This is a follow-up to the earlier post, Do I need SSL for My Website? Let us learn how to install SSL on our websites, that is, if we need it.
If you are collecting ANY sensitive information on your website (including email and password), then you need to be secure. One of the best ways to do that is to enable HTTPS, also known as SSL (Secure Sockets Layer), so that any information going to and from your server is automatically encrypted. This prevents hackers from sniffing out your visitors’ sensitive information as it passes through the internet.
It’s fairly easy.
What you would need
SSL is simple to set up, and once it’s done all you have to do is route people to use HTTPS instead of HTTP. If you try to access your site by putting https:// in front of your URLs right now, you’ll get an error. That’s because you haven’t installed an SSL Certificate.
- Good Host
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
Some people think you need a dedicated IP address before you can use SSL, but I don’t think so.
Whether you can or cannot use an SSL certificate on shared hosting totally depends on your shared hosting provider. Technically, it is definitely possible for your website to have an SSL certificate on shared hosting, but that depends on whether your hosting company allows it.
Good Host
Some shared hosting companies allow that by default; others charge an extra monthly fee for giving you a unique IP address so that you can have an SSL certificate. It depends on how they set up their shared hosting services.
I would recommend that you call your shared hosting provider and ask them about that. If they don’t allow you to have an SSL certificate on their shared hosting plan, then you can always go with a different shared hosting provider, or upgrade your hosting to a VPS (virtual private server), a dedicated server, or cloud hosting.
Buy The Certificate
Next you’ll need something that proves your website is your website – like an ID Card. This is done by creating an SSL certificate. A certificate is simply a paragraph of letters and numbers that only your site knows, like a really long password. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is – and it encrypts everything flowing to and from it.
If your hosting provider does not offer a free SSL certificate, then you can ask them if they sell third-party SSL certificates. Most hosting providers sell them for around $50-$200.
Once you have purchased an SSL certificate, you would need to ask your web hosting provider to install it on your server.
Activate The Certificate
Your web host may do this step for you – check with them before proceeding. This can get complicated, and if you can wait 1-2 days, it may be best to let them do it.
If you’re activating the certificate yourself, the next step is to generate a CSR (Certificate Signing Request). It’s easiest to do this within your web hosting control panel – such as WHM or cPanel.
See details on generating a CSR here.
How to Install SSL
If you’re installing the certificate yourself, this is the easiest step you’ll ever do. You have the certificate in hand; all you need to do is paste it into your web host control panel. If you’re using WHM-CPanel, click “Install an SSL Certificate” under the SSL/TLS menu.
Paste it into the first box and hit submit. If you type https://www.domain.com – you will see the green padlock…
Update your site to use HTTPS
Typically one only needs to protect a few pages, such as your login or checkout. If you enable HTTPS on random pages, then it’s a waste of time and encryption. Select your target pages and perform one of the two methods below.
You can update all links to the target pages to use the HTTPS links. In other words, if there’s a link to your cart on your home page, update that link to use the secure link. Do this for all links on all pages pointing to the sensitive URLs.
However, if you want to ensure that people can only use specific pages securely no matter what links they come from, it’s best to use a server-side approach that redirects the user if the request is not HTTPS. You can do that with a code snippet inserted at the top of your secure page.
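One way to write such a redirect in PHP, as an added example and not the snippet from the original post. The host name www.domain.com and the TRUST_FORWARDED_PROTO flag are placeholders chosen for illustration; set them for your own site.

```php
<?php
// Added example: force HTTPS for any page that includes this file first.
// CANONICAL_HOST is a placeholder; set it to your own domain.
const CANONICAL_HOST = 'www.domain.com';

// Set to true only when the site sits behind a load balancer or proxy
// you control that terminates TLS and sets X-Forwarded-Proto itself.
const TRUST_FORWARDED_PROTO = false;

function request_is_https(array $server, bool $trustProxy): bool
{
    // Apache sets HTTPS to "on"; IIS sets it to "off" for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Any client can send this header, so honour it only behind a trusted proxy.
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

function https_url(array $server, string $host): string
{
    // Build the target from the configured host, not the client-supplied
    // Host header, so a forged Host cannot steer the redirect elsewhere.
    $path = $server['REQUEST_URI'] ?? '/';
    // Strip CR/LF and force a single leading slash.
    $path = '/' . ltrim(str_replace(["\r", "\n"], '', $path), '/');
    return 'https://' . $host . $path;
}

// Skip the redirect when run from the command line (no HTTP request).
if (PHP_SAPI !== 'cli' && !request_is_https($_SERVER, TRUST_FORWARDED_PROTO)) {
    header('Location: ' . https_url($_SERVER, CANONICAL_HOST), true, 301);
    exit; // stop before any page content is sent over plain HTTP
}
```

Include it before any output on the page, because header() cannot send the redirect once the response body has started.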
That’s it.