website server. Certificates may also be formatted a few different ways, depending on the type of server it is to be installed on. This process will depend on your website host.
- Activate - after your SSL certificate is installed, you still need to "force" your website visitors to connect via SSL to your website. You may notice that when you connect to a secure website the URL starts with "HTTPS://", while with a regular website it starts with "HTTP://". Most website server systems will allow your website visitors to connect either with "HTTP://" or "HTTPS://", it is up to your Content Manage System (WordPress, Weebly, SquareSpace, etc) to force the connection to be over "HTTPS://" only. For WordPress, some themes (such as our themes) have built-in SSL support, otherwise there are also a number of plugins that do this, such as:
WordPress Force HTTPS - forces the entire site to be SSL
WordPress HTTPS - select only specific pages to be SSL
Certain themes may have hard-coded resources that load over HTTP (any one component that does not load by SSL renders the entire page non secure), in which case you may need to have the theme developer fix any such issues.