Secure the traffic on your WordPress website with a free shared SSL certificate from Cloudflare.
In this article, we’ll dive into SSL (Secure Sockets Layer) for WordPress websites, learning what it is, why it’s important, the different variations of SSL, and how to enable it for free on your WordPress website.
SSL is a “cryptographic protocol” which protects and secures data being transferred through a computer network; this transfer of information occurs between a website or online application and a visitor. If your website transmits and collects credit card information, you’re actually required by law to have an SSL connection in place; even if you don’t collect sensitive information through your website, it’s generally a best practice to have SSL in place.
As a website visitor, the easiest way to determine whether your connection to a specific site is encrypted using SSL is to look for a green lock on the left side of the navigation bar in your browser. In addition, the URL will begin with “HTTPS” (Hypertext Transfer Protocol Secure) instead of “HTTP”. When information is sent through a website or application that has SSL enabled, that data is encrypted, which prevents snooping or hijacking by bad actors before it reaches its final destination; typically, the final destination for data transmitted securely via SSL is the server which hosts the website or application.
After the information has been successfully sent to the server, the server uses a key to decrypt the data and complete the transaction. The keys used to encrypt and decrypt data are uniquely created for each connection a visitor initiates with the website or application, and are based on a shared secret negotiated at the start of each website session; that shared secret is called a “handshake”.
Historically, only mission-critical websites that required high levels of security, such as those of banks and government agencies, utilized SSL. Today, SSL is widespread and highly encouraged by Google as a tool to boost your SEO, protect the transmission of data across all Internet assets, and build trust with your website visitors.
These days, even if your website doesn’t collect or store credit card information, it’s best practice to enable SSL on your WordPress website for many reasons. A few of these reasons can be found below.
Having the green lock in your visitor’s web browser provides a sense of trust and integrity. In addition, starting January 2017, the Google Chrome web browser will begin visually labeling non-HTTPS connections as insecure.
If visitors are logging into your website or application over a public WiFi network and using the same credentials to log into your website as they use, for example, online finances, you could be putting them at risk. Having an unencrypted connection between a visitor and website is one of the easiest ways for sensitive data to be captured.
In 2014, Google announced that secure websites using SSL/TLS will have a slight edge in SEO ranking over websites that don’t provide visitors with a secure connection, and indicated that advantage will increase over time. Learn more about how the Cloudflare plugin for WordPress affects SEO rankings here.
One component of current PCI compliance standards is the requirement to encrypt cardholder data across open, public networks. This level of encryption can be achieved by enabling SSL on your website.
Cloudflare, the performance and security company, has recently launched a WordPress plugin which allows you to enable Cloudflare’s free plan with optimizations that are purpose-built for your WordPress website. Cloudflare’s free plan provides a flexible SSL certificate for your WordPress website, along with basic DDoS protection and performance improvements. For an even faster and more secure website, you can upgrade within the plugin to a higher-tiered plan.
You’ll notice in your Cloudflare dashboard that there are multiple options for enabling SSL on your WordPress website. Using the “1-Click Default Settings” option found in the instructions below, you’ll automatically apply “Flexible SSL” to your WordPress site. Below is an explanation of the three different types of SSL offered by Cloudflare.
Enabling Flexible SSL on Cloudflare creates a secure connection between your visitor and Cloudflare, but not a secure connection between Cloudflare and your website or application server. With Flexible SSL, you’re not required to have an SSL certificate on your web server, but your visitors still see the site as being “HTTPS” enabled.
Full SSL creates a secure connection between website visitors and Cloudflare, as well as between Cloudflare and your web server. Your server must be configured to answer HTTPS connections, which can be done with a self-signed certificate. With Full SSL, Cloudflare does not verify the authenticity of the certificate.
Full SSL (Strict) creates a secure connection between your website visitors and Cloudflare, and a secure and authenticated connection between Cloudflare and your web server. The difference between Full SSL and Full SSL (Strict) is that the SSL certificate on your server must be valid, signed by a certificate authority, have an expiration date, and respond for the requested domain name.
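To see which of the three modes an origin certificate could support, the criteria listed above can be approximated locally with `openssl`. This is an added example, not code from Cloudflare or from the original article; the function names, the output labels and the hostname `origin.example.test` are assumptions, and the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example, not Cloudflare's code. Labels are this script's own names.
# origin_ssl_mode CERT_PEM HOSTNAME [CA_FILE]
#   prints flexible | full | full-strict
#   CA_FILE is optional; without it openssl uses the system trust store.
origin_ssl_mode() {
    cert=$1; host=$2; ca=${3:-}

    # No parseable certificate: the origin cannot answer HTTPS, so only
    # Flexible SSL would work.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo flexible; return 0; }

    # Strict criterion: signed by a certificate authority we trust.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo full; return 0; }
    else
        openssl verify "$cert" >/dev/null 2>&1 || { echo full; return 0; }
    fi

    # Strict criterion: expiration date (checked here as: not yet expired).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo full; return 0; }

    # Strict criterion: responds for the requested domain name.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match" || { echo full; return 0; }

    echo full-strict
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {   # make_sample_cert DIR HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_sample_cert "$demo" origin.example.test
# Self-signed and not in the system trust store.
origin_ssl_mode "$demo/cert.pem" origin.example.test
# Passing the certificate as its own CA_FILE stands in for a CA-signed one.
origin_ssl_mode "$demo/cert.pem" origin.example.test "$demo/cert.pem"
# No certificate on the origin.
origin_ssl_mode "$demo/missing.pem" origin.example.test
rm -rf "$demo"
```

Run it against the certificate file your web server actually serves; a result of `full` means Full SSL (Strict) would reject the origin until the failing criterion is fixed.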
1. To download the Cloudflare plugin into your WordPress admin panel, please visit: https://wordpress.org/plugins/cloudflare/
2. Once you’ve installed the plugin, you’ll need to activate it through the WordPress plugin panel.
3. If you're upgrading from the old plugin, and had previously inputted your API Key, you'll be automatically logged in after updating the plugin. If this is the first time you're installing Cloudflare's WordPress plugin, navigate to the plugin settings in your WordPress admin panel after activating, and input your Cloudflare username and API key; to find your API key, follow these instructions. If you do not already have a Cloudflare account, you’ll see the option to create one.
4. After successfully logging into the plugin, the first setting you’ll see at the top of your dashboard is “Apply Default Settings”. Clicking “Apply” will enable specific Cloudflare settings, optimized for the WordPress platform. These settings can be found here.
5. Once this setting has been applied, that’s it! Your WordPress website is now protected against DDoS attacks and is on the Cloudflare network. You’ll also begin to see improved website load speeds, bandwidth savings, and protection against hackers, spammers, and bots.