
How to Get a Free SSL Certificate for Your Website (HTTPS)

If you own a website, it’s your responsibility to protect the data of your site visitors, especially if they share sensitive information like credit card numbers, medical details, and addresses. And a big part of doing that successfully is implementing an SSL certificate. SSL certificates are also an indication of site quality, which can impact visitor perceptions and where search engines place you in the rankings.

So, what is an SSL certificate? Why does your website need one? Where do you find an SSL certificate for free, and how do you install it? This article will cover everything you need to know.

What is an SSL certificate? 

SSL stands for Secure Sockets Layer. An SSL certificate is an internet protocol that secures data transfer between your users’ browsers and your website. It keeps your visitors’ sensitive information private when they do things like submit forms and purchase products. If you accept payments online, having an SSL certificate is required to protect your website data and your visitors’ credit card details.

SSL certificates also establish a sense of trust and authority for your brand. Browsers flag websites without an SSL certificate as “not secure.” They also display an open padlock sign in the address bar that alerts visitors to proceed with caution. So if you don’t have one, you’ll quickly lose trust with a lot of people. 

SSL certificates are also an indication to Google that your site is safe and trustworthy — something that can help you rank higher on the search engine results pages. 

The difference between HTTP and HTTPS

When you type a URL in your web browser, either “HTTP” or “HTTPS” appears at the beginning of your web address. HTTP stands for HyperText Transfer Protocol. Websites with an SSL certificate use HTTPS, which stands for HyperText Transfer Protocol Secure. In general, HTTP is the protocol used to send data between a browser and a website. 

Websites that begin with HTTPS ensure that all communication between a user’s browser and the website they view is secure or encrypted. As data transfers from one party to another, only the computers sending and receiving the information can view it. So if a hacker tries to access credit card information, login credentials, or personal user details, they can’t read it. 

Any website that collects passwords, payments, personal information, or other sensitive data should begin with HTTPS. This lets visitors know the site is secure. Google introduced HTTPS as a ranking signal in 2014 and started flagging sites without HTTPS as “non-secure” at the beginning of 2017. Therefore, HTTPS is an essential component of all websites today. 

How does an SSL certificate work? 

To enable HTTPS on your website, you need to install an SSL certificate. This contains a public key required to begin a user’s session securely. When a website visitor requests an HTTPS connection to your website, the website sends the SSL certificate to the browser. This initiates the SSL connection and allows your browser and the website to share sensitive information privately. 

For the average user, SSL certificates may seem complicated to understand. Let’s break it down with an example. Let’s say you want to visit your favorite website. Behind the scenes, this is what happens:

  1. Verification: When you type the website into your browser, the site begins to load. Your computer receives the website’s SSL certificate through a public key and verifies it with the certificate authority. 
  2. Connection: Your computer and the website’s server come to an agreement based on the verification. If everything looks legitimate, the two computers create a secure connection called a handshake. 
  3. Encryption: Once the secure connection begins, your computer and the website server choose an encryption type they’ll use to exchange data securely. This process codes and decodes information as it moves between the computer and the server. Any data exchanged is protected from outside viewers by scrambling the information in an encrypted language. 
  4. Authentication: Finally, your computer decrypts the data. A lock icon appears in the web address bar next to the website’s URL. This means you are free to browse the website with peace of mind knowing that your data is safe. 

Different types of SSL certificates

Here are different types of SSL certificates based on the level of security required:

  • Domain Validated Certificates: DV certificates are the least secure and reserved for small business websites or blog sites that don’t exchange customer information. 
  • Organization Validated Certificates: OV certificates provide an extra layer of security. Websites that don’t exchange sensitive customer information, such as credit card information or login credentials, use these certificates. Websites that capture prospects’ contact information are common uses. 
  • Extended Validated Certificates: EV certificates offer the highest level of security for websites that exchange sensitive information. Sites that allow financial transactions require these certificates. 

Why does my website need an SSL certificate? 

Even if you don’t receive and transmit sensitive data, it’s essential to have an SSL certificate. Here are some significant reasons you should secure your website:

  • Better website performance: SSLs improve the load time of your website. This not only enhances the user experience but also helps improve your organic rankings.
  • Improved search engine rankings: As the most prominent search engine, Google sets high standards. If you want your website to show up on the search engine results, Google needs to know that you deliver a secure and safe experience for your visitors. Having a secure website is essential if you want to rank anywhere near the top of search results. And, since SSL certificates are now so common, a site without one will pale in comparison.
  • Authority: SSL certificates create a sense of trust and authority in your website. If you collect credit card information, personal details, or passwords, your visitors need to feel confident in your site’s security. In January of 2017, Google Chrome started flagging HTTP websites as “not secure” with a warning pop-up. This is a significant deterrent for website visitors. 

How to get a free SSL certificate

Many website owners avoid adding an SSL certificate to save on the additional expense. Unfortunately, this leaves your website vulnerable. Thanks to a nonprofit project called Let’s Encrypt, website owners can now establish authority with a free SSL certificate. 


Free SSL certificate providers

The following authorities provide free SSL certificates:

  1. Let’s Encrypt: Let’s Encrypt offers free DV SSL certificates. Their focus is on creating a more private and secure open web, and they support this goal by making SSL certificates available to everyone. However, it’s important to remember that Let’s Encrypt SSL certificates are only valid for three months at a time, so you’ll need to keep up with renewal dates and ensure your certificate is always valid. If you use Let’s Encrypt through your hosting provider, they’ll typically take care of this process for you. 
  2. Cloudflare: Cloudflare offers free standard SSL certificates, alongside additional security and performance features. Their certificates can be installed with just one click and auto-renew, so you don’t have to manually update things. They also take care of redirecting your site from HTTP to HTTPS to avoid any issues. While SSL certificates are included in all plans, pricing for those plans ranges from free to $200 per month based on the performance and security features you need.
  3. SSL For Free: Similar to Let’s Encrypt, SSL For Free supports the open web by offering SSL certificates at no cost. Their certificates are trusted by 99.9% of browsers globally and last for 90 days at a time. Keep in mind that you will need to renew it every three months.

Hosting companies that provide free SSL certificates

While installing an SSL certificate may be a challenge for inexperienced users, most hosting companies offer free SSL certificates with their plans. They also take care of the installation. Here are some of the most popular hosting companies that provide free SSL certificates as part of their plans:

1. Bluehost

Bluehost offers affordable hosting packages to fit your needs. They also have WordPress-specific features like one-click installation and 24/7 access to WordPress experts. Packages with free SSL certificates start at $2.75 per month. 

2. Dreamhost

Dreamhost has WordPress hosting plans with a 97-day money-back guarantee. Their basic monthly plans start at $1.99 with a free SSL certificate included. 

3. A2 Hosting

A2 Hosting plans start at $2.99 per month, but can scale to include VPS or dedicated servers. In addition to a free SSL certificate, they include a Jetpack license and Turbo servers for super-fast sites.

4. Inmotion Hosting

Shared hosting plans from Inmotion Hosting start at $2.99 per month. They include SSL certificates, one-click WordPress installs, fast SSD servers, and more.

5. Pressable

Pressable is owned by Automattic, the company behind WordPress.com. In addition to free SSL certificates, they offer exclusive features like a built-in CDN, WordPress training, a Jetpack Security license, and more.

While these are some of the best hosting providers, many others also offer free SSL certificates for websites. If you’re unsure if SSL certificates are included in your plan, ask your specific host.

How to install your free SSL certificate

Now that you understand the significance of an SSL certificate and where to get one, let’s discuss how to install it. There are two installation methods for SSL certificates: plugins and cPanel. 

1. How to install an SSL certificate in cPanel 

Under Security in your cPanel, you’ll click SSL/TLS. From here, click Manage SSL sites. You’ll see an option to upload a new certificate to your domain. Keep in mind that if you have a current hosting package or purchased your SSL certificate through your hosting provider, they may have automatically installed the certificate on your site already. Ask your hosting provider before proceeding. 


Once you install your SSL certificate, you’ll need to set up HTTPS. This process involves editing your WordPress files, so if you don’t have experience with this, you may want to ask your host:

  • In your WordPress dashboard, go to Settings. Update your WordPress Address (URL) and Site Address (URL) by replacing HTTP with HTTPS. 
  • Click Save Changes
  • Once saved, log out of WordPress and log back in. This process may automatically log you out anyway.
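  • Next, set up redirects from HTTP to HTTPS by adding this code to your .htaccess file. You can do this through the cPanel file manager or by using SFTP.
# Redirect every plain-HTTP request to the same host and path over HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
# Only match requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# R=301 sends a permanent redirect; L stops processing further rules
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>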

This completes your SSL/HTTPS setup. Check all URLs to ensure they now display HTTPS instead of HTTP. You may notice mixed content errors from images, scripts, or stylesheets that still use the insecure HTTP URL. 

To fix this, find all mentions of your old URL in the database and replace them with your new URL that includes HTTPS. An easy way to do this is to install and activate the Better Search Replace plugin.

And depending on how your SSL certificate was set up, you may also need to update the URL in your WordPress settings. To do this, log into your dashboard and go to Settings → General. Then, change “http://” to “https://” in both the WordPress Address (URL) and Site Address (URL) sections. Finally, save your changes.


2. How to integrate your SSL certificate using a WordPress plugin

Really Simple SSL is an excellent plugin that helps you install a free Let’s Encrypt SSL certificate on your site and then configures everything to work properly. There’s no need to take any additional steps in your cPanel or through your host.

If you already have an SSL certificate through your hosting provider, Really Simple SSL will search and verify that it’s working. Otherwise, you can use the built-in Let’s Encrypt wizard to generate an SSL certificate for your site.

Then, the plugin will automatically redirect your URLs from HTTP to HTTPS and update the URLs throughout your site to match. This helps you avoid loading images or files through HTTP, protecting you from security warnings.

Security

We guard your site. You run your business.

Jetpack Security provides easy‑to‑use, comprehensive WordPress site security, including real‑time backups, a web application firewall, malware scanning, and spam protection.

Secure your site

HTTPS changes and search engine rankings

A final step that many people fail to take is submitting their new URL to Google Search Console. Since Google considers the HTTP and HTTPS versions of your site to be two different websites, you’ll need to alert them that your website moved. This will help you avoid any SEO issues. 

Take the following steps to submit your HTTPS site to Google Search Console:

  1. Go to your Google Search Console account
  2. Click “Add a Property”
  3. Add your website’s new HTTPS address in the popup form
  4. Choose the best method to verify your ownership

Secure your website for free with an SSL certificate

Even if you don’t send or receive sensitive data, it’s vital to equip your website with an SSL certificate. SSL certificates increase website performance, improve your SEO efforts, and protect your customers and visitors from data breaches. Use the steps listed above to secure your website and establish trust and authority online. 

SSL certificate FAQs

What is the difference between a free SSL certificate and a paid one?

A free SSL certificate provides the same level of encryption as many paid ones. The main differences are in the validation process, warranty, and customer support.

Free SSLs usually perform Domain Validation (DV), which confirms you control the domain name. Paid SSLs can offer Organization Validation (OV) or Extended Validation (EV). These require checking your business information, which adds a visible layer of trust for your visitors. Paid certificates also often come with a financial warranty and direct customer support, which free options do not provide.

How do I know if my SSL certificate is working?

First, open an incognito window in your browser and navigate to your site. If the SSL certificate is working properly, your website will show a padlock next to your URL in your browser. If there’s something wrong, you’ll see a security warning on your site across major browsers.

You can also use a tool like SSL Checker to ensure that everything’s working properly and identify any problems. 

What is a mixed content warning?

A mixed content warning appears when your website loads properly over HTTPS, but other content — like images, videos, or files — uses the old HTTP URL.

You can fix these warnings by using a plugin like Better Search Replace to change the URLs across your site. You can also use tools like Mixed Content Test to identify any insecure content. 

How long is an SSL certificate valid for?

It depends on your SSL certificate provider. Let’s Encrypt free certificates, for example, only last for three months before requiring renewal. The maximum amount of time an SSL certificate is valid is 13 months. In some cases, you’ll need to renew your certificate manually, but most hosting providers take care of the renewal process for you.

What is a wildcard SSL certificate? 

A wildcard SSL certificate is used to secure all subdomains for a base domain. A base domain is your primary URL (e.g. example.com). Subdomains add a piece to the beginning of a URL (e.g. store.example.com). These can be used for content organization, like separating a blog or eCommerce store from an already-existing site. 

So a wildcard SSL would not just secure example.com, it would also secure store.example.com, mail.example.com, and any other subdomain.

How long does an SSL certificate take to work?

Some SSL certificates, like Let’s Encrypt, are valid as soon as installation is complete. Other certificates that require more validation can take up to a week to kick in, though the average time is one to three days.

Why do I need to force HTTPS on my site?

Forcing HTTPS means that anyone who visits your website uses the SSL-secured version. This is incredibly important because it ensures that everyone’s data and information is protected. It’s also a critical aspect of getting the SEO benefits of an SSL certificate.

Can I use a free SSL certificate for my online store?

Yes, you can use a free SSL certificate for an online store. It will encrypt customer data, which is necessary for accepting payments securely. A free Domain Validated (DV) certificate protects information like credit card numbers while it moves between the customer and your website.

For a business that handles many transactions, a paid Organization Validated (OV) or Extended Validation (EV) certificate is a good idea. These certificates show your verified business name in the certificate details, which can increase customer confidence and help improve sales.

What happens if my free SSL certificate expires?

If your free SSL certificate expires, visitors will see a large security warning when they try to visit your site. This warning message will block them from accessing your content.

An expired SSL makes browsers display a message such as “Your connection is not private,” telling visitors their information could be at risk. This scares away most people and harms your site’s reputation. Many hosting providers automatically renew free 90-day certificates. You should always confirm that this auto-renewal feature is active to prevent your website from showing an error.

Why does my site show a “Not Secure” warning even with an SSL certificate?

Your site might show a “Not Secure” warning if the SSL certificate is not installed correctly, has expired, or if the page has mixed content errors.

First, check if the certificate has expired, because free certificates must be renewed often. Second, you could have “mixed content,” which means some images or scripts on your secure page are loading from insecure HTTP links. This makes the whole page insecure. Another reason could be that the certificate does not match your exact domain name, which can happen if it was not set up for both the www and non-www versions of your site.

Does switching from a paid SSL to a free one hurt my SEO?

No, switching from a paid SSL to a free SSL certificate will not hurt your SEO rankings. The level of encryption is the same for both. Google’s ranking system cares that your site uses a secure HTTPS connection, not how much you paid for the certificate.

As long as the new free certificate is installed correctly and your site remains secure, your SEO will not be negatively affected. The most important thing is to make sure there is no downtime during the switch and that the new certificate is valid and trusted.

Can one free SSL certificate cover my domain and its subdomains?

A standard free SSL certificate only covers a single domain name. To cover multiple subdomains at once, you need a special type called a wildcard SSL certificate. For instance, a regular certificate for yourwebsite.com will not secure blog.yourwebsite.com.

A wildcard certificate, noted as *.yourwebsite.com, secures your main domain and all of its subdomains. Some providers, including Let’s Encrypt, offer free wildcard SSL certificates. This is a very useful option if you have a larger website with different sections, as it saves you from managing many separate certificates.
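The expiry, www versus non-www, and wildcard questions above can all be checked from the certificate itself. The following is an added example, not code from the original article or from any provider it names: it audits a certificate dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificate, the dates and the 30-day renewal threshold are constructed assumptions. A wildcard entry stands for exactly one label, so the bare domain is covered only when it is listed as its own name.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not taken from a real certificate.
SAMPLE_CERT = {
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourwebsite.com"), ("DNS", "*.yourwebsite.com")),
}


def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires - now).days


def san_matches(pattern, hostname):
    """Compare one DNS name from the certificate with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def covers(cert, hostname):
    return any(
        kind == "DNS" and san_matches(value, hostname)
        for kind, value in cert.get("subjectAltName", ())
    )


def audit(cert, hostnames, now, renew_before_days=30):
    """Return a list of problems found; an empty list means all clear."""
    findings = []
    left = days_remaining(cert, now)
    if left < 0:
        findings.append("expired")
    elif left < renew_before_days:
        findings.append(f"renew soon: {left} days left")
    findings += [f"name mismatch: {h}" for h in hostnames if not covers(cert, h)]
    return findings


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the live certificate. The default context verifies it, so an
    expired or mismatched certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = datetime(2025, 3, 20, tzinfo=timezone.utc)  # fixed date for the sample
    print(audit(SAMPLE_CERT, ["yourwebsite.com", "blog.yourwebsite.com"], now))
```

Run on a schedule with `audit(fetch_cert(host), [host, "www." + host], datetime.now(timezone.utc))`, it reports a lapsed auto-renewal or a missing www name before visitors see a browser warning.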

Does an SSL certificate protect my website from being hacked?

No, an SSL certificate does not protect your website from being hacked. Its only purpose is to secure the information that travels between your site and your visitors.

An SSL certificate scrambles data so no one can read it as it moves across the internet. It does not stop a hacker from using a weakness in your website’s code, a bad password, or old software. To protect your site from hacks, you still need other security measures. This includes using strong passwords, keeping your software updated, and using a security firewall.

What is the difference between SSL and TLS?

TLS (Transport Layer Security) is the new, more secure version of SSL (Secure Sockets Layer). People still use the term “SSL,” but all modern secure websites actually use TLS.

SSL was the first protocol for securing internet traffic. Over time, security problems were found in it. TLS was created to fix those problems and provide stronger security. You do not need to worry about the difference. When you get an “SSL certificate” today, you are getting the current, secure TLS technology that is needed to make your site use HTTPS.

Rob Pugh

Rob works on building tools for creators and their audiences. He's focused on building an open, calm platform that will be loved by bloggers, newsletter publishers, and readers alike. He's worked on marketing and product for 15 years, primarily at Automattic, Mailchimp, and UPS.
