Is your website secure? Don’t overlook SSL for your site in 2018

January 15, 2018 | Website, WordPress

This is the year to pay attention to SSL. With website attacks on the rise, Google announced last year that they would be identifying “unsafe” sites starting in 2018.  “Safe” sites are sites that are using SSL certificates and show up using “https” at the front of the URL in the address bar. The Chrome browser is currently showing when sites are secure (that is, running under https):

The Chrome browser will be picking up on those that are NOT secure, and given how many users Chrome has, if your site is NOT running SSL (that is, running under just http), the browser address bar will look like this when people go to your website:

If you’re a coach, expert, consultant, or small business, you need to display authority and trustworthiness in everything you do.  If your site is not running SSL today, you need to add it; and not all hosts make the best SSL options available to you.

Plus, if your site is deemed unsafe by Google, it might affect more than just your website visitors and search rankings.  It might also affect the inbox delivery of your email campaigns.

How do you avoid this?  Seems like a simple answer, doesn’t it?  Add an SSL certificate to your website.  But… it’s not as easy as it seems.

What you need to know about adding SSL to your website:

1.  When you go to add SSL to your site, not all hosting accounts & options are created equal — and what you will pay to achieve this varies wildly.  Here’s why:

Traditionally, adding SSL meant purchasing an SSL certificate, and also a dedicated IP address – because SSL certificates required dedicated IP addresses.  At most hosting providers (like Bluehost, SiteGround, WPEngine, or HostGator, to name a few) what they offer in terms of SSL, and what it will cost you, varies from FREE to Expensive, depending on what you are doing and how many sites you have in your hosting account.

In the past couple of years, a new, free, SSL service has come available, called Let’s Encrypt. Many hosts make it available to their users, but others do not. And the cost difference is real.

What kind of certificate does Let’s Encrypt use? It’s called a “DV” certificate, which means DOMAIN VALIDATED certificate. This is the most popular type of certificate that is issued – and it means that to issue the certificate, they validate that the domain is pointing to the site where you’re adding the certificate.

The cool part is that it’s not only free, but the Let’s Encrypt process removes all of the technical complexity of adding and renewing a certificate.  Bottom line:  It makes your job much easier to have your site running SSL.

2.  Not all hosting accounts offer Let’s Encrypt SSL certificates.

But here’s what I really want you to know when you go to add SSL to your sites. Not all hosting accounts make Let’s Encrypt available, and those that don’t are charging you for the SSL certificates. That is the same model that has held back SSL adoption, because it has historically been fairly expensive to have SSL on your site.

OK — now for a story that illustrates the difference:

I was working on setting up two client WordPress sites — one for their main website and one for a membership & online course site that would also collect payments. This client already had a hosting account at Bluehost.

I logged into their hosting account, and noticed that Bluehost didn’t have a Let’s Encrypt option under the “Security” section of their cPanel. So I started a text chat with their support team.

Don’t let the tech support people scare you with this…

And here’s where it got interesting. I asked whether they had a “Let’s Encrypt” option for adding free SSL. He said they didn’t, that they offered a far superior Comodo SSL certificate. I asked how it was better than the Let’s Encrypt SSL certificate, and here’s what he texted to me (spoiler alert – I hate it when support people flat out lie):

“You can’t compare lets encrypt SSL, with the comodo SSL we provide, lets encrypt doesn’t have any encryption, that’s just for name purpose or to make you happy, it just shows https in browser”

OK — there is A LOT just wrong about his response, and this is a key reason why I’m writing this blog post. He basically told me that Let’s Encrypt is pulling the wool over everyone’s eyes and doesn’t offer any encryption at all — just “pretends” to. That is a lie, and it is misleading you so that I’d pay Bluehost for their Comodo DV Wildcard SSL certificate — and in this case (two sites using the same domain), I would have also needed a dedicated IP address — both of which add to the hosting bill each year.

And most of our customers and clients — and people who would host at Bluehost — wouldn’t know that what the tech support guy told me about Let’s Encrypt is not true. And why would you question it? Why would a hosting provider lie to you outright?  You’ll walk away thinking that Let’s Encrypt is dangerous — and that is a shame.

It reminds me of when electricity was replacing gas lamps — and the gas lamp manufacturers and gas providers for the lamps were saying that electricity was volatile and could burn down your house :-).  Scare tactics to keep status quo in place.  Not cool.

Why do they want you to believe that? Because they make money when they SELL you an SSL certificate. Let’s Encrypt has mucked with (formal term is “disintermediated”) the SSL revenue stream by making certificates available for free. But that DOES NOT mean they are not excellent SSL certificates. They are as good as any other DV SSL certificate.

But I will leave it to you. Following along with my example, here is the impact of staying on Bluehost and purchasing their SSL certificate for the two sites, versus moving to a hosting provider like SiteGround that makes Let’s Encrypt certificates available to their customers (we like SiteGround, but we also know there are other hosting providers that enable Let’s Encrypt certificates as well). I wrote it in an email to my customer, so they could make an informed choice:

Hi [customer name],

You are hosted at Bluehost — and to set up your eCommerce there and your course platform, we’ll set up member.[yourdomainname].com — and it will have to have SSL — in fact ALL sites should have SSL now – as it’s much easier (free) to get… and Google is making it one of their quality factors…

There have been a lot of advances in SSL technology in recent years, and the cost associated with SSL has gone down dramatically, which is super nice. But some hosting companies have embraced these new technologies and others have not.

Essentially, Bluehost hasn’t. In fact, they WILL do free SSL for your main site, but if you have a subdomain site (which is what “member.[yourdomainname].com” is — the “member” part in front of your domain name means it’s a subdomain)… At any rate, for that, with Bluehost, you must have a “wildcard SSL certificate” — and for them, that is $149.99 per year, plus you must have a dedicated IP address to use that type of certificate and that will run you another $71.88 per year.

I think Bluehost is $12.95 per month (you would need to verify what you pay for your package) which brings your annual renewal for just your base Bluehost account to $155.40… But in order for us to create your member site – you would have to invest another $221.87 per year, bringing your hosting fees to a total of $377.27 per year.

If you go with a hosting provider that DOES offer Let’s Encrypt, like SiteGround, you will be able to install an SSL certificate for every site (and subdomain site) that you run from your hosting account, for zero added expense. That means your first year, using SiteGround as an example, would be between $71-91 for the year, and in subsequent years, the cost goes up to around $15 per month, which brings your annual hosting total to $179 per year. That’s for their “Grow Big” plan, which is the one we recommend for people serious about getting their business moving.

And it will automatically renew the certificate so you don’t have to worry — which doesn’t happen when you purchase an SSL — you must manually update your certificate before it expires.

Also — if you move hosts, it’s not that difficult to migrate your site… we do it all the time for our customers that we’re getting set up.

Let me know whether you will stay at Bluehost (and purchase their SSL option) or create an account at SiteGround.

Thanks!
Kim
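
To check the claims above for yourself instead of taking a support agent's word for it, here is an added example (not part of the original post or email) that reduces a TLS handshake to four facts: who issued the certificate, which cipher was negotiated, whether the main site and the subdomain are both covered, and how many days remain before renewal. The host names, the sample certificate and the `fetch`, `covers` and `summarize` helpers are constructed for illustration.

```python
import socket
import ssl

def fetch(host, port=443, timeout=10):
    """Handshake with a live server; return (certificate dict, cipher tuple)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.cipher()

def covers(pattern, host):
    """True if a certificate DNS name (optionally a '*.' wildcard) matches host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard stands for exactly one label: *.example.com matches
        # member.example.com but not example.com or a.b.example.com.
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def summarize(cert, cipher, hosts, now):
    """Reduce a handshake result to the facts the article argues about."""
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName"),  # who vouched for the domain
        "cipher": cipher[0],                       # what actually encrypts traffic
        "protocol": cipher[1],
        "key_bits": cipher[2],
        "days_left": int((expires - now) // 86400),
        "covered": {h: any(covers(n, h) for n in names) for h in hosts},
    }

# Constructed sample in the shape getpeercert() and cipher() return.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Apr 15 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "member.example.com")),
}
SAMPLE_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
NOW = ssl.cert_time_to_seconds("Jan 15 12:00:00 2018 GMT")

if __name__ == "__main__":
    hosts = ["example.com", "member.example.com"]
    print(summarize(SAMPLE_CERT, SAMPLE_CIPHER, hosts, NOW))
```

Against a real site, pass the result of `fetch("your-domain")` and `time.time()` to `summarize`; the cipher fields are filled in by the handshake whichever certificate authority appears under `issuer`.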

At Genoo (and WPMktgEngine), we’re committed to de-mystifying the tech realities that businesses are faced with when trying to build the online portion of their business. We provide a comprehensive tech foundation for your business, using best of breed components to provide a foundation for accelerated growth for our customers. Imagine no more tech headaches?! Imagine what having access to tech support for your tech questions would do to make and keep your life so much easier?!

Having a tech foundation that’s integrated, works, and allows you to scale may be one of the least “sexy” pillars, but it is one of the keys to having a business of your dreams.  The good part for you is that it’s sexy to us :-).

If you want to explore what might be possible for your business, sign up for a Business Foundation Consultation, where we can learn all about what you’re creating and whether we might be a good fit to work together.


About Kim Albee

An in-demand marketing consultant, speaker, and educator, Kim is a respected visionary with a great sense of humor who has made her life goal to make marketing easier and more accessible for small business owners. When not changing the course of marketing history, you can find her at a tiny cabin next to a Wisconsin lake with people and critters that make her happy.
