How to Get a Free SSL Certificate for Your Website (HTTPS)

If you own a website, it’s your responsibility to protect the data of your site visitors, especially if they share sensitive information like credit card numbers, medical details, and addresses. And a big part of doing that successfully is implementing an SSL certificate. SSL certificates are also an indication of site quality, which can impact visitor perceptions and where search engine’s place you in the rankings. 

So, what is an SSL certificate? Why does your website need one? Where do you find an SSL certificate and how do you install it? This article will dive deep into everything you need to know.

What is an SSL certificate? 

SSL stands for Secure Sockets Layer. An SSL certificate is an internet protocol that secures data transfer between your users’ browsers and your website. It keeps your visitors’ sensitive information private when they do things like submit forms and purchase products. If you accept payments online, having an SSL is required to protect your website data and your visitors’ credit card details.

SSL certificates also establish a sense of trust and authority for your brand. Browsers flag websites without an SSL certificate as “not secure.” They also display an open padlock sign in the address bar that alerts visitors to proceed with caution. So if you don’t have one, you’ll quickly lose trust with a lot of people. 

SSL certificates are also an indication to Google that your site is safe and trustworthy — something that can help you rank higher on the search engine results pages. 

The difference between HTTP and HTTPS

When you type a URL in your web browser, either “HTTP” or “HTTPS” appears at the beginning of your web address. HTTP stands for HyperText Transfer Protocol. Websites with an SSL certificate use HTTPS, which stands for HyperText Transfer Protocol Secure. In general, HTTP is the protocol used to send data between a browser and a website. 

Websites that begin with HTTPS ensure that all communication between a user’s browser and the website they view is secure or encrypted. As data transfers from one party to another, only the computers sending and receiving the information can view it. So if a hacker tries to access credit card information, login credentials, or personal user details, they can’t read it. 

Any website that collects passwords, payments, personal information, or other sensitive data should begin with HTTPS. This lets visitors know the site is secure. Google introduced HTTPS as a ranking signal in 2014 and started flagging sites without HTTPS as “non-secure” at the beginning of 2017. Therefore, HTTPS is an essential component of all websites today. 

How does an SSL certificate work? 

To enable HTTPS on your website, you need to install an SSL certificate. This contains a public key required to begin a user’s session securely. When a website visitor requests an HTTPS connection to your website, the website sends the SSL certificate to the browser. This initiates the SSL connection and allows your browser and the website to share sensitive information privately. 

For the average user, SSL certificates may seem complicated to understand. Let’s break it down with an example. Let’s say you want to visit your favorite website. Behind the scenes, this is what happens:

1. Verification: When you type the website into your browser, the site begins to load. Your computer receives the website’s SSL certificate through a public key and verifies it with the certificate authority. 
2. Connection: Your computer and the website’s server come to an agreement based on the verification. If everything looks legitimate, the two computers create a secure connection called a handshake. 
3. Encryption: Once the secure connection begins, your computer and the website server choose an encryption type they’ll use to exchange data securely. This process codes and decodes information as it moves between the computer and the server. Any data exchanged is protected from outside viewers by scrambling the information in an encrypted language. 
4. Authentication: Finally, your computer decrypts the data. A lock icon appears in the web address bar next to the website’s URL. This means you are free to browse the website with peace of mind knowing that your data is safe. 

Different types of SSL certificates

Here are different types of SSL certificates based on the level of security required:

• Domain Validated Certificates: DV certificates are the least secure and reserved for small business websites or blog sites that don’t exchange customer information. 
• Organization Validated Certificates: OV certificates provide an extra layer of security. Websites that don’t exchange sensitive customer information, such as credit card information or login credentials, use these certificates. Websites that capture prospects’ contact information are common uses. 
• Extended Validated Certificates: EV certificates offer the highest level of security for websites that exchange sensitive information. Sites that allow financial transactions require these certificates. 

Why does my website need an SSL certificate? 

Even if you don’t receive and transmit sensitive data, it’s essential to have an SSL certificate. Here are some significant reasons you should secure your website:

• Better website performance: SSLs improve the load time of your website. This doesn’t only enhance the user experience, it also helps improve your organic rankings. 
• Improved search engine rankings: As the most prominent search engine, Google sets high standards. If you want your website to show up on the search engine results, Google needs to know that you deliver a secure and safe experience for your visitors. Having a secure website is essential if you want to rank anywhere near the top of search results. And, since SSL certificates are now so common, a site without one will pale in comparison.
• Authority: SSL certificates create a sense of trust and authority in your website. If you collect credit card information, personal details, or passwords, your visitors need to feel confident in your site’s security. In January of 2017, Google Chrome started flagging HTTP websites as “not secure” with a warning pop-up. This is a significant deterrent for website visitors. 

How to get a free SSL certificate

Many website owners avoid adding an SSL certificate to save on the additional expense. Unfortunately, this leaves your website vulnerable. Thanks to a nonprofit project called Let’s Encrypt, website owners can now establish authority with a free SSL certificate. 

Free SSL certificate providers

The following authorities provide free SSL certificates:

1. Let’s Encrypt: Let’s Encrypt offers free DV SSL certificates. Their focus is on creating a more private and secure open web, and they support this goal by making SSL certificates available to everyone. However, it’s important to remember that Let’s Encrypt SSL certificates are only valid for three months at a time, so you’ll need to keep up with renewal dates and ensure your certificate is always valid. If you use Let’s Encrypt through your hosting provider, they’ll typically take care of this process for you. 
2. Cloudflare: Cloudflare offers free standard SSL certificates, alongside additional security and performance features. Their certificates can be installed with just one click and auto-renew, so you don’t have to manually update things. They also take care of redirecting your site from HTTP to HTTPS to avoid any issues. While SSL certificates are included in all plans, pricing for those plans range from free to $200 per month based on the performance and security features you need.
3. SSL For Free: Similar to Let’s Encrypt, SSL For Free supports the open web by offering SSL certificates at no cost. Their certificates are trusted by 99.9% of browsers globally and last for 90 days at a time. Keep in mind that you will need to renew it every three months.

Hosting companies that provide free SSL certificates

While installing an SSL certificate may be a challenge for inexperienced users, most hosting companies offer free SSL certificates with their plans. They also take care of the installation. Here are some of the most popular hosting companies that provide free SSL certificates as part of their plans:

1. Bluehost

Bluehost offers affordable hosting packages to fit your needs. They also have WordPress-specific features like one-click installation and 24/7 access to WordPress experts. Packages with free SSL certificates start at $2.75 per month. 

2. Dreamhost

Dreamhost has WordPress hosting plans with a 97-day money-back guarantee. Their basic monthly plans start at $1.99 with a free SSL certificate included. 

3. A2 Hosting

A2 Hosting plans start at $2.99 per month, but can scale to include VPS or dedicated servers. In addition to a free SSL certificate, they include a Jetpack license and Turbo servers for super-fast sites.

4. Inmotion Hosting

Shared hosting plans from Inmotion Hosting start at $2.99 per month. They include SSL certificates, one-click WordPress installs, fast SSD servers, and more.

5. Pressable

Pressable is owned by Automattic, the company behind WordPress.com. In addition to free SSL certificates, they offer exclusive features like a built-in CDN, WordPress training, a Jetpack Security license, and more.

While these are some of the best hosting providers, many others also offer free SSL certificates. If you’re unsure if SSL certificates are included in your plan, ask your specific host.

How to install your free SSL certificate

Now that you understand the significance of an SSL certificate and where to get one, let’s discuss how to install it. There are two installation methods for SSL certificates: plugins and cPanel. 

1. How to install an SSL certificate in cPanel 

Under Security in your cPanel, you’ll click SSL/TLS. From here, click Manage SSL sites. You’ll see an option to upload a new certificate to your domain. Keep in mind that if you have a current hosting package or purchased your SSL certificate through your hosting provider, they may have automatically installed the certificate on your site already. Ask your hosting provider before proceeding. 

Once you install your SSL certificate, you’ll need to set up HTTPS. This process involves editing your WordPress files, so if you don’t have experience with this, you may want to ask your host:

• In your WordPress dashboard, go to Settings. Update your WordPress Address (URL) and Site Address (URL) by replacing HTTP with HTTPS. 
• Click Save Changes. 
• Once saved, log out of WordPress and log back in. This process may automatically log you out anyway.
• Next, set up redirects from HTTP to HTTPS by adding this code to your .htaccess file. You can do this through the cpanel file manager or by using SFTP. 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

This completes your SSL/HTTPS setup. Check all URLs to ensure they now display HTTPS instead of HTTP. You may notice mixed content errors from images, scripts, or stylesheets that still use the insecure HTTP URL. 

To fix this, find all mentions of your old URL in the database and replace them with your new URL that includes HTTPS. An easy way to do this is to install and activate the Better Search Replace plugin.

And depending on how your SSL certificate was set up, you may also need to update the URL in your WordPress settings. To do this, log into your dashboard and go to Settings → General. Then, change “http://” to “https://” in both the WordPress Address (URL) and Site Address (URL) sections. Finally, save your changes.

2. How to integrate your SSL certificate using a WordPress plugin

Really Simple SSL is an excellent plugin that helps you install a free Let’s Encrypt SSL certificate on your site and then configures everything to work properly. There’s no need to take any additional steps in your cpanel or through your host. 

If you already have an SSL certificate through your hosting provider, Really Simple SSL will search and verify that it’s working. Otherwise, you can use the built-in Let’s Encrypt wizard to generate an SSL certificate for your site.

Then, the plugin will automatically redirect your URLs from HTTP to HTTPS and update the URLs throughout your site to match. This helps you avoid loading images or files through HTTP, protecting you from security warnings.

HTTPS changes and search engine rankings

A final step that many people fail to take is submitting their new URL to Google Search Console. Since Google considers the HTTP and HTTPS versions of your site to be two different websites, you’ll need to alert them that your website moved. This will help you avoid any SEO issues. 

Take the following steps to submit your HTTPS site to Google Search Console:

1. Go to your Google Search Console account
2. Click “Add a Property”
3. Add your website’s new HTTPS address in the popup form
4. Choose the best method to verify your ownership

Secure your website for free with an SSL certificate

Even if you don’t send or receive sensitive data, it’s vital to equip your website with an SSL certificate. SSL certificates increase website performance, improve your SEO efforts, and protect your customers and visitors from data breaches. Use the steps listed above to secure your website and establish trust and authority online. 

SSL certificate FAQs

How do I know if my SSL certificate is working?

First, open an incognito window in your browser and navigate to your site. If the SSL certificate is working properly, your website will show a padlock next to your URL in your browser. If there’s something wrong, you’ll see a security warning on your site across major browsers.

You can also use a tool like SSL Checker to ensure that everything’s working properly and identify any problems. 

What is a mixed content warning?

A mixed content warning appears when your website loads properly over HTTPs, but other content — like images, videos, or files — use the old HTTP URL.

You can fix these warnings by using a plugin like Better Search Replace to change the URLs across your site. You can also use tools like Mixed Content Test to identify any insecure content. 

How long is an SSL certificate valid for?

It depends on your SSL certificate provider. Let’s Encrypt free certificates, for example, only last for three months before requiring renewal. The maximum amount of time an SSL certificate is valid is 13 months. In some cases, you’ll need to renew your certificate manually, but most hosting providers take care of the renewal process for you.

What is a wildcard SSL certificate? 

A wildcard SSL certificate is used to secure all subdomains for a base domain. A base domain is your primary URL (e.g. example.com). Subdomains add a piece to the beginning of a URL (e.g. store.example.com). These can be used for content organization, like separating a blog or eCommerce store from an already-existing site. 

So a wildcard SSL would not just secure example.com, it would also secure store.example.com, mail.example.com, and any other subdomain.

How long does an SSL certificate take to work?

Some SSL certificates, like Let’s Encrypt, are valid as soon as installation is complete. Other certificates that require more validation can take up to a week to kick in, though the average time is one to three days.

Why do I need to force HTTPS on my site?

Forcing HTTPS means that anyone who visits your website uses the SSL-secured version. This is incredibly important because it ensures that everyone’s data and information is protected. It’s also a critical aspect of getting the SEO benefits of an SSL certificate.

Rob Pugh

Rob is the Marketing Lead for Jetpack. He has worked in marketing and product development for more than 15 years, primarily at Automattic, Mailchimp, and UPS. Since studying marketing at Penn State and Johns Hopkins University, he’s focused on delivering products that delight people and solve real problems.