How to get HTTPS: Setting up SSL on your website

If you are collecting ANY sensitive information on your website (including email and password), then you need to be secure. One of the best ways to do that is to enable HTTPS, also known as SSL (secure socket layers), so that any information going to and from your server is automatically encrypted. The prevents hackers from sniffing out your visitors’ sensitive information as it passes through the internet.

secure lock https

Your visitors will feel safer on your site when they see the lock while access your website – knowing it’s protected by a security certificate.

Overview

The best thing about SSL is it’s simple to set up, and once it’s done all you have to do is route people to use HTTPS instead of HTTP. If you try to access your site by putting https:// in front of your URLs right now, you’ll get an error. That’s because you haven’t installed an SSL Certificate. But don’t worry – we’ll walk you through setting on up right now!

Setting up HTTPS on your website is very easy, just follow these 5 simple steps:

  1. Host with a dedicated IP address
  2. Buy a certificate
  3. Activate the certificate
  4. Install the certificate
  5. Update your site to use HTTPS

Step 1: Host with a dedicated IP address

In order to provide the best security, SSL certificates require your website to have its own dedicated IP address. Lots of smaller web hosting plans put you on a shared IP where multiple other websites are using the same location. With a dedicated IP, you ensure that the traffic going to that IP address is only going to your website and no one else’s.

An affordable host I recommend for a dedicated IP is StableHost. At this time it’s under $6/month, but you can get it cheaper if you order for a full year. They’re my host and I’ve been blown away with their support and performance. Oh, and here’s a coupon for 40% off: expert40

If you don’t have a plan with a dedicated IP  you can ask your current web host to upgrade your account to have a dedicated IP address. There will probably be a charge for it – it could be one-time or monthly fees.

Step 2: Buy a Certificate

Next you’ll need something that proves your website is your website – kind of like an ID Card for your site. This is accomplished by creating an SSL certificate. A certificate is simply a paragraph of letters and numbers that only your site knows, like a really long password. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is – and it encrypts everything flowing to and from it.

Technically this is something you can create yourself (called a ‘self-signed cert’), but all popular browsers check with “Certificate Authorities” (CA’s) which also have a copy of that long password and can vouch for you. In order to be recognized by these authorities, you must purchase a certificate through them.

NameCheap is where I buy my certificates. They have a few options, but the one that I find best is the GeoTrust QuickSSL.  At this time it’s $46 per year, and it comes with a site seal that you can place on your pages to show you’re secure – which is good for getting your customers to trust you. You’ll simply buy it now, and then set it up by activating and installing it in the next steps.

Step 3: Activate the certificate

Note: Your web host may do this step for you – check with them before proceeding. This can get complicated and if you can wait 1-2 days it may be best to let them do it.

If you’re activating the certificate yourself, the next step is to generate a CSR. It’s easiest to do this within your web hosting control panel – such as WHM or cPanel. Go to the SSL/TLS admin area and choose to “Generate an SSL certificate and Signing Request”. Fill out the fields in the screen below:

generate a CSR

“Host to make cert for” is your domain name, and the contact email can be blank. When you’ve filled it out, you’ll see a screen like this:

Generated CSR

Copy the first block of text. You’ll need this “CSR” to give to the SSL cert issuer so they can establish your identity. Login to your NameCheap account (or wherever you bought your certificate) and activate it. Paste your CSR and any other fields needed. It will ask you for an approver email. This is an email address that proves you own the domain, ie webmaster@domain.com. If it doesn’t exist, you’ll need to create it so you can get the email that contains the final certificate. Follow the steps and when you are done that email address should have received the cert as a .crt file.

Step 4: Install the certificate

Note: Your web host may also do this step for you too – check with them before proceeding. This can get complicated and if you can wait 1-2 days it may be best to let them do it.

If you’re installing up the certificate yourself, this is the easiest step you’ll ever do. You have the certificate in hand, all you need to do is paste it into your web host control panel. If you’re using WHM.CPanel, click the “Install an SSL Certificate” from under the SSL/TLS menu.

Installing a cert

Paste it into the first box and hit submit. That’s it! Now try to access your site via https://www.domain.com – you should be secure!

Step 5: Update your site to use HTTPS

At this point if you go to https://yoursite.com you should see it load! Congrats, you’ve successfully installed SSL and enabled the HTTPS protocol! But your visitors aren’t protected just yet, you need to make sure they’re accessing your site through HTTPS!

Keep in mind that you typically only need to protect a few pages, such as your login or cart checkout. If you enable HTTPS on pages where the user isn’t submitting sensitive data on there, it’s just wasting encryption processing and slowing down the experience. Identify the target pages and perform one of the two methods below.

You can update all links to the target pages to use the HTTPS links. In other words, if there’s a link to your cart on your home page, update that link to use the secure link. Do this for all links on all pages pointing to the sensitive URLs.

However, if you want to ensure that people can only use specific pages securely no matter what links they come from, it’s best to use a server-side approach to redirect the user if it’s not HTTPS. You can do that with a code snippet inserted on top of your secure page. Here’s one in PHP:

// Require https
if ($_SERVER['HTTPS'] != "on") {
    $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url");
    exit;
}

Another server-side approach is to use mod-rewrite. This won’t require you to change any of your website files, but will need you to modify your apache configuration. Here’s a nice mod-rewrite cheat sheet , or just use this example:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(cart/|checkout/) https://%{HTTP_HOST}%{REQUEST_URI}

This will ensure that if anyone accesses a page via HTTP they will automatically be redirected to HTTPS.

Tips

  • Understand that HTTPS doesn’t mean information on your server is secure, it only protects the TRANSFER of data from your visitor’s computer to yours, and the other way too. Once the sensitive data is on your server it’s up to you to keep that data safe (encrypt in database, etc).
  • Some people just look for a lock on the page, not on the browser. After you’ve installed SSL you might want to try adding a lock icon on your pages just to let them know it’s secure if they don’t look in the url bar.

Summary

What makes a website secure? A properly installed security certificate.

Congratulations! You’ve successfully protected your website by installing an SSL cert and made your visitors less prone to attacks. You can breathe easy knowing that any information they submit on your website will be encrypted and safer from packet sniffing hackers.

Resources Used

85 comments on “How to get HTTPS: Setting up SSL on your website
  1. Junaid Ahmed says:

    wow ! worked for me (:

  2. mark says:

    Thanks for the tips, also might want to also check out http://www.sslguru.com, they have a pretty robust knowledge base and a couple SSL tools that come in handy.

  3. Rajan says:

    I don’t have any transaction to be made on my site so should I get SSL certificate or not

  4. God of The internet says:

    A SSL cert means nothing these days. Its a false sense of security. Anything you do online is open to public attacks and eyes. This includes bank logins and transactions. The SSL cert is just a way for these companies to grab your money.As a security expert, I can tell you this from first hand. I can sit anywhere in a public place where people use their wireless device and steal any info they send across the airwaves including bluetooth.

    • jules says:

      This appears to be the internet equivalent of saying ‘we are all going to die’….yes but in the mean time we all have to live, so comments like this are extremely unhelpful with out giving a solution, so thanks for increasing the sense of vulnerability and may be you can give your solution? If SSL is useless then what do you suggest?

    • Hadi Altaha says:

      I love the confidence, you are awesome

    • Ivan says:

      WEll it definitely help out with SEO, as Google ranks https sites higher than http sites.

    • Thomas says:

      Is it true even if you don’t have access tot hat WiFi ? If that is the case is it advisable to use Wifi at home and connecting to back site etc ?

    • Mut says:

      Security experts don’t make unethical comments like this one.
      More likely gray or black.

    • Hunter Rose says:

      Wow…your not much of a God of the internet…or much of an IT security geek either. I have my Certified Ethical Hacker v7.0. Let me clarify some things. Firstly SSL is for the security of data between a web server and a client system. Baiscally it ensures that their is an encrypted connection that data is being sent over between you (the client), and the webserver. Anything that is not encrypted is known as cleartext. What GOTI is referring to is packet sniffing. Packet sniffing can be done easily over a non WPA2 encrypted connection. WPA2 is a form of encryption between the router and the client wireless network interface. In order to sniff such data, the Man-In-Middle (MITM), must either be routing you through a fake AP (Evil Twin), and redirecting your traffic through their own webserver or a pineapple made to do that, and then using SSL Strip to clarify the encrypted traffic. However, service like Google, and many other major hosters have taken steps to prevent this like using HSTS (Strict Transport Security), that forces SSL throughout the session, since tools like SSL Strip can only strip on sites that use a combination of Http, and Https. For this reason it is important that you actually should enforce strict rules on your webserver to enforce SSL on all pages and prevent such attacks, even if it costs speed and overhead. For your own safety when using public wifi, always makes sure there is adequate WPA2 protection going on between your system and the host router. Often this will be a page that you login to when first going on the open network. You can check your security type on most windows based systems by simply clicking your connection icon, right-clicking your connection and going to properties, and then security, to see what is set. On Android, IOS, OSX, and Linux it works a bit differently, but the information is there if you research it and find out.
      As another note of caution always do these things on your system. One use a decent firewall. Even one like Tinywall for windows is better than the standard MS firewall alone. Use a good VPN, I like to use softether VPN as a free and easy to setup VPN. If your very tech savy, combine this with Advor (Advanced Onion Router), and route through Tor network with randomizing connections. There are tutorials on how to do this around. What God of Internet says is cautionary. Do bad guys like him exist…yeah…do you have to be pwned by someone like him. No way, not with a little precaution. Besides, given his level of information, I know he couldn’t hack someone like me, and really, probably can’t hack his way out of a paper ba ;-P

  5. Jake Glyndal says:

    “What makes a website secure? A properly installed security certificate.” Uh, no. No no no no. All it does is put up a fence around the data being communicated between the visitor and the website. It doesn’t “secure” the website from attackers.

  6. Prashant says:

    Great article Shane…it helped me 🙂 Thank you for sharing

  7. Thank you for everything details i think am one step ahead of getting my website secure.

  8. Archana says:

    The article helps

    Thanks heaps Shane!!

  9. Chandan says:

    Hi Shane,
    Can the redirection be done through .htaccess?

  10. joe says:

    hello, im new to web designing…my question: where in my site do i put this php code

    “// Require https
    if ($_SERVER[‘HTTPS’] != “on”) {
    $url = “https://”. $_SERVER[‘SERVER_NAME’] . $_SERVER[‘REQUEST_URI’];
    header(“Location: $url”);
    exit;
    }”

    is it in the “head” section or the “body” section

  11. Mitch says:

    I read the article and realized that this is two years ago but still the information is relevant. I agree! Installing SSL on the site will secure private data sent over the Internet. Google loves secured site as well. Thanks for the tip!

    By the way, what do you think with https://www.ssl.com/? They provide a wide range of digital certificates to fit any needs at a lower price.

  12. LS says:

    Thanks mate!
    Been looking for somewhere to tell me the 1 2 3 of SSL and this is exactly what I wanted 😀

  13. Joe says:

    Nice one here. Who actually ought to intergrate the SSL Cert? Is it my host company into their server or I who own the web pages? I am about to upload an e-store built on the WP e-commerce theme and using WordPress. I already have a host. Pease, advise me more. Thank you.

  14. Priyank Soni says:

    Yeah it works..good..
    But I will go with 5 comment who wrote, “As a security expert, I can tell you this from first hand. I can sit anywhere in a public place where people use their wireless device and steal any info they send across the airwaves including bluetooth.”

  15. Hussain Badusha says:

    Thanks.

    This gives me an insight on what exactly SSL Secure Socket Layer is.
    I’ve worked many domains, subdomains and other things but not with SSL.
    Hopefully, i will soon work on it with some clients

    Again thumbs up for the tremendous post.
    Hussain Badusha.

  16. David Lewis says:

    Your article is great. Can you show me or complete an SSL Certificate on my Wix site? I am losing tons of business as my Wix site is not secure!

    Can you assist with a solution?

    Thanks

    David

    P.S. My site is under construction but address is as shown below

  17. GuxGux says:

    Now there are free certificates. An org from linux foundation + google runs it:
    https://letsencrypt.org/

  18. surya says:

    i installed ssl on my host.
    thanks a lot

  19. sandra says:

    thank you for your article – we got the SSL certificate but since installation our e-mails from our quote forms and online shop orders are getting caught on the server by the spamnet? Why is it happening?

  20. Vincent says:

    I have installed a self-signed certificate on my cpanel but it doesn’t still work. What might be the issue?

  21. Do we have any way to install the free SSL certificates on website and does it help to increase the traffic, as I do not have any sensitive information on my website. So, wanted to know is it required even?

  22. I’ve been thinking of SSL for a while, some of the other sites that I run are looking to have stores on them so the info in this article is going to be invaluable to help decide how to get them up with an SSL certificate

  23. Thanks for the wonderful article I will sure try to implement it….what are your thoughts on Lets encrypt for Go Daddy.

  24. Riyaz says:

    Nice information. Can you please help with letsencrypt SSL Certifucate?

  25. Hello
    I need your help. I installed the certificate on the server and I somehow managed to redirect from http to https. Everything works fine but the problem is the website loads the default home page instead of my webpage. My hosting server is on Godaddy and my website is tusharshivan.in

    Please Help
    Tushar

  26. Jeff says:

    I don’t want to pay anything for this certification, I just want the HTTPS…where can I just have my website verified for free?

  27. Gizmo says:

    Do we have to buy the https certificate. If yes then how much it cost? If no then do I just need to put the code on to my website.

    I am new please bear with me. Thanks!

  28. seoallin says:

    https is worth considering, Google algorithm now adds seo points for that.

  29. Harish Chand says:

    Thanks for this wonderful article. It really made me easier to know more about how to secure info transfer using https://.
    Also I read the hosting and certification plans by NameCheap and StableHost. I am pretty amazed with this and looking forward to use the plan.

    Thank You.
    NSW IT Support

  30. Srijan Chand says:

    How much time does it take to a website after installing the certificate to get updated?

    By the way,
    Really a worthy article. Every stepwise suggestion is just mind blowing.

    Thank You,
    Srijan Chand.

  31. robin says:

    hello, my website has installed SSL and it shows okay when you open it in chrome with green lock.However while in google, if i search my website it does not include https, where is worng

  32. Nakisn Moiffe says:

    Really Helpful, please what other ways can we secure our site is secured especially if financial transactions are being carried out?
    Thanks

  33. assaf says:

    Hi Friend! 1 question please! if i do not collect info such as email and password – i only sell using paypal in my website – do i have to use ssl ?

  34. Sablefoste says:

    No excuse any more for not having EVERYTHING SSL on the internet. It is too easy (thank you for this still relevant article) AND now always FREE thanks to Let’s Encrypt (https://letsencrypt.org/). I use Dreamhost, and the combination is truly a “fix it and forget it” solution. Just apply for the certificate, follow the rules on this article and you are done. It automatically renews.

    NO MORE EXCUSES!

  35. Ratan says:

    Thanks for your information. Today, I read about HTTPS. Google Says, Its a Ranking signal. So, I am going to buy a ssl certificate. Can you please tell me which ssl provider is best?

  36. Lidia Clases says:

    What about free SSL’s from let’s encrypt?

  37. Thanks mate. I’m facing too much problems because of this. And now it’s totally clear because of your post.But can the redirection be done through .htaccess?

  38. john says:

    Hi Shane,

    We have a bunch of forms that need to be SSL. IS it safe to apply SSL on a production server or is it better to clone them onto a different server with SSL enabled and then do a DNS cutover to that server? Is there a server downtime to be expected when implementing SSL? I’m trying to avoid any interruption of service. I’m kind of new to this so I’m just doing some homework on this.

    Thanks!
    John

  39. Mark says:

    My site run both url with http or https, I cannot understand the issue!!! “what’s wrong with my end

  40. PJ says:

    what if my websites are behind a load balancer? how can we do that?

  41. AndroidRev says:

    Wow! I just read this now and while I knew the importance of securing your site, I never imagined that Google ranked site based on their perceived security. Thanks for this, I’m off to secure my site!

  42. Shabu Anower says:

    Thank you for your detail instruction, just I’ve activated SSL for a site. Again, thanks a lot.

  43. Emran says:

    Google is enforcing what they like, not fair

    • John says:

      Exactly, if you are a landscaper and using your site for visual advertising and pics of your work, https does nothing for you except make you spend money (if your host doesn’t offer it for free) to get google search rankings…the person who designs the website should know if they need https or not.

  44. Peter Pareno says:

    And how will changing your website from http to https affect search engine ranking?is it true that https are more favored in search engine rankings?

  45. Ashu says:

    Thanks this article help me to enable https on my Blog. Its improve my alexa rank and Google SERP Result

  46. I don’t have anything related to Online Payment on my site so should I use still this for better Google Rankings?

  47. akshay says:

    halo sir,
    there have any other option to instol ssl certificate in my wordpress website using ftp smart software
    reason my hosting server is not available for ssl certificate upload that’s why ..

    pleas help me
    how can i upload ssl certificate in my server without cpanel .

  48. Haile Gebru says:

    there are no financial or sensitive data on my site . can i get the certificates for free i am not that much convinced to pay where my web data is not sensitive.

  49. Apparao says:

    Can Any one suggest in java how to get ssl certificate and https

  50. Bukas says:

    Can this work on Blogger hosted sites using custom domain?

  51. Logic Freak says:

    Will HTTPS slow down my website?

  52. Kuldeep patel says:

    Thanks it is helpful for me.

  53. kevin says:

    Practice what you teach 🙂

    if you know what i mean 😀

  54. pakskills says:

    Nice writing but i have difficulty to set it up. any body help me.

  55. Hashib says:

    how can i install free ssl on wordpress

  56. Gary Watson says:

    Will installing the ssl certificate effect my Google rankings? Is there a way of poitning all the SEO work i had done from the standard http:// to https://

  57. Oliver Russell says:

    I would recommend you to use Let’s Encrypt for applying SSL on PHP websites. Let’s encrypt is available for free and it will remain free. It is easy to install and configure with your website.

  58. Cheryl says:

    Hello, It didn’t work in my site. Please is there any another option for https secured connection?

  59. Safe Milli says:

    Thanks, this work perfectly for my wordpress blog. SSL certificate installation was done successfully.

    Thank you!

  60. Debbie says:

    We have a valid SSL certificate but the links are not https… how do I update them… where etc?

Leave a Reply

Your email address will not be published. Required fields are marked *

*