Last week, I wrote about what SSL certificates are, how they work, and why you need one for your WordPress website. But now we need to look at how to go about choosing the right kind of SSL certificate.
Choosing the Right SSL Certificate for Your WordPress Site
There are a number of ways to categorize SSL certificates.
- Free or paid
- Domain, organization, or extended validation
- Single, multi, or wildcard domains
Before you purchase and install an SSL certificate for your WordPress site, figure out which kind is right for you.
Free SSL Certificates
When your business is brand new and you’re doing everything in your power to keep associated costs low, you may be hoping there’s a way to secure your website for free. And there is.
While there is nothing wrong with getting a free SSL certificate for your website (under certain circumstances), you should be aware of the trade-off before you do:
- Security: Free SSL certificates provide websites with encryption. However, the level of encryption is restricted as you can only get DV certificates for free (more on those below).
- Liability: If the encryption fails and a visitor is harmed by a resulting breach, a free certificate won’t provide any liability protection.
- Term length: Free certificates may come with shorter terms (usually 90 days), which means regularly having to renew your certificate.
- Implementation: Free SSL certificates are best left in the hands of web developers who are capable of manually implementing certificates and keys into the backend of a site.
- Support: You won’t get assistance with authentication support for your certificate.
Like I said, under the right circumstances, a free SSL certificate may be just fine. For instance, it may be enough if you have a placeholder website for your local business, or if the information you exchange with customers or blog readers is nothing more than a first name and email address.
As your business grows, though, you will need additional protection and validation.
Paid SSL Certificates
Paid SSL certificates comprise all the other certificates available for use. The cost of each of these will ultimately depend on two factors: who the Certificate Authority is and which kind of certificate you choose.
As I already mentioned, there are certain drawbacks to using a free SSL certificate. If any of these concern you, then you can’t afford to skimp on price and miss out on the value of a higher-end SSL certificate.
The following breakdown of paid SSL certificates will explain the kind of value you get with each.
Domain Validation SSL Certificate
A domain validation (DV) SSL certificate is the easiest and cheapest certificate to get.
There’s no official paperwork to fill out. The Certificate Authority instead needs to confirm that the person requesting the SSL certificate owns the domain it will be attached to. The CA can do this through a number of verification options, including email, DNS record, or a text file saved to the root of your website.
Once approved (which generally happens within minutes), you’ll be issued your SSL certificate. In exchange for a small upfront cost, you will get an “https” address and a padlock next to it in the browser window.
Here is what the WordPress.org address bar looks like once a DV certificate has been applied:
And here is an expanded look at the website’s SSL certificate from GoDaddy:
In general, DV SSL certificates are best for small business websites, freelancer portfolios, and other websites that only ask for the most basic of contact information. As these certificates are easy to come by, they don’t necessarily offer the most robust of encryption. They also don’t do anything to provide proof that the organization behind the website is a valid one. So, if building trust is important to your business, then you will need a different kind of certificate.
Organization Validation SSL Certificate
An organization validation (OV) SSL certificate provides the next level up in browser security.
To request one of these SSL certificates, you need to provide proof that you own the domain (the same process as for the DV certificate) and proof that you own the business behind the website. This means the CA will go through official public records in order to verify that yours is a legitimate business. Typically, within a day’s time, you can have an OV SSL certificate set up for your website.
With a little more paperwork and a higher fee than the DV SSL, you’ll receive an “https” address and a padlock symbol. The SSL certificate itself will also reveal more details about your business’s location and name. This is great for building credibility with your audience while assuring them you’ve taken extra measures to secure their information.
Here is what the Amazon address bar looks like once an OV certificate has been applied:
And here is an expanded look at the website’s SSL certificate from DigiCert:
As you can see, the application of the certificate looks nearly identical to a DV SSL certificate. The key difference is in the details provided about the business’s location.
In general, OV SSL certificates are a great option for new businesses that want extra validation for legitimacy purposes. They’re also a good choice for established businesses that receive personal details from visitors, but perhaps not ones as sensitive as credit card information or social security numbers.
Extended Validation SSL Certificate
An extended validation (EV) SSL certificate is the highest level of certification and security you can get. It’s also the most expensive.
When you purchase an EV SSL certificate, a top-tier CA must review the validity of your domain and business, and verify that all official records are consistent and check out with your claims. In addition, you must be able to prove that you have officially registered your business. This one requires the most rigorous review process, so be prepared to hand over a number of official documents to validate your rights to the business, website, and the ensuing SSL certificate.
Only after a few days (or sometimes a week) of processing will you get the green address bar, padlock, name of your organization, and “Secure” note. Obviously, the tightest form of encryption will be added to your website, too.
Here is what the PayPal address bar looks like once an EV certificate has been applied:
And here is an expanded look at the website’s SSL certificate from Symantec:
As you can see, there’s much more presented here in terms of validation, including the PayPal business name in the address bar. As such, visitors have extra assurance that the organization running this website is not only a valid one but completely trustworthy.
EV SSLs are ideal for e-commerce companies, banks, and any other company dealing in highly sensitive payment and customer information.
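The business details that set OV and EV certificates apart from DV ones live in the certificate's subject, so they can be read programmatically. The sketch below is an added example, not part of the original post: it infers the validation level from the subject fields of a dict shaped like the output of Python's `ssl.getpeercert()`. The sample certificates are constructed, and the field-based rule is a heuristic (the certificate's policy identifiers, which `getpeercert()` does not expose, are the authoritative marker).

```python
import socket
import ssl

# Subject attributes that appear only after the extended vetting of the business.
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert):
    """Flatten the nested 'subject' tuple of a getpeercert() dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristic: infer DV / OV / EV from which subject fields are present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain was verified
    if EV_ONLY.issubset(fields):
        return "EV"  # registration details of the business are included
    return "OV"      # organization name and location, no registration details


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live site's verified certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns.
DV_SAMPLE = {"subject": ((("commonName", "blog.example.com"),),)}
OV_SAMPLE = {"subject": ((("countryName", "US"),),
                         (("stateOrProvinceName", "Washington"),),
                         (("localityName", "Seattle"),),
                         (("organizationName", "Example Retail, Inc."),),
                         (("commonName", "www.example.com"),))}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Payments, Inc."),),
                         (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    for cert in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        fields = subject_fields(cert)
        print(validation_level(cert), fields.get("organizationName"))
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `validation_level()`.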
Single Domain SSL Certificate
In the examples above for the DV, OV, and EV SSL certificates, only a single domain name was secured.
For those of you looking to secure your own business’s website, or for web developers helping clients to secure theirs, a single domain SSL certificate should suffice. If you were to purchase one of these and later decided to add a subdomain to it, though, you would have to purchase a completely new SSL certificate.
Wildcard Domain SSL Certificate
A wildcard domain SSL certificate will protect only one domain as well. However, the key difference between this and a single domain SSL certificate is that the wildcard protects all subdomains under that website.
Here is what the Sucuri address bar looks like once a DV certificate has been applied:
And here is an expanded look at the website’s SSL certificate from COMODO:
Take note of the domain name that’s protected: *.sucuri.net. You can also see down below where the Organizational Unit describes this as a “Wildcard”. This means that any subdomain on the Sucuri website is protected by the same SSL certificate that protects the main domain name.
A wildcard domain SSL certificate is the ideal choice for websites with Multisite networks. Also, if your website happens to contain a number of subdomains (for example, for various product lines, store locations, or landing pages), a wildcard SSL certificate would be the most cost-effective choice so you don’t have to pay to secure each subdomain separately.
Multi-Domain SSL Certificate
Finally, we have the multi-domain SSL certificate. This allows you to secure domain names from disparate businesses or hosting plans under the same certificate. There are a couple of use cases for these kinds of certificates: namely, companies that manage various web properties and web hosting clients on shared hosting accounts.
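Before buying, it helps to check which of your hostnames a single, wildcard, or multi-domain certificate would actually cover. The following is an added example, not part of the original post; the hostnames and certificate name lists are constructed. It applies the standard browser matching rule, under which a wildcard stands in for exactly one left-most label, so the bare domain and deeper subdomains need their own entries.

```python
def san_covers(pattern, host):
    """True if one certificate name covers host.

    A leading "*." matches exactly one label: *.example.com covers
    shop.example.com, but not example.com or eu.shop.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {h: next((p for p in cert_names if san_covers(p, h)), None)
            for h in hostnames}


# Constructed hostnames for a WordPress Multisite network plus a second property.
SITE_HOSTS = ["example.com", "www.example.com", "shop.example.com",
              "eu.shop.example.com", "example.org"]

# Constructed name lists for each certificate type discussed above.
SINGLE = ["www.example.com"]
WILDCARD = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
MULTI = ["example.com", "www.example.com", "example.org"]


def uncovered(cert_names, hostnames=SITE_HOSTS):
    """Hostnames that would trigger a browser certificate warning."""
    return [h for h, match in coverage(cert_names, hostnames).items()
            if match is None]


if __name__ == "__main__":
    for label, names in (("single", SINGLE), ("wildcard", WILDCARD),
                         ("wildcard+apex", WILDCARD_PLUS_APEX), ("multi", MULTI)):
        print(f"{label:14} not covered: {uncovered(names)}")
```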
What You’ll Need in Order to Buy an SSL Certificate
As you can see from the list of SSL certificates above, there’s much to think about.
- Do you need to pay for an SSL certificate? Most likely.
- How much encryption and validation do you need from the SSL certificate? That depends, though the value of an EV SSL certificate cannot be beaten.
- Will you need to protect more than one domain or subdomain? That’s to be determined on a case-by-case basis.
Once you’ve chosen the certificate type, you need to prepare for the application process. As noted above, free and DV SSL certificates don’t require much. With everything else, however, you will need to gather a bit more information.
Here is what you should compile before contacting a CA:
- A registered domain name. Verify that yours shows up in WHOIS.
- A registered business. Include a valid email address and phone number for confirmation purposes.
- A Certificate Signing Request which provides CAs with information on your web server and domain name.
- If applying for an EV SSL, have a copy of your business’s records scanned. You may want to confirm that the local government has an official record of it as well.
- A valid credit card for payment.
When you’re ready, proceed to the Certificate Authority of your choice (more on that in my next post) to submit all necessary materials and make a payment for your new SSL certificate.
Choosing the type of SSL certificate is only the first step in this process to secure your WordPress site. Next, you will need to find a Certificate Authority to procure one from and then install it on your website.
Stay tuned to the next post where I take you through the step-by-step of securing your website with an SSL certificate.