Though WordPress is increasingly bulletproof out of the box, security is a topic that never really goes away for users. It’s not just the platform itself that you have to worry about; there’s also a much wider world out there full of potentially bad actors with a vested interest in breaking down your digital door.
SSL certificates solve one part of that puzzle and have been a rock-solid way of keeping the connection between your website and the average user secure since 1996. Cost and implementation concerns, however, have long stood in the way of their widespread deployment.
In this piece, we’ll cover the recent unveiling of the Let’s Encrypt initiative, its promise of free and easily implementable SSL certificates for all, and how it looks set to radically change the online security landscape. Let’s kick things off with a bit of background.
What SSL Is And Why It’s Important
We’ll get some basics out of the way for those who might be coming at this for the first time. HTTP, the protocol we use to sling information around the web, is unencrypted by default. This means that data can potentially be intercepted and tampered with during its journey. Secure Sockets Layer (SSL) is a suite of protocols developed to encrypt the transmission of data in order to avoid this unpleasant possibility.
Combine HTTP with SSL and you get HTTPS – a bi-directionally secure way of accessing and using a site. In addition to a minor SEO bump, there are two huge benefits that HTTPS brings:
- Encryption: Your data is securely encoded so it can’t be read by third parties.
- Authentication: You know that the site you’re dealing with is who they say they are.
SSL certificates are what make both of these things possible. Certificate authorities authenticate site ownership to varying degrees as part of the process of issuing certificates. The certificates themselves then enable the encryption of data between your server and a user’s browser.
You know you’re dealing with an SSL-enabled site when you see https:// in the URL and a padlock in the address bar of your browser. In the case of an Extended Domain Validation Certificate, you’ll also see a green visual indicator.
HTTPS has traditionally been recommended largely for eCommerce sites where sensitive user data is definitely in play. The reality for WordPress site owners, however, is that every site deals with the transmission of sensitive information, in the form of your login details if nothing else.
To cut a long story short, if you’re running an online shop of any description, you definitely need to be using HTTPS. If you’re not, it’s an excellent idea regardless. Up until very recently, however, getting up and running with an SSL certificate was not for the faint of heart.
The Bad Old Days Of SSL Certificates
As we mentioned up top, SSL is not a new technology. The basics have been kicking around since 1996. Since that time, three fundamental problems have reared their heads time and time again:
- You can’t really do it yourself: The ability to create self-signed certificates that handle encryption is technically there, but all modern browsers throw up huge warning messages to users when they hit them. This is simply not an option in the context of most sites.
- You have to identify and pay for a certificate: As with anything commercial, there’s an often deliberately bewildering number of options out there from a huge range of providers. Many of the solutions are hard to understand and end up being prohibitively pricey for ordinary site owners.
- Installation is by no means straightforward: This varies according to your hosting setup and level of technical nous, but you may well be faced with a series of significant technical hurdles in order to actually get up and running once you’ve purchased a certificate.
Put all that together and you’ve got a scenario that’s less than enticing for the average WordPress user who’s simply looking to serve up a few pages and get on with their lives.
The Let’s Encrypt initiative is an attempt to cut through a lot of this clutter and make SSL encryption a much more palatable solution for ordinary site owners. Let’s look at what they’re offering.
What The Let’s Encrypt Initiative Involves
Let’s Encrypt is a new certificate authority run by the Internet Security Research Group, and is set up to make installing SSL certificates free, automated, and open. As a quick look at their homepage shows, they’re also actively supported by some of the biggest beasts in the online jungle, including Chrome, Mozilla, Automattic, Sucuri, and Facebook.
There are two fundamental ways that Let’s Encrypt represents a huge shift in the SSL certificate landscape:
- Certificates are free: A fairly self-explanatory point, but crucial nevertheless.
- They can be quickly and easily implemented: Rather than having to slowly jump through hoops as was previously the case, site owners can now install a client on their server that enables the process to be easily automated.
The combined impact of those two points has been impressive to date. From pretty much a standing start, Let’s Encrypt has issued over 10 million certificates at the time of writing, and has a decent claim to be the Internet’s largest certificate authority. They’ve also, crucially, been enthusiastically supported by huge hosting providers and platforms such as Shopify, Automattic, and OVH (among many others) who’ve made it easy for their users to automatically enable SSL.
It’s still early days for Let’s Encrypt, and there remain plenty of potential caveats to bear in mind, but it’s safe to say that its arrival represents a significant inflection point on the road to universal SSL adoption. Speaking of which, let’s close things out with a brief look at your options for getting started with using the service.
How To Get Started With Let’s Encrypt
There are basically two options on the table for using Let’s Encrypt – set it up yourself, or find a hosting partner who’s already enabled it behind the scenes as either an opt-in or default for their customers.
If you’re looking to take the DIY route, your first port of call should be the official documentation in order to get up to speed with the basics and topics such as integrating staging environments. Linode’s getting started guide is a useful general resource to turn to next, and Jenni McKinnon’s piece over at WPMU DEV does a great job of walking you through the whole process in the specific context of WordPress.
If you’d much rather that all of this magically takes place behind the scenes, then it’s a question of finding a host that explicitly supports Let’s Encrypt and exploring their offerings. To take just one example, a quick look at the relevant page on the WP Engine site shows that in most cases it’s just a matter of a couple of clicks.
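Whichever route you take, it is worth confirming what your site actually serves once HTTPS is switched on. The script below is an added example, not code from Let’s Encrypt or from any of the guides mentioned above: it checks that the certificate is trusted, who issued it, which hostnames it covers, and whether automated renewal appears to be keeping up. The hostnames, the sample certificate values, and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    # Full verification: a self-signed, expired or wrong-host certificate
    # raises ssl.SSLCertVerificationError instead of returning a dict.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name(rdns, key):
    # getpeercert() names are tuples of RDNs, each a tuple of (key, value).
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(cert, now, expected=(), warn_days=30):
    """Reduce a getpeercert() dict to the facts a site owner should check."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    names = sorted(v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
    return {
        "issuer": _name(cert.get("issuer", ()), "organizationName"),
        "hostnames": names,
        # Exact match only; wildcard entries are not expanded here.
        "missing": sorted(h for h in expected if h not in names),
        "days_left": days_left,
        "renew_now": days_left < warn_days,  # assumed threshold
    }

def check_site(host, expected=()):
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message}
    return {"trusted": True,
            **summarize(cert, datetime.now(timezone.utc), expected)}

# Constructed sample in getpeercert() format, so the logic runs offline.
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Issuing CA"),)),
    "notAfter": "Apr  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
```

Call `check_site("example.com", expected=("example.com", "www.example.com"))` against your own domain; a `trusted: False` result corresponds to the browser warning described earlier for self-signed certificates.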
The arrival of Let’s Encrypt is an incredibly welcome one for both site owners and casual users. As the slew of heavyweights queueing up to support the project shows, open sourcing the provision of basic SSL certificates ultimately makes the wider web a safer place for everyone. Partially as a result of this, we can expect to see the majority of sites shifting over to HTTPS sooner rather than later.
From a site owner’s perspective, there’s really very little to hold you back from taking the plunge. Though dedicated e-commerce sites may well still be looking to lean on Extended Domain Validation, the standard certificates issued by Let’s Encrypt are perfect for the majority of use cases.
We’re curious to know if you’ve already made the switch, or have tips or edge case warnings to share. Get in touch via the comments below and let us know!