How to Get a Free SSL Certificate (and Why Google is Forcing You To)

Posted on January 9, 2017 by in Tips & Tricks | 59 comments

How to Get a Free SSL Certificate (and Why Google is Forcing You To)

Does the idea of improving your search engine rankings and offering your visitors better security sound like something you’re interested in? What if I upped the ante and told you it wouldn’t cost you a penny? SSL certificates secure your website’s connection and boost its rankings in Google. And now, thanks to services like Let’s Encrypt, you can actually get a free SSL certificate for your website.

Yup, all of the benefits of SSL, none of the costs!

In this post, I’m going to dig into what SSL certificates are, how they benefit your site, and how you can get your very own free SSL certificate. Then, I’ll even share a super simple plugin that makes getting set up with SSL on WordPress an absolute breeze.

What is an SSL Certificate?

Have you ever noticed how sometimes websites start with “http://” and then sometimes they start with “https://” and have a green padlock nearby? If you have, you’ve seen the end result of an SSL certificate. But what you haven’t seen is what goes on behind the scenes.

Free SSL certificate

SSL stands for Secure Sockets Layer. Essentially, SSL establishes an encrypted link between your web server and your visitor’s web browser. This ensures that all data passed between the two remains private and secure.

With an unsecured HTTP connection, third-parties can snoop on any traffic passing between your reader’s browser and your web server. Obviously, this is a huge issue if you’re passing sensitive information like credit card numbers.

But nowadays, many entities, including Google, are pushing to use secure HTTPS connections for all traffic, even things you might think are mundane.

Why Do You Need an SSL Certificate?

In the past, the only time an average webmaster needed to care about SSL was eCommerce. But that all changed in late 2014 when Google dropped a bomb:

SSL was going to be rolled out as a ranking factor.

That’s right, sites that use SSL certificates get a boost in the SERPs. It might not be a huge boost, but I think you’ll agree with me that any boost in search rankings is a good one. When I moved my portfolio site to HTTPS, I experienced a notable bump in my search rankings.

But now Google is going even further. Starting in January 2017 (AKA right around the corner), Google will mark “HTTP pages that collect passwords or credit cards as non-secure.” That means your WordPress login page will be marked as non-secure if you’re not using HTTPS. Here’s what that change will look like in Google Chrome:

Not secure credit card

Google eventually plans to expand this feature to treat all HTTP pages like this:

Not secure message

You definitely do not want all of your users seeing that in their URL bar…

So, in addition to offering a benefit to your readers by securing their connection, you also have both a Google-provided carrot and stick to motivate you to use an SSL certificate for your WordPress site.

Are SSL Certificates Expensive? What Are the Different Kinds?

I don’t want to dig too deeply into premium SSL certificates because it deviates too much from the goal of this post (free!). But very briefly, there are a number of different SSL certificates you can choose from. Each offering various levels of trust.

For example, Elegant Themes sprang for one of the premium SSL certificates, that’s why they get their company name next to the green padlock:

Green padlock

I used a free SSL certificate, so I only get the green padlock:

Both connections are secure, but Elegant Themes’ certificate offers Extended Validation and higher levels of security.

An SSL certificate like Elegant Themes uses typically costs somewhere around $150 per year. This expense makes sense because Elegant Themes processes payments.

But if your site, like mine, doesn’t process payments, you’re totally fine to use a free SSL certificate.

How to Get a Free SSL Certificate from Let’s Encrypt

If you’re just running a regular WordPress site and aren’t handling any super sensitive information (like credit cards), you can get a free SSL certificate from a service called Let’s Encrypt.

This certificate will give you all of the benefits of SSL without costing you a single penny. And here’s the best part:

Most major hosting providers are partnering up with Let’s Encrypt to make installing an SSL certificate totally painless.

Here are two ways to get your free SSL certificate from Let’s Encrypt:

Install Your Free SSL Certificate from Your cPanel Account (for supported hosts)

As I mentioned, many hosts are partnering up with Let’s Encrypt to add free SSL certificates directly inside their customers’ cPanel dashboards. For example, if you’re hosting at SiteGround (as I am), you can install an SSL certificate in about two seconds from your cPanel dashboard. You just have to find the Let’s Encrypt button:

Let's Encrypt

Then, all you need to do is select your desired domain and click Install:

Installing Let's Encrypt

Here’s a full list of web hosts who offer direct support for Let’s Encrypt. The process for most supported hosts should be similar to SiteGround.

Use “SSL For Free” to Configure Your Let’s Encrypt Certificate

If your host doesn’t support Let’s Encrypt, you may still be able to get your free SSL certificate by using a website called SSL For Free.

SSL for free

The site will help you configure Let’s Encrypt certificates. But, you will need access to your site’s FTP details and potentially support from your host.

If at all possible, you should try to find a host that offers direct Let’s Encrypt support because it greatly simplifies the process.

Other Free SSL Certificate Options

While Let’s Encrypt is the most popular free option, it’s no longer the only show in town. Here are some other options:

  • CloudflareCloudflare offers a shared SSL certificate on their free plan. If you’re already using Cloudflare, this is a great way to get your site up and running with HTTPS.
  • FreeSSL – While it’s not publicly available yet, FreeSSL is a free SSL certificate project from Symantec. Nonprofits or startups can get FreeSSL right now. Otherwise, you can sign up to be notified when it goes public.

How to Configure Your Free SSL Certificate With WordPress

Once you get your SSL certificate installed, users will be able to view a secure version of your site by going to “https://yoursite.com”. But just because your HTTPS connection is active doesn’t mean you’re finished.

To properly configure WordPress to work with your SSL certificate, you need to make some changes. You could do this manually…or you could use an awesome plugin that does everything for you.

Really Simple SSL

Really Simple SSL handles the whole process. Just install it and run the plugin and it will make all the necessary changes.

Just be aware – you will naturally get signed out of WordPress when you run the plugin. This is because the plugin changes your default URL from “http://” to “https://.” All you need to do is log in again with your normal login credentials. No need to be alarmed!

Wrapping Things Up

Because of how Google is pushing SSL, it’s not something you can ignore. Right now, you’ve got the carrot of improved search rankings. But Google is showing they’re not afraid to use Google Chrome to “punish” sites who don’t move to SSL.

Given that you can now get a free SSL certificate from Let’s Encrypt and others, there’s no reason not to protect your visitors’ connections and boost your search engine rankings in the process.

Have you already moved your site to HTTPS? Did you notice any change in your rankings? It would be awesome if you shared in the comments.

Article thumbnail image by fatmawati achmad zaenuri / shutterstock.com 

59 Comments

  1. You can also get a free SSL certificate with CloudFlare if your host does not support Let’s Encrypt, like mine. It works great.

    • I have a question for you. You can have CloudFlare make the certificate and you install it where? I use Godaddy for hosting.

      • Cloudflare offers 3 types of SSL mode. All of these mode (as long as it is not turned off) shows padlock in visitor’s browser. Your website will be randomly assigned a multi domain ECC SSL signed by Comodo.

        1. Flexible mode: In this mode, the connection between your server and Cloudflare is not secure while the connection between visitor and Cloudflare is secure.

        2. Full mode: In this mode, the connection between your server and Cloudflare is secure; and the connection between visitor and Cloudflare is also secure. You can use a self-signed SSL to secure the connection between your server and Cloudflare.

        3. Full (Strict) mode: This mode is similar to the Full mode, except that it needs a valid SSL signed by a trusted certificate authority.

        So, to answer your question, flexible mode does not require you to install any SSL on your server at all. However, there is risk that the connection between your server and Cloudflare can be compromised. So this mode should only be used for SEO. Do not use this mode to process sensitive data on your website.

        The other 2 modes require SSL to be installed on your server.

      • You’ll need to sign up for a CloudFlare account and then switch over your DNS/Name Servers to theirs inside your GoDaddy control panel. For their free service, there’s nothing to install on the physical server as encryption is only done between the user and CloudFlare’s servers (no encryption between CloudFlare and your GoDaddy server).

        If you’re not handling sensitive data, this is fine, otherwise I’d opt to go a different route. However, the real benefit of CloudFlare isn’t in their free SSL (which is great for more basic sites), but also their global CDN, auto-minification of assets and simple caching, which allow your site to run much quicker, from anywhere in the world.

  2. Damn, I wish this blog post was released a couple of weeks ago! I have just moved our site to https mainly to take advantage of the boost in search ranking (we have seen a small boost in ranking). I purchased an SSL certificate for about $40 from my hosting company, although not a massive amount of money, it will add up over time. So Free is good for me!!! Also we can now start to offer our client who’s site we develop and host free SSL with Lets Encrypt as standard. Win Win. Thanks for the post, very timely 🙂

    • I believe you can switch to Let’s Encrypt once your year is up so you don’t have to keep purchasing. That’s what I read somewhere, and I hope it’s true because I paid for mine too lol

  3. I have started doing all new sites using Let’s Encrypt SSL and it is so easy on cPanel to do.

    My own site is next on the list and I have read up on things to consider.

    Therefore, I am planning on installing the plugin Blue Velvet, to update all url’s that might have http:// references once the certificate is installed and I’ve changed my site url in wordpress settings.

    • Not all hosts support this. Then it’s not so easy.

  4. Very helpful for someone who isn’t that familiar with SSL certificates. Thank you!

  5. Thank you for this helpful tutorial Colin. Much less daunting of a task now.

  6. Let’s Encrypt is awesome. Easiest SSL we’ve ever dealt with. We migrated all of our sites and existing certs starting early last year and have had a very good experience all around. Very good recommendation guys.

  7. Hi, thanks for the great article! Some time ago I installed Let’s Encrypt, but my site is also still accessible through http.

    I understand that Really Simple SSL redirects all traffic to https, so that http is no longer used.

    I was wondering two things about that:

    • Does this have any affect on SEO and should you take extra measures in that area?
    • What about the redirects in my htaccess? Do they get redirected a first time according to the htaccess file and then a second time according to the changes Really Simple SSL made … Or should I edit my redirects to go to https pages in the first place?

    Best regards,
    Kristof

  8. Does your full site have to have an SSL to be in good standing with Google or just the pages that transfer secure data, like logins, credit card numbers, etc…?

    • This^^ I would like to know as well.

      • The SSL covers all pages and files under that domain so you don’t have to worry about missing any for SEO.

        Hope that helps.

  9. Interesting, I approached our web host recently asking if they would support the Let’s Encrypt SSL. The response was: We are currently not supporting letsencrypt on the shared hosting, once it has been tested thoroughly, we will consider it.

    Does shared hosting have an impact on whether you can use this? What thorough testing might be implied here?

    • Cheryl, it can be used on shared hosting. I’m using it on a shared hosting reseller account for several sites.

    • I use Let’s Encrypt on shared hosting. I think your host is just dragging its feet to be honest. Plenty of well-respected shared hosts offer Let’s Encrypt already.

  10. I have media on a subdomain. Let’s encrypt does not like that.

  11. Perhaps a daft question, but isn’t there more to it than just installing an SSL certificate?( i.e. don’t you also have to update http URLs to https, and update your site preferences in Google Console to point to the https version of your website)? Or am I confusing two separate issues?

    • That’s what Really Simple SSL helps with. You can also set up 301 redirects manually.

      • Cloudflare is easy – you can just set up page rules to redirect all instances of your domain to https. Takes 2 seconds.

  12. What happens to posts that have lots of facebook likes when you make the switch? Do you lost them all?

    Great article btw!

    • I lost all of my likes etc as it will be a ‘new domain’ in essence. I’m not sure it was worth it for me :/

  13. You could do everything inside your WordPress site (if your hosting supports it) if you install WP Encrypt: https://wordpress.org/plugins-wp/wp-encrypt/ . It handles the Let’s Encrypt part for you.

  14. Thanks so much for this critical heads up!

  15. I installed Let’s Encrypt and it worked well – it’s a pity it has to be renewed every three months, though.
    One issue I found was that absolute references to images were not updated with the plugin I used so that’s something to watch out for.

    • I thought the same thing, but my host says they will automatically attempt to renew it before it expires, so hopefully that won’t be an issue.

  16. This is very timely! I was searching for SSL in WP info past weekend but not finding much.

    I’m in process of converting our existing website to WordPress with Divi. I’ve uploaded our new Divi site into “NewSite” folder within an old HTML website on GoDaddy Linux hosting (not WP Managed) that has some .php files. Ultimately the old site will be stored online, just in an “Old” folder.

    When I hover over our site’s listing in a Google search, I often get a pop-up saying “This site may be hacked.” Is that message a for real or a scam???? Very off-putting.

    We hope to be storing member e-mails in “UltimateMember” and “Caldera Forms” plugins and using Bloom with MailChimp. Do we need SSL for those? Ultimately we want to collect Member dues etc online but not yet ready for full e-Commerce.

    BTW I don’t see GoDaddy in list of providers that supports “Let’s Encrypt.” Bummer. Also read SSL can slow your site down but not my main concern.

  17. I’ve just started moving all my sites over to a new host that has the support for Let’s Encrypt built into cPanel. The fact that they offered this feature was a big selling point for me, and I was pleasantly surprised at how easy it was to generate and install the cert. Converting WordPress installs takes a little effort, mostly because I opted not to use a plugin to take care of that part of the process on the sites I’ve worked on so far.

  18. Great article!
    Question: do I need to keep the plugin activated after it has permitted to switch from http to https?
    Regards

  19. Has to be renewed EVERY THREE MONTH.

    This has been already posted above but keep in mind: If you manually have to renew the SSL-certificates for all of your customers every 3 month (and we do host more than 500 domains) it really does not work.

    if you only have 1-5 websites this could be a good idea.

    renewing a SSL-certificate could be timeconsuming if your provider does not support SSL FOR FREE – as nearly all the germany-based providers do (not supporting…). you have to generate a CSR for your domain, copy a file to your server via http://FTP…and this every three month. and if you forget this (as you are on holidays, etc. the website will get errors and the ranking in google will suddenly be destroyed.

    so: please explain to your customers that SSL is important and then they will agree and spend some money on REAL certificates which will last max. THREE YEARS instead of THREE MONTH.

  20. OK I found some more info on this from my website hosting company – where to find the Let’s Encrypt appears to be different also for different website hosting company’s. Also has some info about the 90 days for SSL, it does attempt to renew it. Also note the info about the free SSL or dedicated IP addresses.

    https://ventraip.com.au/faq/article/lets-encrypt/

  21. Thanks. Very helpful. I just did it for my site and will now do it for my clients.

  22. I have Inmotion and they charge just to install an SSL on the server even if you buy an overpriced one from them. I have a reseller account and still don’t have the access necessary to do it on my own. I do not like that they force you to do this. Also most servers require a dedicated IP for SSL in which they charge you for. So unless you have an additional one provided for free, nothing is free.

  23. Any idea how to let GOOGLE know about the change from http to https ?
    I think I have to write something in my htaccess but I have no idea what 🙁

  24. Hi colin

    Excellent post,

    I have a questions, help me….

    I use the free SSL certificate from Let’s Encrypt, but my problem is that my wordpress site does not activate the certificate on some pages and many others on any page.

    I do not know if you have some easy steps that let me know how I can activate the ssl certificate in my entire worpress site.

    Thank you.

    • Try and use simply SSL plugin to enforce it

      • 365Life Media,

        I installed the plugin and it worked.

        thank you very much. :D:D:D:D:D:D::D:D:D::D:D::D:D:D:D:

  25. A good post with a very interesting content. Now a days SSL cerificates is must for every website as there is lot of online shopping and onlline payment will be going on.So if we have this certificate with us then the website will be secure and customers will also don’t hesitate to pay through the website.

  26. Thanks for this splendid tutorial. ;D

  27. Thanks for great information, I think SSL is only important for E-commerce websites with payment process. Not for all simple websites ?

  28. Hi
    Have anyone tested (this free) Let’s Encrypt SSL site with older mobile (any llink, I can test?)?

    I want client with (Galaxy SII or) other older mobile to see my site (Chrome is ok, but Android default browser is not)… but when my hosting added free SSL (it’s Comodo) it doesn’t work anymore.

    Fix was that they enable TLS 1.0 for the server I use.

    How big security issue is this TLS 1.0?

  29. Wow! Great advice. I didn’t know SSL would impact search results and add protection even if info is not exchanged. Since my site is hosted by Pressable it only took a press of a button to add “Let’s Encrypt”. It nice to have such an easy implementation for a change!

  30. This was a great post, but if we’re commenting, we’re often asking questions. Maybe author intends to respond soon? Would be really great to get some answers not just to our own Qs but others! I had two:

    “When I hover over our site’s listing in a Google search, I often get a pop-up saying “This site may be hacked.” Is that message a for real or a scam????”
    I also read online mostly in wordpress.org that “SSL can slow your site down.”Is that also for real?

    Thanks in advance.

  31. Unfortunately, it’s not supported by namecheap,
    But good to know about the free SSL. thanks.

  32. FWIW, you said, “Most major hosting providers are partnering up with Let’s Encrypt to make installing an SSL certificate totally painless.” I would say that depends on what your definition of “major hosting provider” is. In the lowest level of support (”No Planned Support”) listed on Let’s Encrypt’s forum post that you linked to, are 1and1 and Namecheap. GoDaddy is notably absent from all lists. And HostGator has delayed their implementation pending further consideration/investigation. But one provider that is listed (and has very favorable ratings from users) is Dreamhost. I have never done business with them. But I have heard enough good about them, and I have enough need for SSL certs that I am planning on moving everything over to them very, very shortly.

  33. Really too much helpful. I have saved minimum $100+ that i could sent for Facebook advertisements. I think free SSL is good for our online shopping in Bangladesh. We don’t need to accept PayPal, Credit card etc.

    Is there any process to add a EV SSL Certificate at very low price or free anyhow.

  34. Does iPage has the Let’s encrypt? I can’t find it on control panel.

  35. Can someone elaborate on the 90 day expiration? Does that mean I need to manually do something every 90 days for every site I manage? What’s involved?

  36. Thanks for the advice!

    I’m just starting to transfer all my sites over to SSL and luckily my web host has just this week implemented Lets Encrypt.

    Will be interesting to see if there is a bump in SERPS for some of these sites.

  37. This is a great article. I’m in the process of making my entire site compliant to a secure environment. But I’ve found a lot of inline CSS in Divi that uses absolute http paths.

    I could update those to be protocal relative URLs. But even with a child style sheet, there are problems in other areas, such as divi plugins that don’t allow for child plugin modifications.

    Any suggestions?

    • Appears I have to go page by page. However, I did find this to be quite helpful for saving time:

      UPDATE wp_posts
      SET post_content = ( Replace (post_content, ‘src=”http://’, ‘src=”//’) )
      WHERE Instr(post_content, ‘jpeg’) > 0
      OR Instr(post_content, ‘jpg’) > 0
      OR Instr(post_content, ‘gif’) > 0
      OR Instr(post_content, ‘png’) > 0;

      Backup your database first, if you think that is a good route for you to save time. My site is very large, so that was great for me.

      Still need to figure out a way to force new uploads to be protocol relative, so that there is not a continuous job of updating.

      • Hi
        You didn’t try the Really Simple SSL plugin above? I’d like to know If that works fine…

        “Your insecure content is fixed by replacing all http:// urls with https://, except hyperlinks to other domains. Dynamically, so no database changes are made (except for the siteurl and homeurl).”

  38. Too bad Let’s Encrypt doesn’t work with the free version of Cloudflare. Now, I am talking about the free version that is offered by the Web hosting company, not the free version offered directly from Cloudflare; these are two different animals with different features available. I am not giving up Cloudflare for HTTPS as I just have a personal hobby related website. Hopefully they will fix this sometime down the road.

    • Why not just try Cloudflare? It has worked great for me. Free and takes just a few minutes to set up.

  39. I just did it manually and it worked for me. thank you very much

  40. I have installed let’s encrypt certificate, but I can’t find how to renew it, can anyone knows here, how can I renew let’s encrypt certificate

401,632 Customers Are Already Building Amazing Websites With Divi. Join The Most Empowered WordPress Community On The Web

We offer a 30 Day Money Back Guarantee, so joining is Risk-Free!

Sign Up Today

Pin It on Pinterest